This query is not returning any result as there seems to be an issue with the sql.
$sql = "select region_description from $DB_Table where region_id='".$region_id."' and region_status =(1)";
$res = mysql_query($sql,$con) or die(mysql_error());
$result = "( ";
$row = mysql_fetch_array($res);
$result .= "\"" . $row["region_description"] . "\"";
while($row = mysql_fetch_array($res))
{
echo "<br /> In!";
$result .= " , \"" . $row["region_description"] . "\"";
}
$result .= " )";
mysql_close($con);
if ($result)
{
return $result;
}
else
{
return 0;
}
region_id is passed as 1.
I do have a record in the DB that fits the query criteria but no rows are returned when executed. I beleive the issue is in this part ,
region_id='".$region_id."'
so on using the gettype function in my php it turns out that the datatype of region_id is string not int and thus the failure of the query to function as my datatype in my tableis int. what would be the way to get parameter passed to be considered as an int in php. url below
GetRegions.php?region_id=1
Thanks
Try it like this:
$sql = "SELECT region_description FROM $DB_Table WHERE region_id = $region_id AND region_status = 1"
The region_id column seems to be an integer type, don't compare it by using single quotes.
Try dropping the ; at the end of your query.
First of all - your code is very messy. You mix variables inside string with escaping string, integers should be passed without '. Try with:
$sql = 'SELECT region_description FROM ' . $DB_Table . ' WHERE region_id = ' . $region_id . ' AND region_status = 1';
Also ; should be removed.
try this
$sql = "select region_description from $DB_Table where region_id=$region_id AND region_status = 1";
When you are comparing the field of type integer, you should not use single quote
Good Luck
Update 1
Use this.. It will work
$sql = "select region_description from " .$DB_Table. " where region_id=" .$region_id. " AND region_status = 1";
You do not need the single quotes around the region id i.e.
$sql = "SELECT region_description FROM $DB_Table WHERE region_id = $region_id AND region_status = 1"
Related
I am trying to updata a database table using pq_query in PHP. I have the following code:
$q = "UPDATE tableName SET ('data1 = " . $data1 . "', data2='" . $data2 . "') WHERE user=".$user;
$success = pg_query($q);
if (!$success) {
$errormessage = pg_last_error();
echo "Error " . $errormessage;
}
I am getting the following error message:
ERROR: syntax error at or near "'data1 = '"
LINE 1: UPDATE tableName SET ('data1 = 10', data2= 20'') WHERE user=
Replace your query with this query
$q = "UPDATE tableName SET data1 = '$data1', data2='$data2' WHERE user='$user'";
Explaination: You should pass variable in single quotes('') if your query in double quotes.
You are using a lot of quotes which it is not understood by PostgreSQL, try simply this :
$q = "UPDATE tableName SET data1 = " . $data1 . ", data2=" . $data2 . " WHERE user=".$user;
Remove those single quotes !
I'm working on a search query and i hit a little bump... So as you see in the code below, i'm adding values to a array to execute it later in the script, but it's not really working... So when i var_dumped all of this, it returned like it is supposed to but the :q was not changed to the value which was entered in the link.
$query = "SELECT * FROM articles";
$columnsQuery = [];
$values = [];
if(isset($_GET['q']) && !empty($_GET['q']))
{
$columnsQuery[] = " WHERE MATCH (title) AGAINST (':q' IN NATURAL LANGUAGE MODE)";
$values[":q"] = $_GET['q'];
}
$fullQuery = $query . implode(" ", $columnsQuery)
. " ORDER BY id DESC"
. " LIMIT {$paginator->getLimitSQL()}";
$getArticles = $db->prepare($fullQuery)->execute($values);
$query = "SELECT * FROM articles";
$columnsQuery = [];
$values = [];
if(isset($_GET['q']) && !empty($_GET['q']))
{
$columnsQuery[] = " WHERE MATCH (title) AGAINST (':q' IN NATURAL LANGUAGE MODE)";
$values["q"] = $_GET['q']; // TRY WITHOUT COLON
}
$fullQuery = $query . implode(" ", $columnsQuery)
. " ORDER BY id DESC"
. " LIMIT {$paginator->getLimitSQL()}";
$getArticles = $db->prepare($fullQuery)->execute($values);
You should not use colon in the place of $values["q"] = $_GET['q'];
$query = "SELECT * FROM articles";
$columnsQuery = [];
$values = [];
if(isset($_GET['q']) && !empty($_GET['q']))
{
$columnsQuery[] = " WHERE MATCH (title) AGAINST (':q' IN NATURAL LANGUAGE MODE)";
$values["q"] = $_GET['q']; // TRY WITHOUT COLON
}
$fullQuery = $query . implode(" ", $columnsQuery)
. " ORDER BY id DESC"
. " LIMIT {$paginator->getLimitSQL()}";
$getArticles = $db->prepare($fullQuery)->execute($values);
$query = "SELECT * FROM articles";
$values = array();
if(!empty($_GET['q'])) {
$query .= " WHERE MATCH (title) AGAINST (q IN NATURAL LANGUAGE MODE)";
$db->bindParam(':q', $_GET['q']);
}
$fullQuery = $query . " ORDER BY id DESC" . " LIMIT {$paginator->getLimitSQL()}"
$getArticles = $db->prepare($fullQuery)->execute();
So after a while i figured it out, You're not supposed to use parameters while binding in the query, and like #Poiz pointed out i shouldnt use colons in the array either
Thx to everyone who tried helping :)
//$type has value of "Hello+World"
$type = $_POST['series'];
$sql = "select max(id) from TABLE_NAME where type = " . $type;
$result = sybase_query ($sql, $db_ro_conn) or die(db_error("query failed $sql"));
$row = sybase_fetch_row($result)
I get the error "incorrect syntax near "=". y15, procedure N/A in the $sql line.
