This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 8 years ago.
A MySQL query that I am running is throwing up the following error
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'desc = 'Enter Description Here'' at line 2
The desc is a variable '$desc' the error suggests that there is an extra ' before desc but there is nothing in the code (below) if I remove desc altogether it works fine (obviously not updating that part) its very strange, your help is greatly appreciated :-)
The code is
//Get the form data
$title = $_POST['title'];
$keywords = $_POST['keywords'];
$desc = $_POST['desc'];
//initialise connection with databse
require_once('../Connections/EliteGrooming.php');
mysql_select_db($database_EliteGrooming, $EliteGrooming);
//Execute the query
mysql_real_escape_string($title, $keywords, $desc);
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', desc = '$desc';";
mysql_query($query) or die(mysql_error());
mysql_close();
header('Location: ../admin/site-settings.php?updated');
desc is a reserved keyword, you must escaped it with backtick
$query = "
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";
but your query is vulnerable with SQL Injection, please read the article below,
How can I prevent SQL injection in PHP?
You need to escape reserved words in MySQL like desc with backticks
UPDATE site_settings
SET site_title = '$title', keywords = '$keywords', `desc` = '$desc';";
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 8 years ago.
Ignoring the fact that concatenating user input into SQL strings is possibly the worst thing you can do in terms of avoiding SQL injection (this is not for a production site), what is wrong with the following SQL?
"SELECT '_id', 'email', 'password', 'salt', 'banned', 'ban_reason' FROM 'tbl_users' WHERE 'email'='" . $email . "' LIMIT 1";
I'm getting the error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'_id\', \'email\', \'password\', \'salt\', \'banned\', \'ban_reason\' FROM \'tb' at line 1
I'm using mysqli_real_escape_string() on it right before running the query, hence the backslashes.
I also tried enclosing everything in backticks, but the error changed then to unknown column.
Exactly where it says. "near '\'_id\'"
You use `backticks` to surround column and table names. Not 'single quotes'.
You should be escaping your variables you're inserting, not your query, and using backticks around field names
$sql = "SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM `tbl_users` WHERE `email`='" . mysqli_real_escape_string($email) . "' LIMIT 1";
"SELECT `_id`, `email`, `password`, `salt`, `banned`, `ban_reason` FROM tbl_users WHERE `email`='" . $email . "' LIMIT 1"
You should use ` instead of ' when selecting fields.
Came across an error i have never seen before after writing the following code:
$query= "UPDATE `Pharm_Log` SET `text` = ". $bloodtest . " WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
My error message was this
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'Pressure Test: 235/43 WHERE id = 1' at line 1"
Any one have any idea on how to fix this? would be greatly appreciated
the string literal (value of $bloodtest) must be wrap with single quotes,
$query= "UPDATE `Pharm_Log` SET `text` = '". $bloodtest . "' WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.
How to prevent SQL injection in PHP?
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How do I handle single quotes inside a SQL query in PHP?
Greeting ,
I have a small script which is used for applications and it saves questions answer into the database. The script is given below:
while(list($QKey,$QVal) = each($AppQuestions)) {
$result2= mysql_query("
INSERT INTO forum_app_answers (AID, AppID, Question, Answer)".
" VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')"
) or die(mysql_error());
Now the problem is that if someone write ' character in the answer , the data doesnt get saved. For simple writing its okay . The problem is only if the answer contains ' in it. any help will be highly appreciated tx
The following error occures:
You Have An Error In Your SQL Syntax; Check The Manual That Corresponds To Your MySQL Server Version For The Right Syntax To Use Near 's GF. Channel Services')' At Line 1
Use prepared statements. Look up PDO and use prepared statements.
mysql_ is deprecated.
After connecting with $dbh = new PDO(),
$sql = 'sql';
$stmt = $dbh->prepare($sql);
$stmt->execute($params);
do the following:
$QVal = $mysqli->real_escape_string($QVal);
$query = "INSERT INTO forum_app_answers (AID, AppID, Question, Answer)
VALUES (NULL, '$AppID', '$Questions[$QKey]', '$QVal')";
// $mysqli is previously defined
$mysqli->query($query);
if ($mysqli->errno !=0){
printf("you have an error in your query %s", $mysqli->error);
}
You may try:
while(list($QKey,$QVal) = each($AppQuestions)) {
$result2= mysql_query("
INSERT INTO forum_app_answers
(AID, AppID, Question, Answer)". "
VALUES (
NULL,
'$AppID',
'$Questions[$QKey]',
'". mysql_real_escape_string($QVal). "')
") or die(mysql_error());
Without mysql_real_escape_string() your script also has huge security issues.
I'm creating and then editing a row in a table, however my edit mysql query in php is giving me an error that I can't figure out. Any help?
The creation query:
$query = "INSERT INTO timelines (
id, event_name, event_date, date_created, attendee_count, attendee_names, maximum_attendees, creator_id, creator_name, price, thumbnail
) VALUES (
'{$timelineID}', '{$event_name}', '{$event_date}', '{$date_created}', '{$attendee_count}', '{$attendee_names}', '{$maximum_attendees}', '{$creator_id}', '{$creator_name}', '{$price}', '{$thumbnail}'
)";
The edit query:
$query = "UPDATE timelines SET
event_name = '{$event_name}',
event_date = '{$event_date}',
maximum_attendees = '{$maximum_attendees}',
price = '{$price}',
thumbnail = '{$thumbnail}',
WHERE id = {$timelineID}";
Error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'WHERE id =' at line 8
you have an extra comma before the WHERE clause. just remove it and it will work fine.
thumbnail = '{$thumbnail}',
^ here
WHERE ...
final query,
$query = "UPDATE timelines SET
event_name = '{$event_name}',
event_date = '{$event_date}',
maximum_attendees = '{$maximum_attendees}',
price = '{$price}',
thumbnail = '{$thumbnail}'
WHERE id = {$timelineID}";
Your query is vulnerable with SQL INJECTION, please read the article below to learn how to protect from it.
How can I prevent SQL injection in PHP?
I have this query:
$FullName = mysql_real_escape_string($_REQUEST['name']);
$EmailAdd = mysql_real_escape_string($_REQUEST['email_address']);
$City = mysql_real_escape_string($_REQUEST['city']);
$State = mysql_real_escape_string($_REQUEST['state']);
$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM 'td_events' where event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
$RsEmail = mysql_query($SqlEInsert) or die('Error :' . mysql_error());
but I'm getting the following error when I run the application
Error :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''td_events' where event_id = '394'),'email#hotmail.com','Full Name', 'Atl' at line 1
You don't need ' for the table name when you want to use quotes then you have to use `
$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
And please take a look at SQL Injections and Security
$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '".(int)$EvID."'),'".mysql_real_escape_string($EmailAdd)."','".mysql_real_escape_string($FullName)."', '".mysql_real_escape_string($City)."' ,'".mysql_real_escape_string($State)."')";
The td_event is a field name rather than a value. Escape it with an apostrophe.
$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM `td_events` where event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
Make sure your values are escaped. You can run them through: mysql_real_escape_string() to do so.