mysql_query SELECT giving me trouble - php

I can't really figure out what's wrong with this. I used to write the exact same thing and got it working.
$check = mysql_query("SELECT encrypt FROM database WHERE word='$word'") or die(mysql_error());
Error returned is : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database WHERE word='asdaasdasdd'' at line 1

DATABASE is a MySQL reserved word; enclose it with backticks (``):
$check = mysql_query("SELECT encrypt FROM `database` WHERE word='$word'") or die(mysql_error());

Try backquoting database. It's probably a reserved word.

Database and Databases are keywords. See the following link for reserved words.

The or die() trick is a very poor choice for several reasons:
It's not a very nice way to present the user with an error message.
Using for instance the mysql_error() call with it, as many people do, exposes information that should never get output in a production environment
You cannot catch the error in any way.
You cannot log the error.
You cannot control whether it should be output to the screen or not. It's okay to do that in a development environment, but certainly not in a production environment.
It prevents you from doing any sort of cleanup. It just ends the script abruptly.
An easy way to implement this is:
$result = mysql_query('SELECT foo FROM bar', $db) or trigger_error('Query failed: ' . mysql_error($db), E_USER_ERROR);

Encrypt is a function so, even though it is not causing the problem, I would avoid using it as a column name.

Related

Getting this error message when trying to UPDATE MySQL table

Notice: Undefined variable: table_name in /Applications/MAMP/htdocs/welcometowarwick/scripts/php/insert_imagery.php on line 106
Error: UPDATE SET business_description='', image1='profiles/sadsadas/', image2='profiles/sadsadas/', image3='profiles/sadsadas/', image4='profiles/sadsadas/', image5='profiles/sadsadas/' WHERE id='307' LIMIT 1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET business_description='', image1='profiles/sadsadas/', image2='pr' at line 1
Here is the UPDATE code
$updatesql = sprintf("UPDATE $table_name SET
business_description='$business_description',
image1='$insert_upload1',
image2='$insert_upload2',
image3='$insert_upload3',
image4='$insert_upload4',
image5='$insert_upload5'
WHERE id='$user_id' LIMIT 1");
if (mysqli_query($link, $updatesql)) {
header('Location: ../../register/complete.php');
} else {
echo "Error: " . $updatesql . "<br>" . mysqli_error($link);
}
mysqli_close($link);
Can anyone see what the error with the syntax is?
This is too long for a comment, therefore I am submitting the following.
The syntax error is clear:
right syntax to use near 'SET: it starts at SET, so this tells me that:
$table_name is either not defined, or it contains a character that MySQL doesn't agree with. Possibly a space, a hyphen; who knows. Only you know that and how $table_name is defined, or whether it's defined at all.
Plus, as I stated in the comments, you're using sprintf but there is no syntax to support that. You can just get rid of it, as far as I'm concerned.
It is also unclear which MySQL API you are using to connect with, so make sure you are indeed using mysqli_ to connect with and not mysql_ or PDO.
Those different MySQL APIs do not intermix with each other.
If you have any questions, please do not hesitate to place a comment underneath my answer.
You may also want to make use of mysqli_real_escape_string() in order to escape your data. There might be characters in there that MySQL will also want to buck about.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
This query can't get the table name, so this happens. First echo $updatesql and check that the query gets the table name.

Syntax error or access violation: 1064 ' brandname

I'm getting this error in my Magento script:
Product not added exception:exception 'PDOException' with message
'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 's Secret'' at
line 1'
Some background info:
I have a PHP script running on a cron job to add and update products. It has been running for a while now, but I just got this error. I think it's because the manufacturer's name has an apostrophe in it. But I have no clue how to fix it.
Changing the manufacturer's name is not an option.
function addManufacture($pid, $men) {
    $resource = Mage::getSingleton('core/resource');
    $readConnection = $resource->getConnection('core_read');
    $query = "SELECT manufacturers_id FROM p1_manufacturers WHERE m_name='".$men."'";
    $lastid = $readConnection->fetchOne($query);
    $write = Mage::getSingleton("core/resource")->getConnection("core_write");
    if (!$lastid) {
        $url = createUrl($men);
        $query = "insert into p1_manufacturers (m_name,identifier,status) values ('".$men."','".$url."',1)";
        $write->query($query);
        $lastid = $write->lastInsertId();
    }
    $query1 = "insert into p1_manufacturers_products (manufacturers_id,product_id) values ('".$lastid."','".$pid."')";
    $write->query($query1);
    $query3 = "SELECT manufacturers_id FROM p1_manufacturers_store WHERE manufacturers_id='".$lastid."'";
    $mid = $readConnection->fetchOne($query3);
    if (!$mid) {
        $query2 = "insert into p1_manufacturers_store (manufacturers_id,store_id) values ('".$lastid."',0)";
        $write->query($query2);
    }
}
Here is the problem:
$query = "SELECT manufacturers_id FROM p1_manufacturers WHERE m_name='".$men."'";
Replace that with:
$menEscaped = mysql_real_escape_string($men);
$query = "SELECT manufacturers_id FROM p1_manufacturers WHERE m_name='".$menEscaped."'";
For readability, I might be inclined to reformat it thus:
$menEscaped = mysql_real_escape_string($men);
$query = "
SELECT
manufacturers_id
FROM
p1_manufacturers
WHERE
m_name='{$menEscaped}'
";
The problem is you are not escaping your input variables, and if this comes from user input, you may find people injecting SQL of their own choice into your database. And that's generally not good!
Addendum: the above may work, but I've just spotted you are using a library called Mage. This being the case, you will need to find out how to escape strings using that library - it will be something like $write->escapeString($men).
As has been noted in the comments, it is even better if you can switch to parameterisation. You'll need to check if your library supports that.
Your problem is being caused by an unescaped single-quote appearing in your data, and creating a syntax error in the queries you are submitting to your database.
Unfortunately, your database access code is hidden in some class, so it's not immediately obvious what changes are required. However...
As an absolute minimum you should escape any user data before applying it to the database. For this function this means
$men = mysql_real_escape_string($men);
$pid = mysql_real_escape_string($pid);
added at the top of the function. I have assumed you are using `mysql()` in this code.
Watch the line $url = createUrl($men); as this will be affected by this change. You may need further modifications here, and createUrl() may need to be changed too.
You will need to make similar changes in every function that accesses your database.
If you are using mysqli() more work will be required as the arguments are different and this 'easy' fix won't work.
Ultimately you should look to rewrite your code to use prepared statements.
Your code is seriously vulnerable to attack. There is a lot of work here. Get to it!
Edit
Thanks to @halfer for spotting the use of Mage. Magento uses the Zend framework, which in turn uses PDO objects. Delving into the code, you can rewrite the functions to use prepared statements, which will deal with your problem effectively. This answer has a fuller description. This is a better fix than I suggested above, but you still have a great deal of work to do.
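Following the two answers above, here is the same addManufacture() function rewritten with bound parameters. This is an added example, not code from the original post or from Magento itself. It assumes that the adapter returned by Mage::getSingleton('core/resource')->getConnection() is Magento's Zend_Db-based PDO adapter, whose fetchOne($sql, $bind) and query($sql, $bind) accept an array of values for ? placeholders, and that createUrl() is the caller's own helper from the original script. The manufacturer name used in the usage call is constructed for the example.

```php
<?php
// Added example: addManufacture() with bound parameters through the Zend_Db
// adapter that Magento's core/resource singleton returns (assumption: it
// supports fetchOne($sql, $bind) and query($sql, $bind) like Zend_Db_Adapter_Abstract).
function addManufacture($pid, $men)
{
    $resource = Mage::getSingleton('core/resource');
    $read     = $resource->getConnection('core_read');
    $write    = $resource->getConnection('core_write');

    // The value travels to MySQL separately from the SQL text, so an
    // apostrophe in $men can no longer terminate the string literal.
    $lastid = $read->fetchOne(
        'SELECT manufacturers_id FROM p1_manufacturers WHERE m_name = ?',
        array($men)
    );

    if (!$lastid) {
        $url = createUrl($men); // caller's helper from the original script
        $write->query(
            'INSERT INTO p1_manufacturers (m_name, identifier, status) VALUES (?, ?, 1)',
            array($men, $url)
        );
        $lastid = $write->lastInsertId();
    }

    $write->query(
        'INSERT INTO p1_manufacturers_products (manufacturers_id, product_id) VALUES (?, ?)',
        array($lastid, $pid)
    );

    $mid = $read->fetchOne(
        'SELECT manufacturers_id FROM p1_manufacturers_store WHERE manufacturers_id = ?',
        array($lastid)
    );
    if (!$mid) {
        $write->query(
            'INSERT INTO p1_manufacturers_store (manufacturers_id, store_id) VALUES (?, 0)',
            array($lastid)
        );
    }
}

// Constructed usage: a name with an apostrophe, the case that broke the original.
addManufacture(1234, "O'Brien Tools");
```

Nothing is escaped by hand anywhere in the function: every value, including the one that triggered the 1064 error, is passed as a bind value, so the fix does not depend on remembering mysql_real_escape_string() at each call site.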

Mysqli LIKE statement not working

I'm getting these weird errors, and I've been up and down the code, commenting and rewriting, and googling all the things.
Perhaps you guys will see what I'm not seeing:
$mysqli = new mysqli('host','login','passwd','db');
if($mysqli->connect_errno > 0){ die('Cannot connect: '. $mysqli->connect_error); }
// See if there is one term or multiple terms
if (count($search) == 1) {
// If one term, search for that
$like = $search[0];
$stmt = "SELECT
gsa_committees.id,
gsa_committees.committee,
gsa_committees.appointer,
gsa_committees.representatives,
gsa_committees.contact,
gsa_committees.category,
gsa_committees.attachments,
gsa_committees.labels,
gsa_committee_reports.committee,
gsa_committee_reports.title,
gsa_committee_reports.author,
gsa_committee_reports.link,
gsa_funds.id,
gsa_funds.fund,
gsa_funds.attachments,
gsa_funds.labels,
gsa_meeting_minutes.title,
gsa_meeting_minutes.link,
gsa_officers.office,
gsa_officers.dept,
gsa_officers.name,
gsa_representatives.program_dept,
gsa_representatives.representatives,
gsa_representatives.alternate
FROM
gsa_committees,
gsa_committee_reports,
gsa_funds,
gsa_meeting_minutes,
gsa_officers,
gsa_representatives
WHERE
(gsa_committees.committee LIKE $like) AND
gsa_committees.committee IS NOT NULL";
}
if(!$result = $mysqli->query($stmt)){ die('Bad query: '. $mysqli->error); }
This gives me this error message:
Bad query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%ARCHAC%) AND gsa_committees.committee IS NOT NULL' at line 34
Which I know isn't true. If I change that last part to just this:
WHERE gsa_committees.committee LIKE $like";
I get this error message:
Bad query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%ARCHAC%' at line 34
Everywhere I've looked, the string "%".search."%" seems to be the correct method, but my server doesn't seem to like it here.
Interesting side note: I have a different LIKE statement working on another page on the same server, this just won't work for some reason.
Thanks!
Try putting single quotes around your search term ($like variable).
for example: (gsa_committees.committee LIKE '$like')
You need to wrap the variable in quotes for like to work:
WHERE gsa_committees.committee LIKE '$like';
See reference documentation on String Comparison Function.
It looks like missing quotes:
"WHERE gsa_committees.committee LIKE '$like' ";
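The three answers above fix the immediate syntax error by quoting $like. The added example below (not from the original post or any answer) goes one step further: it binds the pattern with a mysqli prepared statement, so quoting is no longer the caller's job, and it escapes the search term's own % and _ characters so they match literally instead of acting as wildcards. An explicit ESCAPE '!' clause is used so the result does not depend on whether the server runs with NO_BACKSLASH_ESCAPES. The connection credentials are placeholders from the question; gsa_committees and its columns are the question's own; the search terms in the usage loop are constructed.

```php
<?php
// Added example: LIKE with a bound pattern and explicit wildcard escaping.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

// Builds '%term%' for LIKE ... ESCAPE '!'. The escape character is doubled
// first, then the two LIKE metacharacters are prefixed with it.
function likePattern($term)
{
    $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $term);
    return '%' . $escaped . '%';
}

// Returns matching committees as an array of ['id' => ..., 'committee' => ...].
function searchCommittees(mysqli $mysqli, $term)
{
    $stmt = $mysqli->prepare(
        "SELECT id, committee FROM gsa_committees
         WHERE committee LIKE ? ESCAPE '!' AND committee IS NOT NULL"
    );
    $pattern = likePattern($term);
    $stmt->bind_param('s', $pattern); // the value never touches the SQL text
    $stmt->execute();
    $stmt->bind_result($id, $committee);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'committee' => $committee);
    }
    $stmt->close();
    return $rows;
}

$mysqli = new mysqli('host', 'login', 'passwd', 'db'); // placeholders from the question

// Constructed terms: the one from the question, a literal percent sign, and a
// quote character, none of which need any special handling at the call site.
foreach (array('ARCHAC', '100%', "O'Neil") as $term) {
    print_r(searchCommittees($mysqli, $term));
}
```

Without likePattern(), a term such as "100%" would match every committee whose name starts with "100", and a term containing an apostrophe would have produced exactly the kind of syntax error the question reports when interpolated into a quoted literal.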
Ok, I got it. The answer on this post solved my issue:
MYSQLI SQL query over multiple tables fail
As soon as I assigned the tables t1,t2,etc and did INNER JOIN, the results came in as expected, with %$search% or $search.
Thanks all!

PHP MySql Select statement not working... Any advice?

[UPDATED] with new code "sql_real_escape_string()"
[UPDATED] if anyone wants to look at the site its at Test site
[UPDATED] with the while code showing any results via echo
Hello All,
I have looked at many posts on this matter, but simply cannot understand why the following code doesn't work:
$username = $_POST['username'];
// get the record of the user, by looking up username in the database.
$query = sprintf("SELECT UserName, Password FROM userlogin WHERE UserName='%s'", mysql_real_escape_string($username));
$result = mysqli_query($dbc, $query) or
die ("Error Querying Database for: " . $query .
"<br />Error Details: " . mysql_error() . "<br/>" . $result);
while ($row = mysqli_fetch_assoc($result))
{
Echo($row['UserName']);
}
The Code seems to be correct... the database is working perfectly (for input purposes) and the connection is a shared connection applied with require_once('databaseconnection.php'); that is working for the registration side of things.
Like normal, I'm sure this is something simple that I have overlooked but cannot for the life of me see it!
I do not get any error messages from mysql_error(); it's simply blank.
any help would be much appreciated.
Regards
Check the username you try to query as it might be empty. Do you really use a post-request to run that script? How do you verify that it does not work? What do you do with $data after the query?
If just nothing seems to happen it is likely your query did not match any record. Check for whitespace and case of the username you are looking for.
Mind those warnings:
Use a prepared statement or at least sql-escape any user-input before using it in sql.
Don't use die in serious code, only for debugging.
The $data will contain a result object. You need to iterate over it using something like mysqli_fetch_assoc($data).
Also, you can interpolate variables directly into double quoted strings - i.e. UserName='".$username."'" could be written more cleanly as UserName='$username' rather than breaking out of the string.
Also, please sanitize your input - all input is evil - using mysqli_real_escape_string() function. You've got a SQL injection exploit waiting to happen here.
Bear in mind that it's a very good idea to validate all data to be inserted into a database.
Very often you have problems with query itself, not implementation. Try it in phpMyAdmin first and see if there are any problems.
Check server logs.
BY THE WAY: Never put variables from POST into a query! That's definitely a SQL injection.
You might have some issue with the query.
Have you tried to echo the $query and run that directly with the mysql client or Workbench?
This piece of code seems ok. That is, if $dbc contains an actual database connection. But the choice of naming that variable $data while the function actually returns a result object or a boolean, indicates that you may process the data wrong.
If that is not the problem, we'll definitely have to see more code.
Try printing $data variable instead of printing only query. Check, whether you are able to get any error messages. If you could see any data then you should use mysql fetch function to iterate things. Try it.
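Several answers in this thread say "use a prepared statement" and "don't use die", and the answer about the or die() trick in the first thread on this page lists what die() costs you: no catching, no logging, no control over output, no cleanup. The added example below (not from the original post or any answer) puts both pieces together for this exact lookup. It assumes $dbc is the mysqli connection created by databaseconnection.php, that the userlogin table has the UserName and Password columns shown in the question, that the form also posts a password field, and that Password stores a password_hash() hash rather than a plaintext password. It needs PHP 5.5 or newer for password_verify() and finally.

```php
<?php
// Added example: prepared-statement login lookup with exception-based error handling.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws instead of returning false

require_once 'databaseconnection.php'; // assumed to provide $dbc (mysqli), as in the question

// Returns ['UserName' => ..., 'Password' => ...] or null when no such user exists.
function findUser(mysqli $dbc, $username)
{
    $stmt = $dbc->prepare('SELECT UserName, Password FROM userlogin WHERE UserName = ?');
    $stmt->bind_param('s', $username); // no escaping function to get wrong
    $stmt->execute();
    $stmt->bind_result($dbUser, $dbHash);
    $row = $stmt->fetch() ? array('UserName' => $dbUser, 'Password' => $dbHash) : null;
    $stmt->close();
    return $row;
}

// True only when the user exists and the password matches the stored hash
// (assumption: Password holds a password_hash() value).
function checkLogin(mysqli $dbc, $username, $password)
{
    $row = findUser($dbc, $username);
    if ($row === null) {
        return false;
    }
    return password_verify($password, $row['Password']);
}

$username = isset($_POST['username']) ? $_POST['username'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : ''; // assumed form field

try {
    if (checkLogin($dbc, $username, $password)) {
        echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    } else {
        // Same message for "unknown user" and "wrong password".
        echo 'Invalid username or password.';
    }
} catch (mysqli_sql_exception $e) {
    // The real cause stays in the server log; the user sees nothing about SQL.
    error_log('Login query failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
} finally {
    $dbc->close(); // cleanup runs on every path, which or die() never allows
}
```

Compared with the code in the question, this also removes the mixed-API problem: the question calls mysql_real_escape_string() while querying through mysqli_query(), and with no mysql_ connection open that call returns an empty result, so the query silently searches for an empty username.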

PHP MYSQL error - "You have an error in your SQL syntax; check ... for the right syntax to use near

The exact error message is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where rfflag='0'' at line 1
Hi,
I'm trying to get some php scripts working and it dies with the above error message. There are two locations where rfflag is used in the SQL query:
$_SESSION['lang']=$objTerm->my_get_one("select min(id) from "
.$objTerm->TABLE['languages']." where status='1' and rfflag='0'");
$rs_lang=$objTerm->execute_query("select id,language from "
.$objTerm->TABLE['languages']." where `status`='1' and `rfflag`='0'");
How do I determine which one is causing the problem? Or is the problem something else altogether?
Echo this:
"select id,language from ".$objTerm->TABLE['languages']." where status='1' and rfflag='0'"
and this:
"select min(id) from ".$objTerm->TABLE['languages']." where status='1' and rfflag='0'"
Then execute each output in your favorite SQL developer tool.
Errors will be displayed there.
How do I determine which one is causing the problem?
Remove one of the queries. See if it still happens.
On second thought, I would suggest that you change your MySQL query code so that it doesn't use die() to print out the error message. Use trigger_error or exceptions instead; this way you will automatically get a trace of which line caused it.
How do I determine which one is causing the problem?
use trigger_error() to output an error message.
I guess (I have to guess because you supply no code) that you are using die() to output an error.
If you change this bad-practice function to trigger_error(), you will be able to see the line number where the error occurred.
If you add not only mysql_error() to its output, but also the query itself, you will be able to see the problem code too.
I guess $objTerm->TABLE['languages'] is undefined or does not have the value you’re expecting.
As sheeks06 has already suggested, just echo the query to see if everything is as expected:
$query = "select min(id) from "
.$objTerm->TABLE['languages']." where status='1' and rfflag='0'";
echo $query;
$_SESSION['lang']=$objTerm->my_get_one($query);
$query = "select id,language from "
.$objTerm->TABLE['languages']." where `status`='1' and `rfflag`='0'";
echo $query;
$rs_lang=$objTerm->execute_query($query);
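The last answer's guess (an undefined $objTerm->TABLE['languages']) is the same failure as the UPDATE $table_name question earlier on this page, and the backtick question at the top is its cousin: a table name that is undefined, contains a space, or is a reserved word breaks the SQL text, and a table name cannot be sent as a bound parameter because placeholders stand for values, not identifiers. The added example below (not from any of the original posts) shows the check a practitioner wants in that situation: identifiers come from an allowlist and are backtick-quoted, and the query wrapper raises an exception whose message carries the SQL, so the failing statement shows up in the log without die(). The allowlist contents, connection placeholders and the 'undefined-key' lookup are constructed for the example.

```php
<?php
// Added example: allowlisted, backtick-quoted table names plus a query wrapper
// that reports the SQL text on failure.

// Logical name => real table name. Only values from this map are ever
// interpolated into SQL. Constructed for the example.
$ALLOWED_TABLES = array(
    'languages' => 'languages',
    'users'     => 'database',   // a reserved word, so quoting is mandatory
);

// Accepts only a plain identifier and wraps it in backticks.
function quoteIdentifier($name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException('Bad SQL identifier: ' . var_export($name, true));
    }
    return '`' . $name . '`';
}

// Resolves a logical table name through the allowlist; unknown or undefined
// keys fail here, before any SQL is built.
function tableRef(array $allowed, $logical)
{
    if (!is_string($logical) || !isset($allowed[$logical])) {
        throw new InvalidArgumentException('Unknown table: ' . var_export($logical, true));
    }
    return quoteIdentifier($allowed[$logical]);
}

// Runs a query; the exception message includes the SQL so the log shows which
// of several similar statements broke.
function runQuery(mysqli $db, $sql)
{
    $result = $db->query($sql);
    if ($result === false) {
        throw new RuntimeException("Query failed: {$db->error}\nSQL: {$sql}");
    }
    return $result;
}

// The first query from the question, built through the helpers above.
function minLanguageId(mysqli $db, array $allowed)
{
    $sql = 'SELECT MIN(id) FROM ' . tableRef($allowed, 'languages')
         . " WHERE `status` = '1' AND `rfflag` = '0'";
    $row = runQuery($db, $sql)->fetch_row();
    return $row ? $row[0] : null;
}

$db = new mysqli('host', 'login', 'passwd', 'db'); // placeholders
try {
    if ($db->connect_errno) {
        throw new RuntimeException('Cannot connect: ' . $db->connect_error);
    }
    var_dump(minLanguageId($db, $ALLOWED_TABLES));

    // A key that is not in the allowlist fails with a clear message instead of
    // producing "select min(id) from  where status='1' ..." at the server.
    tableRef($ALLOWED_TABLES, 'undefined-key');
} catch (Exception $e) {
    error_log($e->getMessage());   // full detail, including SQL, server-side only
    echo 'Database error, see server log.';
}
```

The regular expression deliberately rejects spaces, hyphens and backticks, which are the characters the UPDATE answer above suspected in $table_name; anything that passes it is safe to wrap in backticks, and wrapping also neutralises reserved words such as `database` from the first question.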
