Hello guys and girls im trying to a sql update but think i forgot a ' or a "
im getting this error messege
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Brock'='1'WHERE username = 'admin'' at line 1
The fault lies with in this bit of code if i take the code out the page loads witht he rest of the scripts on it. But need it two do the update.
$blah = mysql_query("UPDATE users SET '".$_SESSION['gymleader']."'='1'WHERE username = '".$_SESSION['username']."'")
or die(mysql_error());
Were am i going wrong ?
You miss a space between the '1' and the WHERE if I am not mistaken. And you should use backticks (`) when you want to escape a column name
So your code becomes:
$blah = mysql_query("UPDATE users SET `".$_SESSION['gymleader']."`='1' WHERE username = '".$_SESSION['username']."'")
Note the ` instead of the ' around the column name (right after the SET).
Further possible improvements:
In case the column is of type INT, you can replace the '1' by 1 (without the ')
You should never directly use the $_SESSION,$_POST,$_GET or other values which can be altered by users in your queries. Do a Google search on SQL injection for more information
UPDATE user SET field = '1' WHERE ...
instead of
UPDATE user SET 'field' = '1' WHERE ...
and if your field is of type int, you might use
UPDATE user SET field = 1 WHERE
If you want to escape your fieldname, use
`field`
in backticks `
Besides the fact that this looks like a bad idea to code like this, assuming you have a column named Brock then you should use this types of quotes instead:
$blah = mysql_query("UPDATE users SET `".$_SESSION['gymleader']."`='1' WHERE username = '".$_SESSION['username']."'")
or die(mysql_error());
Notice I replaced your ' with `
Related
The query I'm using (from php) is
"UPDATE articles SET
title='".$_POST['title']."',
contents='".$_POST['cont']."',
category='".$_POST['cat']."',
desc='".$_POST['desc']."'
WHERE stitle='".$_POST['stitle']."'";
and I get the error
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='hello' WHERE stitle='banana'' at line 1.
If I remove desc='".$_POST['desc']."' the query works. The field 'desc' is varchar(150). I can insert text directly from phpMyAdmin, the field is definitely called 'desc', and $_POST['desc'] definitely captures a value (I tried using echo $_POST['desc']; and a value is passed). I tried changing the code to desc='test' and that doesn't work.
Any ideas?
I managed to resolve the issue. I created a new column in the table, copied the information from 'desc' into that column, deleted 'desc'. I ran the query with the new column name, and it works. I don't know what the issue was, but that fixed it.
The problem are your $_POST['desc'] contains an apostrophe. I recommend you to use on all parameters the function mysqli_real_escape_string (doc: http://be2.php.net/manual/en/mysqli.real-escape-string.php).
Also, try to escape all rows and tables with backticks, to avoid reserved words creating errors.
Your query example looks like this with them:
"UPDATE `articles` SET `title` = '".mysqli::real_escape_string($_POST['title'])."', `contents` = '".mysqli::real_escape_string($_POST['cont'])."', `category` = '".mysqli::real_escape_string($_POST['cat'])."', `desc` = '".mysqli::real_escape_string($_POST['desc'])."' WHERE `stitle` = '".mysqli::real_escape_string($_POST['stitle'])."'";
If you are programming with procedural style calls to mysqli functions, use:
"UPDATE `articles` SET `title` = '".mysqli_real_escape_string($link, $_POST['title'])."', `contents` = '".mysqli_real_escape_string($link, $_POST['cont'])."', `category` = '".mysqli_real_escape_string($link, $_POST['cat'])."', `desc` = '".mysqli_real_escape_string($link, $_POST['desc'])."' WHERE `stitle` = '".mysqli_real_escape_string($link, $_POST['stitle'])."'";
(Obviosuly, replace $link with the variable initialized when you do mysqli_connect())
Using these function, you can avoid these errors, and, also, a lot of SQL exploits. There's no required if the variable contains an integer, but, you always need to check the data passed to the SQL engine to avoid problems.
Is a good practice, to have some checks, for example, testing who integer vars contains integers, or doing escape with mysqli::real_escape_string. And, if something are incorrect on the input data, halt the process and don't request the SQL query.
I'm almost sorry to ask this question but I'm drawing a complete blank. I'm getting the following error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE number='7'' at line 1"
It seems whenever I try to use just an integer in the following code, I get the syntax error;
$go = mysql_query("UPDATE $db1 SET count='$t1c', WHERE number='$input2'") or die(mysql_error());
As you can see the page gets the value, that's not the issue.. it just doesn't seem to like the WHERE = 7 part. I've tried with and without the quote marks, I've tried changing that column in the table from a int to a varchar. Still get the same thing yet the code BEFORE this piece that runs:
$check1 = mysql_query("SELECT * FROM $db1 WHERE number='$input2'");
Run's absolutely fine. It finds the value where number equals $input2...
