Why this:
$query = "SET NAMES 'utf8'";
$query = str_replace("'", "\'", $query);
$pdo->query($query);
Would cause problem?
I'm currently getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'utf8\''
If I don't escape it, everything's fine, but the problem exists with further queries!
The sql you are trying to run is perfectly safe as is, it contains no user input and as such can be run without escaping.
Also you are actually escaping the delimiters of a string, not the value of the string itself.
You don't have to escape every single quote in a query, some are valid such as:
UPDATE table SET field='blah' WHERE id=10
Where field would be a varchar or similar. You would escape the quotes if they need to be part of the value of the field, such as:
UPDATE table SET field='This \'value\' uses quotes.' WHERE id=10
Hope that makes sense.
Related
Long story short, I'm trying to write a PHP code that will parse a text file into MySQL queries. Everything works fine except for the queries, which consist of UPDATE statements.
The entire code is kinda long, but if you want to see it - http://pastebin.com/xVR6ArD0
Here is just the part which is problematic :
while ($i<=$no_collumns)
{
$j = $i-1;
if (!
mysql_query
("UPDATE ResultsPredmet
SET ${parsed_collumns[$i]} = '${parsed_words[$j]}'
WHERE ${parsed_first_collumn} LIKE '${parsed_first_word}'")
)
{echo mysql_error()."\n"; break;}
// echo "\nUPDATE ResultsPredmet SET ${parsed_collumns[$i]} = '${parsed_words[$j]}' WHERE ${parsed_first_collumn} LIKE \"${parsed_first_word}\"";
$i++;
}
... where $parsed_collumns and $parsed_words are arrays of strings and $parsed_first_collumn and $parsed_first_word are strings.
I tried all combinations of quotes and escapes for the variables. I tried putting them in double quotes and escaping them, or double quotes and concatenating them, then maybe i thought it was the fact that I was comparing strings via the '=' operator so i tried with 'LIKE'. I googled for several hours and everywhere people said to use single quotation marks for variables so I tried that too and it didn't work.
In the end I echoed the queries and I get:
UPDATE ResultsPredmet SET grade = '10' WHERE name LIKE "Vildur"
UPDATE ResultsPredmet SET index = '117/2010' WHERE name LIKE "Vildur"
Updating table.
UPDATE ResultsPredmet SET grade = '6' WHERE name LIKE "NinoDoko"
UPDATE ResultsPredmet SET index = '132/2011' WHERE name LIKE "NinoDoko"
Updating table.
UPDATE ResultsPredmet SET grade = '10' WHERE name LIKE "Koco"
UPDATE ResultsPredmet SET index = '130/2011' WHERE name LIKE "Koco"
Done.
Which seem fairly fine to me. Other queries I got were the same only with the names with single quotes around them, or with no quotes or any other combinations.
The errors I get are :
Updating table.
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'index = '117/2010' WHERE name LIKE 'Vildur'' at line 1
Updating table.
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'index = '132/2011' WHERE name LIKE 'NinoDoko'' at line 1
Updating table.
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'index = '130/2011' WHERE name LIKE 'Koco'' at line 1
Apparently, the server that I'm using is MariaDB 5.5, but after a bit of research I figured it would be similar to just generic MySQL, though I might be completely off. The "Updating table." is just a random echo in my code. I've also tried the query without indenting it, still got the same errors. The values I get for grade and index are strings - or at least I hope so, since I'm getting them with explode().
index is a reserved word
UPDATE ResultsPredmet SET `index` = '10' WHERE name LIKE 'Vildur'
http://dev.mysql.com/doc/refman/4.1/en/reserved-words.html
As a novice MySQL user I tried to insert, but I just read on the MySQL documentation that you can only insert on blank rows. My UPDATE statement needs work though, and I'm not sure that I have the syntax correct.
$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`="$office"";
offices is the table name. scash is the row to be updated. $total is a variable pulled from a post. $office is a variable pulled from the same database. I only want to set scash to total where the officename is $office.
Parse error: syntax error, unexpected T_VARIABLE is the error I'm getting.
$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
Replace the double quotes with normal quotes in the string since double quotes are string delimiters and can't be used in the string.
And as Marc B mentioned your code might be vurnerable for SQL injections. See this post how you can avoid that.
You are going wrong at quotes
$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`='$office'";
Also always use LIMIT 1 if you want to update just a single row...
And sanitize your inputs before updating your row, atleast use mysqli_real_escape_string()
if you still want to use double quotes inside double quotes escape it..
your query can be modified as follows..
