Hey guys, I'm trying to update my database using PHP and AJAX. The textboxes are dynamic, which is why I'm trying to update the database using multiple updates with one click of a button, but Firebug says: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= '100' WHERE student_id = '33' AND subject_id = '2' AND school_id = '1' AND adv' at line 1 ". I'm not too sure about my code because I'm just experimenting with how to do it in AJAX with PHP.
PHP:
session_start();
$school_id = $_SESSION['school_id'];
$faculty_id = $_SESSION['user_id_fac'];
$subject_id = $_POST['subject_id'];
$year_grade_level = $_POST['year_level'];
$subject_handeler_id = $_POST['subject_handler_id'];
$student_grades_boy = $_POST['student_grades_boy'];
$student_grades_girl = $_POST['student_grades_girl'];
$update_grades_boys = "UPDATE registrar_grade_archive SET";
//SET status = '0' WHERE subject_id = '$subject_id'"
$vaues_girl = array();
$values_boy = array();
foreach ($student_grades_boy as $key=>$data) {
$student_id_B= $data['studnt_B_id'];
$grade_B = $data['studnt_grade_B'];
$values_boy[$key] = 'grade = \''.$grade_B.'\' WHERE student_id = \''.$student_id_B.'\' AND subject_id = \''.$subject_id.'\' AND school_id = \''.$school_id.'\' AND advisor_faculty_id = \''.$faculty_id.'\' AND subject_handler_id = \''.$subject_handeler_id.'\' ' ;
}
$values_boy = implode(', ', $values_boy);
$ready_edit_grades_boy = $update_grades_boys . $values_boy;
$save_grades_boy = mysql_query($ready_edit_grades_boy) or die(mysql_error());
please help guys. thanks in advance
Some problems here:
if $student_grades_boy contains more than 1 item, your sql will have multiple WHERE statements (you can only have 1);
you need a space between SET and the column name;
you have a serious sql injection problem;
you should switch to PDO or mysqli as the mysql_ functions are deprecated.
It appears you have no space between SET and grade.
Adding a space here should do the trick:
$update_grades_boys = "UPDATE registrar_grade_archive SET ";
If this doesn't do it, it would help tremendously if you could post the result of echo $ready_edit_grades_boy; and update your question.
try
$update_grades_boys = "UPDATE registrar_grade_archive SET ";
One space is needed after SET..
You are not escaping vars, so it could be some ' or " in your values.
http://php.net/manual/en/mysqli.real-escape-string.php
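The answers above point at two separate problems: an UPDATE can carry only one WHERE clause, and the values are concatenated unescaped. The following is an added example, not code from the question or its answers, that prepares one UPDATE and executes it once per posted row inside a transaction. It assumes PDO, with an in-memory SQLite database standing in for the MySQL server so it runs offline; the function name updateGrades, the $scope array and the sample rows are constructed for illustration.

```php
<?php
// Added example: one prepared UPDATE reused for every posted row.
// Assumption: in-memory SQLite stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE registrar_grade_archive (
    student_id INTEGER, subject_id INTEGER, school_id INTEGER,
    advisor_faculty_id INTEGER, subject_handler_id INTEGER, grade TEXT)');
$pdo->exec("INSERT INTO registrar_grade_archive VALUES
    (33, 2, 1, 7, 9, '0'), (34, 2, 1, 7, 9, '0'), (35, 2, 1, 7, 9, '0')");

// Constructed stand-ins for the $_SESSION and $_POST values in the question.
$scope = [':subject_id' => 2, ':school_id' => 1, ':faculty_id' => 7, ':handler_id' => 9];
$student_grades_boy = [
    ['studnt_B_id' => '33', 'studnt_grade_B' => '100'],
    ['studnt_B_id' => '34', 'studnt_grade_B' => "9'5"], // stray quote, bound as data
];

function updateGrades(PDO $pdo, array $rows, array $scope): int
{
    // The SQL text is fixed; only the bound values change between executions.
    $stmt = $pdo->prepare(
        'UPDATE registrar_grade_archive SET grade = :grade
          WHERE student_id = :student_id AND subject_id = :subject_id
            AND school_id = :school_id AND advisor_faculty_id = :faculty_id
            AND subject_handler_id = :handler_id'
    );
    $updated = 0;
    $pdo->beginTransaction();
    try {
        foreach ($rows as $row) {
            $stmt->execute($scope + [
                ':grade'      => $row['studnt_grade_B'],
                ':student_id' => $row['studnt_B_id'],
            ]);
            $updated += $stmt->rowCount();
        }
        $pdo->commit(); // all rows are saved together
    } catch (Throwable $e) {
        $pdo->rollBack(); // a failure on any row leaves the table unchanged
        throw $e;
    }
    return $updated;
}

echo updateGrades($pdo, $student_grades_boy, $scope), " row(s) updated\n";
foreach ($pdo->query('SELECT student_id, grade FROM registrar_grade_archive') as $r) {
    echo $r['student_id'], ' => ', $r['grade'], "\n";
}
```

Against MySQL only the DSN passed to the PDO constructor changes; the prepared statement and the loop stay the same.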
if (isset($_POST['update'])) {
$column=(isset( $_POST['column']));
$type= (isset($_POST['type']));
$value= (isset($_POST['value']));
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
The update query is not working. I am not getting what the solution is. Please help me to overcome this problem.
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 'column = '', type = '' ,value ='' WHERE id = '20'' at line 1
The isset() method returns a boolean value; change it like this:
$column = isset( $_POST['column']) ? $_POST['column']:"";
Same for others
Modify your code as follows:
if (isset($_POST['update'])) {
$column = $_POST['column'];
$type = $_POST['type'];
$value = $_POST['value'];
mysql_query("UPDATE `combo1` SET column = '$column', type = '$type' ,value ='$value' WHERE id = '$id'");
}
If you remove the isset() method (refer to this link if you want more about the isset() method) as I have given above, the texts inside $column, $type and $value are substituted directly into the update string.
Update string does not contain any syntax errors in this case. Refer to this link if you want more information.
I also recommend you read up on SQL injection, as this sort of parameter passing is prone to hacking attempts if you do not sanitize the data being used:
MySQL - SQL Injection Prevention
The error message has virtually nothing to do with the 'version'. It is a syntax error complaining about "column". That word is a reserved word. Since you seem to have called the column column, put backticks around it, just as you did for the tablename.
mysqli_query($link,"UPDATE `combo1` SET `column`='$column',type = '$type',value='$value' WHERE id ='$id'")
or die(mysqli_error($link));
This question already has answers here:
Can a table field contain a hyphen?
(2 answers)
Closed 6 years ago.
The error is:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '360-16s (pa_name, hd1, hd1_c, sf2, sf2_c, cc3, cc3_c, l4, l4_c, dsd5, dsd5_c, mt' at line 1
The script is:
<?php
include("../Includes/e360Vars.php");
include("../Includes/dbOpen1.php");
$pa_name = mysql_real_escape_string($_POST['pa_name']);
$hd1 = mysql_real_escape_string($_POST['hd1']);
$hd1_c = mysql_real_escape_string($_POST['hd1_c']);
$sf2 = mysql_real_escape_string($_POST['sf2']);
$sf2_c = mysql_real_escape_string($_POST['sf2_c']);
$cc3 = mysql_real_escape_string($_POST['cc3']);
$cc3_c = mysql_real_escape_string($_POST['cc3_c']);
$l4 = mysql_real_escape_string($_POST['l4']);
$l4_c = mysql_real_escape_string($_POST['l4_c']);
$dsd5 = mysql_real_escape_string($_POST['dsd5']);
$dsd5_c = mysql_real_escape_string($_POST['dsd5_c']);
$mt6 = mysql_real_escape_string($_POST['mt6']);
$mt6_c = mysql_real_escape_string($_POST['mt6_c']);
$p_p7 = mysql_real_escape_string($_POST['p_p7']);
$p_p7_c = mysql_real_escape_string($_POST['p_p7_c']);
$ip8 = mysql_real_escape_string($_POST['ip8']);
$ip8_c = mysql_real_escape_string($_POST['ip8_c']);
$m_i9 = mysql_real_escape_string($_POST['m_i9']);
$m_i9_c = mysql_real_escape_string($_POST['m_i9_c']);
$act10 = mysql_real_escape_string($_POST['act10']);
$act10_c = mysql_real_escape_string($_POST['act10_c']);
$gf11 = mysql_real_escape_string($_POST['gf11']);
$gf11_c = mysql_real_escape_string($_POST['gf11_c']);
$i12 = mysql_real_escape_string($_POST['i12']);
$i12_c = mysql_real_escape_string($_POST['i12_c']);
$isp13 = mysql_real_escape_string($_POST['isp13']);
$isp13_c = mysql_real_escape_string($_POST['isp13_c']);
$se14 = mysql_real_escape_string($_POST['se14']);
$se14_c = mysql_real_escape_string($_POST['se14_c']);
$br15 = mysql_real_escape_string($_POST['br15']);
$br15_c = mysql_real_escape_string($_POST['br15_c']);
$paos16 = mysql_real_escape_string($_POST['paos16']);
$paos16_c = mysql_real_escape_string($_POST['paos16_c']);
$sob17 = mysql_real_escape_string($_POST['sob17']);
$sob17_c = mysql_real_escape_string($_POST['sob17_c']);
$cs18 = mysql_real_escape_string($_POST['cs18']);
$cs18_c = mysql_real_escape_string($_POST['cs18_c']);
$ms19 = mysql_real_escape_string($_POST['ms19']);
$ms19_c = mysql_real_escape_string($_POST['ms19_c']);
$ate20 = mysql_real_escape_string($_POST['ate20']);
$ate20_c = mysql_real_escape_string($_POST['ate20_c']);
$sywtww21 = mysql_real_escape_string($_POST['sywtww21']);
$sywtww21_c = mysql_real_escape_string($_POST['sywtww21_c']);
$name2 = mysql_real_escape_string($_POST['Name2']);
$position = mysql_real_escape_string($_POST['Position']);
$sql = "INSERT INTO 360-16s (pa_name, hd1, hd1_c, sf2, sf2_c, cc3, cc3_c, l4, l4_c, dsd5, dsd5_c, mt6, mt6_c, p_p7, p_p7_c ,ip8, ip8_c, m_i9,
m_i9_c, atc10, atc10_c, gf11, gf11_c, i12, i12_c, isp13, isp13_c, se14, se14_c, br15, br15_c,paos16, paos16_c, sob17, sob17_c, cs18, cs18_c,
ms19, ms19_c, ate20, ate20_c, sywtww21, sywtww21_c, name2, position) VALUES ('$pa_name', '$hd1', '$hd1_c', '$sf2', '$sf2_c', '$cc3', '$cc3_c',
'$l4', '$l4_c', '$dsd5', '$dsd5_c', '$mt6', '$mt6_c', '$p_p7', '$p_p7_c', '$ip8', '$ip8_c', '$m_i9', '$m_i9_c', '$atc10', '$atc10_c', '$gf11',
'$gf11_c', '$i12', '$i12_c','$isp13', '$isp13_c', '$se14', '$se14_c', '$br15', '$br15_c', '$paos16', '$paos16_c', '$sob17', '$cs18', '$cs18_c',
'$ms19', '$ms19_c', '$ate20', '$sywtww21', '$sywtww21_c', '$name2', '$position')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
I have been unable to locate the problem area, so another set of eyes would help. And yes, I have attempted to use mysqli instead of MySQL however, this produces a different set of errors.
Any assistance would be appreciated.
Check your table name convention it must be like 360_16s
Read the naming convention, http://dev.mysql.com/doc/refman/5.7/en/identifiers.html.
Check your table name or try to rename from 360-16s to 360_16s then escape it 360_16s and also escape your mysql field
If you want to use the Table Name "360-16s" then you should escape the attribute name with ` characters
The Character - is an invalid Character for the Table Name, unless you escape it.
I suggest you wrap all columns and table names in these characters.
Example:
$sql = "INSERT INTO `360-16s` (`pa_name`, `hd1`...
I have a record that needs to be updated. If the update is successful, then it should insert a record into three different tables. I did it with the code below, but one of the tables (tab_loan_targetsave) is not inserting. I need a third eye to look into this, as I have had a lot of pain in fathoming where the problem lies.
Please, I need assistance. Also, I welcome a better approach if possible.
<?php
if(isset($_POST["savebtn"])){
$custNo = $_POST["custid"];
$transDate = $_POST["transDate"];
$grpid = $_POST["custgrp"];
$contAmount =$_POST["amtCont"];
$amount = $_POST["amount"];
$disAmount =$_POST["disbAmt"];
$savAmount =$_POST["savAmt"];
$intAmount =$_POST["intAmt"];
$postedBy = $_SESSION["staffid"];
//$preApproved =$_POST["preAmount"];
$loanRef = $_POST["refid"];
$st = "Approved";
$appDate = date("Y-m-d H:i:s");
$appBy = $_SESSION['staffid'];
$counter = 1;
$locate = $_SESSION['location'];
$insure = $_POST["insuAmt"];
$dis = $_POST["DisAmt"];
$update = mysqli_query($connection,"UPDATE tab_loan_request SET approval_status='$st',approvalDate='$appDate',approvedBy='$appBy',loanRef='$loanRef' WHERE custid='$custNo' AND RepayStatus='1'");
if($update && mysqli_affected_rows($connection)>0){
$insertTar = mysqli_query($connection,"INSERT INTO tab_loan_targetsave(custid,grpid,transactionDate,loanRef,savingAmt,status,postedBy,location,appStatus)
VALUES('$custNo','$grpid','$transDate','$loanRef,'$savAmount','Cr','$postedBy','$locate','1')");
$insertInt = mysqli_query($connection,"INSERT INTO tab_loan_interest(custid,requestAmt,transactionDate,interestFees,postedBy,loanRef,InsuranceFees,DisasterFees)VALUES(
'$custNo','$amount','$transDate','$intAmount','$postedBy','$loanRef','$insure','$dis')");
//if($insertInt){
//}if($insertTar){
$insertSav = mysqli_query($connection,"INSERT INTO tab_loan_saving(custid,grpid,transactionDate,loanRef,loanAmount,savingAmt,status,postedBy,location,appStatus)
VALUES('$custNo','$grpid','$transDate','$loanRef','$amount','0','Cr','$postedBy','$locate','1')");
}//first if
if($insertSav){
echo "<span style='font-weight:bold;color:red;'>"." Application Approval is successful!"."</span>";
}else{
//Unable to save
echo "<span style='font-weight:bold;color:black;>"."Error! Application Approval not Successful!"."</span>";
}
}else{
$custid = "";$saving=0.00;$st="";
$transDate = "";
$grpid = "";
$amount = "";
$postedBy = "";$loanRef="";
}
?>
"#Fred: See the error generated when i used mysqli_error($connection). Could you please interprete this: ErrorMessage: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1000.00','Cr','SPL002','Ojo','1')' at line 2 – Dave"
Seeing the error generated by the suggestion I've given you to check for errors.
You're missing a quote here '$loanRef
in your query:
VALUES('$custNo','$grpid','$transDate','$loanRef , '$savAmount'...
^ right there
I suggest to escape all of your incoming data.
I.e.:
$var = mysqli_real_escape_string($connection, $_POST['var']);
and apply that same logic to all your POST arrays.
Plus, as I stated; make sure you started the session, since there is no mention of that in your question and session_start(); wasn't included in your posted code.
The session needs to be started inside all pages using sessions.
Using a prepared statement is better.
http://php.net/manual/en/mysqli.prepare.php
http://php.net/manual/en/pdo.prepared-statements.php
which is what you really should be using.
Additional references:
http://php.net/manual/en/mysqli.error.php
http://php.net/manual/en/function.error-reporting
Also make sure there aren't any constraints in your table(s).
Dude make sure you properly escape your variables http://php.net/manual/en/mysqli.prepare.php
I would check the table name! Make sure it is case sensitive. Also, just wondering if you could do something to your database design? It seems a lot of duplicate data is going into your tables. Think about a better way to organise and store that data.
I got where the error is emanating from. Just because I forgot to add a single quote to one of the values, i.e. missing the quote near $loanRef. No closing string. Anyway, I was able to detect that through the error message stated parameter as advised by Fred and Mark. Correct
$insertTar = mysqli_query($connection,"INSERT INTO tab_loan_targetsave(custid,grpid,transactionDate,loanRef,savingAmt,status,postedBy,location,appStatus)
VALUES('$custNo','$grpid','$transDate','$loanRef','$savAmount','Cr','$postedBy','$locate','1')");
Thank you all.
I've tried this query with both commas and "AND" statements as pictured below. I get a syntax error
Something went wrong.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'are available 24/7 by phone and email to answer any questions and to assist you ' at line 1
every time I try this query:
$sql = mysql_query("UPDATE general
SET bookabandheading = $_POST[bookabandheading
AND bookaband = $_POST[bookaband]
AND contactus = $_POST[contactus]
AND aboutuslisten = $_POST[aboutuslisten]
AND contactusheading = $_POST[contactusheading]
AND nightclubsheading = $_POST[nightclubsheading]
AND acousticheading = $_POST[acousticheading]
AND schoolsheading = $_POST[schoolsheading]
AND privateheading = $_POST[privateheading]
AND concertsheading = $_POST[concertsheading]
AND festivalsheading = $_POST[festivalsheading]
AND submissions = $_POST[submissions]
AND interns = $_POST[interns]
AND managementbio = $_POST[managementbio]
AND latestnews = $_POST[latestnews]
AND artistofthemonth = $_POST[artistofthemonth]
AND artistofthemonthphoto = $_POST[artistofthemonthphoto]
AND artistofthemonthid = $_POST[artistofthemonthid]
AND listentoourartists = $_POST[listentoourartists]
AND musicianswanted = $_POST[musicianswanted]
AND aboutus = $_POST[aboutus]
AND bshowcases = $_POST[bshowcases]
AND bandavails = $_POST[bandavails]");
The query worked in a different database on another VPS, but I just migrated servers and it no longer works. Any help is greatly appreciated!
While the main problem is that you missed the closing bracket after bookabandheading, I would still like to advise you to refactor this request, for example like this:
$keys = array("bookabandheading", "bookaband", "contactus", "aboutuslisten",
"contactusheading", "nightclubsheading", "acousticheading",
"schoolsheading", "privateheading", "concertsheading",
"festivalsheading", "submissions", "interns", "managementbio",
"latestnews", "artistofthemonth", "artistofthemonthphoto",
"artistofthemonthid", "listentoourartists", "musicianswanted",
"aboutus", "bshowcases", "bandavails");
$set = array();
foreach ($keys as $key) {
// mysql_real_escape_string() escapes according to the connection's character set
$set[] = sprintf(" %s = '%s' ", $key, mysql_real_escape_string($_POST[$key]));
}
$sql = mysql_query("UPDATE general SET " . implode(", ", $set));
It is much easier to maintain and also a bit more secure by escaping the input.
Update: add where statement example
$where = array();
$where[] = sprintf(" some_string = '%s' ", mysql_real_escape_string($some_string));
$where[] = sprintf(" some_integer = %d ", $some_integer);
$where = " WHERE " . implode(" AND ", $where);
$sql = mysql_query("UPDATE general SET " . implode(", ", $set) . " " . $where);
I see 3 things wrong with this:
Raw POST data in your query - at the very least use mysql_real_escape_string
The parameters look like strings so should have quotes around them
There's no WHERE option, so you'll update every row in that table
You have a few errors:
Syntax error. Change
$_POST[bookabandheading to $_POST[bookabandheading]
This is also incredibly prone to SQL injections. You should be using mysqli, but if you are set on mysql (which is deprecated as of 5.5.0), you should escape each $_POST variable using mysql_real_escape_string().
Each $_POST variable needs to be parameterized using quotes as well. So, an example:
$_POST['bookabandheading'] (do this for all $_POST variables)
$_POST[bookabandheading
change to
$_POST[bookabandheading]
I am working on a website where an administrator can edit a schedule that they already created. They can click on any item on the schedule to edit it. For example, they can click on the shift start time and then it directs them to a page where they can update the value.
Unfortunately, I have not been able to get this to work for every value. It seems to be that the text values are working just fine, but I am getting a syntax error when it is a number.
Here is what I am using to update:
$type = $_GET['type'];
$value = $_GET['value'];
$week = $_GET['week'];
$newval = $_POST['newval'];
if(strlen($newval) > 0)
{
include '../dbinfo.php';
$type = $mysqli->real_escape_string($_POST['type']);
$week = $mysqli->real_escape_string($_POST['week']);
$tablename = $mysqli->real_escape_string("cs" . $_SESSION['squadron']);
$newval = $mysqli->real_escape_string($newval);
if((is_numeric($newval)))
{
$sql = "UPDATE $tablename SET $type=$newval WHERE week=$week";
}
else
{
$sql = "UPDATE $tablename SET $type='$newval' WHERE week=$week";
}
if($result = $mysqli->query($sql))
{
echo "Your specififed changed was completed successfully!<br>";
echo "<a href='edit.php?week=" . $week . "'>Continue editing</a>";
}
else
{
echo mysqli_error($result);
}
}
Changing a string results in the sql statement:
UPDATE cs14 SET shift_1_name='Test' WHERE week=1 (this works)
Changing a number results in the sql statement:
UPDATE cs14 SET shift_ 1_starttime=940 WHERE week=1 (this doesn't work)
It is giving me the MySQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1_starttime=940 WHERE week=1' at line 1
I have already researched this error, and I have checked the syntax over and over again. It doesn't work in phpmyadmin either. I have no idea what to check next!
Can anyone help me out with my syntax here??? Thanks!
At the numeric update query put quotes around,
$sql = "UPDATE $tablename SET $type='$newval' WHERE week='$week'";
The $type variable contains a space. Remove the space from it.
More specifically, "shift_ 1_starttime" contains a space. Wherever you're setting $type to "shift_ 1_starttime", remove the space from it. Or, if that's how it is defined in the database, surround it with backticks `
$sql = "UPDATE $tablename SET `$type`='$newval' WHERE week=$week";
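Escaping functions and bound parameters protect values only. A column or table name that arrives from the request, as $type does here and as the $keys list does in the earlier refactoring answer, has to be checked against a fixed list before it is placed in the SQL text. The following is an added example, not code from any of the posts. It assumes PDO with an in-memory SQLite database standing in for MySQL; ALLOWED_TABLES, EDITABLE_COLUMNS, quoteIdentifier and updateScheduleValue are hypothetical names, and the sample row is constructed.

```php
<?php
// Added example: identifiers come from an allow-list, values are bound.
// ALLOWED_TABLES and EDITABLE_COLUMNS are assumed lists for the schedule table.
const ALLOWED_TABLES   = ['cs14'];
const EDITABLE_COLUMNS = ['shift_1_name', 'shift_1_starttime'];

function quoteIdentifier(string $name, array $allowed): string
{
    // Strict comparison: anything not on the list never reaches the SQL text.
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Identifier not allowed: '$name'");
    }
    // Backticks also keep reserved words such as `column` usable as names.
    return '`' . str_replace('`', '``', $name) . '`';
}

function updateScheduleValue(PDO $pdo, string $table, string $column,
                             string $newval, int $week): int
{
    $sql = sprintf(
        'UPDATE %s SET %s = :newval WHERE week = :week',
        quoteIdentifier($table, ALLOWED_TABLES),
        quoteIdentifier($column, EDITABLE_COLUMNS)
    );
    $stmt = $pdo->prepare($sql);
    // Numbers and strings are bound the same way, so no is_numeric() branch is needed.
    $stmt->execute([':newval' => $newval, ':week' => $week]);
    return $stmt->rowCount();
}

// Assumption: in-memory SQLite stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cs14 (week INTEGER, shift_1_name TEXT, shift_1_starttime INTEGER)');
$pdo->exec("INSERT INTO cs14 VALUES (1, 'Old', 900)"); // constructed sample row

echo updateScheduleValue($pdo, 'cs14', 'shift_1_starttime', '940', 1), " row(s)\n";
echo updateScheduleValue($pdo, 'cs14', 'shift_1_name', 'Test', 1), " row(s)\n";

try {
    // The column name with the stray space from the question is rejected
    // before any SQL is built.
    updateScheduleValue($pdo, 'cs14', 'shift_ 1_starttime', '940', 1);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```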