It is showing parsing error on line 17 I have thoroughly checked it but unable to find error.So how do I fix this error.it is insert_city_query.php
<?php
include('../../Connections/autodealers.php');
//error_reporting(0);
$cityname=$_POST['cityname'];
$cityorder=$_POST['cityorder'];
$status=$_POST['status'];
if($status="Enabled")
$status=1;
else
$status=0;
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
(
'" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
echo $query;
$result=mysql_query($query);
if(!$result)
{
die ('ERROR: '.mysql_error());
header("Location: " .$base_url. "admin/city_insert.php" );//if query fails
}
else
{
header("Location: " .$base_url. "admin/cities.php" );//if query suceeds
}
mysql_close($autodealers);
?>
Change your query to,
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
('" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='" . strtolower($_REQUEST['cityname']) . "')";
Note: Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
Warning: The query is vulnerable with SQL Injection if the value (s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it.
How to prevent SQL injection in PHP?
You do not use strtolower() as a function.
You should change this line:
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
to
WHERE LCASE='".strtolower($_REQUEST['cityname'])."')";
Related
I am using PHP to pass a query like this:
"UPDATE `prove750_mrdias`.`stringsMrDias`
SET `conteudo` = '$conteudo'
WHERE `stringsMrDias`.`ID` = $id;"
when I echo $conteudo I get Sobre\nmim as expected.
But after the query, I look at the database and the value stored is the formatted string:
'sobre
mim'
That's causing all sorts of problems when parsing the data back to my application.
If I go to phpMyAdmin and pass the value of $conteudo manually it maintains the expected behavior, only when querying the replace is happening without calling it.
Any ideas?
I suspect it's an issue of interpolation. You can kill two birds with one stone by using prepared statements. By using prepared statements
your data won't be corrupted or need to be manually handled by you,
your application will not be subject to security issues a la SQL injection.
This might look like:
$sql = "UPDATE `prove750_mrdias`.`stringsMrDias` SET `conteudo` = ? WHERE `stringsMrDias`.`ID` = ?";
$preparedStatement = $pdo_handle->prepare( $sql );
$preparedStatement->execute([$conteudo, $id]);
That is, you first tell the database the form of the query you want executed, and then -- in a separate call -- you send the arguments to that query.
Try http://php.net/manual/en/function.nl2br.php
Example,
$conteudo = nl2br($conteudo);
Then store into database.
Prepared statements was the right direction.
After looking at the mysqli documentation I ended up with a code like this:
`$sql = "UPDATE `prove750_mrdias`.`stringsMrDias` SET `conteudo` = (?) WHERE `stringsMrDias`.`ID` = (?)";
if (!($stmt = $con->prepare($sql))) {
echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
}
if (!$stmt->bind_param('ss', $conteudo,$id)) {
echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
}
if (!$stmt->execute()) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}`
Had to use the bind_param() as execute() don't accept any parameters.
This question already has answers here:
How to prevent against XSS and SQL injection [duplicate]
(4 answers)
Closed 6 years ago.
Sadly my student website just got hacked. Someone insert script tag and stored in the database. Database also been published in a website call pastebin. I just took down the website. Can someone show me how to fix this quick.
Use a combination of filters and prepared statements.
http://php.net/manual/en/function.filter-input.php
http://php.net/manual/en/pdo.prepared-statements.php
You can use strip_tags() before inserting any value into database to remove any HTML or PHP tags from the string.
This is how you can remove HTML and PHP tags from string,
$code=strip_tags($code);
Use it with every variable you want to insert into database.
$code=strip_tags($code);
$fn=strip_tags($fn);
$em=strip_tags($em);
$un=strip_tags($un);
$hash=strip_tags($hash);
$salt=strip_tags($salt);
$ip=strip_tags($ip);
$this->db1->query("INSERT INTO users SET code='" . $code . "', firstname='" . $fn . "', email='" . $em . "', username='" . $un . "', password='" . $hash . "', salt='" . $salt . "', registerdate='" . time() . "', ipregister='" . $ip . "'");
Although strip_tags() doesn't prevent SQL injection completely. You should better use prepared statements.
Reference: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
i am very new at MYSQL and after i created this script to update a row in the table of a MYSQL Database and run it i get this error
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '265'', Employer_VAT_number = ''45698'', Employer_Name = ''Namtax_Ltd'', Employer' at line 3
here is the code
// username and password sent from form
$Numb=$_POST["Numb"];
$VAT=$_POST["VAT"];
$Name=$_POST["Name"];
$Addr=$_POST["Addr"];
$PO=$_POST["PO"];
// To protect MySQL injection (more detail about MySQL injection )
$Numb = stripslashes($Numb);
$VAT = stripslashes($VAT) ;
$Name = stripslashes($Name) ;
$Addr = stripslashes($Addr) ;
$PO = stripslashes($PO) ;
$Numb = "'" . mysql_real_escape_string($Numb) . "'";
$VAT = "'" . mysql_real_escape_string($VAT) . "'";
$Name = "'" . mysql_real_escape_string($Name) . "'";
$Addr = "'" . mysql_real_escape_string($Addr) . "'";
$PO = "'" . mysql_real_escape_string($PO) . "'";
$sql=("UPDATE $tb1_name SET Employer_Registration_Number ='".$Numb."', Employer_VAT_number = '".$VAT."', Employer_Name = '".$Name."', Employer_Address = '".$Addr."', Employer_Postal_Address = '".$PO."' WHERE Employer_Name = '".$Name."' ");
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "Successfully Updated";
mysqli_close($con);
?>
</body>
This here:
$Numb = "'" . mysql_real_escape_string($Numb) . "'";
Firstly, that isn't proper syntax and you're using mysqli_ to connect with, least I sure hope you are.
