mysql_query($sqlQ, $connection);
mysql_query("DELETE FROM Leaderboards WHERE UserName=" . $row['UserName'] . " LIMIT 1", $connection);
echo("Success3");
Table Information is comprised of: {UserName, Cash, Assets}.
$row['UserName'] has data as $row['Assets'] has data, INSERT works via query, yet it does not delete the row from the db table.
Tell me what I am doing wrong, this is the first time I worked with PHP & MySQL so I have no idea what I am doing.
Is UserName a string? You're missing quotes.
mysql_query("DELETE FROM Leaderboards WHERE UserName='" . $row['UserName'] . "' LIMIT 1", $connection);
All mysql_* functions are deprecated and will be removed in a future version of PHP. You should use an alternative.
You must escape the data used in a query. Using MySQLi functions, your code would be:
mysqli_query($sqlQ, $connection);
mysqli_query("DELETE FROM Leaderboards WHERE UserName='" . mysqli_real_escape_string($connection, $row['UserName']) . "' LIMIT 1", $connection);
echo("Success3");
You are also missing quotes around the username.
I recommand not to, but if you really want to use mysql_* functions, then use:
mysqli_query("DELETE FROM Leaderboards WHERE UserName='" . mysql_real_escape_string($row['UserName']) . "' LIMIT 1", $connection);
Related
Uggh, I've had a few beers and I just can't seem to progress.
I'm teaching myself a bit of PHP with MySQL (just because) and this one line just has me stumped:
$user = $mysqli->query ("SELECT id FROM members WHERE username = " . $_SESSION['user_name'] . " LIMIT 1");
I'm sure it's something completely stupid but I need to have the '$_SESSION['user_name']' passed with quotes around it.
Look, I know its a stupid question, apologies in advanced but I can't even get the right Google terms to find what I'm after... sad I know!\
I've tried all combinations of slash escaping and single / double quotes... please help!
You should use prepared statements :)
$stmt = $mysqli->prepare("SELECT id FROM members WHERE username = ? LIMIT 1");
$stmt->bind_param('s', $_SESSION['user_name']);
http://es1.php.net/manual/en/mysqli-stmt.bind-param.php
You're missing the unescaped quotes, and concatenate operators. Try this:
$user = $mysqli->query ("SELECT id FROM members WHERE username = '" . $_SESSION['user_name'] . "' LIMIT 1");
Note the '" . $_SESSION['user_name'] . "' is changed.
$user = $mysqli->query ("SELECT id FROM members WHERE username = '" . $_SESSION['user_name'] . "' LIMIT 1");
As everybody stated before, the following would be a working (but not perfect!) query:
$user = $mysqli->query("SELECT `id` FROM `members` WHERE `username` = '" . $_SESSION['user_name'] . "' LIMIT 1");
But please note: Inserting strings in SQL queries this way is a security risk, since $_SESSION['user_name'] may contain quotes itself, so that somebody attacking your site could execute arbitrary SQL statements! (Search for SQL Injection if you want to get more information on this.)
Using prepared statements as suggested by naoxink is a safer way, but I just want to mention another safe way to insert strings into SQL queries: Use the mysqli::real_escape_string() method:
$user = $mysqli->query("SELECT `id` FROM `members` WHERE `username` = '" . $mysqli->real_escape_string($_SESSION['user_name']) . "' LIMIT 1");
Use this instead
$user = $mysqli->query ("SELECT `id` FROM `embers` WHERE username = '".$_SESSION['user_name']."' LIMIT 0,1");
I have key_id, key_verification, confirm_key, and key_status in my verification table.
I managed to encrypt my key_verification into my database by using AES:
$sql2 = "INSERT INTO verification (key_verification, key_status) VALUES ((AES_ENCRYPT('bhadana', '" . $key_verification . "')), '" . $key_status . "')";
However I have problem when trying to decrypt it back. This is the code I’m using:
$sql4="SELECT * FROM verification WHERE key_verification = AES_ENCRYPT ('bhadana', '" . $key_verification . "')";
$query4 = mysql_query($sql4) or die ("Error: " . mysql_error());
$num_rows4 = mysql_num_rows($query4);
$check4 = mysql_fetch_array($query4);
$sql3= "SELECT AES_DECRYPT (key_verification, '" . $key_verification . "') as encrypted from verification";
$query3 = mysql_query($sql3) or die ("Error: " . mysql_error());
$num_rows3 = mysql_num_rows($query3);
$check3 = mysql_fetch_array($query3);
I know the SQL is wrong but I don't know how to join the SQL. And if there's anything that I need to add in the code?
I am new to encryption and I hope someone can help me with this.
EDIT: The error is "undefined key_verification"
Your PHP code is trying to use the variable $key_verification, but it seems to be undefined.
Your example statement, formatted for readability, says
$sql3= "SELECT AES_DECRYPT (key_verification, '" .
$key_verification .
"') as encrypted from verification";
For this to work you need the variable $key_verification already defined, or you'll get the undefined message from PHP.
Pro-tip: Using encryption with the old insecure mysql_ API is like putting an expensive security lock on your window while leaving your front door wide open.
If I have a user's email address as d'anthony.fredrick#hotmail.com and I use addslashes to make it d\'anthony.fredrick#hotmail.com, the following SQL statement fails.
"UPDATE subscriptions SET sent = '1' WHERE email ='" . $email . "' Limit 1";
The database as the email address is d\'anthony.fredrick#hotmail.com. Why does the UPDATE fail?
Always, always, always escape strings before adding them to queries.