What are the possible reasons why this is happening? Somehow it doesn't work. Would appreciate any help, thanks!
Put quotes around your $type like this:
$type = $_POST['series'];
$sql = "select max(id) from TABLE_NAME where type = '" . $type. "'";
$result = sybase_query ($sql, $db_ro_conn) or die(db_error("query failed $sql"));
$row = sybase_fetch_row($result)
Let me start with this. ALWAYS escape POST/GET values in your query!
The error is probably caused by $type is string and not quoted. Try changing $sql to
$sql = "select max(id) from TABLE_NAME where type = '" . $type."'";
You are not quoting the value:
$type = str_replace("'", "''", $_POST['series']);
$sql = "select max(id) from TABLE_NAME where type = '" . $type . "'";
Is there anything wrong with this SQL code? I got it from a tutorial, but it's returning the following error message
Database query failed: You have an
error in your SQL syntax; check the
manual that corresponds to your MySQL
server version for the right syntax to
use near 'LIMIT 1' at line 1
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id=" . $subject_id ." ";
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// if no rows are returned, fetch array will return false
if ($subject = mysql_fetch_array($result_set)){
return $subject;
} else {
return NULL;
}
}
Best to echo the query and see what it looks like.
Probably $subject_id contains no value or an invalid value. If $subject_id is a string, you should escape it (using mysql_real_escape_string) and put it inside quotes in the query.
[Edit]
You know you can put enters in strings too, right?
// More readable
$query = "
SELECT *
FROM subjects
WHERE id = $subject_id
LIMIT 1";
$query .= "where id=" . $page_id . " ";
Needs to be put within single quotes. Replace the above statement by
$query .= "where id='" . $page_id . "' ";
Frankly, it's impossible to say what is exactly wrong with this code, not knowing what values are substituted in the query in place of variables.
Apart from that, the code in question may be subject to SQL injection attacks.
If I may put together other suggestions that will make sure no error is ever generated with this code:
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id='" . mysql_real_escape_string($subject_id) ."' ";
// note the quotes and escaping wrapper
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// if no rows are returned, fetch array will return false
if ($subject = mysql_fetch_array($result_set)) {
return $subject;
} else {
return NULL;
}
}
Additionally, using global variables is a bad practice nowadays, so I suppose the example you're using is quite outdated.
Try to use mysql_real_escape_string()
function get_subject_by_id($subject_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM subjects ";
$query .= "WHERE id='" . $subject_id ."' "; //You need single quotes
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// REMEMBER:
// if no rows are returned, fetch_array will return false
if ($subject = mysql_fetch_array($result_set)) {
return $subject;
} else {
return NULL;
}
}
$query .= "WHERE id='" . $subject_id ."' "; //work
$query .= "WHERE id=" . $subject_id ." "; //not work
I wrote this query:
$query = "UPDATE encodage_answer
SET Answer = geir
WHERE encodage_question_ID = 128
AND encodage_ID = 305
AND Extra = NULL";
$insert = mysql_query($query, $connection) or die(mysql_error());
But if I run this code I always get the same error:
Unknown column 'geir' in 'field list'
It's probably me but I think I am not saying geir is a column/field; what's the issue?
When I run this query directly in my PHPMyAdmin it works great.
Update: Full code:
The answer exists, $Extra variable is Null
$AnswerExists = answer_exists($Question_ID, $encodage_ID, $Extra);
if($AnswerExists <> ""){
if($Answer != NULL){
$correctAnswer = mysql_prep($Answer);
if($Extra != NULL){
$query = "UPDATE `encodage_answer` SET `Answer` = '" . mysql_prep($Answer) . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query, $connection) or die(mysql_error());
$query2 = "UPDATE `encodage_answer` SET `Extra` = '" . $Extra . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query2, $connection) or die(mysql_error());
}else{
$querytest = "UPDATE `encodage_answer` SET Answer = " . $Answer . " WHERE ID = " . $AnswerExists;
$insert = mysql_query($querytest, $connection) or die(mysql_error());
}
}
}
function answer_exists($Question_ID, $encodage_ID, $Extra){
global $connection;
$trfa = false;
echo $Question_ID . " - " . $encodage_ID . "<br />";
if($Extra <> ""){
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID} AND Extra = {$Extra}";
}else{
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID}";
}
Try putting single quotes around geir. By not quoting the string you want to set the column to, the SQL backend thinks you want to set the value of the Answer column to the value of the geir column. Since the geir column doesn't exist in your table, it throws an error.
Edit: I suspect that PHPMyAdmin has some kind of SQL statement filtering to catch cases like this, and automatically puts quotes around the string for you.
Thanks for the help to everyone! I'm changing all queries to a safer format! SQL-Injection treats are no longer an issue! Thanks for the tip!
Concerning my question:
I'am a complete idiot! After searching for a solution for 20 hours I found my error! The error was for another query. I'm very sorry for wasting your time but I'm a newbie (ergo, the sql-injection issue), so I hope I am allowed to make a few mistakes.
Thanks
Jens