is there something wrong with mysql syntax, I believe the syntax is right though i keep getting an error there is a syntax error when i run my website
$query = "SELECT DISTINCT paycheck.jobId
FROM paycheck,users
WHERE users.email = " . $_SESSION['email'] .
"AND userId = empId";
you forgot single quote here
$query = "SELECT DISTINCT paycheck.jobId
FROM paycheck,users
WHERE users.email = '" . $_SESSION['email'] ."' AND userId = empId";
try this:
$query = "SELECT DISTINCT `paycheck`.`jobId`
FROM `paycheck`,`users`
WHERE `users`.`email` = '" . $_SESSION['email'] ."' AND `userId` = 'empId' ";
you also might want to consider escaping your query to prevent sql injections
Related
$TableName = "interns";
if ($errors == 0)
{
$SQLstring = "SELECT COUNT(*) FROM $TableName" . "WHERE email=$email";
$QueryResult = mysqli_query($DBConnect, $SQLstring);
if ($QueryResult)
{
$Row = mysqli_fetch_row($QueryResult);
if ($Row[0]>0)
{
echo "<p>The email address enterend (" . htmlentities($email) . ") is already registered.</p>\n";
++$errors;
}
}
}
What have I done wrong here, everything looks good to me. I it is kind of late and maybe I need a fresh pair of eyes. Any help would be greatly appreciated.
You're missing a space & quotes, change:
"SELECT COUNT(*) FROM $TableName" . "WHERE email=$email";
to:
"SELECT COUNT(*) FROM $TableName" . " WHERE email='$email'";
or ever more simple (no need for string concatenation):
"SELECT COUNT(*) FROM $TableName WHERE email='$email'";
Addition:
As j_mcnally suggested below, it would be a good idea to escape the $email in order to prevent a possible sql-injection attack
I need help with this code:
if (isset($_POST['aboutme'])) {
$aboutme = $_POST['aboutme'];
$aboutme = mysql_real_escape_string($aboutme);
mysql_query("UPDATE `users` SET `about_me`='" . $aboutme . "' WHERE `username`='" . $usn . "' LIMIT 1") or die(mysql_error());
}
I don't know why it doesn't work, but it does not make it to the proper cell to change it. Here is the text area:
<textarea id="aboutme" name="aboutme" rows="4" cols="50"><?php echo "$abme"; ?></textarea>
I don't know what is going one here because no errors are coming out of it.
http://gyazo.com/f36f04c014bb229c1be27cc7a9e5072f.png?1363328064
I strongly recommend to switch to mysqli.
also mysql_real_escape_string() requires an active database connection.
So you should connect to the database first or mysql_real_escape_string() will return an empty string
DEBUG :
if (isset($_POST['aboutme'])) {
$aboutme = $_POST['aboutme'];
$aboutme = mysql_real_escape_string($aboutme);
$query = "UPDATE `users` SET `about_me`='" . $aboutme . "' WHERE `username`='" . $usn . "' LIMIT 1";
mysql_query($query) or die(mysql_error());
}
print_r($query);
this will allow you to see the query and trigger will an error if the form is not posted correctlly ( Undefined variable $query).
You can run the query on mysql if it output it to see the result;
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'like = '0 +1' WHERE wall_id = '20'' at line 1
$sql = mysql_query("UPDATE wall SET like = '$nelike' WHERE wall_id = '$id' " );
if($sql)
echo "Success;
else
echo "something wrong<br/>" . mysql_error();
Why I'm getting this error message?
Your column like needs to be encapsulated in backticks because like is also a MySQL keyword.
$sql = mysql_query("UPDATE wall SET `like` = '$nelike' WHERE wall_id = '$id' " );
You'd want to apply backticks to columns with spaces in their names as well.
