I'm trying to do an update to my database. One of the column values contains apostrophes, etc. I have used $this->db->escape in CodeIgniter around the strings that may contain such characters, but I still get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'O\'Keeffe, O\'Keefe'' WHERE `survey_id` = 188' at line 1
UPDATE `survey` SET `firstname_confidence_score` = 100, `firstname_rhymes` = '''', `lastname_confidence_score` = 85, `lastname_rhymes` = ''O\'Keeffe, O\'Keefe'' WHERE `survey_id` = 188;
How do I fix this?
UPDATE:
$sql = "UPDATE `$table_name` SET `firstname_confidence_score` = $firstname_confidence_score, `firstname_rhymes` = '" . $this->db->escape($firstname_rhymes) . "', `lastname_confidence_score` = $lastname_confidence_score, `lastname_rhymes` = '" . $this->db->escape($lastname_rhymes) . "' WHERE `$primary_id` = $id;";
$result = $this->db->query($sql);
Since you are using $this->db->escape(), you are automatically adding single quotes around the data.
Your query simply needs to be:
$sql = "UPDATE `$table_name`
SET `firstname_confidence_score` = $firstname_confidence_score,
`firstname_rhymes` = " . $this->db->escape($firstname_rhymes) . ",
`lastname_confidence_score` = $lastname_confidence_score,
`lastname_rhymes` = " . $this->db->escape($lastname_rhymes) .
" WHERE `$primary_id` = $id;";
You do not need the single quotes around $this->db->escape($firstname_rhymes) and so on.
UPDATE `survey` SET `firstname_confidence_score` = 100, `firstname_rhymes` = '''', `lastname_confidence_score` = 85, `lastname_rhymes` = 'O\'Keeffe, O\'Keefe' WHERE `survey_id` = 188;
You had double apostrophes around the lastname_rhymes value.
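The same update written with CodeIgniter 3's Query Builder and with query bindings, as an added example that is not part of the question or either answer. It assumes it runs where $this->db (passed in as $db) is loaded, and that the two score values are integers; since table and key names cannot be bound as values, it checks them against the names that appear in the question instead of interpolating whatever arrives.

```php
<?php
// Added example: CodeIgniter 3 Query Builder version of the question's UPDATE.
// Assumes $db is the loaded CI database object ($this->db inside a model).
function update_rhymes($db, $table_name, $primary_id, $id,
                       $firstname_score, $firstname_rhymes,
                       $lastname_score, $lastname_rhymes)
{
    // Identifiers cannot be bound as values, so restrict them to a known set
    // (the names from the question) rather than interpolating user input.
    $allowed_tables = array('survey');
    $allowed_keys   = array('survey_id');
    if (!in_array($table_name, $allowed_tables, true)
        || !in_array($primary_id, $allowed_keys, true)) {
        throw new InvalidArgumentException('unexpected table or key name');
    }

    $data = array(
        'firstname_confidence_score' => (int) $firstname_score,
        'firstname_rhymes'           => $firstname_rhymes,  // quoted/escaped by CI
        'lastname_confidence_score'  => (int) $lastname_score,
        'lastname_rhymes'            => $lastname_rhymes,   // "O'Keeffe" is fine here
    );

    $db->where($primary_id, (int) $id);
    $db->update($table_name, $data);
    return $db->affected_rows();
}

// Equivalent with query bindings: each ? is replaced by an escaped value,
// so the apostrophe in O'Keeffe never touches the SQL text unescaped.
function update_rhymes_bound($db, $id, $lastname_rhymes)
{
    $sql = "UPDATE `survey` SET `lastname_rhymes` = ? WHERE `survey_id` = ?";
    $db->query($sql, array($lastname_rhymes, (int) $id));
    return $db->affected_rows();
}

// Constructed usage with the values from the question:
// update_rhymes($this->db, 'survey', 'survey_id', 188, 100, '', 85, "O'Keeffe, O'Keefe");
```

Either form removes the need to decide where the quotes go: escape() and the bindings add them, and the builder quotes both identifiers and values.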
Related
I am trying to update a database table using pg_query in PHP. I have the following code:
$q = "UPDATE tableName SET ('data1 = " . $data1 . "', data2='" . $data2 . "') WHERE user=".$user;
$success = pg_query($q);
if (!$success) {
$errormessage = pg_last_error();
echo "Error " . $errormessage;
}
I am getting the following error message:
ERROR: syntax error at or near "'data1 = '"
LINE 1: UPDATE tableName SET ('data1 = 10', data2= 20'') WHERE user=
Replace your query with this query
$q = "UPDATE tableName SET data1 = '$data1', data2='$data2' WHERE user='$user'";
Explanation: You should put variables in single quotes ('') if your query is in double quotes.
You are using a lot of quotes which are not understood by PostgreSQL; try simply this:
$q = "UPDATE tableName SET data1 = " . $data1 . ", data2=" . $data2 . " WHERE user=".$user;
Remove those single quotes!
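The same UPDATE with pg_query_params(), as an added example that is not from the question or either answer. Values travel separately from the SQL text, so whether data1 and data2 are numbers or strings no longer matters. It assumes $conn is an open pg_connect() handle and a constructed schema where tableName has integer columns data1 and data2 and a column named user; note that user is a reserved word in PostgreSQL (it evaluates to the current role), so that column name has to be double-quoted.

```php
<?php
// Added example: parameterized form of the question's UPDATE for PostgreSQL.
// Assumes $conn is an open pg_connect() resource (constructed schema).
function update_user_data($conn, $user, $data1, $data2)
{
    // "user" is reserved in PostgreSQL; an unquoted WHERE user = ... would
    // compare against the current role, not the column.
    $sql = 'UPDATE tableName SET data1 = $1, data2 = $2 WHERE "user" = $3';

    // $1..$3 are placeholders; the driver sends the values out of band,
    // so no quoting of $data1/$data2/$user is needed in the SQL string.
    $result = pg_query_params($conn, $sql, array($data1, $data2, $user));
    if ($result === false) {
        // Raise instead of echoing: log the driver message server-side
        // rather than showing it to end users.
        throw new RuntimeException('update failed: ' . pg_last_error($conn));
    }
    return pg_affected_rows($result);
}

// Constructed usage with the values from the question's error output:
// update_user_data($conn, 'alice', 10, 20);
```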
When I update data using PHP and MySQL I get an issue. My PHP code is here:
$query = "UPDATE `wp_experience` SET
`exp_from` ='". $exp_from."' ,
`exp_to` = '". $exp_to."' ,
`exp_title` = '". json_encode($exp_title)."',
`exp_desc` = '". json_encode($exp_desc)."' ,
`exp_cat` = '". $exp_cat."'
WHERE `id` =".$oldid;
It will produce a query like:
UPDATE wp_experience SET exp_from ='2016-01-22 00:00:00' , exp_to = '2002-11-14 00:00:00' , exp_title = '{"en":" PSA Peugeot Citroën Automobiles, Mulhouse (F-68)","fr":"Technical Directué - FRENCH","de":"Responsable d'unité de maintenance"}', exp_desc = '{"en":"
Test</p>","fr":"
Test</p>","de":"
H</p>"}' , exp_cat = '18' WHERE id =28
I got this issue:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'unité de maintenance"}', exp_desc = '{"en":"
Test</p>","fr":"
Test</p' at line 1
How do I fix this issue?
Some of your embedded strings break your query, so either use mysqli_real_escape_string() or prepared SQL statements:
$query = "
UPDATE
wp_experience
SET
exp_from = '" . $exp_from . "' ,
exp_to = '" . $exp_to . "' ,
exp_title = '" . mysqli_real_escape_string($con, json_encode($exp_title)) . "',
exp_desc = '" . mysqli_real_escape_string($con, json_encode($exp_desc)) . "' ,
exp_cat = '" . mysqli_real_escape_string($con, $exp_cat) . "'
WHERE
id = " . $oldid;
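The prepared-statement alternative the answer mentions, as an added example that is not the answer's code. The JSON, the dates and the id are bound parameters, so the apostrophe in "d'unité", the accented characters and the HTML in the descriptions can no longer break the statement. It assumes $con is a mysqli connection, that $exp_title and $exp_desc are arrays, and that exp_cat and id are integer columns.

```php
<?php
// Added example: the question's UPDATE as a mysqli prepared statement.
// Assumes $con is a mysqli connection (not part of the original post).
function update_experience(mysqli $con, $oldid, $exp_from, $exp_to,
                           array $exp_title, array $exp_desc, $exp_cat)
{
    $sql = 'UPDATE `wp_experience`
               SET `exp_from` = ?, `exp_to` = ?, `exp_title` = ?,
                   `exp_desc` = ?, `exp_cat` = ?
             WHERE `id` = ?';

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }

    // JSON_UNESCAPED_UNICODE keeps "unité" readable in the stored JSON;
    // the driver, not json_encode, is responsible for SQL safety.
    $title = json_encode($exp_title, JSON_UNESCAPED_UNICODE);
    $desc  = json_encode($exp_desc, JSON_UNESCAPED_UNICODE);
    $cat   = (int) $exp_cat;
    $id    = (int) $oldid;

    // Type string: one letter per placeholder, s = string, i = integer.
    $stmt->bind_param('ssssii', $exp_from, $exp_to, $title, $desc, $cat, $id);

    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample input mirroring the question's data:
$sample_title = array('de' => "Responsable d'unité de maintenance");
$sample_desc  = array('en' => '<p>Test</p>');
// update_experience($con, 28, '2016-01-22 00:00:00', '2002-11-14 00:00:00',
//                   $sample_title, $sample_desc, 18);
```

With bound parameters there is nothing left to escape by hand, and a forgotten mysqli_real_escape_string() on one of the six values (as with exp_from and exp_to in the string-built version) cannot reintroduce the problem.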
My query was:
$query = "UPDATE shop.titem SET
item = $nitem, comment = $comment visible = $visible
WHERE titem.item =$item;";
And the error I get is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'visible = 1 WHERE titem.item =lolipop' at line 2
I noticed that new version of MySQL doesn't really care about the hyphens so I chose to omit that. However, it gives me the same errors even though I use them for the variables.
Help please.
You are missing a comma after $comment and quotes around the string values:
try
$query = "UPDATE shop.titem SET
item = '$nitem', comment = '$comment', visible = '$visible'
WHERE titem.item ='$item'";
Remove the semicolon after $item; inside the query and use '' for the string values
A much better way to write the SQL query is:
$query = "UPDATE shop.titem SET item = '" . $nitem . "', comment = '" . $comment . "', visible = '" . $visible . "' WHERE titem.item = '" . $item . "'";
Also, I guess it should be shop.item instead of shop.titem.
I have written a PHP class which will update 4 fields of a certain row in a table. The row is decided by a session var 'user' (which is unique). It's not working, but I'm not sure if it is because of the query or the class itself. So I'm first going to ask you guys if there are any errors in this query (there probably are), and when the query is correct, I'll see if the class itself has errors as well.
Query:
UPDATE tblRegistratie(lengte, gewicht, bmi geluk) WHERE `gebruikersnaam` = '" . $_SESSION['regain-user'] . "'
VALUES(
'".mysqli_real_escape_string($conn, $this->Lengte_update)."',
'".mysqli_real_escape_string($conn, $this->Gewicht_update)."',
'".mysqli_real_escape_string($conn, $this->BMI_update)."',
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
);
The quotes look funny here, but I think your problem is a trailing comma , after the last param:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
^^^^^
Last line:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
^^//fix the double quote and make it single '
This is what an UPDATE query should look like.
UPDATE tblRegistratie
SET lengte=mysqli_real_escape_string($conn, $this->Lengte_update),
gewicht=mysql...etc
`bmi geluk`=...etc
WHERE `gebruikersnaam` = '" . $_SESSION['regain-user'] . "'
Yours looks nothing like that.
The correct syntax for UPDATE in MySQL would be something like:
$sql = "UPDATE tblRegistratie SET
lengte = '".mysqli_real_escape_string($conn, $this->Lengte_update)."',
gewicht = '".mysqli_real_escape_string($conn, $this->Gewicht_update)."',
bmi = '".mysqli_real_escape_string($conn, $this->BMI_update)."',
geluk = '".mysqli_real_escape_string($conn, $this->Geluk_update)."'
WHERE gebruikersnaam = '" . $_SESSION['regain-user'] . "'";
You need to have your where clause after the values you're setting. Also, it sounds like you have some punctuation issues.
Consider the following rewrite for general easier-to-read goodness:
$query = 'UPDATE tblRegistratie
SET `lengte` = "' . mysqli_real_escape_string($conn, $this->Lengte_update) . '",
`gewicht` = "' . mysqli_real_escape_string($conn, $this->Gewicht_update) . '",
`bmi` = "' . mysqli_real_escape_string($conn, $this->BMI_update) . '",
`geluk` = "' . mysqli_real_escape_string($conn, $this->Geluk_update) . '"
WHERE `gebruikersnaam` = "' . $_SESSION['regain-user'] . '"
';
Also, functions like sprintf() can be your friend. :)
$query = sprintf('UPDATE `tblRegistratie`
SET `lengte` = "%s",
`gewicht` = "%s",
`bmi` = "%s",
`geluk` = "%s"
WHERE `gebruikersnaam` = "%s";',
mysqli_real_escape_string($conn, $this->Lengte_update),
mysqli_real_escape_string($conn, $this->Gewicht_update),
mysqli_real_escape_string($conn, $this->BMI_update),
mysqli_real_escape_string($conn, $this->Geluk_update),
$_SESSION['regain-user']
);
PHP
On the last line you have two initial single quotes.
Fix:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
becomes
'".mysqli_real_escape_string($conn, $this->Geluk_update)."',
MySQL
Additionally, your UPDATE syntax appears to be completely invalid. Have a read through the documentation.
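A PDO version of the four-column update, as an added example that is not from any of the answers above. It goes slightly beyond the question: the columns to set arrive as an associative array, and since column names cannot be bound as parameters they are checked against a fixed list before being placed in the SQL, while every value, the session username included, is a named parameter. It assumes $pdo is a PDO instance configured with ERRMODE_EXCEPTION and a constructed schema with the columns lengte, gewicht, bmi and geluk.

```php
<?php
// Added example: PDO named-parameter UPDATE with a column whitelist.
// Assumes $pdo is a PDO connection (not part of the original post).
function update_registratie(PDO $pdo, $gebruikersnaam, array $fields)
{
    $allowed = array('lengte', 'gewicht', 'bmi', 'geluk');
    $sets    = array();
    $params  = array(':gebruikersnaam' => $gebruikersnaam);

    foreach ($fields as $column => $value) {
        // Identifiers are the one thing a prepared statement cannot protect,
        // so only names from the fixed list ever reach the SQL text.
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("column not updatable: $column");
        }
        $sets[]             = "`$column` = :$column";
        $params[":$column"] = $value;
    }
    if ($sets === array()) {
        return 0; // nothing to update
    }

    $sql = 'UPDATE `tblRegistratie` SET ' . implode(', ', $sets)
         . ' WHERE `gebruikersnaam` = :gebruikersnaam';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // values are sent separately from the SQL
    return $stmt->rowCount();
}

// Constructed usage with the class properties from the question:
// update_registratie($pdo, $_SESSION['regain-user'], array(
//     'lengte'  => $this->Lengte_update,
//     'gewicht' => $this->Gewicht_update,
//     'bmi'     => $this->BMI_update,
//     'geluk'   => $this->Geluk_update,
// ));
```

The SET ... WHERE ordering that several answers point out is fixed by construction here, and the trailing-comma mistake cannot happen because implode() joins the assignments.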
I wrote this query:
$query = "UPDATE encodage_answer
SET Answer = geir
WHERE encodage_question_ID = 128
AND encodage_ID = 305
AND Extra = NULL";
$insert = mysql_query($query, $connection) or die(mysql_error());
But if I run this code I always get the same error:
Unknown column 'geir' in 'field list'
It's probably me but I think I am not saying geir is a column/field; what's the issue?
When I run this query directly in my PHPMyAdmin it works great.
Update: Full code:
The answer exists; the $Extra variable is NULL.
$AnswerExists = answer_exists($Question_ID, $encodage_ID, $Extra);
if($AnswerExists <> ""){
if($Answer != NULL){
$correctAnswer = mysql_prep($Answer);
if($Extra != NULL){
$query = "UPDATE `encodage_answer` SET `Answer` = '" . mysql_prep($Answer) . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query, $connection) or die(mysql_error());
$query2 = "UPDATE `encodage_answer` SET `Extra` = '" . $Extra . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query2, $connection) or die(mysql_error());
}else{
$querytest = "UPDATE `encodage_answer` SET Answer = " . $Answer . " WHERE ID = " . $AnswerExists;
$insert = mysql_query($querytest, $connection) or die(mysql_error());
}
}
}
function answer_exists($Question_ID, $encodage_ID, $Extra){
global $connection;
$trfa = false;
echo $Question_ID . " - " . $encodage_ID . "<br />";
if($Extra <> ""){
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID} AND Extra = {$Extra}";
}else{
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID}";
}
Try putting single quotes around geir. By not quoting the string you want to set the column to, the SQL backend thinks you want to set the value of the Answer column to the value of the geir column. Since the geir column doesn't exist in your table, it throws an error.
Edit: I suspect that PHPMyAdmin has some kind of SQL statement filtering to catch cases like this, and automatically puts quotes around the string for you.
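The same update as a mysqli prepared statement, as an added example that is not from the question or the answer. Binding 'geir' as a parameter makes it a string value rather than a column reference, which is exactly the distinction behind the "Unknown column" error, and a missing Extra is matched with IS NULL, because a comparison such as Extra = NULL is never true in SQL. It assumes $connection is a mysqli handle and that the two ID columns are integers.

```php
<?php
// Added example: parameterized UPDATE for the question's encodage_answer table.
// Assumes $connection is a mysqli object (not part of the original post).
function update_answer(mysqli $connection, $answer, $question_id, $encodage_id, $extra)
{
    $sql = 'UPDATE `encodage_answer` SET `Answer` = ?
             WHERE `encodage_question_ID` = ? AND `encodage_ID` = ?';

    // The question treats "" and NULL alike for Extra; both mean "no extra".
    $no_extra = ($extra === null || $extra === '');
    $sql .= $no_extra ? ' AND `Extra` IS NULL' : ' AND `Extra` = ?';

    $stmt = $connection->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }

    $qid = (int) $question_id;
    $eid = (int) $encodage_id;
    if ($no_extra) {
        $stmt->bind_param('sii', $answer, $qid, $eid);
    } else {
        $stmt->bind_param('siis', $answer, $qid, $eid, $extra);
    }

    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = $stmt->affected_rows;  // 0 means no row matched the WHERE clause
    $stmt->close();
    return $rows;
}

// Constructed usage with the values from the question:
// update_answer($connection, 'geir', 128, 305, null);
```

Because the value is bound rather than spliced into the SQL, the server never has to guess whether geir is a name or a string, and the NULL case is handled in the WHERE clause rather than silently matching nothing.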
Thanks for the help to everyone! I'm changing all queries to a safer format! SQL injection threats are no longer an issue! Thanks for the tip!
Concerning my question:
I'm a complete idiot! After searching for a solution for 20 hours I found my error! The error was for another query. I'm very sorry for wasting your time but I'm a newbie (ergo, the SQL injection issue), so I hope I am allowed to make a few mistakes.
Thanks
Jens