Issue with mysql_real_escape_string - php

I have the following query:
SELECT * FROM ships WHERE shipCode="SP"
SELECT * FROM ships WHERE shipCode=\"SP\"
The first works fine, the second which is the result of calling mysql_real_escape_string on the first string, doesn't work and gives the useless error message #1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\"SP\"' at line 1
What's wrong with it?
shipCode is a VARCHAR(2)

You're not supposed to call mysql_real_escape_string on the whole string. You use it only on the values you're concatenating into your query.
Wrong:
$query = 'SELECT * FROM ships WHERE shipCode="' . $var . '"';
$query = mysql_real_escape_string($query);
Right:
$query = 'SELECT * FROM ships WHERE shipCode="' . mysql_real_escape_string($var) . '"';
Even better: Prepared statements.
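The "even better" option, written out as an added example (this is not code from the original answer). It uses PDO with an in-memory SQLite database so it runs without a MySQL server; for MySQL only the DSN changes (e.g. `new PDO('mysql:host=localhost;dbname=fleet', $user, $pass)`). The `ships` rows are constructed sample data, and `findShip` is a helper name chosen here.

```php
<?php
// Added example: the ships lookup as a prepared statement. In-memory SQLite
// via PDO so it runs offline; swap the DSN for a mysql: one in production.
// Table contents below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ships (shipCode VARCHAR(2) PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO ships VALUES ('SP', 'Spirit'), ('AU', 'Aurora')");

/**
 * Look up ships by code. The SQL text is fixed and contains no quoting of
 * the value at all; the driver sends $shipCode as a bound parameter, so
 * quotes, backslashes or SQL keywords inside it are just characters.
 */
function findShip(PDO $pdo, string $shipCode): array
{
    $stmt = $pdo->prepare('SELECT * FROM ships WHERE shipCode = :code');
    $stmt->execute([':code' => $shipCode]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Normal lookup: one row.
print_r(findShip($pdo, 'SP'));

// Input containing quote characters: concatenated into the SQL this is what
// produced the #1064 syntax error in the question; bound as a parameter it
// is simply a two-character-plus-quotes code that matches no row.
print_r(findShip($pdo, '"SP"'));

// Input that looks like SQL is still compared as a literal string, so the
// WHERE clause is not altered and no rows come back.
print_r(findShip($pdo, 'SP" OR "1"="1'));
```

Note that the query string never changes between calls; only the bound value does. That is the property escaping-by-hand tries to approximate and regularly gets wrong, as the three related questions below show.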

You need to have a valid connection with MySQL set up before you use mysql_real_escape_string. Do it like this:
$attr = "sp";
$query = "Select * from ships where shipcode = '" . mysql_real_escape_string($attr) . "'";

Related

PHP MySQL command syntax error

This sql query is not working:
$sql = "INSERT INTO top(topic_subject,topic_date, topic_cat, topic_by)
VALUES(" . mysql_real_escape_string($_POST['topic_subject']) . " , NOW()," . mysql_real_escape_string($_POST['topic_cat']) . " , " . isset ($_SESSION['user_id']) . ")";
How can I fix it? I am getting this error message.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 2
It's likely that topic_subject is character data. To include literal strings in SQL text, it should be enclosed in single quotes.
... VALUES ('abc', ...
If you used prepared statements, this wouldn't be an issue, and for the love of all things that are beautiful and good in this world, don't use the deprecated PHP mysql_ interface for new development. It's been superseded by the mysqli_ and PDO interfaces.
You forgot the quotes.
$sql = "INSERT INTO top(topic_subject,topic_date, topic_cat, topic_by)
VALUES('" . mysql_real_escape_string($_POST['topic_subject']) . "' , NOW(),'" . mysql_real_escape_string($_POST['topic_cat']) . "' , '" . isset ($_SESSION['user_id']) . "')";
And be aware that mysql_* is deprecated. Use PDO or mysqli instead.
There are a couple of problems here.
Quote your strings
Make sure your data is of the correct type
$topic_subject = mysql_real_escape_string($_POST['topic_subject']);
$topic_date = 'NOW()'; // a SQL expression, kept as text and inserted unquoted below
$topic_cat = mysql_real_escape_string($_POST['topic_cat']);
$topic_by = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : ""; // always returns a string value.
$sql = "INSERT INTO top(topic_subject,topic_date, topic_cat, topic_by)
VALUES('{$topic_subject}' , {$topic_date}, '{$topic_cat}' , '{$topic_by}')";
It may help you to use more variables in your code (shown) so that you can use a debugger to verify that the strings and variables you create have the values you intend them to have.
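The same INSERT as a prepared statement, added here as an example (not code from any of the answers above). It runs against an in-memory SQLite database through PDO; for MySQL only the DSN changes. `NOW()` is MySQL-specific, so the SQL uses `CURRENT_TIMESTAMP`, which both MySQL and SQLite accept. `$_POST` and `$_SESSION` are replaced by constructed sample arrays so the script runs from the command line, and `insertTopic` is a helper name chosen here.

```php
<?php
// Added example: INSERT with bound values. Constructed stand-ins for the
// request and session so this runs offline from the command line.
$post    = ['topic_subject' => "Bob's first post", 'topic_cat' => '3'];
$session = [];   // no user_id: the visitor is not logged in

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE top (
    topic_id      INTEGER PRIMARY KEY,
    topic_subject TEXT NOT NULL,
    topic_date    TIMESTAMP NOT NULL,
    topic_cat     INTEGER NOT NULL,
    topic_by      INTEGER NULL
)');

function insertTopic(PDO $pdo, array $post, array $session): int
{
    // SQL expressions such as CURRENT_TIMESTAMP stay in the query text;
    // only the data values become placeholders, so the quoting question
    // from the original code never arises.
    $stmt = $pdo->prepare(
        'INSERT INTO top (topic_subject, topic_date, topic_cat, topic_by)
         VALUES (:subject, CURRENT_TIMESTAMP, :cat, :by)'
    );

    // Bind each value with its intended SQL type. The original code
    // concatenated isset(...) into the SQL, which yields "1" or "" rather
    // than the user id; here the id is bound as an integer, or NULL when
    // nobody is logged in.
    $stmt->bindValue(':subject', $post['topic_subject'], PDO::PARAM_STR);
    $stmt->bindValue(':cat', (int) $post['topic_cat'], PDO::PARAM_INT);
    if (isset($session['user_id'])) {
        $stmt->bindValue(':by', (int) $session['user_id'], PDO::PARAM_INT);
    } else {
        $stmt->bindValue(':by', null, PDO::PARAM_NULL);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

$id = insertTopic($pdo, $post, $session);

// Read the row back, again with a bound parameter.
$check = $pdo->prepare('SELECT * FROM top WHERE topic_id = :id');
$check->execute([':id' => $id]);
print_r($check->fetch(PDO::FETCH_ASSOC));   // subject keeps its apostrophe; topic_by is NULL
```

The apostrophe in "Bob's first post" is the case that breaks hand-quoted SQL most often; with a bound parameter it needs no special handling.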

Error using mysql_query() in PHP

My Code looks like below.
$var = 'ID="'. mysql_real_escape_string($data[0]).'" AND SYS="'.mysql_real_escape_string($data[2]). '" AND TITLE="'.mysql_real_escape_string($data[1]).'"';
$sql = 'SELECT * FROM `table_name` WHERE '. $var;
$result = mysql_query($sql);
In the WHERE condition, when TITLE contains a single quote (') I am facing the error below, even though the mysql_real_escape_string() function is being used.
The error thrown is
Resource id #5You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Created', 'Test', 'Test', '0000-00-00 00:00:00', ' at line 25
After your dumping, it looks like you have a problem with an apostrophe.
You may change your quotes like that:
$var = "ID='". mysql_real_escape_string($data[0])."' AND SYS='".mysql_real_escape_string($data[2]). "' AND TITLE='".mysql_real_escape_string($data[1])."' ";
$sql = "SELECT * FROM `table_name` WHERE ". $var;
$result = mysql_query($sql);
$finalvar=stripslashes($var);
$sql = 'SELECT * FROM table_name WHERE '. $finalvar;
Try dumping your SQL query in its complete form right before it is sent.
You'll be able to spot the error that way.

WHERE id_member = 1 doesn't work in MYSQL

Well I have that code:
$query="INSERT INTO ".$db_prefix."members (badges) VALUES ('$id_badge') WHERE id_member = '$user_id'";
And PHP drop me that error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id_member = '1'' at line 1
What can I do? :/
SORRY TO EVERY PERSON WHO HAS REPLIED TO ME, I WAS WRONG WITH THE $QUERY, I HAVE EDITED IT TO THE CORRECT QUERY, NOW YOU CAN ANSWER ME. THANKS. :D
To every person that has voted me down, I'm starting in MySQL... ¬¬
Try it like
$query="UPDATE ".$db_prefix."members SET badges = '$id_badge' WHERE id_member = '$user_id'";
You need to UPDATE the table, not INSERT. And try to avoid mysql_* statements, because the entire ext/mysql PHP extension, which provides all functions named with the prefix mysql_*, is officially deprecated as of PHP v5.5.0 and will be removed in the future.
There are two other MySQL extensions that you can better use: MySQLi and PDO_MySQL, either of which can be used instead of ext/mysql.
You can't use WHERE in INSERT INTO. Use UPDATE command:
$query = "UPDATE " . $db_prefix . "members SET badges = '" . $id_badge . "' WHERE id_member = '" . $user_id . "'";
You are doing it wrong; do not insert the data, just update it.
#mysql_query("UPDATE ".$db_prefix."members SET badges = '".$id_badge."' WHERE member_id='".$user_id."'");
$query = "UPDATE `".$db_prefix."members`
SET badges=$id_badge
WHERE id_member =".$user_id;
Try putting up the line below:
$query = mysql_query("SELECT `badges` FROM ".$db_prefix."members WHERE `id_member` = ".(int)$id_del_usuario."");
Your second query:
$query="INSERT INTO ".$db_prefix."members SET (badges) VALUES (".$id_badge.") WHERE `id_member` = ".$user_id."";

mysql check manual error

Came across an error I have never seen before after writing the following code:
$query= "UPDATE `Pharm_Log` SET `text` = ". $bloodtest . " WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
My error message was this
"You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'Pressure Test: 235/43 WHERE id = 1' at line 1"
Anyone have any idea on how to fix this? It would be greatly appreciated.
The string literal (the value of $bloodtest) must be wrapped in single quotes:
$query= "UPDATE `Pharm_Log` SET `text` = '". $bloodtest . "' WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());
As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from the outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of putting single quotes around values.
How to prevent SQL injection in PHP?

MYSQL Update Syntax error with string input

My code is below:
$count++;
$yesstring = 'MATCH';
echo $count . '. RESULT ' . $idcheck . ': ' . $phonecheck . ' was matched. <br />';
$matchquery = sprintf("UPDATE `list` SET match = `%s` WHERE homephone = `%s` LIMIT 1",
mysql_real_escape_string($yesstring),
mysql_real_escape_string($phonecheck));
$matchresult = mysql_query($matchquery);
if (!$matchresult) {
die("Invalid query: " . mysql_error());
}
And this is my error:
Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'match = MATCH WHERE homephone = (999) 999-9999 LIMIT 1' at line 1
Any help would be appreciated.
match is a reserved word in MySQL. Escape it with backticks:
UPDATE `list` SET `match` = ...
You're using backticks when you should be using regular quotes. Backticks are reserved for escaping table or column names:
INSERT INTO `foo` VALUES ('value')
Although you're properly escaping your SQL, calling mysql_real_escape_string can prove to be a constant nuisance. Switching to mysqli or PDO would make writing correct SQL a lot easier in the long-run.
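An added example (not code from any answer on this page) that covers two of the questions above at once: changing an existing row is an UPDATE ... WHERE rather than an INSERT (the members/badges question), and a column whose name is a reserved word, here `match`, is quoted with backticks while string values are bound as parameters (this question). It runs against an in-memory SQLite database through PDO; SQLite also accepts backtick-quoted identifiers and also reserves MATCH, so the statement is the same one you would send to MySQL, and only the DSN changes. The `list` rows are constructed sample data and `markMatched` is a helper name chosen here.

```php
<?php
// Added example: UPDATE with a reserved-word column name and bound values.
// In-memory SQLite via PDO so it runs offline; table rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `list` (id INTEGER PRIMARY KEY, homephone TEXT, `match` TEXT)');
$pdo->exec("INSERT INTO `list` (homephone, `match`) VALUES ('(999) 999-9999', NULL), ('(555) 555-0100', NULL)");

/**
 * Mark the row for $phone as matched. Returns the number of rows changed, so
 * the caller can tell "no such phone number" (0) apart from success (1),
 * which a bare mysql_query()/die() check cannot do.
 */
function markMatched(PDO $pdo, string $phone, string $flag = 'MATCH'): int
{
    // Backticks: identifier quoting, needed because MATCH is a reserved word.
    // Placeholders: the data values, so "(999) 999-9999" never touches the SQL
    // text and needs neither quotes nor escaping.
    $stmt = $pdo->prepare('UPDATE `list` SET `match` = :flag WHERE homephone = :phone');
    $stmt->execute([':flag' => $flag, ':phone' => $phone]);
    return $stmt->rowCount();
}

var_dump(markMatched($pdo, '(999) 999-9999'));  // int(1): one row updated
var_dump(markMatched($pdo, '(000) 000-0000'));  // int(0): no such number, nothing changed

// Read back to confirm only the intended row changed.
foreach ($pdo->query('SELECT homephone, `match` FROM `list` ORDER BY id') as $row) {
    echo $row['homephone'], ' => ', var_export($row['match'], true), PHP_EOL;
}
```

The two kinds of quoting never mix here: backticks appear only around identifiers in the fixed SQL text, and values arrive through placeholders, so the confusion between `'...'`, `"..."` and backticks that runs through every question on this page cannot occur.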
