If I try this, it doesn't work:
<?php
include ($_SERVER['DOCUMENT_ROOT'] . '/contact/config.inc.php');
$hash = hash('md5', $_POST["password"]);
$connection = mysql_connect($host, $user, $password);
mysql_select_db($database, $connection);
mysql_query("UPDATE data
SET password=" . $hash .
"WHERE id=" . $_POST["id"]);
mysql_close($connection);
?>
The data just won't show up in the database. I tried setting the hash and id to a fixed value, still didn't work. I am sure the database connection works, as it works in other scripts. And all variables show up correctly when I echo them.
I'm new to PHP and MySQL.
Try adding quotes surrounding the values,
mysql_query("UPDATE data SET password='" . $hash . "' WHERE id='" . $_POST["id"] . "'") ;
Note: Mysql extensions are deprecated. Please use Mysqli_* or PDO extensions.
The reason why, is because you are escaping your query incorrectly, you are missing the quotes around your variables.
Change this:
mysql_query("UPDATE data
SET password=" . $hash .
"WHERE id=" . $_POST["id"]);
To This:
mysql_query("UPDATE data
SET password='" . $hash .
"' WHERE id='" . $_POST["id"] ."'");
and whilst typing this, I noticed you did not go back into your query to close your escape.
Notice I have added quotes and went back into the query to close the quotes.
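The answers above recommend mysqli or PDO; the following added example (not code from the question or either answer) performs the same UPDATE with a PDO prepared statement, so the values never become part of the SQL text. It assumes the pdo_sqlite driver and uses an in-memory SQLite table with constructed rows in place of the MySQL connection, and it swaps the question's md5 for password_hash().

```php
<?php
// Added example, not code from the question or the answers above.
// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite);
// with MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // errors throw instead of failing silently

$pdo->exec('CREATE TABLE data (id INTEGER PRIMARY KEY, password TEXT)');
$pdo->exec("INSERT INTO data (id, password) VALUES (1, 'old-1'), (2, 'old-2')");

// Update one row's password hash and return the number of rows changed.
function update_password(PDO $pdo, $rawId, string $plainPassword): int
{
    // Validate the id as an integer before it gets near the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // password_hash() replaces the unsalted md5 from the question (a swapped-in choice).
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);

    // Placeholders keep the values out of the SQL text, so no manual quoting is needed.
    $stmt = $pdo->prepare('UPDATE data SET password = :hash WHERE id = :id');
    $stmt->execute([':hash' => $hash, ':id' => $id]);
    return $stmt->rowCount();
}

// Constructed inputs standing in for $_POST["id"] and $_POST["password"].
echo update_password($pdo, '2', 'correct horse battery staple'), " row(s) updated\n";

try {
    // A non-numeric id is rejected before any query is built.
    update_password($pdo, "2' OR '1'='1", 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Check that row 1 is untouched and row 2 verifies against the new password.
$rows = $pdo->query('SELECT id, password FROM data ORDER BY id')->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($rows[1] === 'old-1', password_verify('correct horse battery staple', $rows[2]));
```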
Related
I'm making a website to connect to MySQL, but I've this function to update a SQL column in php:
<?php
function insert_db($table, $id, $value, $id2, $value2){
$con = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database);
if ($db_found){
mysql_query(" UPDATE ".$table." SET ".$id."='".$value."' WHERE ".$id2." = '".$value2."'); //this doesn't work!
mysql_close($con);
}
else {
print "Database not found!";
mysql_close($con);
}
}
?>
But this function doesn't work! Please help me! And is there a better way of doing this instead of "mysql_query()"?
You can kinda answer your own question looking at the StackOverflow syntax highlights. You're missing a closing quote in the SQL statement. As for a better way, I always put my SQL into a variable first. It helps catch these kinds of things. Also, you're not sanitizing anything here in your function. I hope you're doing something elsewhere to prevent SQL injection.
I would NOT create your DB connection inside a function. You're creating a connection, executing ONE query, and then closing it. That's a lot of overhead for one function. I would pass your connection into your function and use it like that.
function insert_db($con, $table, $id, $value, $id2, $value2){
$sql = "UPDATE " . $table . "
SET " . $id . "='" . $value . "'
WHERE " . $id2 . " = '".$value2."'";
mysqli_query($con, $sql);
}
You are missing a closing quote " at the end of your mysql_query().
Your variables $server, $user_name, $password and $database do not exist inside your function. If you set them outside the function you have to import them with global $server, $user_name, $password, $database before you can use them.
The mysql_* functions are becoming deprecated. Don't write new code with them, use mysqli_* or PDO objects.
It is showing a parsing error on line 17. I have thoroughly checked it but am unable to find the error. So how do I fix this error? It is insert_city_query.php
<?php
include('../../Connections/autodealers.php');
//error_reporting(0);
$cityname=$_POST['cityname'];
$cityorder=$_POST['cityorder'];
$status=$_POST['status'];
if($status=="Enabled")
$status=1;
else
$status=0;
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
(
'" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
echo $query;
$result=mysql_query($query);
if(!$result)
{
die ('ERROR: '.mysql_error());
header("Location: " .$base_url. "admin/city_insert.php" );//if query fails
}
else
{
header("Location: " .$base_url. "admin/cities.php" );//if query suceeds
}
mysql_close($autodealers);
?>
Change your query to,
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
('" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='" . strtolower($_REQUEST['cityname']) . "')";
Note: Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
Warning: The query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it.
How to prevent SQL injection in PHP?
You do not use strtolower() as a function.
You should change this line:
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
to
WHERE LCASE='".strtolower($_REQUEST['cityname'])."')";
I am fetching some strings from Facebook, but I don't know which encoding the strings are in. I need to convert this string into UTF-8 before inserting it into a database table. Getting this error message.
Here is my php code.
$email = (isset($this->_userinfo['email']) ? $this->_userinfo['email'] : '');
$fname = $this->_userinfo['first_name'];
$lname = $this->_userinfo['last_name'];
$name = $this->_userinfo['name'];
$sql = 'INSERT INTO users '
. '(fbid, fbuid, fullname, userlevel, email, name, sirname) '
. 'VALUES("'
. $this->_fbid . '","'
. $fbuid . '","'
. $name . '","'
. $userlevel . '","'
. $email . '","'
. $fname . '","'
. $lname . '")';
Did you try this code?
mysql_query('set names utf8');
You might want to take a look at this question:
Detect encoding and make everything UTF-8
especially the second answer by Sebastian Grinoli
He wrote a class (and offers the link to it) which would correctly encode Windows Extended ASCII to UTF8 and also correct UTF8 if necessary.
A really handy tool to have when you are in the UTF8 land :)
Take a look at utf8_encode to do this for you. Keep in mind this will only work if your data is actually UTF-8 encoded. Unfortunately there is no way to just look at the string and see what encoding it's using.
For me the following code works:
$mysqli = mysqli_connect( ... );
mysqli_query( $mysqli, 'SET NAMES "utf8" COLLATE "utf8_general_ci"' );
or just:
mysqli_set_charset( $mysqli, 'utf8' );
Regards, good luck!
I have my code below to update my MySQL database. It's running but is not updating the database when I check the records using phpMyAdmin. Please help me.
$database = "carzilla";
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$manufacturerTable = $_POST[vehicleManufacturer];
$numberToSearch = $_POST[vehicleIdNo];
$engineType = $_POST[engineType];
$engineCC = $_POST[engineCC];
$year = $_POST[year];
$numberofDoors = $_POST[numberofDoors];
$tireSize = $_POST[tireSize];
$chasisNumber = $_POST[chasisNumber];
$vehicleMake = $_POST[vehicleMake];
$price=$_POST[price];
mysql_select_db("$database", $con);
$sql = mysql_query("UPDATE $manufacturerTable SET username='vehicleMake',
engineType='$engineType', engineCC='$engineCC', year='$year', chasisNo='$chasisNumber', numberOfDoors='$numberofDoors' ,numberOfDoors='$numberofDoors', tireSize='$tireSize', price='$price' WHERE `index` ='$id'");
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo 'record has been successfuly';
mysql_close($con);
?>
Take a good look at your query. You are referring to PHP variables in several different fashions in the same statement. In the query $manufacturerTable is just $manufacturerTable, you encase a few others in single quotes, some of which you remove the $ from, others you do not. I know I preach this far too often, but you should really look into using prepared statements. They take all the guess work out of using variables in your queries, and they prevent you from being victimized by injection hacks. But the short answer here is that you are not referencing your variables correctly in the query.
Sometimes putting the variables directly in the syntax can cause issues. Have you tried to use concatenation for the query?
$query = "UPDATE ".$manufacturerTable." SET username='vehicleMake', engineType='".$engineType."', engineCC='".$engineCC."', year='".$year."', chasisNo='".$chasisNumber."', numberOfDoors='".$numberofDoors."' ,numberOfDoors='".$numberofDoors."', tireSize='".$tireSize."', price='".$price."' WHERE `index` =".$id;
$sql = mysql_query($query); # this should be put in the if else
If index is number based you do not need the '' surrounding it. Plus, is username='vehicleMake' or is it a variable? If it is a variable, add the $ or use concatenation like the rest. Your SQL check should be something like the following.
if (mysql_query($query))
{
echo 'record has been successfuly';
} else {
die('Error: ' . mysql_error() . ' | ' . $query);
}
The reason you export the query is so you can try it manually to make sure it works and see what error you may be getting. phpMySQL can show a different error than the mysql_error() at times.
Plus you should be escaping all input that is user entered using mysql_escape_string() or mysql_real_escape_string().
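Both this UPDATE and the earlier insert_db() function take the table name (and, in insert_db(), the column names) from outside the query. Placeholders in a prepared statement bind values only, not identifiers. The added example below (not code from any of the posts) therefore takes identifiers from a fixed allow-list and binds the values; the table, columns and UPDATABLE constant are constructed for illustration, and in-memory SQLite (pdo_sqlite) stands in for MySQL.

```php
<?php
// Added example, not code from the posts above. Table and column names are
// constructed; in-memory SQLite (needs pdo_sqlite) stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE toyota (id INTEGER PRIMARY KEY, engineType TEXT, price INTEGER)');
$pdo->exec("INSERT INTO toyota (id, engineType, price) VALUES (1, 'petrol', 9000)");

// Hypothetical allow-list: the only tables and columns the form may change.
const UPDATABLE = ['toyota' => ['engineType', 'price']];

// Identifiers are taken from UPDATABLE, never from the request; values are bound.
function update_row(PDO $pdo, string $table, array $fields, $rawId): int
{
    if (!array_key_exists($table, UPDATABLE)) {
        throw new InvalidArgumentException('unknown table');
    }
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $set = [];
    $params = [':id' => $id];
    foreach (UPDATABLE[$table] as $column) { // walk the allow-list, not the input
        if (array_key_exists($column, $fields)) {
            $set[] = "$column = :$column";
            $params[":$column"] = $fields[$column];
        }
    }
    if ($set === []) {
        throw new InvalidArgumentException('nothing to update');
    }
    $sql = "UPDATE $table SET " . implode(', ', $set) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed stand-ins for $_POST; the extra "id" field is ignored.
$post = ['engineType' => 'diesel', 'price' => '9500', 'id' => '99'];
echo update_row($pdo, 'toyota', $post, '1'), " row(s) updated\n";

try {
    update_row($pdo, 'users', $post, '1'); // not on the allow-list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```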
I seem to be missing something quite fundamental here and yet my code doesn't seem to be any different to any of the numerous online tutorials that I have looked at.
What I would like is for someone to look at this and say....Oh you have forgotten to...etc;
This is what I have on a separate update page which is intended to perform the update then cycle back to the main admin page:
require_once('../Connections/MyConn.php');
$sql_statement = "UPDATE skyscrapers SET ";
$sql_image = "Ad_image = '" . $_REQUEST['image'] . "', ";
$sql_expire = "Ad_Expires = '" . $_REQUEST['expire'] . "'";
$result = mysql_query($sql_statement . $sql_image . $sql_expire . " WHERE Ad_ID=" . $_REQUEST['ADID']);
if (!$result) {
echo("<p>Error performing query: " . mysql_error() . "</p>");
exit();
}
mysql_close ($MyConn);
header("location:Admin_skyscrapers.php");
However when I run this I get the following error:-
"Error performing query: No database selected"
Well, haven't I selected the database in the connection script which already works everywhere else?
I realise the code isn't very pretty and I am being naughty using the url to pass variables at the moment - I do promise to change this when I get it to work :)
So, any pointers would be helpful, thanks in advance.
Edit to add...
This is the connection script with the sensitive stuff redacted:-
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_MyConn = "*************.co.uk";
$database_MyConn = "db**********";
$username_MyConn = "dbo*********";
$password_MyConn = "*****";
$MyConn = mysql_pconnect($hostname_MyConn, $username_MyConn, $password_MyConn) or trigger_error(mysql_error(),E_USER_ERROR);
This may or may not be declared in your MyConn.php but all you need is a line:
mysql_select_db($db_name);
Where $db_name is the name of your database.
This should come before you attempt to execute the query.
For DB select you have to add mysql_select_db(DatabaseName); or
$dbconn=mysql_select_db($dbname,$MyConn); in MyConn.php
To update the database you have to use the connection variable which is in MyConn.php, i.e. $MyConn, as follows
$result = mysql_query($sql_statement . $sql_image . $sql_expire . " WHERE Ad_ID=" . $_REQUEST['ADID'],$MyConn);
or
$result = mysql_query($sql_statement . $sql_image . $sql_expire . " WHERE Ad_ID=" . $_REQUEST['ADID'],$dbconn);
respectively
Hope It Helps!!!!!!!