Dear friend i am trying to update the recode but the following message always come up
" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 9"
the code looks fine but i do not understand what i am doing wrong can someone help.
thanks in Advance.
<?php
if(isset($_POST['edit'])){
// this id wil be pulled from the URL above.
$hot_id = $_GET['hotl'];
$hotel_name = escape_value($_POST['title']);
$hotel_star = escape_value($_POST['category']);
$shortdes = escape_value($_POST['shortdes']);
$country = escape_value($_POST['country']);
$address = escape_value($_POST['address']);
$pcode = escape_value($_POST['pcod']);
$city = escape_value($_POST['city']);
$query = "UPDATE Hotels SET
hotel_name = '{$hotel_name}',
star ='{$hotel_star}',
description = '{$shortdes}',
country = '{$country}',
hotel_address = '{$address}',
hotel_postal_code = '{$pcode}',
hotel_city = '{$city}'
WHERE hotel_id = {$hot_id}";
$result = mysql_query($query, $connection);
if(mysql_affected_rows() == 1){
//Success
}else{
die("Some thing wrong with the Upadate: ". mysql_error());
}
}else{
//error ocurred
}
?>
i am posting my question in both PHP and Mysql Forum because i do not know exaectly where is the problem.
The easiest way to debug SQL statements (as mentioned above) is to echo out your query before you submit it and see exactly what you are sending to the database. That being said, why don't you try putting some quotes(' ') around your $hot_id var:
WHERE hotel_id = '{$hot_id}'
Somewhere in the update there should be $hot_id:
"UPDATE Hotels SET
hotel_name = '{$hotel_name}', hotel_id = '{$hot_id}', etc
Related
I am writing a Php 5 and Mysql 5 page counter script. When a student having id as 'visitorid' visits a page having id 'pageid' (both int(11)) the page counter tries to log the visit in 'visitors' database. But counter is not updating in mysql db, instead the visit_counter int(4) turns to 0.Whats wrong with my code? visitdate is datetime.
<?php
$pageid = 101;
$visitorid = 234;
$sql = "SELECT * FROM visitors
WHERE pageid = ".$pageid."
AND visitorid = ".$visitorid;
$temp = mysql_query($sql) or die("Error 1.<br>".mysql_error());
$data = mysql_fetch_array($temp);
// visit_counter is a field in table
if(($data['visit_counter']) != NULL){
echo "Entery exists <br>";
// Tried below version also
$visit = " SET visit_counter = visit_counter+1";
//$visit_counter = $data['visit_counter'];
//$visit = " SET visit_counter = ".$visit_counter++ ;
// Valid SQL
// UPDATE `visitors`
// SET visit_counter = visit_counter+1
// WHERE pageid = 101 and visitorid=234
// This manual sql query updates in phpmyadmin
$sql = "UPDATE visitors ".$visit."
AND visitdate = NOW()
WHERE pageid = ".$pageid."
AND visitorid = ".$visitorid;
$temp = mysql_query($sql) or die("ERROR 3.<br>".mysql_error());
//No error is displayed on above query.
} else {
//first entry
$visit_count = "1";
$sql = "INSERT INTO visitors
(`pageid`,`visitorid`, `visitdate`, `visit_counter`)
VALUES ('".$pageid."','".$visitorid."', NOW(), '".$visit_count."')";
$temp = mysql_query($sql);
//first entry is inserted successfully
//and visit_counter shows 1 as entry.
}
?>
Can anyone tell me whats wrong with this code?
Oh! I got answer by myself. Sometimes just little errors make us go crazy..
I made a mistake in udate query.. rather than using and I should have user a comma instead. .. working well now!
i am new to php programming. I always get this error when i run my code
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE service_name = ''' at line 7
this is my code
<?php
session_start();
include('../conn/openconn.php');
if(isset($_POST['butsend'])) {
$servicename = strtoupper($_POST['txtservicename']);
$serviceurl = $_POST['txtserviceurl'];
$id_div = $_POST['select_div'];
$id_unit = $_POST['select_unit'];
$servicedesc = $_POST['txtservicedesc'];
$id = $_SESSION['service_name'];
$updateuser = "UPDATE service SET
service_name = '$servicename',
service_url = '$serviceurl',
id_div = '$id_div',
id_unit = '$id_unit',
service_desc = '$servicedesc',
WHERE service_name = '$id'";
mysql_query($updateuser) or die (mysql_error());
}
?>
i have already search all the previous question but due to my limited knowledge in the programming i
cannot find the solution. sorry for my bad english..
You have an extra comma. Remove it.