Also, it wouldn't be a bad idea to escape your data (if you didn't know)
$sql = mysql_query("UPDATE wall
SET `like` = '" . mysql_real_escape_string($nelike) . "'
WHERE wall_id = '" . mysql_real_escape_string($id) . "'" );
LIKE is a SQL keyword. You'll need to put it in backticks if you want to use it as a field name:
UPDATE wall SET `like` = '$nelike' WHERE wall_id = '$id'
The error was that you are using a RESERVED WORD in mysql and you didn't escape it using backtick.
$sql = mysql_query("UPDATE wall SET like = '$nelike' WHERE wall_id = '$id' " );
should be written as
$sql = mysql_query("UPDATE wall SET `like` = '$nelike' WHERE wall_id = '$id' ");
//$type has value of "Hello+World"
$type = $_POST['series'];
$sql = "select max(id) from TABLE_NAME where type = " . $type;
$result = sybase_query ($sql, $db_ro_conn) or die(db_error("query failed $sql"));
$row = sybase_fetch_row($result)
I get the error "incorrect syntax near "=". y15, procedure N/A in the $sql line.
What are the possible reasons why this is happening? Somehow it doesn't work. Would appreciate any help, thanks!
Put quotes around your $type like this:
$type = $_POST['series'];
$sql = "select max(id) from TABLE_NAME where type = '" . $type. "'";
$result = sybase_query ($sql, $db_ro_conn) or die(db_error("query failed $sql"));
$row = sybase_fetch_row($result)
Let me start with this. ALWAYS escape POST/GET values in your query!
The error is probably caused by $type is string and not quoted. Try changing $sql to
$sql = "select max(id) from TABLE_NAME where type = '" . $type."'";
You are not quoting the value:
$type = str_replace("'", "''", $_POST['series']);
$sql = "select max(id) from TABLE_NAME where type = '" . $type . "'";
I wrote this query:
$query = "UPDATE encodage_answer
SET Answer = geir
WHERE encodage_question_ID = 128
AND encodage_ID = 305
AND Extra = NULL";
$insert = mysql_query($query, $connection) or die(mysql_error());
But if I run this code I always get the same error:
Unknown column 'geir' in 'field list'
It's probably me but I think I am not saying geir is a column/field; what's the issue?
When I run this query directly in my PHPMyAdmin it works great.
Update: Full code:
The answer exists, $Extra variable is Null
$AnswerExists = answer_exists($Question_ID, $encodage_ID, $Extra);
if($AnswerExists <> ""){
if($Answer != NULL){
$correctAnswer = mysql_prep($Answer);
if($Extra != NULL){
$query = "UPDATE `encodage_answer` SET `Answer` = '" . mysql_prep($Answer) . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query, $connection) or die(mysql_error());
$query2 = "UPDATE `encodage_answer` SET `Extra` = '" . $Extra . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query2, $connection) or die(mysql_error());
}else{
$querytest = "UPDATE `encodage_answer` SET Answer = " . $Answer . " WHERE ID = " . $AnswerExists;
$insert = mysql_query($querytest, $connection) or die(mysql_error());
}
}
}
function answer_exists($Question_ID, $encodage_ID, $Extra){
global $connection;
$trfa = false;
echo $Question_ID . " - " . $encodage_ID . "<br />";
if($Extra <> ""){
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID} AND Extra = {$Extra}";
}else{
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID}";
}
Try putting single quotes around geir. By not quoting the string you want to set the column to, the SQL backend thinks you want to set the value of the Answer column to the value of the geir column. Since the geir column doesn't exist in your table, it throws an error.
Edit: I suspect that PHPMyAdmin has some kind of SQL statement filtering to catch cases like this, and automatically puts quotes around the string for you.
Thanks for the help to everyone! I'm changing all queries to a safer format! SQL-Injection treats are no longer an issue! Thanks for the tip!
Concerning my question:
I'am a complete idiot! After searching for a solution for 20 hours I found my error! The error was for another query. I'm very sorry for wasting your time but I'm a newbie (ergo, the sql-injection issue), so I hope I am allowed to make a few mistakes.
Thanks
Jens