if(isset($_POST['Update'])) {
$placename = $_POST['placename'];
$description = trim(addslashes($_POST['description']));
$hotel = $_POST['hotel'];
$transport = $_POST['transport'];
$map = $_POST['map'];
$sqlp = "UPDATE places SET placename = $placename, description = $description, hotel = $hotel, transport = $transport, map = $map WHERE place_id = ". $sPlace['place_id'];
connection();
if(mysql_query($sqlp)) {
echo "Successfully Updated";
} else {
echo mysql_error();
}
}
Error Message is following-
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '
map = map WHERE place_id = 54' at line 1
You error in that code is that you don't add quotes around variables, it should be like this:
$query = "UPDATE `table` SET `name`='".mysqli_real_escape_string($_POST['name'])."' WHERE `id`=1";
But please try to use PDO with transaction as you will be able to debug any errors and you don't have to worry about SQL Injection.
Try this: (you will see errors, and if it's not ok, it will rollback)
$db = new PDO('mysql:host=localhost;dbname=databaseName', 'username', 'password', array(PDO::ATTR_EMULATE_PREPARES => false));
$placename = $_POST['placename'];
$description = trim(addslashes($_POST['description']));
$hotel = $_POST['hotel'];
$transport = $_POST['transport'];
$map = $_POST['map'];
try {
$db->beginTransaction();
$stmt = $db->prepare("UPDATE `places` SET `placename`=:placename, `description`=:description, `hotel`=:hotel, `transport`=:transport, `map`=:map WHERE `place_id`=:place_id");
$stmt->execute(array(':placename' => $placename, ':description' => $description, ':hotel' => $hotel, ':transport' => $transport, ':map' => $map, ':place_id' => $sPlace['place_id']));
$db->commit();
} catch(PDOException $ex) {
$db->rollBack();
echo $ex->getMessage();
}
You have an error in your SQL syntax ... 'map = map WHERE place_id = 54' at line 1
map = map <-- is invalid. the right-side should be an sql value (quoted string, number, etc). Perhaps map = 'map' (quote the value) is the intended result?
The problem you are seeing has come about because none of your string literals have been quoted, so the comma in the value of $transport is being evaluated as a separator between SQL SET clauses and so gives rise to the syntax error that you witness.
You should quote your string literals—or better yet, use parameterised statements so that your variables do not get evaluated for SQL at all (which avoids all forms of SQL injection attack).
Related
why i always get error in hostgator when try to update this ga field in database, error happen when insert this code in textarea
_gaq.push(['_setCustomVar',1, 'Status', 'Logged In']);
_gaq.push(['_trackEvent', 'Custom', 'PageLoad', 'Setting Logged In State',0,true]);
<textarea name="ga"></textarea>
$name = $_POST['name'];
$ga = trim($_POST['ga']);
$req = "UPDATE `con` SET `name` = '".$name."', `ga` = '".$ga."'");
if (mysqli_query($con, $req)) {
echo "success"
}
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '_setCustomVar',1, 'Status', 'Logged In']);
_gaq.push(['_trackEvent', 'Custom', ' at line 1
if i remove ga = '".$ga."' my database update but if add this code it give error i have hostgator and it work good in localhost
type of ga in database is text.
Prepared statements are the one stop solution for this. Your code is supposed to be:
$name = trim($_POST['name']);
$ga = trim($_POST['ga']);
$some_value = 'some_value'; //This is just the imaginary value for demonstration
$req = "UPDATE `con` SET `name` = ?, `ga` = ? WHERE column_name = ?";
$stmt = $mysqli->prepare($req);
$stmt->bind_param('sss', $name, $ga, $some_value);
$stmt->execute();
You always want to use WHERE with UPDATE query. If you don't use WHERE clause, the changes will be applied to all records. I suppose you are aware of SQL injection, the notorious attack!
An alternative which can be used to fix the issue with your code is mysqli_real_escape_string().
For example,
$name = mysqli_real_escape_string($con, trim($_POST['name']));
$ga = mysqli_real_escape_string($con, trim($_POST['ga']));
But always use prepared statements as I've shown above.
I use PDO in a web application I am building. I always thought (I am wrong actually) that using prepare should help with single quotes in the inserted variables but it seems that I miss something. I get an error inserting values like L'Aquila where there is a single quote in the input data.