$updateuser = "UPDATE service SET
service_name = '$servicename',
service_url = '$serviceurl',
id_div = '$id_div',
id_unit = '$id_unit',
service_desc = '$servicedesc', <-- HERE
WHERE service_name = '$id'";
i am making a public profile system,like facebook,youtube.....
when user register it create it own profile with his infos and give it a url like "www.mysite.com/userprofile.php?id=1" that can bee seen by any one without sign in,any one that visit that url can see the profile,the userprofile.php get data from the database.
here is my code :
<?php
$id = $_GET["id"];
$query = ("SELECT username,email FROM table WHERE id=" . $id . " LIMIT 1");
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['username']. " - ". $row['email']; }
?>
it work when visiting "www.mysite.com/userprofile.php?id=1" it get the user info that have the id 1,then echo them, but when i visit "www.mysite.com/userprofile.php" it give this sq error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1
even when i delete the "LIMIT 1" it give this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
And one more thing, if any one fixed the error,can you tell me how to make "www.mysite.com/userprofile.php?id=1" to "www.mysite.com/user1" and how to return a 404 error when the user profile doesn't exist
And any way to secure it from sql injection ?
Thank's Advance :)
When you navigate to /userprofile.php instead of /userprofile.php?id=123 you're essentially running this query:
SELECT username,email FROM table WHERE id= LIMIT 1
Which is an invalid SQL statement. There's a number of ways to fix it, but the easiest would probably be something like this:
<?php
$id = $_GET["id"];
if(!empty($id)) {
// typecast it for at least a little security
$query = ("SELECT username,email FROM table WHERE id=" . (int) $id . " LIMIT 1");
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['username']. " - ". $row['email']; }
} else {
echo "Please provide a user ID."
}
This checks if the user ID is set and that it's not empty, and typecasts it to an int before running the query.
With that said, you should really look into mysqli or PDO for this kind of thing.
I don't know why, but for some reason the code below is not working as intended
$SQL = "UPDATE characters SET
name = '$char_name',
status = '$char_status',
gender = $char_gender,
pos.x = $char_posx,
pos.y = $char_posz,
shards = $char_money,
level = $char_level,
exp = $char_exp,
hair = $char_hair,
color.r = $char_color_r,
color.g = $char_color_g,
color.b = $char_color_b,
spawn = $char_spawn
WHERE username = '$nick'";
mysql_query($SQL) or die("ERRORCODE 04 - DB QUERY FAIL");
echo "saved";
it's always giving me the "ERRORCODE 04.." meaning that the query failed..
FYI: setting pos.y db value to the char_posz is correct as the axes are different from the Form to the actual database
EDIT: code now changed a bit due to some comments, looks now like this:
$SQL = "UPDATE characters SET
name = '$char_name',
status = '$char_status',
gender = $char_gender,
pos_x = $char_posx,
pos_y = $char_posz,
shards = $char_money,
level = $char_level,
exp = $char_exp,
hair = $char_hair,
color_r = $char_color_r,
color_g = $char_color_g,
color_b = $char_color_b,
spawn = $char_spawn
WHERE username = '$nick'";
mysqli_query($dbcon, $SQL) or die(mysqli_error($dbcon));
echo "saved";
this is the error I get:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
pos_x = ,
pos_y = ,
shards = ,
' at line 4
Try to put single quotes around all variables in the query
I am getting the below error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing order by id'
Here is the main page..
echo "<div ><a href='secondpage.php?title=".urlencode($row['title'])."'>".wordwrap($row['title'], 35, "<br />\n", true)."</a></div>";
and here is the second page the error appearing on. the address bar reads http://localhost/secondpage.php?title=more+testing
<?php
$mydb = new mysqli('localhost', 'root', '', 'test');
$sql = "SELECT * FROM test where urlencode(title) =".$_GET['title']" order by id ";
$result = $mydb->query($sql);
if (!$result) {
echo $mydb->error;
}
?>
<div>
<?php
while( $row = $result->fetch_assoc() ){
echo $row['firstname'];
}
$mydb->close ();
?>
</div>
You want to use urldecode to decode the encoded string in your query:
$title = urldecode($_GET['title']);
$sql = "SELECT * FROM test where title = '$title' order by id";
I'm assuming you have a column named title in your test table. I don't think MySQL has urlencode function unless you have a procedure by that name which functions exactly like PHP's urlencode.
Update:
Thanks to #GeorgeLund, who pointed out the point of SQL Injection. Important topic which I missed earlier during answering your question. Please have a look at: https://www.owasp.org/index.php/SQL_Injection
For the very least please update your code to following:
$title = urldecode($_GET['title']);
$title = mysqli_real_escape_string($title); // Addition
$sql = "SELECT * FROM test where title = '$title' order by id";
$sql = "SELECT * FROM test where urlencode(title) ='".$_GET['title']."' order by id ";
Try like
$sql = "SELECT * FROM test WHERE urlencode(title) = ".$_GET['title']." ORDER BY id ";
You missed . leads syntax go away.
As far as I know SQL does not have function urlencode and why would you even want to urlencode the column name?
Also to store the encoded title string which is received from the last page you should decode the encoded title
So here is what I think you meant to do.
$sql = "SELECT * FROM test WHERE title = ".urldecode($_GET['title'])." order by id ";
Please try this code using urldecode
$sql = "SELECT * FROM test where title =".urldecode($_GET['title'])" order by id ";