MySQL: Deleting two columns from table using prepared statements - php

I am trying to update two columns without deleting the entire row. Here is what I am using:
$sql='update users set token='',timestamp='' where token=?';
$stmt=$db_con->stmt_init();
$stmt->prepare($sql);
$stmt->bind_param('s',$token);
$stmt->execute();
However, it gives me this error: T_CONSTANT_ENCAPSED_STRING. Now the query works fine when I use it through the MySQL CLI as update users set token='',timestamp='' where token='blahblah'; How can I get around this?

Use this:
$sql="update users set token='',timestamp='' where token=?";
You can find more info on how to escape a string here:
http://php.net/manual/en/language.types.string.php

You should be using:
$sql="update users set token='',timestamp='' where token=?";
Notice the double quote (") at the start and end of the string.
Since you are using multiple single quotes in your string, PHP does not understand this and will throw an error. You need to tell PHP to escape the quote. You can do it in two ways:
1) By using PHP's \ escape character in front of the quote:
'update users set token=\'\',timestamp=\'\' where token=?';
2) Use double quotes for the string instead of single quotes:
"update users set token='',timestamp='' where token=?";
Both should work.

Here I would like to inform you that, as the query was in single quotes and you have used single quotes more than once in the query string, PHP will accept the string from the first quote to the next quote; that's why you are getting the error, while on the command line this does not generate an error. Change
$sql='update users set token='',timestamp='' where token=?';
to
$sql="update users set token='',timestamp='' where token=?";
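As an added example (not the asker's code or any of the answers above), the same UPDATE written out as a complete mysqli prepared statement, with the PHP string double-quoted so the empty SQL literals need no escaping. Host, credentials, database name and the request parameter name are placeholders.

```php
<?php
// Added example, not the asker's code: the UPDATE from the question as a complete
// mysqli prepared statement. Host, credentials and database name are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

$db_con = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

/**
 * Clear the token and timestamp of the row holding $token.
 * Returns the number of rows changed; 0 means no such token was found.
 */
function clearToken(mysqli $db_con, string $token): int
{
    // Refuse an empty token: WHERE token = '' would match every already-cleared row.
    if ($token === '') {
        return 0;
    }

    // The PHP string is double-quoted, so the empty SQL literals '' need no escaping.
    // The single-quoted spelling would be 'UPDATE ... SET token=\'\', timestamp=\'\' ...'.
    // (If `timestamp` is a DATETIME/TIMESTAMP column rather than text, use NULL instead of ''.)
    $sql = "UPDATE users SET token = '', timestamp = '' WHERE token = ?";

    $stmt = $db_con->prepare($sql);
    $stmt->bind_param('s', $token); // the value is sent separately from the SQL text
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();

    return $affected;
}

// Usage: the token comes straight from the request and is never concatenated into $sql.
$rows = clearToken($db_con, $_GET['token'] ?? '');
echo $rows === 1 ? "token cleared\n" : "no matching token ($rows rows changed)\n";
```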

Related

MySQL Escaping Single Quotes With mysqli_real_escape_string

When I am inserting into a database with mysqli_real_escape_string, I am finding that my single quotes are being escaped with \\ rather than \, which is causing my query to fail. See below:
NOTE: $link is my db connection var.
$string = mysqli_real_escape_string($link, "BEGIN testing quotes - don't use quotes END");
$query = "INSERT INTO table (field) VALUES ('".$string."')";
When I echo out my query, I get:
INSERT INTO table (field) VALUES ('BEGIN testing quotes - don\\'t use quotes END')
which is causing a SQL syntax error. I cannot seem to find a setting anywhere that can change this. If I copy the echoed query into MySQL Workbench and remove a \, the query inserts perfectly.
I have had a look through Stack Overflow and cannot find anything relating to this, and also searched through Google with no luck.
I have many queries that need escaping across my entire website. Could a setting be set to automatically apply escaping of strings pre-insert without having to go through and update all my variables? If not, is there any way I can alter the mysqli_real_escape_string function without having to manually check every string I insert for single quotes etc.?
I appreciate any assistance with this.
As Krishna Gupta suggested, stripslashes resolved my issue:
$string = mysqli_real_escape_string($link, stripslashes("BEGIN testing quotes - don't use quotes END"));
Thanks.

How to update a char column in MySQL by passing a php variable?

I'm currently developing a simple php/mysql website as an assignment.
I need to update a char column in a table by passing a php variable. Issue is I don't know how to pass the variable as a string.
$verify = $_POST['verification'];
"UPDATE Users SET account_status=1 WHERE verification_code= . $verify . ";
Above query is not working for me. Running the query manually on mysql does work;
UPDATE Users SET account_status=1 WHERE verification_code="XYz12"
so I think the problem is passing the variable as a string. I tried a couple of different things but couldn't manage it...
The field verification_code is a string, so it must be between single quotes like:
$query = "UPDATE Users SET account_status=1 WHERE verification_code='$verify'";
"UPDATE Users SET account_status=1 WHERE verification_code='" . $verify . "'";
But of course this is very poor form. You need to ensure your variable has been properly escaped. I recommend using PDO prepared statements:
$stmt = $db->prepare("UPDATE Users SET account_status=1 WHERE verification_code=?");
$stmt->execute(array($verify));
The correct string for the query is as follows:
$query = "UPDATE Users SET account_status=1 WHERE verification_code=\"" . $verify . "\"";
With the \ character you escape the quote character. Anyway, this can be quite confusing, so you can use single quotes:
$query = "UPDATE Users SET account_status=1 WHERE verification_code='$verify'";
Note that you can make a reference to a php variable within quotes like above.
BTW, your error is that you are using the concatenation operator inside a string. It should be used like in my first example. Anyway, you need to quote the value in the SQL if it is a string. You don't have to do it if the field is NOT a string.
If you are worried about SQL injection you can use prepared statements instead of plain queries. I recommend the PDO class of PHP. You can give MySQLi a try too.

MySql error while string is escaped already?

Why would this:
$query = "SET NAMES 'utf8'";
$query = str_replace("'", "\'", $query);
$pdo->query($query);
cause a problem?
I'm currently getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'utf8\''
If I don't escape it, everything's fine, but the problem exists with further queries!
The SQL you are trying to run is perfectly safe as is: it contains no user input and as such can be run without escaping.
Also, you are actually escaping the delimiters of a string, not the value of the string itself.
You don't have to escape every single quote in a query; some are valid, such as:
UPDATE table SET field='blah' WHERE id=10
where field would be a varchar or similar. You would escape the quotes if they need to be part of the value of the field, such as:
UPDATE table SET field='This \'value\' uses quotes.' WHERE id=10
Hope that makes sense.

MySQL Update from PHP form

As a novice MySQL user I tried to insert, but I just read on the MySQL documentation that you can only insert on blank rows. My UPDATE statement needs work though, and I'm not sure that I have the syntax correct.
$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`="$office"";
offices is the table name. scash is the row to be updated. $total is a variable pulled from a post. $office is a variable pulled from the same database. I only want to set scash to total where the officename is $office.
Parse error: syntax error, unexpected T_VARIABLE is the error I'm getting.
$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
Replace the inner double quotes with single quotes in the string, since double quotes are the string delimiters and can't be used unescaped inside the string.
And as Marc B mentioned, your code might be vulnerable to SQL injection. See this post on how you can avoid that.
You are going wrong at quotes
$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";
Also, always use LIMIT 1 if you want to update just a single row...
And sanitize your inputs before updating your row; at least use mysqli_real_escape_string().
If you still want to use double quotes inside double quotes, escape them.
Your query can be modified as follows:
$query3 = "UPDATE `offices` SET `scash`=\"$total\" WHERE `officename`=\"$office\"";

Php to MsSql query - escape quotes (') issue

I'm building my query:
$q = sprintf("UPDATE testTable SET Text='%s', [Read]=0, TimeUpdated='%s', [From]='%s' WHERE ID='%s'", ms_escape_string($text), $dateReceived, $from, $convID);
and I execute it:
$res = mssql_query($q, $dbhandle);
$text should be free text so it could contain all sorts of weird characters (for now let's stick to ASCII). The simplest scenario is when $text contains a quote, e.g. $text = "Mc'Donalds"
Inside the ms_escape_string function I try to prevent this by replacing ' with 2 quotes ''.
I echo the query string:
UPDATE testTable SET Text='Mc''Donalds', [Read]=0, TimeUpdated='2012-08-03 12:44:49', [From]='bogus' WHERE ID='14'
(Note: executing this query from the VS server explorer on the same db works just fine)
Everything seems ok - see the double quotes for Mc''Donalds - but it still fails when executing: [mssql_query(): message: Incorrect syntax near 'Mc'
I thought that SET QUOTED_IDENTIFIER might be the culprit so I tried
$q = "SET QUOTED_IDENTIFIER OFF";
$resq = mssql_query($q,$dbhandle);
before executing my query but no cigar - I still get the same error.
Now I'm stuck - what should I change to get strings containing single quotes to pass through?
This question seems more to do with the lack of a native mssql_real_escape_string() function, which is addressed by this thread.
You should be more worried about an SQL injection attack, a problem many of us have finally put to bed by preferring to use PDO, as has been mentioned in the comments.
This type of "Escaping in readiness for the next recipient of the data" forms part of the FIEO mantra (Filter Input Escape Output).
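As an added example (not code from any of the posts above) tying the verification_code, SET NAMES and Mc'Donalds questions together: a quote that is part of a value is doubled by the escaping routine, while the quotes that delimit the literal are left alone, and a bound parameter avoids the question altogether. It uses PDO with an in-memory SQLite database so it runs offline; the table, rows and column names are constructed here, and SQLite doubles quotes the same way the SQL Server question shows.

```php
<?php
// Added example, not from any of the posts above: the quoting layers separated on an
// in-memory SQLite database so it runs offline. Table and rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                                account_status INTEGER, verification_code TEXT)");
// Layer 1 (PHP): the string is delimited by "...", so the SQL's ' delimiters pass through
// untouched. Layer 2 (SQL): a quote INSIDE a value is doubled (''), the delimiters are not.
$pdo->exec("INSERT INTO users (name, account_status, verification_code)
            VALUES ('Mc''Donalds', 0, 'XYz12')");

/** Escape-and-concatenate style: PDO::quote() doubles quotes inside the value and adds the delimiters. */
function findByNameEscaped(PDO $pdo, string $name): ?string
{
    $literal = $pdo->quote($name); // escapes the value only, never the surrounding SQL
    $row = $pdo->query("SELECT name FROM users WHERE name = $literal")->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['name'] : null;
}

/** Prepared-statement style: the value never touches the SQL text, so no escaping is needed. */
function verifyAccount(PDO $pdo, string $verify): int
{
    $stmt = $pdo->prepare("UPDATE users SET account_status = 1 WHERE verification_code = ?");
    $stmt->execute([$verify]);
    return $stmt->rowCount(); // 1 if a code matched, 0 otherwise
}

var_dump(findByNameEscaped($pdo, "Mc'Donalds")); // the stored name round-trips with its quote
var_dump(verifyAccount($pdo, "XY'z12"));          // no such code; the quote is plain data here
var_dump(verifyAccount($pdo, "XYz12"));           // the real code matches one row
```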