"UPDATE subscriptions SET sent = '1' WHERE email ='" . $dbconn->real_escape_string($email) . "' Limit 1";
If you're using the original mysql API then you'd use mysql_real_escape_string in place of $dbconn->real_escape_string
use mysql_real_escape_string()
UPDATE `subscriptions` SET `sent` = '1' WHERE `email` ='" . mysql_real_escape_string($email) . "' Limit 1";
note: mysql_* has been depreciated. use MySQLi
i have a little problem with a very simple query ,
when i hard code the values in the query its working , but when i use a PHP variable nothing is retrieved , i over check a lot of things including the query , the database
it worth saying that i'm getting the variable from a form by POST and also checked that i'm getting them but when i use them in a query they jst dont work :S
here's my code ..PLZ what am i doing wrong ?!!!!!!!!!!!
<?php
$email = $_POST ['emailEnter'] ;
$password = $_POST ['passwordEnter'];
$connection = mysql_connect('localhost','root','') ;
$db_selected = mysql_select_db("lab5" , $connection) ;
$query = 'select * From user where email="$email" and password="$password" ' ;
$result = mysql_query ($query , $connection);
while($row=mysql_fetch_array($result))
{
echo $row['name'];
}
mysql_close($connection);
?>
You use single quotes in the query variable. Single quotes does not substitute variables - so it looks for literal string $email not the variable email. Either use double quotes or even better use something like PDO which would do the work for you.
You should also sanitize your inputs from SQL/XSS vulnerabilities.
The basic debugging steps are 1. adding
if (!$result) echo "Error: ".mysql_error();
to see any errors from the SQL query and 2. outputting
echo "Query: $query";
to see what the variables contain. One of these will point you to the problem.
Also, your query is vulnerable to SQL injection. You should add a
$email = mysql_real_escape_string($email);
$password = mysql_real_escape_string($password );
after fetching the values from the POST array.
Your error probably resides in the fact that you don’t escape your parameters.
While you are at it, use MySQLi or PDO (maybe even some prepared statements)
Someone mentioned your use of single-quotes, that’s the real error, my bad.
But my advice still stands. Having used prepared statements, you wouldn’t have fell for that mistake
try
$query = 'select * From user where email="' . $email . '" and password="'. $password . '" ' ;
or
$query = "select * From user where email='$email' and password='$password'" ;
Try this instead:
$query = "select * From user where email='" . $email . "' and password='" . $password . "';
Then immediately change that to this instead:
$query = "select * From user where email='" . mysql_real_escape_string($email) . "' and password='" . mysql_real_escape_string($password) . "';
Try
$query = "SELECT * FROM user WHERE email = '".$email."' AND password = '".$password."'";
You've confused the single and double quotes
You have:
$query = 'select * From user where email="$email" and password="$password" ' ;
You want:
$query = "select * From user where email='$email' and password='$password' " ;
Single quotes evaluate to whats literally inside. Double quotes will parse for variables inside. Theres also a curly brace {$variable} syntax you can use.
Suggestions from other posters for using mysql_real_escape or using newer mysqli or PDO are important as well. At the very least use mysql_real_escape on parameters that come from user input.
the problem is the way you are quoting the variables. Suppose that $email= 'some#gmail.com' and $password= 'securenot'.
what we want is the final interpreted string to be the following
select * from user where email='some#gmail.com' and password='securenot'
to achieve this we simply replace the some#gmail.com for $email and securenot for $password and get the following:
select * from user where email='$email' and password='$password'.
and then in php code ...
$query = "select * from user where email='$email' and password='$password'";
hope that is of some help
mysql_fetch_assoc() for associative array. You cannot use normal array as assoc array.
while($row=mysql_fetch_assoc($result))
{
echo $row['name'];
}
$sql = "UPDATE galleries SET name='$name', desc='$desc', mainthumb='$mt'
WHERE id='$id'";
this throws an error for some godforsaken reason. I must be way too tired because I don't see it.
I've confirmed that all the values are being posted. What's worse, it's an almost exact copy any query that works fine.
Update:
This has been solved. It was the fact that desc didn't have backticks. I'm also going to use PDO instead as suggested.
Is desc not a keyword that you can not use as a column name?
You have a column called desc, which is a reserved word. You will need to quote it with backticks.
`desc`='$desc'
Did you sanitize all the parameters before mixing them with the sql statement?
desc is a reserved word in MySQL, you have to explicitly mark it as an identifier:
An identifier may be quoted or unquoted. If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it. [...]
The identifier quote character is the backtick (“`”):
$mysql = mysql_connect(...
$sql = "
UPDATE
galleries
SET
name='" . mysql_real_escape_string($_POST['name'], $mysql) . "',
`desc`='" . mysql_real_escape_string($_POST['desc'], $mysql) . "',
mainthumb='" . mysql_real_escape_string($_POST['mt'], $mysql) . "'
WHERE
id='" . mysql_real_escape_string($_POST['id'], $mysql) . "'
";
or even better: use prepared statements
echo $sql and see what it actually becomes. It looks like an easy target for SQL injection, unless you took care of that.
yes, make sure you first sanitize the data, using mysql_real_escape_string for instance.
Then echo your mysql error (mysql_error() ) it will give you more hints as to where is the error;
<?php
$link = mysql_connect("localhost", "mysql_user", "mysql_password");
mysql_select_db("nonexistentdb", $link);
echo mysql_errno($link) . ": " . mysql_error($link). "\n";
mysql_select_db("kossu", $link);
mysql_query("SELECT * FROM nonexistenttable", $link);
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
?>
$sql = "UPDATE `galleries` SET
name='".$name."',
desc='".$desc."',
mainthumb='".$mt."'
WHERE id='".$id."'";
This could be one alternative way to handle it. Although I would gone PDO as VolkerK suggested it. I would also Echo to see what it would output as well. Also as Ben suggested, Desc may be a reserve word.