Those different MySQL APIs do not intermix with each other.
That should read as:
$Numb = mysqli_real_escape_string($con,$Numb);
while doing the same for the rest of your variables, following the same method outlined here.
Footnotes:
Seeing you didn't post what $tb1_name is, doubt that would be causing an issue. But just for the sake of argument, wrap that variable in ticks, just so if your table name changes to something containing a hyphen or a space, or anything that MySQL will complain about.
UPDATE `$tb1_name` SET...
Plus, since you didn't mention which MySQL API you're using to connect with, make sure it is in fact mysqli_ and not mysql_ or PDO.
It doesn't look like it, but I have to be 100% sure.
Your connection should resemble something like this:
$con = mysqli_connect("yourhost","user","pass","your_DB")
or die("Error " . mysqli_error($con));
Again, those different MySQL APIs do not intermix with each other.
Consult (PHP: Choosing an API - Manual): https://php.net/mysqlinfo.api.choosing
"I am very new at MYSQL..."
Seeing you're new to this:
Use mysqli with prepared statements, or PDO with prepared statements.
Additional notes. (as an edit)
I noticed another question you posted earlier:
https://stackoverflow.com/q/30191388/
where you said "Thank you it worked " in the answer given https://stackoverflow.com/a/30191647/
I don't get that.
How could that possibly work where you're using if (!mysqli_query($con,$sql))?
You'll need to show us the way you're connecting with here.
If you truly want to see if your query was successful, use mysqli_affected_rows().
if(mysqli_affected_rows($con)){
echo "Successfully updated.";
}
else{
echo "Not updated.";
}
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
Hello guys I have an error in this query and again I cant Figure out what is wrong? i cant find the error. I know this is a simple code but Can you guys please help me in solving this
I got an error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where testid=4 and qnid=1' at line 1
$query = "update question set question='" . htmlspecialchars($_REQUEST['question'],ENT_QUOTES) . "',optiona='" . htmlspecialchars($_REQUEST['optiona'],ENT_QUOTES) . "',optionb='" . htmlspecialchars($_REQUEST['optionb'],ENT_QUOTES) . "',optionc='" . htmlspecialchars($_REQUEST['optionc'],ENT_QUOTES) . "',optiond='" . htmlspecialchars($_REQUEST['optiond'],ENT_QUOTES) . "',correctanswer='" . htmlspecialchars($_REQUEST['correctans'],ENT_QUOTES) . "',marks='" . htmlspecialchars($_REQUEST['marks'],ENT_QUOTES) . "',audiopath=" . htmlspecialchars($_REQUEST['AudioPath'],ENT_QUOTES) . " where testid=" . $_SESSION['testqn'] . " and qnid=" . $_REQUEST['qnid'] . " ;";
if (!#executeQuery($query))
$_GLOBALS['message'] = mysql_error();
else
$_GLOBALS['message'] = "Question is updated Successfully.";
}
Thank for those who will answer
This should be what you need. You are missing quotes. Looks like you also have an extra semi-colon there.
audiopath='" . htmlspecialchars($_REQUEST['AudioPath'],ENT_QUOTES) . "' where testid='" . $_SESSION['testqn'] . "' and qnid='" . $_REQUEST['qnid'] . "'";
To make your app more secure I would use PDO extensions http://www.phptherightway.com/#pdo_extension
I seem to be missing something quite fundamental here and yet my code doesn't seem to be any different to any of the numerous online tutorials that I have looked at.
What I would like is for someone to look at this and say....Oh you have forgotten to...etc;
This is what I have on a separate update page which is intended to perform the update then cycle back to the main admin page:
require_once('../Connections/MyConn.php');
$sql_statement = "UPDATE skyscrapers SET ";
$sql_image = "Ad_image = '" . $_REQUEST['image'] . "', ";
$sql_expire = "Ad_Expires = '" . $_REQUEST['expire'] . "'";
$result = mysql_query($sql_statement . $sql_image . $sql_expire . " WHERE Ad_ID=" . $_REQUEST['ADID']);
if (!$result) {
echo("<p>Error performing query: " . mysql_error() . "</p>");
exit();
}
mysql_close ($MyConn);
header("location:Admin_skyscrapers.php");
However when I run this I get the following error:-
"Error performing query: No database selected"
Well, haven't I selected the database in the connection script which already works everywhere else?
I realise the code isn't very pretty and I am being naughty using the url to pass variables at the moment - I do promise to change this when I get it to work :)
So, any pointers would be helpful, thanks in advance.
Edit to add...
This is the connection script with the sensitive stuff redacted:-
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_MyConn = "*************.co.uk";
$database_MyConn = "db**********";
$username_MyConn = "dbo*********";
$password_MyConn = "*****";
$MyConn = mysql_pconnect($hostname_MyConn, $username_MyConn, $password_MyConn) or trigger_error(mysql_error(),E_USER_ERROR);
This may or may not be declared in your MyConn.php but all you need is a line:
mysql_select_db($db_name);
Where $db_name is the name of your database.
This should come before you attempt to execute the query.
For DB select you have to add mysql_select_db(DatabaseName); or
$dbconn=mysql_select_db($dbname,$MyConn);in MyConn.php
For update in Database you have to use connection variable which is in MyConn.php i.e.$MyConn as follows
$result = mysql_query($sql_statement . $sql_image . $sql_expire . " WHERE Ad_ID=" . $_REQUEST['ADID'],$MyConn);
or
$result = mysql_query($sql_statement . $sql_image . $sql_expire . " WHERE Ad_ID=" . $_REQUEST['ADID'],$dbconn);
respectively
Hope It Helps!!!!!!!