Can someone help me PLEASE? I'm drawing a complete blank here :/
Remove the , in the query:
mysql_query("UPDATE $db1 SET count='$t1c' WHERE number='$input2'");
Remove comma(,) which is placed before WHERE in UPDATE query
$go = mysql_query("UPDATE $db1 SET count='$t1c' WHERE number='$input2'") or die(mysql_error());
Change
"UPDATE $db1 SET count='$t1c', WHERE number='$input2'"
to
"UPDATE $db1 SET count='$t1c' WHERE number='$input2'"
The comma shouldn't be there (before WHERE) and is causing an error.
number is a reserved word in mysql sql
it is better not to name columns with that words or you need to backtick them in query
example:
`number`=3
mysql reserved words
I'm trying to write a MySQL in my PHP script which will update a field in the database however I get the error:
Fatal error: Wrong SQL: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''user' SET 'currentsong' = '' WHERE 'userid' = '1893''
While using this code.
$setcurrentsongsql = "UPDATE 'user' SET 'currentsong' = '$currentsong' WHERE 'userid' = '$sql1'";
$setcurrentsong = $db->query($setcurrentsongsql);
I'm sure it's something simple however I'm completely baffled. Even if I replace the variables with just a normal string it doesn't work.
Thank you in advance for any help.
Use back ticks not single quotes for table names and column names. Try the following:
$setcurrentsongsql = "UPDATE `user` SET `currentsong` = '$currentsong' WHERE `userid` = '$sql1'";
In MySQL, identifier quote character is the backtick " ` ". This short page should give you a good understanding of the schema rules, identifiers and so on: http://dev.mysql.com/doc/refman/5.0/en/identifiers.html
mySQL uses the backtick ` for column and table names, and apostrophes ' for string constants. However these aren't needed unless you're using a reserved keyword (such as your table is actually called "table") or your table or column name contains spaces (such as "my table").
You can use:
$setcurrentsongsql = "UPDATE `user` SET `currentsong` = '$currentsong' WHERE `userid` = '$sql1'";
Or:
$setcurrentsongsql = "UPDATE user SET currentsong = '$currentsong' WHERE userid = '$sql1'";
Also, if $currentsong comes from an untrusted source, you might want to worry about SQL injection.
I am using php to update a mysql DB within a function. I am able to echo my variable names and was able to return the variables on the php page. This proves to me that my variables are working correctly.
Now when I use the update command, my DB does not respond. Yes, I have connected to the DB and it all works.
This is what I am using to update:
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = $username");
The value for $username should be wrap with single quotes.
mysql_query(" UPDATE table_name
SET int_field = '$int_value'
WHERE username = '$username'");
SideNote: your code is vulnerable with SQL Injection. Please read the article below to know how to secure your code,
Best way to prevent SQL injection in PHP?
You need to quote all of your input to the query. This prevents SQL injection, but also simple syntax errors that would occur if your user innocently inputs a special character that would break your query.
mysql_query('UPDATE table_name '.
'SET int_field = "'.mysql_real_escape_string($int_value).'" '.
'WHERE username = "'.mysql_real_escape_string($username).'"');
This is the correct STRUCTURE of how to update with a variable in php
mysql_query("UPDATE tablename SET password='". $NPass ."' WHERE custID='$num'");
Try this :
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = '$username'");
I had the same problem and found that the SET value doesn't need single quotes and that the WHERE clause does ...
mysql_query("UPDATE table_name SET int_field=$int_value
WHERE username='$username'");
.. seemed to work for me.
been learning php for 3 weeks now and i find myself with a simple error that does not make sense:
I cant see what is wrong with this code.
Could someone please point me to why this is happening.
Its a simple insert and set sql query which is like this:
code:
$insertresults = "UPDATE usage SET message='".$message."',islive='".$islive."' WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
the error i am getting is this:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usage SET message='hello',islive='0' WHERE id=1' at line 1
as you can see, the variables are correct and to what i can see the sql string is correct also.
Thanks
Your table name, usage, is actually a reserved word in MySQL. You'll have to quote it with backticks:
UPDATE `usage` SET ...
$insertresults = "UPDATE usage SET message=$message,islive=$islive WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
You don't need to wrap the variables the way you did, give this a try :) Taking a look at that error shows you the extra ' surrounding the column names - you don't want that.
Try removing the quotes from $islive
Check whether you have a single quote in the variable values. It is always better to escape it before using in the sql statement
$message=addslashes($message);
$islive=addslashes($islive);
$insertresults = "UPDATE usage SET message='".$message."',islive='".$islive."' WHERE id=1";
$insertresults_doit = mysql_query($insertresults) OR die(mysql_error());
Assuming both the columns are of varchar type
"UPDATE usage SET message='{$message}',islive='{$islive}' WHERE id=1" – Nick 21 mins ago
#Nick i still get the exact same error if i use braces and even if i do not use the ' on int's the message is a message and the islive is either a 0 or a 1. – Robert 6 mins ago
#Robert, have you made sure $message and $islive has been properly escaped? use: addslashes() or mysql_real_escape_string()
moved to answer (grew)