I can't get this to compile properly.
$username = mysql_real_escape_string($_GET['username']);
$about = mysql_real_escape_string($_GET['about']);
$icebreaker = mysql_real_escape_string($_GET['icebreaker']);
$query = "UPDATE '$mysql_database'.main SET about = '$about', icebreaker = '$icebreaker' WHERE username = '$username';";
I get the error
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near ''a4396957_users'.main
SET about = 'testing', icebreaker = 'ice' WHERE us' at line 1
Is there something missing in this statement?
Don't quote the database name with apostrophes or quotes:
$query = "UPDATE `$mysql_database`.`main` SET `about` = '$about', `icebreaker` = '$icebreaker' WHERE `username` = '$username';";
Use ` instead of '
$query = "UPDATE $mysql_database.main SET about = '$about', icebreaker = '$icebreaker' WHERE username = '$username';";
Certain objects within MySQL, including database, table, index, column, alias, view, stored procedure, partition, and other object names are known as identifiers.
The identifier quote character is the backtick (`).
If the ANSI_QUOTES SQL mode is enabled, it is also permissible to quote identifiers within double quotation marks:
mysql> CREATE TABLE "test" (col INT);
ERROR 1064: You have an error in your SQL syntax...
mysql> SET sql_mode='ANSI_QUOTES';
mysql> CREATE TABLE "test" (col INT);
Query OK, 0 rows affected (0.00 sec)
Query failed:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':c2 , add=:c3 , mob=:c4 WHERE id=:c1' at line 1
I have a syntax error in this program; I can't update the "cus" table in the database. Can anyone please solve this bug?
Thank you.
My PHP code is below:
if(isset($_POST['submit']))
{
$c1=$_POST['cid1'];
$c2=$_POST['cname1'];
$c3=$_POST['cadd1'];
$c4=$_POST['cmob1'];
$sql1 = "UPDATE 'cus' set 'name'=':c2' , 'add'=':c3' , 'mob'=':c4' WHERE 'id'=':c1'";
$st1=$conn->prepare($sql1);
$st1->bindParam(":c2",$c2,PDO::PARAM_STR);
$st1->bindParam(":c3",$c3,PDO::PARAM_STR);
$st1->bindParam(":c4",$c4,PDO::PARAM_STR);
$st1->bindParam(":c1",$c1,PDO::PARAM_INT);
$st1->execute();
header("location:frm.php");
}
You need to use backticks around table and column names, or just leave the quotes out entirely if the names are not reserved words. Single quotes are for strings. You also must NOT put placeholders inside quotes.
$sql1 = "UPDATE `cus` set `name`=:c2 , `add`=:c3 , `mob`=:c4 WHERE `id`=:c1";
Identifier quotes are not single quotes. They are supposed to be backticks. Just ditch them instead.
Placeholders don't need quotes wrapping them:
$sql1 = "UPDATE cus SET name = :c2 , `add` = :c3 , mob = :c4 WHERE id = :c1";
EDIT:
With the exception of the reserved word ADD, which requires backticks:
if(isset($_POST['submit'])) {
$c1 = $_POST['cid1'];
$c2 = $_POST['cname1'];
$c3 = $_POST['cadd1'];
$c4 = $_POST['cmob1'];
$sql1 = "UPDATE cus SET name = :c2 , `add` = :c3 , mob = :c4 WHERE id = :c1";
$st1 = $conn->prepare($sql1);
$st1->bindParam(":c2",$c2,PDO::PARAM_STR);
$st1->bindParam(":c3",$c3,PDO::PARAM_STR);
$st1->bindParam(":c4",$c4,PDO::PARAM_STR);
$st1->bindParam(":c1",$c1,PDO::PARAM_INT);
$st1->execute();
header('Location: frm.php');
}
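Both threads above come down to the same two rules: identifiers (database, table, column names) are quoted with backticks or not at all, and placeholders are never put inside quotes. The following is an added example, not code from either post. It assumes a MySQL server reachable with the placeholder DSN and credentials shown, the `cus` table from the second thread, and the same `$_POST` field names; `quoteIdent()` is a helper written for this example.

```php
<?php
// Added example (not from the original posts). Assumes a MySQL database
// reachable with the placeholder DSN/credentials below, a table `cus` with
// columns id, name, add, mob, and the $_POST field names from the thread.
declare(strict_types=1);

// Quote an identifier (database, table or column name) for MySQL.
// Identifiers cannot be bound as placeholders, so any identifier that is
// not a compile-time constant must come from an allowlist; doubling a
// backtick inside the name keeps the quoting intact. Reserved words such
// as `add` work once quoted this way.
function quoteIdent(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=a4396957_users;charset=utf8mb4', // assumed host/db
    'dbuser',                                                      // assumed credentials
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // a 1064 throws instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// Only table and column names listed here ever reach the query text.
$table   = 'cus';
$columns = ['name' => 'cname1', 'add' => 'cadd1', 'mob' => 'cmob1']; // column => $_POST field

$set = [];
foreach ($columns as $col => $postField) {
    // Placeholder stays unquoted; the identifier gets backticks.
    $set[] = quoteIdent($col) . ' = :' . $col;
}

$sql = 'UPDATE ' . quoteIdent($table)
     . ' SET ' . implode(', ', $set)
     . ' WHERE ' . quoteIdent('id') . ' = :id';
// Resulting text:
// UPDATE `cus` SET `name` = :name, `add` = :add, `mob` = :mob WHERE `id` = :id

$stmt = $pdo->prepare($sql);
foreach ($columns as $col => $postField) {
    $stmt->bindValue(':' . $col, (string) ($_POST[$postField] ?? ''), PDO::PARAM_STR);
}
// Cast the id so a non-numeric value never reaches the server as a string.
$stmt->bindValue(':id', (int) ($_POST['cid1'] ?? 0), PDO::PARAM_INT);
$stmt->execute();

printf("%d row(s) updated\n", $stmt->rowCount());
```

With `ATTR_EMULATE_PREPARES` off, PDO sends the statement text and the bound values to the server separately, so a value such as `'; DROP TABLE cus; --` is stored as that literal string in `name` rather than parsed. The identifier helper is the one place where a name is concatenated into SQL, which is why it only ever receives entries from the fixed `$columns` array.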
While the following query works with phpmyadmin, when I use mysqli->query(), a syntax error occurs
START TRANSACTION;
SELECT Value INTO #Increment FROM SystemConfiguration WHERE `Key` = 'POIncrement' FOR UPDATE;
UPDATE SystemConfiguration SET Value = Value + #Increment WHERE `Key` = 'POID';
COMMIT;
The syntax error message:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT Value INTO #Increment FROM SystemConfiguration WHERE `Key` = 'POIncrement' at line 2
Is it that mysqli prepares the query and adds something in?
$sql = <<<SQL
START TRANSACTION;
-- User variables are written @name; a # starts a comment in MySQL,
-- so "INTO #Increment" would swallow the rest of the line.
SELECT Value
INTO @Increment
FROM SystemConfiguration
WHERE `Key` = 'POIncrement' FOR UPDATE;
UPDATE SystemConfiguration
SET Value = Value + @Increment
WHERE `Key` = 'POID';
COMMIT;
SQL;
$res = mysqli_multi_query($connection, $sql);
// Drain every result set, or the next query on this connection fails with "Commands out of sync".
do {
    if ($r = mysqli_store_result($connection)) {
        mysqli_free_result($r);
    }
} while (mysqli_more_results($connection) && mysqli_next_result($connection));
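`mysqli_multi_query()` does make the batch run, but it also turns on stacked statements for that call, which is exactly what an injected `; DROP TABLE ...` needs. The same read-lock-then-add can be done with ordinary single statements inside a transaction, which `mysqli->query()`/`prepare()` accept without complaint. This is an added example, not the answer's code; it assumes the `SystemConfiguration(`Key`, Value)` table from the question and placeholder connection details, and `bumpPoId()` is a function written for this example.

```php
<?php
// Added example (not from the original post or answer). Assumes the
// SystemConfiguration(`Key`, Value) table from the question; host, database
// and credentials below are placeholders.
declare(strict_types=1);

// Make mysqli throw exceptions so a failed statement cannot be skipped silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$connection = new mysqli('127.0.0.1', 'dbuser', 'dbpass', 'appdb'); // assumed
$connection->set_charset('utf8mb4');

/**
 * Atomically add the POIncrement setting to POID and return the new POID.
 * Every statement is sent on its own, so no multi_query() is needed and
 * stacked statements stay disabled on the connection.
 */
function bumpPoId(mysqli $db): int
{
    $db->begin_transaction();
    try {
        // FOR UPDATE locks the POIncrement row until COMMIT, so two concurrent
        // callers cannot both read the same increment and race on the update.
        $stmt = $db->prepare(
            'SELECT Value FROM SystemConfiguration WHERE `Key` = ? FOR UPDATE'
        );
        $key = 'POIncrement';
        $stmt->bind_param('s', $key);
        $stmt->execute();
        $stmt->bind_result($increment);
        if (!$stmt->fetch()) {
            throw new RuntimeException('POIncrement setting is missing');
        }
        $stmt->close();

        // The addition happens server-side in one statement; the increment is
        // bound as an integer rather than interpolated into the SQL text.
        $stmt = $db->prepare(
            'UPDATE SystemConfiguration SET Value = Value + ? WHERE `Key` = ?'
        );
        $key = 'POID';
        $inc = (int) $increment;
        $stmt->bind_param('is', $inc, $key);
        $stmt->execute();
        $stmt->close();

        // Read back the value we just committed to, still inside the transaction.
        $stmt = $db->prepare('SELECT Value FROM SystemConfiguration WHERE `Key` = ?');
        $stmt->bind_param('s', $key);
        $stmt->execute();
        $stmt->bind_result($newValue);
        $stmt->fetch();
        $stmt->close();

        $db->commit();
        return (int) $newValue;
    } catch (Throwable $e) {
        $db->rollback(); // release the FOR UPDATE lock on any failure
        throw $e;
    }
}

echo bumpPoId($connection), "\n";
```

Because `MYSQLI_REPORT_STRICT` is on, a syntax error or a missing row surfaces as an exception, the `catch` rolls the transaction back, and the row lock taken by `FOR UPDATE` is released instead of being held until the PHP process ends.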
I have the code below that UPDATE my database record.
$assign_id_input = $_POST['assign_id_input']; // Get ID input from user, it is always an integer
$assign_math = $_POST['input_math']; // Get the input from user
mysql_query("UPDATE free_ebook SET math = $assign_math WHERE useid = $assign_id_input;")or die(mysql_error());
I will display the SQL error below
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'WHERE useid = 8' at line 1
I bet your 'math' column is a String so you have to secure the String with quotes around your variable.
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input;")or die(mysql_error());
The math data is in string format and it should be passed as a string.
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input;")or die(mysql_error());
You should enclose variables in the SQL query with single quotes, like this:
Code:
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = '$assign_id_input'");
' is only used for column values, and it is for text/date/varchar types. Please take a look at the column value which you are updating.
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input")
You have ; inside the query, take it out
mysql_query("UPDATE free_ebook SET math = '$assign_math' WHERE useid = $assign_id_input")or die(mysql_error());
What's wrong with my code?
Basically what I'm trying to do is add a number and update a field in the SQL with what is connected to the variable. But since steamids look like STEAM_0:0:123123123 or STEAM_0:1:123123123, I get this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':0:14166834' at line 1
This is just for learning, so I know my code has useless echos, but it's just to see it being added and to make sure I was doing it correctly anyway.
addmoney.php
<?php
include("inc/config.php");
$mysteamid=mysql_real_escape_string($_POST['mysteamid']);
$sql = "SELECT * FROM $tbl_name WHERE steamid='$mysteamid'";
$result=mysql_query($sql);
$cash=mysql_result($result, 0, 'cash'); // outputs 7th
echo $cash;
$newcash= $cash + "10000";
echo "\n";
echo $newcash;
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
?>
index.php contains a working form; it's not really required for the error in my code.
My main problem is this line from addmoney.php, which is
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = $mysteamid") or die(mysql_error());
As your steamid field in your DB is a string (it seems to be, as possible values are STEAM_0:0:123123123 and STEAM_0:1:123123123), you must use quotes around the value:
mysql_query("UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'");
Using mysql_real_escape_string() is necessary, as it escapes quotes inside the variable you pass it as a parameter -- but you still have to put quotes around the string in your SQL queries.
In the first query you surrounded your $mysteamid value with single quotes, and in the second query you didn't. If the steamid is a string type, you need to surround the value with quotes, like
"UPDATE $tbl_name SET `cash` = $newcash WHERE `steamid` = '$mysteamid'"
This is a simple one. I am using the following insert query:
mysql_query("insert into table1 set saltval = 'Y'Z' where uid ='1'");
but it does not work, because the value for the field saltval is Y'Z. My question is how to make this value be treated as a string.
You need to escape any single quotes with a backslash.
mysql_query("insert into table1 set saltval = 'Y\'Z' where uid ='1'");
However your SQL is invalid as well... Did you mean to do an update? Insert statements don't have a where.
As mentioned in other answers, if the input is from a user then you should use mysql_real_escape_string()
http://www.php.net/manual/en/function.mysql-real-escape-string.php
$string = mysql_real_escape_string("Y'Z");
mysql_query("insert into table1 set saltval = '{$string}' where uid ='1'");
Always use mysql_real_escape_string() function for this if values come from user input
$query="insert into table1 set saltval = '".mysql_real_escape_string($InputVal)."' where uid ='1'";
See http://php.net/manual/en/function.mysql-real-escape-string.php
You have to add a backslash to certain characters to make your string fit into SQL syntax rules.
Assuming you're creating your query dynamically, PHP has a special escaping function for this, and you should use it for every quoted string in the query, no exceptions.
So, write your code like this:
$salt = "Y'Z";
$id = 1;
$salt = mysql_real_escape_string($salt);
$id = mysql_real_escape_string($id);
$sql = "update table1 set saltval = '$salt' where uid ='$id'";
mysql_query($sql) or trigger_error(mysql_error()." ".$sql);
to make it safe and fault-tolerant
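The last three threads (the free_ebook `math` update, the steamid `cash` update and the `Y'Z` salt) are all the same problem: a value is dropped into the SQL text, and the fix offered is to quote it and escape it. That works only when both halves are done, and the steamid thread shows the failure mode: `mysql_real_escape_string()` was applied but the quotes were left off, so the escaped value is still parsed as SQL. The following is an added example, not code from any of the posts. It assumes placeholder connection details, the `free_ebook(useid, math)` and `table1(uid, saltval)` tables from the questions, and a `players(steamid, cash)` table standing in for the unnamed `$tbl_name`; `legacyQuery()`, `setMath()`, `addCash()` and `setSalt()` are functions written for this example.

```php
<?php
// Added example (not from the original posts). Assumes a mysqli connection
// with placeholder credentials, the tables free_ebook(useid, math) and
// table1(uid, saltval) from the questions, and an assumed players(steamid, cash)
// table in place of the question's $tbl_name.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'dbuser', 'dbpass', 'appdb'); // assumed
$db->set_charset('utf8mb4'); // escaping and the server's charset must agree

// What the legacy pattern actually sends. Escaping only neutralises quote
// and backslash characters; a value placed into the SQL text without
// surrounding quotes is still read as SQL, so "8 OR 1=1" joins the WHERE clause.
function legacyQuery(mysqli $db, string $math, string $useid): string
{
    $m = $db->real_escape_string($math);
    $u = $db->real_escape_string($useid);          // no quotes around $u below
    return "UPDATE free_ebook SET math = '$m' WHERE useid = $u";
}
// legacyQuery($db, 'x', '8 OR 1=1') returns:
//   UPDATE free_ebook SET math = 'x' WHERE useid = 8 OR 1=1

// Prepared statements: the SQL text is fixed, values travel separately, and
// the type letters ('s' string, 'i' integer) tell the server how to treat each.
function setMath(mysqli $db, int $useid, string $math): int
{
    $stmt = $db->prepare('UPDATE free_ebook SET math = ? WHERE useid = ?');
    $stmt->bind_param('si', $math, $useid);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Add to cash on the server instead of SELECT, add in PHP, UPDATE: two
// requests arriving together can no longer overwrite each other's addition.
function addCash(mysqli $db, string $steamid, int $amount): int
{
    $stmt = $db->prepare('UPDATE players SET cash = cash + ? WHERE steamid = ?');
    $stmt->bind_param('is', $amount, $steamid);
    $stmt->execute();
    return $stmt->affected_rows;
}

// A value containing a quote needs no escaping at all when it is bound.
function setSalt(mysqli $db, int $uid, string $salt): int
{
    $stmt = $db->prepare('UPDATE table1 SET saltval = ? WHERE uid = ?');
    $stmt->bind_param('si', $salt, $uid);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage with the request fields from the threads; casts keep the types honest.
setMath($db, (int) ($_POST['assign_id_input'] ?? 0), (string) ($_POST['input_math'] ?? ''));
addCash($db, (string) ($_POST['mysteamid'] ?? ''), 10000);
setSalt($db, 1, "Y'Z");
```

Note that `mysql_real_escape_string()` belongs to the `mysql_*` extension, which was removed in PHP 7; `mysqli::real_escape_string()` is the equivalent, but as the example shows, binding the value makes the escape-and-quote step unnecessary for values, and the question of whether a column is "a string or a number" is answered by the type letter rather than by the quoting.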