MySQL 'AND' gives me error [closed] - php

Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
I have this MySQL query:
$querynotis = "SELECT * FROM notifications WHERE pid = " . $_SESSION['sess_id'] . " AND read = 0";
And it gives me the error;
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'read = 0' at line 1
If I remove the:
AND read = 0
part, it works perfectly fine. What could I have done wrong?

READ is a Reserved Keyword and happens to be the name of your column. In order to avoid syntax error, the column name should be escaped using backticks. Ex,
$pid = $_SESSION['sess_id'];
$querynotis = "SELECT * FROM notifications WHERE pid = $pid AND `read` = 0";
MySQL Reserved Keywords List
Another way, rather than escaping it with backtick:
$pid = $_SESSION['sess_id'];
$querynotis = "SELECT * FROM notifications n WHERE pid = $pid AND n.read = 0";
If you have the privilege to alter the table, change the column name to one that is not on the Reserved Keyword List to prevent the same error from coming back in the future.
As a sidenote, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?

Use this query; you are trying to use a reserved keyword of MySQL. READ is a reserved keyword. Use the backtick operator:
$querynotis = "SELECT * FROM notifications WHERE pid = " . $_SESSION['sess_id'] . " AND `read` = '0'";

Related

Select values from mysql table with php [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Please explain to me why it is not working.
$sql = "SELECT nombre,precio,presentacion FROM '$keywords'";
I used the next code and it worked but it's not what I need
$sql = "SELECT nombre,precio,presentacion FROM productos";
You're using the incorrect quotes (Identifier Qualifiers) for your table, being single quotes.
$sql = "SELECT nombre,precio,presentacion FROM '$keywords'";
needs to read as
$sql = "SELECT nombre,precio,presentacion FROM `$keywords`";
While unknown as to which MySQL API you are using to connect with, using error checking on the query, would have thrown a syntax error.
Now, if your table name doesn't contain spaces or hyphens or a reserved word or anything else to give MySQL to complain about, you can just remove the quotes.
$sql = "SELECT nombre,precio,presentacion FROM $keywords";
For more information on Identifier Qualifiers, visit:
https://dev.mysql.com/doc/refman/5.0/en/identifier-qualifiers.html
Error checking link references:
http://php.net/manual/en/function.mysql-error.php - MySQL_*
http://php.net/manual/en/mysqli.error.php - MySQLi_*
http://php.net/manual/en/pdo.error-handling.php - PDO
Footnotes:
If you're assigning "productos" to the $keywords variable (which seems to be the case), such as:
$keywords = "productos";
then you can omit the quotes/ticks around that variable in your query.
Remove the ticks from your table name. Hopefully $keywords is not a user supplied value or you will need to sanitize it
$sql = "SELECT nombre,precio,presentacion FROM $keywords";

SQL Command Syntax Error? [closed]

Closed 8 years ago.
I definitely regret asking such a simple question, but it's been driving me off the wall, and I'm not sure if it's because of an update or anything. But can anyone tell me what the error with the following SQL statement is?
$iname = mysql_query("SELECT * FROM calendarevents WHERE 'EventMonth'="January" AND 'EventDay'="1"")
or die(mysql_error());
This should work better, using correct quotes and backticks, please have a look at the query
$iname = mysql_query("SELECT * FROM calendarevents WHERE `EventMonth`= 'January' AND `EventDay`= 1 ");
SIDENOTE:
Please consider using PDO or mysqli_ instead of mysql_* functions.
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Use the following:
$iname = mysql_query("SELECT * FROM calendarevents WHERE `EventMonth`='January' AND `EventDay`='1'")
or die(mysql_error());
The way that you have used double quotes (") is the first and the biggest of issues, and you should use backticks(`) instead of single quotes(') for escaping table and column names in mysql.
You cannot use double quotes ["] inside of a SQL statement.
January and 1 need to be in single quotes instead of double.
You also don't need quotes around the field names.
"SELECT * FROM calendarevents WHERE 'EventMonth'="January" AND 'EventDay'="1""
should be
"SELECT * FROM calendarevents WHERE EventMonth='January' AND EventDay='1'"
$iname = mysql_query("SELECT * FROM `calendarevents` WHERE `EventMonth`='January' AND `EventDay`=1")
or die(mysql_error());
Try this:
$query = "SELECT * FROM calendarevents WHERE EventMonth='January' AND EventDay = '1'";
$iname = mysql_query($query);

PHP mysql query insert where [closed]

Closed 8 years ago.
I'm trying to confirm a user's email where the user's verification key is the variable $verify_mod. However, I get the error,
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE verification='72b4ad7ee82dd6e177f2588c168abb51user=test123'' at line 1
Here's my query:
$confirm_query = "INSERT INTO users (confirm_email) VALUES ('1') WHERE verification='$verify_mod'";
The INSERT statement doesn't go with a WHERE clause. Either you're trying to insert something, in which case you should remove the WHERE clause, or you want to modify a value, in which case you should use UPDATE .. SET.
// For an insert:
$confirm_query = "INSERT INTO users (confirm_email) VALUES ('1')";
// For an update:
$confirm_query = "UPDATE users SET confirm_email='1' WHERE verification='$verify_mod'";
Besides that, it's always a good idea to put ` characters around table and column names to reduce the risk of SQL injection. So:
// For an insert:
$confirm_query = "INSERT INTO `users` (`confirm_email`) VALUES ('1')";
// For an update:
$confirm_query = "UPDATE `users` SET `confirm_email`='1' WHERE `verification`='$verify_mod'";
Lastly, I don't know if you're using mysqli_* functions or PDO or mysql_* functions (in the latter case you should definitely change to one of the others as mysql_* is deprecated). In any of the first two cases you should use parameterized queries or prepared statements. You prepare the query and then fill in the variables ($verify_mod here). That way, the variables get escaped properly, again, to reduce the risk of SQL injection.
You are doing an insert, this sounds like it should be an update statement though (you can't do where in inserts either as it doesn't make sense to):
$confirm_query = "UPDATE users set confirm_email=1 WHERE verification='$verify_mod'";
Extending upon @CamilStaps answer, here's how you can parameterize your query using mysqli.
// For an insert: (No need to bind parameters for this one)
$confirm_query = $mysqli->prepare("INSERT INTO `users` (`confirm_email`) VALUES ('1')");
$confirm_query->execute();
// For an update:
$confirm_query = $mysqli->prepare("UPDATE `users` SET `confirm_email`='1' WHERE `verification`= ? ");
$confirm_query->bind_param('s', $verify_mod);
$confirm_query->execute();

Cant order by in PHP via SQL Database? [closed]

Closed 8 years ago.
I'm trying to order by "ItemLevel" in shops in a game I'm currently developing. It should be correct because this code
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
displays no errors.
Here's the ORDER BY ItemLevel line.
$item = mysql_query("SELECT * FROM knightG_{$shop["ItemCategory"]}s WHERE
ItemId='{$shop["ItemId"]}' ORDER BY ItemLevel ASC") or die (mysql_error());
I can give anyone more information if requested.
Thanks.
It should be
$item = mysql_query("SELECT * FROM knightG_{$shop['ItemCategory']}s WHERE
ItemId='{$shop['ItemId']}' ORDER BY ItemLevel ASC") or die (mysql_error());
instead. Inside of double string variable interpolation you must omit the quotes around array indexes.
This is not valid if using braces surrounding arrays within strings allows constants, so you've got to use single quotes in your case. It may seem odd, but it's valid.
Better would be to move from the deprecated mysql_* functions to PDO or mysqli and use prepared statements with placeholders to bind input values to. This will not take care of the problem of input parameters in identifiers for the names of columns or tables (the first input substitution here).
$sql = "SELECT * FROM knightG_{$shop['ItemCategory']}s";
$sql.= " WHERE ItemId='".$shop["ItemId"]."'";
$sql.= " ORDER BY ItemLevel ASC";
$item = mysql_query($sql) or die (mysql_error());
You should make sure though that your variables are safe from mysql injections.
Also I would advise using PDO instead of the mysql extension. It is deprecated.
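
Added example (not part of any answer above, and not the posters' code): both the `$keywords` table name and the `knightG_{$shop['ItemCategory']}s` table name are interpolated into the SQL text, and placeholders cannot bind identifiers. The sketch below picks the table from a fixed allowlist and binds only the value. The `SHOP_TABLES` map, the `fetchItems` function, the sample rows and the in-memory SQLite connection standing in for MySQL are all assumptions made for the demo.

```php
<?php
// Added example: the identifier comes from an allowlist, the value is bound.
// Table names, categories and rows are constructed for this demo.

const SHOP_TABLES = [            // category => real table name
    'weapon' => 'knightG_weapons',
    'armor'  => 'knightG_armors',
];

function fetchItems(PDO $pdo, string $category, string $itemId): array
{
    // Strict lookup: a category that is not in the map is rejected outright
    // instead of being quoted and placed into the statement.
    if (!array_key_exists($category, SHOP_TABLES)) {
        throw new InvalidArgumentException('Unknown item category');
    }
    $table = SHOP_TABLES[$category];

    // Backticks only protect against reserved words and odd characters in
    // the identifier; the placeholder keeps $itemId out of the SQL text.
    $stmt = $pdo->prepare(
        "SELECT * FROM `$table` WHERE `ItemId` = :id ORDER BY `ItemLevel` ASC"
    );
    $stmt->execute([':id' => $itemId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite stands in for MySQL so the demo runs offline
// (SQLite also accepts backtick-quoted identifiers).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE knightG_weapons (ItemId TEXT, ItemLevel INTEGER, Name TEXT)');
$pdo->exec("INSERT INTO knightG_weapons VALUES ('7', 3, 'Pike'), ('7', 1, 'Dagger'), ('9', 2, 'Mace')");

// Normal lookup, ordered by ItemLevel.
print_r(fetchItems($pdo, 'weapon', '7'));

// A value containing quote characters reaches the database as data only.
print_r(fetchItems($pdo, 'weapon', "7' OR 'a'='a"));

// A category that is not in the allowlist never reaches the SQL string.
try {
    fetchItems($pdo, 'weapons WHERE 1=1', '7');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```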

"You have an error in your SQL syntax" error not giving me enough direction, how can I get more specific feedback? [closed]

Closed 8 years ago.
I'm trying to test out some basic functionality, but I'm stuck on something that I don't think I should be stuck on. My db connection is good and tested in the lines before, but the execution of a simple SQL query returns "Error in the consult..You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''classes'' at line 1"
// define query
$query = "SELECT * FROM 'classes'";
# execute the query.
$result = $db_connection->query($query) or die("Error in the consult.." . mysqli_error($db_connection));
The table name 'classes' isn't a reserved term, and I get the same error if I test against any of the other tables. Am I missing something obvious?
Use ticks around the "classes" in your query:
// define query
$query = "SELECT * FROM `classes`";
# execute the query.
$result = $db_connection->query($query) or die("Error in the consult.." . mysqli_error($db_connection));
