As a novice MySQL user I tried to insert, but I just read on the MySQL documentation that you can only insert on blank rows. My UPDATE statement needs work though, and I'm not sure that I have the syntax correct.
$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`="$office"";
offices is the table name. scash is the row to be updated. $total is a variable pulled from a post. $office is a variable pulled from the same database. I only want to set scash to total where the officename is $office.
Parse error: syntax error, unexpected T_VARIABLE is the error I'm getting.
$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
Replace the double quotes with normal quotes in the string since double quotes are string delimiters and can't be used in the string.
And as Marc B mentioned, your code might be vulnerable to SQL injection. See this post for how you can avoid that.
You are going wrong at quotes
$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
Also always use LIMIT 1 if you want to update just a single row...
And sanitize your inputs before updating your row, at least use mysqli_real_escape_string()
if you still want to use double quotes inside double quotes escape it..
your query can be modified as follows..
$query3 = "UPDATE `offices` SET `scash`=\"$total\" WHERE `officename`=\"$office\"";
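The quoting fix from the answers above, next to a parameterized version of the same UPDATE (an added example, not code from any of the posts). It assumes PDO with an in-memory SQLite database standing in for MySQL; the function names, table rows and input values are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// the table contents and the $office / $total values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE offices (officename TEXT PRIMARY KEY, scash INTEGER)");
$pdo->exec("INSERT INTO offices VALUES ('North', 10), ('O''Brien & Sons', 20)");

// The pattern from the thread: values pasted between quote characters.
function updateInterpolated(PDO $pdo, string $total, string $office): string
{
    $sql = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
    try {
        return 'rows changed: ' . $pdo->exec($sql);
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Hardened form: the statement text is fixed, values travel as parameters.
function updatePrepared(PDO $pdo, string $total, string $office): string
{
    // $total comes from a POST field, so require a plain integer first.
    $amount = filter_var($total, FILTER_VALIDATE_INT);
    if ($amount === false) {
        return 'rejected: total is not an integer';
    }
    $stmt = $pdo->prepare(
        'UPDATE `offices` SET `scash` = :total WHERE `officename` = :office'
    );
    $stmt->bindValue(':total', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':office', $office, PDO::PARAM_STR);
    $stmt->execute();
    return 'rows changed: ' . $stmt->rowCount();
}

$office = "O'Brien & Sons"; // a legitimate name that happens to contain a quote

// Interpolated: the apostrophe in the name closes the SQL string literal early.
echo updateInterpolated($pdo, '75', $office), PHP_EOL;
// Prepared: the same name is bound as data and never parsed as SQL.
echo updatePrepared($pdo, '75', $office), PHP_EOL;
// Prepared with a non-numeric total: stopped by validation before any query.
echo updatePrepared($pdo, 'seventy-five', $office), PHP_EOL;
```

With mysqli the same statement uses `?` placeholders and `bind_param()`, as in the `token=?` question further down this page.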
I fetch some values from a database and display them on some textfields. When I change one specific value and try to store it back to the database, it's done properly. But when I try to do the same with any other value from any other textfield, I get the error "syntax error at or near where". Any thoughts?
'UPDATE table1 SET "intcolumn"='. $value .', "stringcolumn"=\''. $value2.'\''.' WHERE "column2"='.$value3);
Update on intcolumn is done properly. On stringcolumn I get the error, even if I update only stringcolumn
Changing your apostrophes to quotes and putting your values inside delimiters will help readability.
This should make debugging easier, and easier to spot rather than having to escape characters etc.
pg_query($db, "UPDATE table1 SET intcolumn={$value}, stringcolumn='{$value2}' WHERE column2={$value3}");
A better approach would be to use pg_query_params and let postgres worry about escaping characters, and will stop injection attacks.
$params = array($value, $value2, $value3);
pg_query_params($db, "UPDATE table1 SET intcolumn=$1, stringcolumn=$2 WHERE column2=$3", $params);
Why this:
$query = "SET NAMES 'utf8'";
$query = str_replace("'", "\'", $query);
$pdo->query($query);
Would cause problem?
I'm currently getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'utf8\''
If I don't escape it, everything's fine, but the problem exists with further queries!
The sql you are trying to run is perfectly safe as is, it contains no user input and as such can be run without escaping.
Also you are actually escaping the delimiters of a string, not the value of the string itself.
You don't have to escape every single quote in a query, some are valid such as:
UPDATE table SET field='blah' WHERE id=10
Where field would be a varchar or similar. You would escape the quotes if they need to be part of the value of the field, such as:
UPDATE table SET field='This \'value\' uses quotes.' WHERE id=10
Hope that makes sense.
My code is
$user_query = '
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position",
WHERE
`username`=".$uname."';
$user_result = mysql_query($user_query, $connection);
confirm_query($user_result);
When I run this query it gives me an error:
Database query failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username=".$uname."' at line 7
Can any body help me resolve this error?
Your query is in single quotes, so the variables aren't parsed. As you can see in error, the string is literally
`username`=".$uname."
You need to either use double quotes around the entire thing, to parse variables correctly.
$user_query = "
UPDATE
users
SET
`password`='$password',
`email`='$email',
`position`='$position'
WHERE
`username`='$uname'";
Or correctly use the string concatenation operator, ..
$user_query = '
UPDATE
users
SET
`password`="'.$password.'",
`email`="'.$email.'",
`position`="'.$position.'"
WHERE
`username`="'.$uname.'"';
As others have noted, there's also an extra , after position="$position".
Remove the comma , before the WHERE clause
Just change quotes, and better escape data with DB driver funcs like mysql_real_escape_string()
Difference between quotes: https://stackoverflow.com/a/3446286/765634
Escaping: http://php.net/mysql_real_escape_string
Complete query:
$user_query = <<<SQL
UPDATE
users
SET
`password`="{$password}",
`email`="{$email}",
`position`="{$position}"
WHERE
`username`="{$uname}"
SQL;
There is a trailing comma between position="$position", and the where clause. Remove the comma just before the where clause.
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position"
WHERE
`username`=".$uname."';
You had a trailing , after position
You have an extra comma after position="$position". Remove that.
I am trying to update two columns without deleting the entire row. Here is what I am using:
$sql='update users set token='',timestamp='' where token=?';
$stmt=$db_con->stmt_init();
$stmt->prepare($sql_3);
$stmt->bind_param('s',$token);
$stmt->execute();
However, it gives me this error: T_CONSTANT_ENCAPSED_STRING. Now the query works fine when I use it through the MySQL CLI as update users set token='',timestamp='' where token='blahblah'; How can I get around this?
Use this
$sql="update users set token='',timestamp='' where token=?";
You can find more info here how to escape a string.
http://php.net/manual/en/language.types.string.php
you should be using.
$sql="update users set token='',timestamp='' where token=?";
notice the double quote (") on start and end of the string.
since you are using multiple single quotes in your string PHP does not understand this, and will throw an error. you need to tell php to escape the quote. you can do it in two ways.
1) By using PHP's \ escape character in front of the quote.
'update users set token=\'\',timestamp=\'\' where token=?';
2) use double quote for the string instead of single quote.
"update users set token='',timestamp='' where token=?";
both should work.
Here I would like to inform you that the query was in single quotes and you have used single quotes more than once in the query string. PHP will accept the string from the first quote to the next quote, that's why you are getting the error, but on the command line this does not generate an error
$sql='update users set token='',timestamp='' where token=?'; to
$sql="update users set token='',timestamp='' where token=?";
Been learning PHP for 3 weeks now and I find myself with a simple error that does not make sense:
I can't see what is wrong with this code.
Could someone please point me to why this is happening.
It's a simple insert and set SQL query which is like this:
code:
$insertresults = "UPDATE usage SET message='".$message."',islive='".$islive."' WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
the error i am getting is this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usage SET message='hello',islive='0' WHERE id=1' at line 1
as you can see, the variables are correct and to what i can see the sql string is correct also.
Thanks
Your table name, usage, is actually a reserved word in MySQL. You'll have to quote it with backticks:
UPDATE `usage` SET ...
$insertresults = "UPDATE usage SET message=$message,islive=$islive WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
You don't need to wrap the variables the way you did, give this a try :) Taking a look at that error shows you the extra ' surrounding the column names - you don't want that.
Try removing the quotes from $islive
Check whether you have a single quote in the variable values. It is always better to escape it before using in the sql statement
$message=addslashes($message);
$islive=addslashes($islive);
$insertresults = "UPDATE usage SET message='".$message."',islive='".$islive."' WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
Assuming both the columns are of varchar type
"UPDATE usage SET message='{$message}',islive='{$islive}' WHERE id=1" – Nick 21 mins ago
@Nick I still get the exact same error if I use braces and even if I do not use the ' on ints. The message is a message and the islive is either a 0 or a 1. – Robert 6 mins ago
@Robert, have you made sure $message and $islive have been properly escaped? Use: addslashes() or mysql_real_escape_string()
moved to answer (grew)