My actual code is:
$sql = "INSERT INTO anagrafiche SET
id_ndg = '$protocol',
nick = '$nick',
nome = '$nome',
cognome = '$cognome',
ragsoc = '$ragsoc',
leg_rappr = '$leg_rappr',
cod_fisc = '$cod_fisc',
p_iva = '$p_iva',
cf_estero = '$cf_estero',
SAE = '$sae',
RAE = '$rae',
ATECO = '$ateco',
CRCODE = '$crcode',
indirizzo = '$indirizzo',
civico = '$civico',
cap = '$cap',
citta = '$citta',
prov = '$prov',
tel = '$tel',
cell = '$cellulare',
mail = '$mail',
note = '$note',
file_ci = '$file_ci',
file_cf = '$file_cf',
file_visura = '$file_visura',
cittadinanza = '$cittadinanza',
res_fiscale = '$res_fiscale',
is_curatore = '$is_curatore',
is_legale = '$is_legale',
is_tribunale = '$is_tribunale',
is_fornitore = '$is_fornitore' ";
try{
$s = $pdo->prepare($sql);
$s->execute();
}
catch (PDOException $e){
$error = 'Errori nel caricamento: '.$e->getMessage();
}
and when I try to load a string containing the single quote I get an error like this while trying to load the string Piazza d'Armi
:
Errori nel caricamento: SQLSTATE[42000]: Syntax error or access
violation: 1064 You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'Armi', civico = '0', cap = '83100', citta = 'Avellino',
prov' at line 15
What am I missing? I don't think that PDO quote can do the job for me but maybe it's me that I don't get the point
It helps with single quotes only if you do parametrized prepared statements, otherwise all you are doing is string concatenation and have to be subject to properly forming your SQL.
Try something like:
$sql = "INSERT INTO anagrafiche SET
id_ndg = :protocol,
nick = :nick,
nome = :nome,
...
";
$params = array(
':protocol' => $protocol,
':nick' => $nick,
':nome' => $nome,
...
);
try{
$s = $pdo->prepare($sql);
$s->execute($params);
} catch (PDOException $e) {
...
}
This also gives you the added advantage of mitigating SQL injection attacks.
If you want to go a step further and enforce data types, you could use bindValue() or bindParam()
like:
$sql = "INSERT INTO anagrafiche SET
id_ndg = :protocol,
nick = :nick,
nome = :nome,
...
";
try{
$s = $pdo->prepare($sql);
$s->bindParam(':protocol', $protocol, PDO::PARAM_ST);
$s->bindParam(':nick', $nick, PDO::PARAM_ST);
$s->bindParam(':nome', $nome, PDO::PARAM_ST);
...
$s->bindParam(':some_integer', $some_integer, PDO::PARAM_INT);
...
$s->execute();
} catch (PDOException $e) {
...
}
bindValue() has similar syntax to bindParam() but only binds the value of the variable at the time of binding to the parameter rather than the value of the variable at the time of statement execution.
I have a MySQL database with a table (opendpu) that has multiple columns including columns titled "ECRNUM" and "PE_REQUIRED".
I'm simply trying to test this update statement by specifying some values. I get this error:
Array ( [0] => 42000 [1] => 1064 [2] => You have an error in your
SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near 'DOE WHERE ECRNUM = 81308' at
line 1 )
I cannot, for the life of me, figure out what is wrong here. Can anyone help?
<?php
require ('config.php');
$ecrno = '81308';
$pe_required = 'JOHN DOE';
while (true) {
try {
$db = new PDO($dsn, $uname, $pword);
$db->exec( "SET CHARACTER SET utf8" );
$db->setAttribute( PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC );
$db->setAttribute( PDO::ATTR_PERSISTENT, true );
break;
}
catch (Exception $e) {
$db = null;
$counter++;
if ($counter == $limit)
throw $e;
}
}
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = $pe_required WHERE ECRNUM = $ecrno");
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
?>
.
+1 for using prepared statements... but (and its a big BUT):
You should never use prepared statements without bind_param as this leaves you wide open to SQL injection and negates the benefits of prepared statements.
