Came across an error i have never seen before after writing the following code:
$query= "UPDATE `Pharm_Log` SET `text` = ". $bloodtest . " WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
My error message was this
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'Pressure Test: 235/43 WHERE id = 1' at line 1"
Any one have any idea on how to fix this? would be greatly appreciated
the string literal (value of $bloodtest) must be wrap with single quotes,
$query= "UPDATE `Pharm_Log` SET `text` = '". $bloodtest . "' WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
Related
I get an error with my PHP code when updating the table patient. I cannot find the problem.
Here is my error:
Verification Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1
<?php
$edit = mysql_query("UPDATE `patient` SET `date`='$date', `fname`='$fname', `lname`='$lname', `birthday`='$dob', `address`='$address', `work`='$work', `civil`='$civil', `gender`='$sex', `btype`='$bloodtype', `height`='$hgt', `weight`='$wgt', `fallergy`='$fallergy', `mallergy`='$mallergy' WHERE `patientid`='$vara'");
$result = mysql_query($edit) or die("Verification Error: " . mysql_error());
You are calling mysql_query twice; the second time you pass the result, of the first call, into it as an argument. That is not how mysql_query works. The SQL should just be a string:
$edit = "UPDATE `patient` SET `date`='$date', `fname` ...";
$result = mysql_query($edit) or die("Verification Error: " . mysql_error());
We cannot see the rest of your code, so we do not know if there are more problems, but this should fix the problem in your question.
My Code looks like below.
$var = 'ID="'. mysql_real_escape_string($data[0]).'" AND SYS="'.mysql_real_escape_string($data[2]). '" AND TITLE="'.mysql_real_escape_string($data[1]).'"';
$sql = 'SELECT * FROM `table_name` WHERE '. $var;
$result = mysql_query($sql);
In the where condition, TITLE when using a single quote(') I am facing the below error even though the mysql_real_escape_string() function is being used.
The error thrown is
Resource id #5You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Created', 'Test', 'Test', '0000-00-00 00:00:00', ' at line 25
after your dumping looks like you have problem with apostroph
you may change your quotes like that
$var = "ID='". mysql_real_escape_string($data[0])."' AND SYS='".mysql_real_escape_string($data[2]). "' AND TITLE='".mysql_real_escape_string($data[1])."' ";
$sql = "SELECT * FROM `table_name` WHERE ". $var;
$result = mysql_query($sql);
$finalvar=stripslashes($var);
$sql = 'SELECT * FROM table_name WHERE '. $finalvar;
Try dumping your SQL query in its compete form right before it is sent.
You'll be able to spot the error that way.
my code below
$count++;
$yesstring = 'MATCH';
echo $count . '. RESULT ' . $idcheck . ': ' . $phonecheck . ' was matched. <br />';
$matchquery = sprintf("UPDATE `list` SET match = `%s` WHERE homephone = `%s` LIMIT 1",
mysql_real_escape_string($yesstring),
mysql_real_escape_string($phonecheck));
$matchresult = mysql_query($matchquery);
if (!$matchresult) {
die("Invalid query: " . mysql_error());
}
and this is my error
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'match = MATCH WHERE homephone = (999) 999-9999 LIMIT 1' at line 1
any help would be appreciated
match is a reserved word in MySQL. Escape it with backticks:
UPDATE `list` SET `match` = ...
You're using backticks when you should be using regular quotes. Backticks are reserved for escaping table or column names:
INSERT INTO `foo` VALUES ('value')
Although you're properly escaping your SQL, calling mysql_real_escape_string can prove to be a constant nuisance. Switching to mysqli or PDO would make writing correct SQL a lot easier in the long-run.
I believe I have a simple syntax problem in my SQL statement. If I run this code, I get an error in the database query.
$user = $_GET['linevar'];
echo $user; // testing - url variable echos correctly
$sql = "SELECT * FROM `userAccounts` WHERE `name` = $user";
$result = mysql_query($sql) or die("Error in db query");
If I replace $user in the $sql string with 'actualName' or a known record in my table, the code works fine. Am I using the $ variable incorrectly in the SQL string?
You need to surround the value that you're getting from $user with quotes, since it's probably not a number:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
Just as a note, you should also read up on SQL injection, since this code is susceptible to it. A fix would be to pass it through mysql_real_escape_string():
$user = mysql_real_escape_string( $_GET['linevar']);
You can also replace your or die(); logic with something a bit more informative to get an error message when something bad happens, like:
or die("Error in db query" . mysql_error());
You need escape the get input, then quote it.
// this is important to prevent sql injection.
$user = mysql_real_escape_string($_GET['linevar']);
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
This should work:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '" . $user . "'";
Whats wrong with my code?
Basically what I'm trying to do is add a number and update a field in the sql with what is connected to the variable. But since steamids look like this STEAM_0:0:123123123 or STEAM_0:1:123123123 I get this
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':0:14166834' at line 1
This is just for learning, so I know my code has useless echos, but its just to see it being added and making sure i was doing it correctly anyways
addmoney.php
<?php
include("inc/config.php");
$mysteamid=mysql_real_escape_string($_POST['mysteamid']);
$sql = "SELECT * FROM $tbl_name WHERE steamid='$mysteamid'";
$result=mysql_query($sql);
$cash=mysql_result($result, 0, 'cash'); // outputs 7th
echo $cash;
$newcash= $cash + "10000";
echo "\n";
echo $newcash;
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
?>
index.php contains a working formdata its not really required with the error in my code.
my main problem is this line from addmoney.php which is
$mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
As your steamid field in your DB is a string (it seems to be, as possible values are STEAM_0:0:123123123 and STEAM_0:1:123123123), you must use quotes arround the value :
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'");
Using mysql_real_escape_string() is necessary, as it escapes quotes inside the variable you pass it as a parameter -- but you still have to put quotes arround the string, in your SQL queries.
In the first query you surrounded your $mysteamid value with simple quotes, and in the second query you didn't. If the steamid is a string type, you need to surround the value with quotes, like
"UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` =' $mysteamid'"