Mysql syntax error in php query not showing up in browser - php

Let's say that I have an error in a php/mysql query :
$query = "SELECT * ROM users WHERE _id = :user_id";
Here, FROM is missing an "F".
When I launch this php file in localhost, my browser is not reacting, it should display something like that:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server
But it doesn't, only blank page...
How do I enable this option?
EDIT: I'm using PDO.

If you use mysql_* functions you have to do something like: mysql_query($sql) or die(mysql_error());
If you use mysqli_*: mysqli_query($link, $sql) or die(mysqli_error($link)); // $link is the mysqli connection
If you use PDO: $stmt->execute() or die(print_r($stmt->errorInfo(), true)); // $stmt is an instance of PDOStatement
If you still use mysql_*, I strongly recommend that you stop using it (SQL injection, I mean).

First, use the mysql_error() function in your code in case the query is not executed successfully. Something like this:
if(!mysql_query($query)){
echo mysql_error();
}
Secondly, check in your php.ini whether error_reporting is on or off.
Then check on the browser for the error.
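For the PDO case in the question: PDO before PHP 8.0 defaults to silent error mode, so a failed prepare() or execute() returns false and prints nothing. The following is an added example, not code from the original thread; it enables exception mode, writes the driver message to the server log and returns only a generic message for the browser. The in-memory SQLite database and the helper name runQuery() are assumptions made so the script runs offline.

```php
<?php
// Added example. Assumption: an in-memory SQLite database stands in for the
// MySQL server; runQuery() is a hypothetical helper, not part of PDO.

function runQuery(PDO $pdo, string $sql, array $params): array
{
    try {
        // Depending on the driver, a syntax error surfaces at prepare() or at
        // execute(); both calls are inside the try block.
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return ['ok' => true, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
    } catch (PDOException $e) {
        // The full driver message and the failing statement go to the server log.
        error_log('DB error: ' . $e->getMessage() . ' | SQL: ' . $sql);
        // The browser gets a generic message that reveals no schema details.
        return ['ok' => false, 'rows' => [], 'message' => 'Database error.'];
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [
    // Make every failed PDO call throw instead of returning false silently.
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (_id, name) VALUES (1, 'alice')"); // constructed row

// The query from the question, with FROM misspelled, and the corrected form.
$bad  = runQuery($pdo, 'SELECT * ROM users WHERE _id = :user_id', [':user_id' => 1]);
$good = runQuery($pdo, 'SELECT * FROM users WHERE _id = :user_id', [':user_id' => 1]);

var_dump($bad['ok'], $bad['message']);
var_dump($good['ok'], $good['rows'][0]['name']);
```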

Related

Why isn't mysql_real_escape_string working?

I am trying to insert a ' symbol into my database and have the below code.
$actionurl =$_POST['actionurl'];
$newtitle = $_POST['newtitle'];
$newtitle = mysql_real_escape_string($newtitle);
$result2 = mysql_query("UPDATE links SET title='$newtitle' WHERE url='$actionurl'")
or die(mysql_error());
And I get this error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's to start up a sample library (forum thread)'' at line 1
Why am I getting an error if I'm using mysql_real_escape_string on the $newtitle variable?
I suspect that it's actionurl that is causing the error, not $newtitle.
To debug this, echo or print the SQL statement to be executed.
You can do something like this:
$sql = "UPDATE links SET title='$newtitle' WHERE url='$actionurl'";
// for debugging, output contents of the $sql string
echo "SQL=" . $sql ;
mysql_query($sql) or die(mysql_error());
As others have already suggested, the mysql_ interface is deprecated. New development should use either mysqli or PDO. And use prepared statements with bind placeholders. It just seems nonsensical to be struggling with mysql_real_escape_string in 2016.
Are magic quotes on in your php.ini? If yes, disabling it should solve your issue. (It could be enabled by default)

Variables in Mysql Query

I am writing a PHP script in which I need to run a MySQL query. I opened the data connection and all such pleasantries are working fine. My only doubt is regarding the syntax of the following query, since it is not working. I have a PHP variable $post_id against which I am selecting from the database.
$query1="SELECT needer FROM needer_blood WHERE value_id='$post_id'";
$result=mysql_query($query);
$req_id=$result[0];
You are not fetching the result.
So try this
<?php
$query1="SELECT needer FROM needer_blood WHERE value_id='$post_id'";
$result=mysql_query($query1);
while($row= mysql_fetch_array($result))
{
echo $row['needer'];//You can display your result like this.
}
Also, mysql is deprecated; learn Mysqli or PDO.
For Mysqli function check this link http://php.net/manual/en/book.mysqli.php
For PDO function check this link http://php.net/manual/en/book.pdo.php
Try this one; it's a better approach if you use SQL INJECTION
<?php
$query1="SELECT needer FROM needer_blood WHERE value_id='".mysql_real_escape_string($post_id)."'";
$result=mysql_query($query1) or die(mysql_error()); // die only used in development, remove when you go live
$data = mysql_fetch_array($result) or die(mysql_error());
echo $req_id = $data['needer']; // $req_id = $data[0];
?>
Firstly, notice that your query variable is called $query1 and your mysql_query is using a variable called $query (variable mismatch?).
You can use mysql_fetch_assoc() to get an associative array from your query.
Using the following code should work, though you should do some checking to make sure that the $result[0] exists.
// Query String
$query1="SELECT needer FROM needer_blood WHERE value_id='$post_id'";
// Run the query
$result=mysql_query($query1) or die(mysql_error());
// Fetch Associative Array
$rows=mysql_fetch_assoc($result);
// Get the needer column: this could result in an error if your query result is empty.
$req_id=$rows['needer'];
Also, as others have pointed out, mysql is deprecated and you should update to MySQLi or PDO_MySQL if your server supports it. If not, change servers.
Also, as others pointed out, you should watch out for SQL injection. This StackOverflow answer addresses the issue well.

Update Records SYNTAX ERROR

I'm attempting to make a form for a charity that allows staff members to view and update victim records that are stored in the SQL Database via the website. I have managed to display the records and create a form that allows the alteration of the records, however when I enter variables I receive a SYNTAX error.
$updateSQL="UPDATE Victims SET victimFName=".$victimFN." WHERE victimId=".$id."";
$exeupdateSQL= mysql_query($updateSQL) or die (mysql_error());
echo "The Record has been updated";
I receive the error:
'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE victimId=' at line 1'
I then researched SQL Injections and changed the code:
$updateSQL="UPDATE Victims SET victimFName=".mysql_real_escape_string($_POST['victimFName']).";
WHERE victimId=".mysql_real_escape_string($_POST['victimId'])."";
exeupdateSQL= mysql_query($updateSQL) or die (mysql_error());
echo "The Record has been updated";
This still didn't work.
I have attempted to replace my variables $VictimFN and $id by entering data into the SQL query and the code works, updating the record. Such as:
$updateSQL="UPDATE Victims SET victimFName='Mary Smith' WHERE victimId='1'";
$exeupdateSQL= mysql_query($updateSQL) or die (mysql_error());
echo "The Record has been updated";
I am fairly new to programming and was wondering how I could fix this as the issue is to do with my variables.
Thanks to your help I have established the problem with the code and have now fixed it to:
$updateSQL="UPDATE Victims SET victimFName='".mysql_real_escape_string($_POST['victimFName'])."' WHERE victimId='".mysql_real_escape_string($_POST['victimId'])."'";
$exeupdateSQL=mysql_query($updateSQL) or die (mysql_error());
echo "The Record has been updated";
echo "<br><a href=ViewVictimRequest.php>View Updated Record</a>";
There are now no errors, however the records state they are updated when they are not. Is there any way to fix this?
Thank you in advance for your response and sorry for the inconvenience!
The correct way is:
$updateSQL="UPDATE Victims SET victimFName='".mysql_real_escape_string($_POST['victimFName'])."' WHERE victimId='".mysql_real_escape_string($_POST['victimId'])."'";
Your $_POST values are string, thus you need to enclose them in single quotes '. Also remove the semi-colon ; before WHERE, it's breaking the string.
Note:
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
You have an errant semi-colon and missing quotes. Here's a cleaner version of your query:
$updateSQL="UPDATE Victims SET victimFName='".mysql_real_escape_string($_POST['victimFName'])."'
WHERE victimId=".mysql_real_escape_string($_POST['victimId']);
Or
$fname = mysql_real_escape_string($_POST['victimFName']);
$id = mysql_real_escape_string($_POST['victimId']);
$updateSQL="UPDATE Victims SET victimFName='{$fname}' WHERE victimId={$id}";
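The prepared-statement form of this UPDATE, which the answers recommend, as an added example that is not code from the original thread. It also checks the affected-row count, since a statement can succeed without changing any record. The in-memory SQLite database and the helper name updateVictimName() are assumptions; the table and column names follow the question.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for MySQL;
// updateVictimName() is a hypothetical helper.

function updateVictimName(PDO $pdo, $rawId, $rawName): string
{
    // Validate the id as a positive integer instead of quoting it as a string.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'invalid id';
    }
    // Placeholders keep the values out of the SQL text, so an apostrophe in the
    // name cannot end the string literal and no manual quoting is needed.
    $stmt = $pdo->prepare(
        'UPDATE Victims SET victimFName = :fname WHERE victimId = :id'
    );
    $stmt->bindValue(':fname', (string) $rawName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // A successful statement can still change zero rows, so report that rather
    // than printing "updated" unconditionally. On MySQL, rowCount() counts rows
    // actually changed, so writing the same value again also yields 0.
    return $stmt->rowCount() > 0 ? 'updated' : 'no row changed';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Victims (victimId INTEGER PRIMARY KEY, victimFName TEXT)');
$pdo->exec("INSERT INTO Victims VALUES (1, 'Mary Smith')"); // constructed row

// Constructed inputs: a name with an apostrophe, an id with no record,
// and an id that is not an integer.
echo updateVictimName($pdo, '1', "Mary O'Brien"), "\n";
echo updateVictimName($pdo, '42', 'Nobody'), "\n";
echo updateVictimName($pdo, '1 OR 1=1', 'x'), "\n";
echo $pdo->query('SELECT victimFName FROM Victims WHERE victimId = 1')->fetchColumn(), "\n";
```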

Mysqli LIKE statement not working

I'm getting these weird errors, and I've been up and down the code, commenting and rewriting, and googling all the things.
Perhaps you guys will see what I'm not seeing:
$mysqli = new mysqli('host','login','passwd','db');
if($mysqli->connect_errno > 0){ die('Cannot connect: '. $mysqli->connect_error); }
// See if there is one term or multiple terms
if (count($search) == 1) {
// If one term, search for that
$like = $search[0];
$stmt = "SELECT
gsa_committees.id,
gsa_committees.committee,
gsa_committees.appointer,
gsa_committees.representatives,
gsa_committees.contact,
gsa_committees.category,
gsa_committees.attachments,
gsa_committees.labels,
gsa_committee_reports.committee,
gsa_committee_reports.title,
gsa_committee_reports.author,
gsa_committee_reports.link,
gsa_funds.id,
gsa_funds.fund,
gsa_funds.attachments,
gsa_funds.labels,
gsa_meeting_minutes.title,
gsa_meeting_minutes.link,
gsa_officers.office,
gsa_officers.dept,
gsa_officers.name,
gsa_representatives.program_dept,
gsa_representatives.representatives,
gsa_representatives.alternate
FROM
gsa_committees,
gsa_committee_reports,
gsa_funds,
gsa_meeting_minutes,
gsa_officers,
gsa_representatives
WHERE
(gsa_committees.committee LIKE $like) AND
gsa_committees.committee IS NOT NULL";
}
if(!$result = $mysqli->query($stmt)){ die('Bad query: '. $mysqli->error); }
This gives me this error message:
Bad query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%ARCHAC%) AND gsa_committees.committee IS NOT NULL' at line 34
Which I know isn't true. If I change that last part to just this:
WHERE gsa_committees.committee LIKE $like";
I get this error message:
Bad query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%ARCHAC%' at line 34
Everywhere I've looked, the string "%".search."%" seems to be the correct method, but my server doesn't seem to like it here.
Interesting side note: I have a different LIKE statement working on another page on the same server, this just won't work for some reason.
Thanks!
Try putting single quotes around your search term ($like variable).
for example: (gsa_committees.committee LIKE '$like')
You need to wrap the variable in quotes for like to work:
WHERE gsa_committees.committee LIKE '$like';
See reference documentation on String Comparison Function.
It looks like missing quotes:
"WHERE gsa_committees.committee LIKE '$like' ";
Ok, I got it. The answer on this post solved my issue:
MYSQLI SQL query over multiple tables fail
As soon as I assigned the tables t1,t2,etc and did INNER JOIN, the results came in as expected, with %$search% or $search.
Thanks all!
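The quoting problem in this thread disappears when the LIKE pattern is bound as a parameter. The following is an added example, not code from the original thread; it puts the wildcards in the bound value and escapes any % or _ typed by the user so they match literally. The in-memory SQLite database, the reduced single-table schema and the helper name searchCommittees() are assumptions.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for MySQL; only the
// gsa_committees table from the question is modelled; searchCommittees() is
// a hypothetical helper.

function searchCommittees(PDO $pdo, string $term): array
{
    // Escape the LIKE metacharacters (and the escape character itself) so the
    // user's text matches literally. '!' is used as the escape character because
    // it needs no special quoting in either MySQL or SQLite string literals.
    $literal = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $pdo->prepare(
        "SELECT committee FROM gsa_committees
          WHERE committee LIKE :pattern ESCAPE '!'
          ORDER BY id"
    );
    // The wildcards belong to the bound value; the driver handles the quoting.
    $stmt->execute([':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gsa_committees (id INTEGER PRIMARY KEY, committee TEXT)');

// Constructed sample rows.
$insert = $pdo->prepare('INSERT INTO gsa_committees (committee) VALUES (?)');
foreach (['ARCHAC', 'Budget_Review', 'Budget Review', '100% Attendance'] as $name) {
    $insert->execute([$name]);
}

print_r(searchCommittees($pdo, 'ARCHAC'));  // plain term
print_r(searchCommittees($pdo, 'Budget_')); // underscore treated as a literal
print_r(searchCommittees($pdo, '%'));       // percent sign treated as a literal
```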

PHP MYSQL error - "You have an error in your SQL syntax; check ... for the right syntax to use near

The exact error message is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where rfflag='0'' at line 1
Hi,
I'm trying to get some php scripts working and it dies with the above error message. There are two locations where rfflag is used in the SQL query:
$_SESSION['lang']=$objTerm->my_get_one("select min(id) from "
.$objTerm->TABLE['languages']." where status='1' and rfflag='0'");
$rs_lang=$objTerm->execute_query("select id,language from "
.$objTerm->TABLE['languages']." where `status`='1' and `rfflag`='0'");
How do I determine which one is causing the problem? Or is the problem something else altogether?
Echo this:
"select id,language from ".$objTerm->TABLE['languages']." where status='1' and rfflag='0'"
and this:
"select min(id) from ".$objTerm->TABLE['languages']." where status='1' and rfflag='0'"
Then execute each output in your favorite SQL developer tool.
Errors will be displayed there.
How do I determine which one is causing the problem?
Remove one of the queries. See if it still happens.
On a secondary thought, I would suggest that you change your MySQL query code so, that it doesn't use die() to print out the error message. Use trigger_error or exceptions instead, this way you will automatically get a trace of which line caused it.
How do I determine which one is causing the problem?
Use trigger_error() to output an error message.
I guess (I have to guess because you supply no code) that you are using die() to output an error.
If you change this bad practice function to trigger_error(), you will be able to see the line number where the error occurred.
If you add not only mysql_error() to its output, but also the query itself, you will be able to see the problem code too.
I guess $objTerm->TABLE['languages'] is undefined or does not have the value you’re expecting.
As sheeks06 has already suggested, just echo the query to see if everything is as expected:
$query = "select min(id) from "
.$objTerm->TABLE['languages']." where status='1' and rfflag='0'";
echo $query;
$_SESSION['lang']=$objTerm->my_get_one($query);
$query = "select id,language from "
.$objTerm->TABLE['languages']." where `status`='1' and `rfflag`='0'";
echo $query;
$rs_lang=$objTerm->execute_query($query);
