So, I am doing a bunch of things parsing an XML from 1 server, writing stuff into another server and then updating the mssql db! The whole process appeared to run smoothly until I ran the script from the terminal for the sake of FUN!
When I run it from the terminal, it throws in a bunch of warnings like:
PHP Warning: mssql_query(): message: Incorrect syntax near 's'. (severity 15) in
/Volumes/Data/Users/username/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): General SQL Server error: Check messages from the SQL
Server (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): message: Unclosed quotation mark after the character
string ';'. (severity 15) in /Volumes/Data/Users/username/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): General SQL Server error: Check messages from the SQL
Server (severity 15) in /Volumes/Data/Users/pdwivedi/Desktop/createXML.php on line 375
PHP Warning: mssql_query(): Query failed in /Volumes/Data/Users/username/Desktop
/createXML.php on line 375
Here is line 375:
$query = mssql_query("UPDATE table_name SET C_ITP_STATUS = '".$ITP_Status."',
C_ITP_ERRORS = '". $ITP_Error ."' WHERE id = '".$ID."';");
The funny thing is that the query executes and I have an updated DB. But, it still shows these warnings when run from terminal. And I WANT TO get rid of them!
I MUST user MS SQL!!
Have tried looking around for solutions, but people hardly use MS SQL with mySQL being so much better (at least in terms of being widely used). Any help?
FUNNY THING: When I ONLY connect to the DB and perform this query in a new php script, it works fine and there are no warnings. Not sure why its like this!
RESOLVED:
I didnt care to test my input parameters (pretty lame) in to the string BECAUSE I was super confident about what I was doing! ALWAYS ESCAPE SPECIAL CHARS no matter how confident you are (just shouting out loud)!!
It sounds to me like one of your input strings might contain a quote, and this is messing up the query. Your errors also indicate this. You should always treat all possible user input as tainted, and make it a habit to sanitize them every time, even if you don't think you need to.
I created a new php script and hard coded the 3 parameters and the query runs fine!
This also leads me to believe that there is a quote or special character somewhere in your variables that is messing up the query. You would want to use mysql_real_escape_string() to correct this.
$ITP_Status = mysql_real_escape_string($ITP_Status);
$ITP_Error = mysql_real_escape_string($ITP_Error);
$ID = mysql_real_escape_string($ID);
$query = mssql_query("UPDATE table_name SET C_ITP_STATUS = '".$ITP_Status."', C_ITP_ERRORS = '". $ITP_Error ."' WHERE id = '".$ID."';");
It should also be noted that you are using the old MySQL functions. The new MySQLi functions are the replacement, and what you should be using at a bare minimum.
You mention MS SQL. If you plan on using that, you cannot use the MySQLi functions. In that case it is recommended that you use the PDO interface, which will work for both MySQL and MS SQL. Many recommend PDO over MySQLi even if you are only using MySQL.
Related
The error is shown on this line :
$query1="UPDATE `users`
SET password=''.md5(md5(mysqli_insert_id($link).$pass)).''
WHERE id=''.mysqli_insert_id($link).'' ";
Error is as follows :
Recoverable fatal error: Object of class mysqli could not be converted to string
in /home/vhosts/nagarajhegde41.freevar.com/DiaryHome.php on line 30
You're relying in string parsing to execute code inside text but you didn't get the syntax right. My advice is that you don't even try. Packing code in strings is inconvenient to say the least. Just see how easy it gets with regular code statements:
$query1 = 'UPDATE users
SET password = ?
WHERE id = ?';
$params1 = [
md5(md5(mysqli_insert_id($link).$pass)),
mysqli_insert_id($link),
];
This way you get for free:
Simpler syntax.
Readable code.
Proper syntax highlighting and code completion in all PHP editors (even free ones).
Proper error reporting, with useful line number information.
Protection against SQL injection.
P.S. You might want to check Password Hashing Functions.
I recently switched from windows (movamp) to linux (lamp), and i have an issue (syntax error) with a query and i can't figure out why.
Here is the query and the error msg I get:
"SELECT * FROM products WHERE trash='false'"
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'false\'' at line 1SELECT * FROM products WHERE trash='false'
I always wrote my queries with that syntax, and i never had problems.
I used to run my code on windows (php 4.1.22 mysql 5.2.11) and used mysql_query() function, and the code worked just fine.
Now I use(php 7.0.8 - mysql 5.7.16) and use mysqli_query() function to execute queries
Your syntax error shows some bogus backslashes that are not present in the query, as if you are actually running this:
SELECT * FROM products WHERE trash=\'false\'
Not having even a full PHP statement to inspect we can only speculate, and my guess is that —since you are upgrading from a really ancient PHP version— you might be facing some issues with magic quotes. That "feature" no longer exists so nothing in the server can be injecting backslashes automatically so it must be your code the one that's intentionally doing it.
Said that, PHP/4 was superseded by PHP/5 in 2004 (that's like 12 years) and a lot has changed on the way to PHP/7: migration is going to be harder than just dropping the code in the new server.
Try removing the single quotes , or try reversing the single and double quotes . IF nothing works use a variable with false value.