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED=? WHERE ECRNUM=?");
$stmt->bind_param('si', $pe_required, $ecrno);
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
Change your syntax like this [Enclosed quotes around the variable]
$stmt = $db->prepare("UPDATE `opendpu` SET PE_REQUIRED = '$pe_required' WHERE ECRNUM = '$ecrno'");
Please check with below query
$stmt = $db->prepare("UPDATE opendpu SET PE_REQUIRED = '.$pe_required.' WHERE ECRNUM = '.$ecrno.'");
I'm trying to switch all my MySQL connections from the old mysql_query to PDOs. I'm trying to update multiple rows and columns of a MySQL table using different arrays and I'm receiving the following error:
[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(accnt, car, radio, misc) values ('admin', '300.00', '400.00', '10.00') WHERE ID' at line 1
From the following code:
$account = $_POST['account'];
$car_lease = $_POST['car_lease'];
$radio_lease = $_POST['radio_lease'];
$misc_lease = $_POST['misc_lease'];
$lease_ID = $_POST['lease_ID'];
//$data = array_map(null,$account,$car_lease,$radio_lease,$misc_lease);
$A = count($lease_ID);
try {
$DBH = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$STH = $DBH->prepare('UPDATE lease (accnt, car, radio, misc) values (:account, :car_lease, :radio_lease, :misc_lease) WHERE ID = :lease_ID');
$i = 0;
while($i < $A) {
$STH->bindParam(':account', $account[$i]);
$STH->bindParam(':car_lease', $car_lease[$i]);
$STH->bindParam(':radio_lease', $radio_lease[$i]);
$STH->bindParam(':misc_lease', $misc_lease[$i]);
$STH->bindParam(':lease_ID', $lease_ID[$i]);
$STH->execute();
$i++;
}
}
catch(PDOException $e) {
echo "I'm sorry, but there was an error updating the database.";
file_put_contents('PDOErrors.txt', $e->getMessage(), FILE_APPEND);
}
I believe this problem is arising from the way I'm calling the statement handle, but I'm not sure what part of my syntax is incorrect. Also, is this the best way of handling such situations? Or is there a better method to update multiple rows in a table?
You have confused the syntax between INSERT and UPDATE statements. Instead of a VALUES() list, you need a SET clause:
$STH = $DBH->prepare('
UPDATE lease
SET
accnt = :account,
car = :car_lease,
radio = :radio_lease,
misc = :misc_lease
WHERE ID = :lease_ID
');
Review the MySQL UPDATE syntax reference for the full specification to use with UPDATE statements.
I think this would be the simplest and easiest solution, if you can trust your keys and values:
$update = 'SET ';
$fields = array_keys($_POST);
$values = array_values($_POST);
foreach ($fields as $field) {
$update .= $field . '=?,';
}
$update = substr($update, 0, -1);
$db->query("update sub_projects ${update} where id=${_GET['id']}");
$db->execute($values);
Simple way to update multiple fields .but very important that inputs on your editing page must be in same order with your data base table.
hope its help
if (isset($_POST['pageSubmit'])) {
echo '<pre>';
print_r($_POST['page']);
echo '</pre>';
$fields = array('id','name','title','content','metaKey','metaDescr','metaTitle');//fields array
$fields = array_map(function($field){
return "`$field`";
},$fields);
$queryArray = array_combine($fields,$_POST['page']);//createng array for query
$countFields = count($queryArray);//getting count fields
$id = array_splice($queryArray , 0,-($countFields-1));//getting id of page
$insertArray = $queryArray;//getting new fields array without first key and value
function updatePage($db, array $fields, array $id){
$where = array_shift($id);
$sql = array();
foreach ($fields as $key => $value) {
$sql[] = "\n".$key."" ." = "."'".$value."'";
}
$sql = implode(",",$sql);
try {
$query = $db->prepare("UPDATE `pages` SET $sql WHERE `id` = $where ");
$query->execute();
} catch (Exception $e) {
echo $e->getMessage();
}
}
updatePage($db, $insertArray, $id);
}
better way is CASE, it is 3-4 time faster than preapared stmt
I am making a simple select from mySQL using PHP. I am doing something wrong that I can't seem to track down.
Here's my statement:
$storyTitle = $_GET['title'];
$storyDate = urldecode($_GET['date']);
$SQL = "SELECT
*
FROM
tblContent
WHERE
REPLACE(contentTitle,' ' , '-') = :storyTitle
AND
date(publishDate) = date(:storyDate)";
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$q = $conn->prepare($SQL);
$q->execute(array(':storyTitle' => $storyTitle, ':storyDate' => $storyDate));
while($r = $q->fetch()){
echo $SQL;
};
This throws no errors and gives no rows.
If I replace the identifiers :storyTitle and :storyDate with a hard coded SQL statement, I get the correct results. I've stepped through and looked at the variables, and they seem right... I've already wasted so much time hunting, but I lack the expertise to pick out what I'm doing wrong.
Dump the contents of your variables. I'm suspicious of:
$storyDate = urldecode($_GET['date']);
$_GET parameters automatically are url-decoded.
you have to ask PDO to throw an error explicitly
try {
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
$conn->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$q = $conn->prepare($SQL);
$q->execute(array(':storyTitle' => $storyTitle, ':storyDate' => $storyDate));
} catch (PDOException $e) {
echo $e->getMessage();
}