$query3 = "UPDATE `offices` SET `scash`=\"$total\" WHERE `officename`=\"$office\"";
My code is
$user_query = '
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position",
WHERE
`username`=".$uname."';
$user_result = mysql_query($user_query, $connection);
confirm_query($user_result);
When I run this query it gives me an error:
Database query failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username=".$uname."' at line 7
Can any body help me resolve this error?
Your query is in single quotes, so the variables aren't parsed. As you can see in error, the string is literally
`username`=".$uname."
You need to either use double quotes around the enitre thing, to parse variables correctly.
$user_query = "
UPDATE
users
SET
`password`='$password',
`email`='$email',
`position`='$position'
WHERE
`username`='$uname'";
Or correctly use the string concatanation operator, ..
$user_query = '
UPDATE
users
SET
`password`="'.$password.'",
`email`="'.$email.'",
`position`="'.$position.'"
WHERE
`username`="'.$uname.'"';
As others have noted, there's also an extra , after postion="$position".
Remove the comma , before the WHERE clause
Just change quotes, and better escape data with DB driver funcs like mysql_real_escape_string()
Difference between quotes: https://stackoverflow.com/a/3446286/765634
Escaping: http://php.net/mysql_real_escape_string
Complete query:
$user_query = <<<SQL
UPDATE
users
SET
`password`="{$password}",
`email`="{$email}",
`position`="{$position}",
WHERE
`username`="{$uname}"
SQL;
There is a trailing comma between position="$position", and the where clause. Remove the comma just before the where clause.
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position"
WHERE
`username`=".$uname."';
You had a trailing , after position
You have an extra comma after position="$position". Remove that.
Effectively, what I am attempting to do is enter a string similar to this string
into MySQL (it's one line, made into two for readability)
fill:#0000ff;fill-rule:evenodd;stroke:#000000;stroke-width:1px;
stroke-linecap:butt;stroke- linejoin:miter;stroke-opacity:1
MySQL allows me to INSERT the string into the field using phpMyAdmin and phpMyAdmin adds the field as (again one line, made into two for readability):
('fill:#0000ff;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-
linecap:butt;stroke-linejoin:miter;stroke-opacity:1'' in ''field list')
With my PHP code I attempted to add the in field list part to my code as follows
$rectangle_array[$rstyle] = $rectangle_array[$rstyle] . "' in ''field list'";
$mysql_rectangle_table_entry = "INSERT INTO $mysql_table VALUES
($rectangle_array[$rstyle], 'rect',
$rectangle_array[$rid], $rectangle_array[$rwidth],
$rectangle_array[$rheight], $rectangle_array[$rx],
$rectangle_array[$ry])";
$run = mysql_query($mysql_rectangle_table_entry) or die(mysql_error());
And upon running the code I receive the following error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':#0000ff;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;s' at line 1
What can I do to make this work?
As noted in the comments…
You could use mysql_real_escape_string() to escape any MySQL special characters before insertion.
For example:
$sql = "INSERT INTO my_table (string_column) VALUES ('" . mysql_real_escape_string($string) . "')";
Another option is to use Prepared Statements with PHP's MySQLi or PDO.
You might want to have a look either at prepared statements or mysql_real_escape_string to escape special characters that might break your INSERT.
I am coming across a problem when deleting data from my SQL data. I have tried various versions of my statement but to no avail. Below is the error I am presented with and the statement I am using.
$sql = "DELETE FROM `saved_holidays` WHERE (subscriberID= $user AND title= $check_value)";
//connect to database then execute the SQL statement.
$db->exec($sql);
and the error message is:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '#xml119.com AND
title= Luxurious Jamaican holidays | 40% Discount On Accommodati' at
line 1
I can see that the correct data is being passed but the syntax is wrong. Can anyone help?
$check_value is a string, so you have to enclose it in ' in your query like this:
title = '$check_value'
For security purposes, you should also use mysql_real_escape_string on all string parameters you have. Or even better, use prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
You need to put quotations around your variables. It doesn't like spaces.
Depending on the server you are using (MySQL or MSSQL) you have to use backticks, single quotes, or double quotes:
DELETE FROM saved_holidays WHERE (subscriberID="$user" AND title="$check_value")
Also, if you are using PDOs, you should consider using prepared statements:
$statment = $conn->prepare("DELETE FORM saved_holidays WHERE (subscriberID=? AND title=?)"); //$conn has to be your connection ceated by doing new PDO(...connection string...)
$statment->execute(array($user, $check_value));
Amit is correct your statement should look like this;
$sql = "DELETE FROM `saved_holidays` WHERE (subscriberID= '$user' AND title= '$check_value')";
the variable is a string so must be enclosed in single quotes.
This should then work for you.