"SELECT * FROM `products` WHERE `trash` ='false'"
try this (though your case should also work)
also try to remove the double quotes if you are trying to run SQL query in PHPMYadmin or likes.
I would like to thank you all for your answers and your comments. You helped me figure out what the problem was : the entire query string was beeing escaped instead of only the data tha needed to ne escaped.
I feel dumb 😁 . This was obvious.
Anyway. Thank you a lot for your contibution.
I'm having a problem when trying to add a URL to a mySQL database.
The string is a URL:
http://pbs.twimg.com/profile_images/1708867059/405000_10150426314376065_707061064_8645107_703731598_n_normal.jpg
The error I get is:
Error description: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://pbs.twimg.com/profile_images/1708867059/405000_10150426314376065_707061064_86' at line 1
It seems as though it won't allow me to add a URL, I presume there is something wrong with some of the characters but I don't know what?
My SQL is:
INSERT INTO accounts (name,consumerkey,consumersecret,pic_url) VALUES ($twitterID,$consumerkey,$consumersecret,$picture_url)"
You cannot truly solve this kind of problem by adding a few characters (like ' or ") to your bespoke sql string!
Instead, get to know the real way to write sql in php (it's like a very badly kept secret), which is to use PDO statements. This will allow you to use placehoders like (:twitterID, :consumerKey, :consumerSecret, :pictureUrl) which will accept complex variables such as urls and any of the crap users send in much more gracefully.
In the long run, this will save you a lot of trouble and time.
You need to quote string values and any other character that SQL will complain about, in this case it's the colon; see further down below.
($twitterID,$consumerkey,$consumersecret,'$picture_url')
or
('".$twitterID."','".$consumerkey."','".$consumersecret."','".$picture_url."')
if you wish to quote all the values.
Sidenote: You can remove the quotes around the variables that are integers.
I.e.:
This based on, and without seeing how the rest of your code looks like:
$picture_url = "http://pbs.twimg.com/profile_images/1708867059/405000_10150426314376065_707061064_8645107_703731598_n_normal.jpg";
The error states that it is near : - near being just that, the colon.
...right syntax to use near '://pbs.twimg.com
^ right there
You can also use:
VALUES ($twitterID, $consumerkey, $consumersecret, '" .$dbcon->real_escape_string($picture_url) . "')";
$dbcon is an example of a DB connection variable and based on mysqli_ syntax.
Something you haven't stated as to which MySQL API you are using.
Plus, your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements.
I am trying to bind parameters to an UPDATE statement using ODBC in PHP but the SQL statement is failing and I cannot for the life of me work out why. I've tried Googling but there seems to be very little info regarding using ODBC with PHP as opposed to the likes of MySQLi and PDO.
Most examples I've found with parameter binding use a SELECT statement but as far as I can tell that shouldn't make a difference. The closest answer I've found was here on stackoverflow. As far as I can see they are doing what I'm doing but I keep getting an error. Here is my code:
$updQuery = "UPDATE Demographic SET dmg_FirstName=? WHERE dmg_ID=?";
$update = odbc_prepare($connect, $updQuery);
$fname = $_POST['firstname'];
$pID = 145100007;
$updResult = odbc_execute($update, array($fname, $pID)) or die (odbc_errormsg());
Here's the error I keep getting on the above code:
Warning: odbc_execute(): SQL error: [Microsoft][ODBC Driver Manager] SQL data type out of range, SQL state S1004 in SQLBindParameter in C:\xampp\htdocs\work\ajaxdd.php on line 44
The code works when I remove the parameter binding so if worst comes to the worst I can try to sanitise the data as best I can but that's obviously not preferable.
This probably means that you're trying to insert an ID that is higher than that integer column allows. Try verifying if this is the case first. What is the type of dmg_ID? 145100007 is a rather high number so I suspect this might be the culprit.
I have no idea about PHP security, but if I add an ' to the input in my POST method form.
I'm getting the following message:
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /usr/local/www/login.php
Is that a SQL injection? If so, how it can be abused by the "hackers" ?
That means you're vulnerable to SQL injection, and your code is not doing sufficient checking for errors.
An absolute barebones "safe" bit of code would be:
<?php
... connect to db ...
$stringval = mysql_real_escape_string($_GET['param']);
$sql = "SELECT somefield FROM sometable WHERE otherfield='$stringval'";
$result = mysql_query($sql) or die(mysql_error());
better yet is to stop using the mysql functions and switch to PDO and parameterized queries. They handle the injection problems for you automatically.
The root cause of your error message is that your query has caused a syntax error. When a query fails outright like that, mysql_query() returns a boolean FALSE value, not a statement handle.
Since you lack any kind of error checking, you blindly took that boolean false and passed it on to the fetch function, which has rightfully complained that you didn't provide a result handle.
You should escape any user input before passing it to mysql. Use the PHP function mysql_real_escape_string() to escape any user input before adding it to your query. Here is the link to PHP manual for mysql_real_escape_string()
Update: Yes, what others are saying about using prepared statements or mysqli is much better that using the mysql extension.
Here are a few links on MySQL Injection which I found:
http://www.php.net/manual/en/security.database.sql-injection.php
http://25yearsofprogramming.com/blog/2011/20110205.htm
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet