Possible duplicate of: MySQL - when to use single quotes, double quotes, and backticks? (closed 10 years ago)
I have this piece of code that I can't get to work properly.
require_once("../Packages/Connection.php");
$text = mysql_real_escape_string($_POST["articleText"]);
$method = $_POST['method'];
$articleId = $_POST['articleId'];
if($method == "update")
{
mysql_query("UPDATE Articles SET 'text'='".$text."' WHERE 'id'='".$articleId."'") or die(mysql_error());
}
It is annoying me so much.
This is the error I get: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''text'='tester2' WHERE 'id'='29'' at line 1...
Thanks in advance
Why do you have 'text' in your SQL...
It should simply be text as is, and that's all (same thing for id):
mysql_query("UPDATE Articles SET text = '".$text."' WHERE id='".$articleId."'") or die(mysql_error());
What you might have confused the "'" with is the backtick, "`", which escapes characters and is good for reserved keywords...
mysql_query("UPDATE Articles SET text='".$text."' WHERE id='".$articleId."'") or die(mysql_error());
try
mysql_query("UPDATE Articles SET `text`='".$text."' WHERE `id`='".$articleId."'")
First build the query, then execute it:
$sql = "UPDATE Articles SET 'text'='".$text."' WHERE 'id'='".$articleId."'";
$r = mysql_query($sql);
if (!$r) {
echo "Query: ", $sql, "\n";
echo "Error: ", mysql_error();
die();
}
This will allow you to better review what exactly you've sent to the database, so that you can actually check the syntax, as the error message suggested.
You should use this (the interpolated values still need single quotes around them, since they are string literals in the SQL):
mysql_query("UPDATE Articles SET text='{$text}' WHERE id='{$articleId}'") or die(mysql_error());
Duplicate of: mysqli insert error incorrect syntax (closed 3 years ago)
I am trying to do a small project. My task is to create an update form with HTML and PHP. But I am getting the error given below:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's standard dummy text ever since the 1500s, when an unknown printer.' , exp_time' at line 1
I am using Laragon for PHP and HeidiSQL 9.5 for the MySQL server.
My database connection is okay. I can fetch data from the database using a SELECT query in the same file. I think something is wrong in my code. So please help me; the code is given below:
<?php
require('auth.php');
require('db.php');
$id=$_REQUEST['id'];
$query = "SELECT * FROM experience where expid='".$id."'";
$result = mysqli_query($con,$query) or die ( mysqli_error($con));
$row = mysqli_fetch_assoc($result);
$status = "";
if(isset($_POST['new']) && $_POST['new']==1)
{
$exp_title = $_REQUEST['exp_title'];
$exp_description = $_REQUEST['exp_description'];
$exp_time = $_REQUEST['exp_time'];
$update="UPDATE experience SET exp_title='".$exp_title."' , exp_description='".$exp_description."' , exp_time='".$exp_time."'
WHERE expid='".$id."'";
mysqli_query($con, $update) or die ( mysqli_error($con));
$status = "Record Updated Successfully. </br></br>
<a href='dashboard.php'>View Updated Record</a>";
echo '<p style="color:#FF0000;">'.$status.'</p>';
}else {
?>
You need to escape the single quotes using PHP's str_replace, e.g.:
$exp_title = str_replace("'", "\'", $_REQUEST['exp_title']);
$exp_description = str_replace("'", "\'", $_REQUEST['exp_description']);
$exp_time = $_REQUEST['exp_time'];
$update="UPDATE experience SET exp_title='".$exp_title."' , exp_description='".$exp_description."' , exp_time='".$exp_time."'
WHERE expid='".$id."'";
However, you should really, really use prepared statements instead of concatenating strings and escaping characters, e.g.:
$exp_title = $_REQUEST['exp_title'];
$exp_description = $_REQUEST['exp_description'];
$exp_time = $_REQUEST['exp_time'];
// $con is the mysqli connection opened in db.php; each ? is a bound value, never part of the SQL text
$stmt = $con->prepare("UPDATE experience SET exp_title = ?, exp_description = ?, exp_time = ? WHERE expid = ?");
// one type letter per parameter: s = string, i = integer (expid is assumed to be an integer column)
$stmt->bind_param("sssi", $exp_title, $exp_description, $exp_time, $id);
$stmt->execute();
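The same kind of UPDATE written out as a complete mysqli prepared statement, as an added example that is not from any question or answer on this page. It uses the `Articles` table from the first thread (the approach is identical for `experience`), and assumes `$con` is an open mysqli connection and that `Articles` has string columns `text` and `title` and an integer `id`.

```php
<?php
// Added example: values are bound parameters, so a quote inside $text cannot
// end the SQL string; identifiers are wrapped in backticks, never in single
// quotes. $con is assumed to be an open mysqli connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function updateArticleText(mysqli $con, int $articleId, string $text): int
{
    // Backticks quote the identifiers `text` and `id`; each ? marks a value.
    $stmt = $con->prepare('UPDATE `Articles` SET `text` = ? WHERE `id` = ?');
    $stmt->bind_param('si', $text, $articleId); // s = string, i = integer
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Column names cannot be bound as parameters, so a column chosen at run time
// (for example from a form field) must be checked against a fixed allow-list
// before it is placed inside the backticks.
function updateArticleColumn(mysqli $con, int $articleId, string $column, string $value): int
{
    $allowed = ['text', 'title']; // assumed column names
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unknown column: $column");
    }
    $sql = sprintf('UPDATE `Articles` SET `%s` = ? WHERE `id` = ?', $column);
    $stmt = $con->prepare($sql);
    $stmt->bind_param('si', $value, $articleId);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Usage with the request fields from the first question (method check kept).
if (($_POST['method'] ?? '') === 'update') {
    $rows = updateArticleText($con, (int) $_POST['articleId'], $_POST['articleText']);
    echo $rows . " row(s) updated";
}
```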
Duplicate of: When to use single quotes, double quotes, and backticks in MySQL (closed 5 years ago)
I feel nothing is wrong with the query I have. I do not understand why I am getting the error.
I already tried removing the single quotes from the query, but it's still the same.
Here's my code.
ERROR
Couldn't enter data: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Hills, price='393787', sqmw='218', sqml='218', sqm='47524', income='3773773' at line 1
UPDATED thanks
PHP CODE MYSQL
require 'connection.php';
$conn = Connect();
$id= $conn->real_escape_string($_POST['id']);
$descr= $conn->real_escape_string($_POST['descr']);
$price= $conn->real_escape_string($_POST['price']);
$sqmw= $conn->real_escape_string($_POST['sqmw']);
$sqml= $conn->real_escape_string($_POST['sqml']);
$sqm = $sqmw * $sqml;
$income= $conn->real_escape_string($_POST['income']);
$statuss= $conn->real_escape_string($_POST['statuss']);
$query = " UPDATE wentwrong SET descr='$descr',
price='$price',
sqmw='$sqmw',
sqml='$sqml',
sqm='$sqm',
income='$income',
statuss='$statuss'
WHERE id='$id' ";
$success = $conn->query($query);
if (!$success) {
die("Couldn't enter data: ".$conn->error);
}
echo '<script language="javascript">';
echo 'alert("Edit Successfully!")';
echo '</script>';
echo '<script language="javascript">';
echo 'window.location.href = "http://google.com"';
echo '</script>';
$conn->close();
?>
You're missing quotes around a constant. Where you have
$query = " UPDATE wentwrong SET descr=$descr, /*wrong*/
you should have
$query = " UPDATE wentwrong SET descr='$descr',
The tricks to troubleshooting this kind of thing:
Read error messages carefully. Then read them again.
Believe the error messages. You're working with systems that have been around for a couple of decades. They aren't throwing random bogus errors any more.
In the case of MySQL's syntax error message, it shows you the erroneous query, starting with the first character it could not understand.
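A small helper that applies this advice mechanically, added here as an example that is not from the answer above: it pulls the "near '...'" fragment out of a MySQL syntax error, finds it in the query that was sent, and marks the position where the parser gave up. The sample query and error text are the ones from the first thread on this page, embedded as constructed input.

```php
<?php
// Added example: locate where MySQL stopped parsing. The "near '<fragment>'"
// part of the error is the query text starting at the first character the
// parser could not understand, so finding it in the sent SQL gives the
// exact offset of the mistake.
function locateSqlError(string $sql, string $error): ?array
{
    // The fragment is wrapped in single quotes and may itself contain quotes,
    // so anchor on the closing "' at line N" rather than on the first quote.
    if (!preg_match("/near '(.*)' at line (\\d+)/s", $error, $m)) {
        return null; // not a "near ..." syntax error
    }
    $fragment = $m[1];
    $pos = strpos($sql, $fragment); // MySQL may truncate the fragment; a prefix still matches
    if ($pos === false) {
        return null; // error text does not belong to this query
    }
    return ['offset' => $pos, 'fragment' => $fragment, 'line' => (int) $m[2]];
}

function markSqlError(string $sql, string $error): string
{
    $hit = locateSqlError($sql, $error);
    if ($hit === null) {
        return $sql;
    }
    return $sql . "\n" . str_repeat(' ', $hit['offset']) . '^ parse error starts here';
}

// Constructed sample: the query and error message from the first thread.
$sql = "UPDATE Articles SET 'text'='tester2' WHERE 'id'='29'";
$err = "You have an error in your SQL syntax; check the manual that corresponds "
     . "to your MySQL server version for the right syntax to use near "
     . "''text'='tester2' WHERE 'id'='29'' at line 1";
echo markSqlError($sql, $err), "\n";
// The caret lands on the opening quote of 'text': the single quotes turned
// the column name into a string literal, which is not valid after SET.
```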
My test code is:
<?php
$connessione = mysql_connect("***", "***", "***");
mysql_select_db("***", $connessione);
$risultato = mysql_query("SELECT * FROM servem_vote", $connessione);
if(mysql_query("INSERT INTO servem_vote (uid,lastvote) VALUES ($uid,now()) ON DUPLICATE KEY UPDATE lastvote=now();
")) {
header('location:/home.php'); }
else {
echo "Error: " . mysql_error(); }
mysql_close($con);
?>
Error: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'now()) ON DUPLICATE KEY UPDATE lastvote=now()' at line 1
DB:
http://prntscr.com/ef7544
Where am I going wrong?
You are missing $uid in the code you shared. You don't set that value anywhere but you attempt to use it as part of your INSERT query.
If it's coming from form data, grab it from $_REQUEST superglobal variable before attempting to use it:
$uid = $_REQUEST['uid'];
If it's NOT an integer in the MySQL table, you need to wrap it in single quotes as part of your statement.
INSERT INTO servem_vote (uid,lastvote) VALUES ('$uid',now())
ON DUPLICATE KEY UPDATE lastvote=now();
I don't know what purpose this line serves:
$risultato = mysql_query("SELECT * FROM servem_vote", $connessione);
You don't seem to do anything with the result set from this query.
MOST IMPORTANTLY: As many others have commented you need to be sanitizing your data and you should be relying on PDO or mysqli* functions to safely interact with your database. See answers here
Duplicate of: How can I prevent SQL injection in PHP? (closed 7 years ago)
I want to insert some lines of text (a paragraph) coming from a Wikipedia page into the database, but MySQL shows this error when I try to insert the data into the DB:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's capital." Can anyone help me fix this problem?
Here is what I have done so far...
<?php
$loc=$_POST["new"];
$url1 ="https://en.wikipedia.org/w/api.php?format=json&action=query&prop=extracts&exintro=&explaintext=&titles=".$loc;
$opf = file_get_contents($url1);
$data = json_decode($opf, true);
$titles = array();
foreach ($data['query']['pages'] as $page) {
$des = $page['extract'];
}
$con = mysql_connect("localhost","root","");
if (!$con) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("location", $con);
$url = "http://upload.wikimedia.org/wikipedia";
echo $sql="INSERT INTO `search`(`id`, `name`, `text`) VALUES ('$loc', '$des');";
mysql_query($sql) or die(mysql_error());
echo "1 record added";
mysql_close($con);
?>
Ideally you should escape data before entering it into a database. The problem you have is that the apostrophe is ending the SQL query at '$loc', so the query actually reads:
... VALUES ('Giant's Capital',
Syntax highlighting should indicate why that's a problem :)
Use something like: mysql_real_escape_string() to escape your $_POST data before inputting.
$loc = mysql_real_escape_string($_POST['new']);
Doesn't explain why it should work
You have 3 fields and 2 values.
doesn't fix their error
Yes, it does.
uses obsolete code, and is wide open to SQL injections
It isn't my code. I am adapting the OP's code, I am not trying to write it from scratch. Also, I guess, you forgot to mention that the mysql functions have been deprecated since 5.5.
Further, although the fact that the code is SQL injectable is good to mention it does not in my opinion constitute an actual answer. It's a comment at best. ie. "hey btw did you know you misspelled a word?" or some such. An editorial nitpick. If questions are going to be closed as duplicates of SQL injection questions then 80% of the questions here would have to be closed as dupes.
If the OP wants to know about SQL injection, please refer to this site.
Oh, btw, this is the code:
<?php
$loc=$_POST["new"];
$url1 ="https://en.wikipedia.org/w/api.php?format=json&action=query&prop=extracts&exintro=&explaintext=&titles=".$loc;
$opf = file_get_contents($url1);
$data = json_decode($opf, true);
$titles = array();
foreach ($data['query']['pages'] as $page) {
$des = $page['extract'];
}
$con = mysql_connect("localhost","root","");
if (!$con) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("location", $con);
$url = "http://upload.wikimedia.org/wikipedia";
echo $sql="INSERT INTO `search`(`name`, `text`) VALUES ('$loc', '$des');";
mysql_query($sql) or die(mysql_error());
echo "1 record added";
mysql_close($con);
?>
I'm a beginner and trying to get a handle on php. I have been getting a syntax error that I can't seem to solve. I'll show you the code below and some of the fixes I've tried. If anyone has another idea that would be wonderful. Thank you:)
$subject_set = mysql_query("SELECT * FROM subjects", $connection);
if(!$subject_set){
die("Database query failed: " . mysql_error());
}
while($subject = mysql_fetch_array($subject_set)) {
echo "<li> {$subject['menu_name']} </li>";
}
$page_set = mysql_query("SELECT * FROM pages WHERE id_subjects = {$subject["id"]}", $connection);
if(!$page_set){
die("Database query failed: " . mysql_error());
}
echo "<ul class='pages'>";
while($page = mysql_fetch_array($page_set)) {
echo "<li> {$page['menu_name']} </li>";
}
echo "</ul>";
I get: Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near " at line 1
I know the problem is at {$subject["id"]} because I got content back and no error when I put "WHERE id_subjects = 1". I've tried:
{$subject['id']}
{$subject[\"id\"]}
But have gotten the same error...
try
$page_set = mysql_query("SELECT * FROM pages WHERE id_subjects = '".$subject["id"]."'", $connection);
if(!$page_set){
die("Database query failed: " . mysql_error());
}
BTW, you should really move away from the mysql_* functions. They are being deprecated; move to PDO or mysqli_*, which are a lot safer as well (you are currently vulnerable to SQL injection).
If you read back to your post, you can clearly see what's going wrong here.
"SELECT * FROM pages WHERE id_subjects = {$subject["id"]}"
As you can see, "id" is not connected to the rest of the string. That is because with the " you close the string.
To fix this simply use
"SELECT * FROM pages WHERE id_subjects = " . $subject["id"]
Or if you really want to put the variable within the string you can use a single quoted string for the key:
"SELECT * FROM pages WHERE id_subjects = {$subject['id']}"
Personally I am a fan of the first solution. But that is just my opinion.
Well when the while loop finishes looping through, it will have exhausted all the results. $subject['id'] won't have any information simply because $subject no longer has any more entries.
I'm guessing you want to list all the subjects first, then all the pages underneath each subject.
Using MySQL isn't going to be pretty, but here's what you want to do. (As Bono said, use PDO or mysqli, but here's a solution in pseudocode that will work with MySQL.)
loop through first query
    print subject name
    select pages using subject id
    loop through pages under that subject id
        print page names
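The pseudocode above turned into working PHP with mysqli prepared statements, as an added example that is not from the answer or the question. The page query runs inside the subject loop, while `$subject` still holds a row; after the loop `mysql_fetch_array` has returned false, which is what produced the empty `WHERE id_subjects =` in the question. It assumes `$con` is an open mysqli connection with the mysqlnd driver (needed for `get_result`) and uses the table and column names from the question.

```php
<?php
// Added example: nested subject/page listing with bound parameters.
// $con is assumed to be an open mysqli connection (mysqlnd driver).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function pagesForSubject(mysqli $con, int $subjectId): array
{
    // The subject id is a bound value, so no quoting question arises at all.
    $stmt = $con->prepare('SELECT `menu_name` FROM `pages` WHERE `id_subjects` = ?');
    $stmt->bind_param('i', $subjectId);
    $stmt->execute();
    $names = array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'menu_name');
    $stmt->close();
    return $names;
}

function renderMenu(mysqli $con): string
{
    $html = "<ul class='subjects'>\n";
    $subjects = $con->query('SELECT `id`, `menu_name` FROM `subjects`');
    // Fetch pages for each subject while $subject is still a valid row.
    while ($subject = $subjects->fetch_assoc()) {
        // htmlspecialchars stops database content from being rendered as markup
        $html .= '<li>' . htmlspecialchars($subject['menu_name']) . "\n<ul class='pages'>\n";
        foreach (pagesForSubject($con, (int) $subject['id']) as $name) {
            $html .= '  <li>' . htmlspecialchars($name) . "</li>\n";
        }
        $html .= "</ul></li>\n";
    }
    return $html . "</ul>\n";
}

echo renderMenu($con);
```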
You don't need any quotes when inside a quoted string; just use
"SELECT * FROM pages WHERE id_subjects = {$subject[id]}"