MySql query error near WHERE - php

My code is
$user_query = '
UPDATE
users
SET
`password`="$password",
`email`="$email",
`position`="$position",
WHERE
`username`=".$uname."';
$user_result = mysql_query($user_query, $connection);
confirm_query($user_result);
When I run this query it gives me an error:
Database query failed: You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username=".$uname."' at line 7
Can anybody help me resolve this error?

Your query is in single quotes, so the variables aren't parsed. As you can see in the error, the string is literally
`username`=".$uname."
You need to either use double quotes around the entire thing, to parse variables correctly.
$user_query = "
UPDATE
users
SET
`password`='$password',
`email`='$email',
`position`='$position'
WHERE
`username`='$uname'";
Or correctly use the string concatenation operator, ..
$user_query = '
UPDATE
users
SET
`password`="'.$password.'",
`email`="'.$email.'",
`position`="'.$position.'"
WHERE
`username`="'.$uname.'"';
As others have noted, there's also an extra , after position="$position".

Remove the comma , before the WHERE clause

Just change quotes, and better escape data with DB driver funcs like mysql_real_escape_string()
Difference between quotes: https://stackoverflow.com/a/3446286/765634
Escaping: http://php.net/mysql_real_escape_string
Complete query:
$user_query = <<<SQL
UPDATE
users
SET
`password`="{$password}",
`email`="{$email}",
`position`="{$position}"
WHERE
`username`="{$uname}"
SQL;

There is a trailing comma between position="$position", and the where clause. Remove the comma just before the where clause.

$user_query = "
UPDATE
users
SET
`password`='$password',
`email`='$email',
`position`='$position'
WHERE
`username`='$uname'";
You had a trailing , after position

You have an extra comma after position="$position". Remove that.

Related

Update query not working but the code seems fine

Here is the query string I am using; I have tried many different iterations...
if (!mysqli_query($db_connection,'UPDATE `questions` SET
`question`='.$question.', `answer1`='.$answer1.', `answer2`='.$answer2.',
`answer3`='.$answer3.', `answer4`='.$answer4.', `rationale`='.$rationale.',
`resources`='.$resources.' WHERE `question_id`='.$id))
{
echo("Error description: " . mysqli_error($db_connection));
}
This is the error I get:
Error description: You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right
syntax.
I have tried using single quotes, double quotes without ` and with. Nothing seems to work.
It's not a case of using single or double quotes but doing both correctly, you need to wrap your strings in double quotes and open and close your concatenation with singles eg ’answer’ = " ' .$variable. ' ", ..... Then the quotes become part of your string.
Try this:
$query = mysqli_query($db_connection,"UPDATE `questions` SET `question`='{$question}',`answer1`='{$answer1}', `answer2`='{$answer2}', `answer3`='{$answer3}', `answer4`='{$answer4}', `rationale`='{$rationale}', `resources`='{$resources}' WHERE `question_id`=".$id);
// mysqli_query() returns false on failure, so report the error only in that case
if (!$query)
{
echo("Error description: " . mysqli_error($db_connection));
}
First of all, as the comments stated prepared statements is the way to go. You are open to SQL injection.
Secondly, as for the MySQL error message, it looks like you are missing a single quote at the end of your query: WHERE question_id='.$id. Also, echo out the query string and you'll notice that your query does not have single quotes around your parameters. You are using single quotes to create the query string but not for the query parameters. Use double quotes for the query string, and single quotes for the parameters:
"UPDATE `questions` SET
`question`='".$question."', `answer1`='".$answer1."', `answer2`='".$answer2."',
`answer3`='".$answer3."', `answer4`='".$answer4."', `rationale`='".$rationale."',
`resources`='".$resources."' WHERE `question_id`='".$id."'"

Error in the where part of my MYSQL query

Please help I have no clue what is wrong here. I have submitted the error and the actual query below.
Error:
UPDATE `WWM_Login` SET `Username`='RyzeAlchemist',`Email`='smadger#live.co.uk',`FirstName`='test',`MiddleName`='test',`LastName`='test',`DiscordID`='#RyzeAlchemist#6043',`P_openCompletedOrders`=1,`P_openCurrentOrders`=1,`P_openRequestedOrders`=1,`P_openCreateAnOrder`=1,`P_OpenEditUsers`=0,`P_CreateStaff`=1,`P_CreateClient`= WHERE UserID = 9
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'WHERE UserID = 9' at line 1
Query:
"UPDATE `WWM_Login` SET `Username`='$uid',`Email`='$email',`FirstName`='$firstname',`MiddleName`='$middlename',`LastName`='$lastname',`DiscordID`='$DiscordID',`P_openCompletedOrders`=$field[1],`P_openCurrentOrders`=$field[2],`P_openRequestedOrders`=$field[3],`P_openCreateAnOrder`=$field[4],`P_OpenEditUsers`=$field[5],`P_CreateStaff`=$field[6],`P_CreateClient`=$field[7] WHERE UserID = $id"
The error seems to be towards the end of your query:
`P_CreateClient`= WHERE
Shouldn't this be:
`P_CreateClient`='x' WHERE
Where x is the value you want to set
Encase your variables in single quotes, like so:
`P_CreateStaff`= '$field[6]'
This way, if there is an empty or NULL value it will take it as such. I see some of your variables are encased in single quotes, but that particular variable is not, so when there is no value MySQL is trying to look for a value equal to WHERE, so it's taking your WHERE clause as the condition for P_CreateStaff. To avoid this, encase all your variables in single quotes.
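The three UPDATE questions above fail for the same reason: values are spliced into the SQL text, so a stray comma, a missing quote or an empty variable changes the statement's syntax. The sketch below is an added example, not code from any of the posts; it reuses the users table from the first question, and update_user(), the sample rows and the in-memory SQLite DSN are assumptions made so it runs offline.

```php
<?php
// Added example. Assumption: PDO with in-memory SQLite stands in for MySQL so
// this runs offline; against MySQL only the DSN line changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, email TEXT, position TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'old-hash', 'alice@example.test', 'staff')");
$pdo->exec("INSERT INTO users VALUES ('bob', 'old-hash', 'bob@example.test', 'staff')");

/**
 * Hypothetical helper: update one user, binding every value as a parameter.
 * Column names cannot be bound, so they are checked against an allow-list.
 */
function update_user(PDO $pdo, string $username, array $changes): int
{
    $allowed = ['password', 'email', 'position'];
    $set = [];
    $params = [':username' => $username];
    foreach ($changes as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        $set[] = "`$column` = :$column";
        $params[":$column"] = $value; // '' and null are sent as values, not as SQL text
    }
    if ($set === []) {
        return 0;
    }
    // implode() puts commas only between assignments, never before WHERE
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE `username` = :username';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed inputs: a value containing a quote, an empty string, a null,
// and a username shaped like an injection attempt.
echo update_user($pdo, 'alice', ['email' => "o'brien@example.test", 'position' => '']), "\n";
echo update_user($pdo, 'bob', ['position' => null]), "\n";
echo update_user($pdo, "x' OR '1'='1", ['position' => 'admin']), "\n";
print_r($pdo->query('SELECT username, email, position FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

The injection-shaped username is compared as a literal string and matches no row, and the empty and null values are stored as such instead of producing `= WHERE`.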

delete query with like and concatenate

I am new to php and mysql and I am using a delete query with the CONCAT function, but it is showing some error.
My sql query is
$sql = "delete from wp_users_friends where userid ='$username'
and frid LIKE CONCAT('%',$frUserID)";
And the error is
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
I am having a lot of trouble in this, try to help me
Correct it to:
$sql = "delete from wp_users_friends where userid ='$username'
and frid LIKE '%$frUserID'";
MySQL CONCAT() function is made for concatenating the strings to make them a single string. Which is not required here.
If you want to find ids which start with $frUserID, use like keywords with wild card operator % in the beginning.
This operator % will search for all rows which have frid starting from $frUserID.
Make your query as below:
$sql = "DELETE FROM wp_users_friends WHERE userid ='$username' AND frid LIKE '%".$frUserID."'";
You should not use CONCAT() for a LIKE expression, use a query like one of the other answers instead.
Just wanted to add, you should use single quotes (') for the variable you pass into CONCAT().
So instead of doing this :
$someSql = "CONCAT('%',$frUserID)";
You should do :
$sql = "CONCAT('%','$frUserID')";
Notice the single quotes around $frUserID.
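Because this statement is a DELETE, a `%` or `_` arriving inside $frUserID would widen the LIKE match and remove more rows than intended. The following is an added example, not code from the posts above: it binds the value and escapes the LIKE wildcards; like_escape(), delete_friend(), the '!' escape character, the sample rows and the in-memory SQLite DSN are assumptions.

```php
<?php
// Added example. Assumption: PDO with in-memory SQLite stands in for MySQL so
// this runs offline; the ESCAPE clause is written the same way for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wp_users_friends (userid TEXT, frid TEXT)');
$insert = $pdo->prepare('INSERT INTO wp_users_friends VALUES (?, ?)');
// Constructed sample rows
foreach ([['ann', 'grp-17'], ['ann', 'grp-27'], ['ann', 'grp-7'], ['bob', 'grp-17']] as $row) {
    $insert->execute($row);
}

// Hypothetical helper: neutralise LIKE metacharacters so the value matches only itself.
// The escape character is replaced first so the later replacements are not doubled.
function like_escape(string $value, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

// Hypothetical helper: delete rows of one user whose frid ends with $frUserID.
function delete_friend(PDO $pdo, string $username, string $frUserID): int
{
    $stmt = $pdo->prepare(
        "DELETE FROM wp_users_friends WHERE userid = :u AND frid LIKE :pat ESCAPE '!'"
    );
    // The leading % is the only wildcard; it is added by the code, not by the input.
    $stmt->execute([':u' => $username, ':pat' => '%' . like_escape($frUserID)]);
    return $stmt->rowCount();
}

// A bare wildcard as input is treated as a literal character and matches nothing.
echo delete_friend($pdo, 'ann', '%'), "\n";
// A normal suffix removes only the intended row for that user.
echo delete_friend($pdo, 'ann', '-17'), "\n";
echo $pdo->query('SELECT COUNT(*) FROM wp_users_friends')->fetchColumn(), "\n";
```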

MySql error while string is escaped already?

Why this:
$query = "SET NAMES 'utf8'";
$query = str_replace("'", "\'", $query);
$pdo->query($query);
Would cause problem?
I'm currently getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'utf8\''
If I don't escape it, everything's fine, but the problem exists with further queries!
The sql you are trying to run is perfectly safe as is, it contains no user input and as such can be run without escaping.
Also you are actually escaping the delimiters of a string, not the value of the string itself.
You don't have to escape every single quote in a query, some are valid such as:
UPDATE table SET field='blah' WHERE id=10
Where field would be a varchar or similar. You would escape the quotes if they need to be part of the value of the field, such as:
UPDATE table SET field='This \'value\' uses quotes.' WHERE id=10
Hope that makes sense.

MySQL Update from PHP form

As a novice MySQL user I tried to insert, but I just read on the MySQL documentation that you can only insert on blank rows. My UPDATE statement needs work though, and I'm not sure that I have the syntax correct.
$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`="$office"";
offices is the table name. scash is the row to be updated. $total is a variable pulled from a post. $office is a variable pulled from the same database. I only want to set scash to total where the officename is $office.
Parse error: syntax error, unexpected T_VARIABLE is the error I'm getting.
$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
Replace the double quotes with normal quotes in the string since double quotes are string delimiters and can't be used in the string.
And as Marc B mentioned, your code might be vulnerable to SQL injections. See this post how you can avoid that.
You are going wrong at quotes
$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`='$office'";
Also always use LIMIT 1 if you want to update just a single row...
And sanitize your inputs before updating your row, at least use mysqli_real_escape_string()
If you still want to use double quotes inside double quotes, escape them..
your query can be modified as follows..
$query3 = "UPDATE `offices` SET `scash`=\"$total\" WHERE `officename`=\"$office\"";
