MySQL error: 'You have an error in your SQL syntax' - php

This code below gives me this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' where id = '000'' at line 1"
I don't understand the issue here
<?php
include(".conf.php");
$con = mysql_connect($conf['db_hostname'], $conf['db_username'], $conf['db_password']) or die (mysql_error());
$db = mysql_select_db("aTable", $con);
$pr = $_GET['aThing'];
$pr = addslashes(htmlentities($prof));
$info_array = mysql_query("SELECT * FROM '$db' where id = '$pr'", $con) or die(mysql_error());
while($row = mysql_fetch_array( $info_array )) {
echo $row['aThing'];
echo "</br>";
echo $row['aThing'];
echo "</br>";
echo $row['aThing'];
echo "</br>";
echo $row['aThing'];
};
?>
Thanks for your help.

You should put the table name into FROM: SELECT * FROM aTable WHERE ..... Also, you don't escape the variable that comes from the user.
You will need something like :
mysql_query("SELECT * FROM aTable where id = '".mysql_real_escape_string($pr)."'", $con) or die(mysql_error());

Function mysql_select_db returns either TRUE or FALSE
Instead, try:
$info_array = mysql_query("SELECT * FROM aTable where id = '$pr'", $con) or die(mysql_error());
Or perhaps:
$dbtable = "aTable";
$info_array = mysql_query("SELECT * FROM $dbtable where id = '$pr'", $con) or die(mysql_error());

I am pretty sure it doesn't have any errors with the exception of the
fatal error killing it.
I would say you'll get to a solution faster if you believe MySQL when it tells you there's a problem.
Re-reading the error message:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near ''' where id = '000'' at line 1
I would question the table name and the quotes around the id. If that's an integer column, I'd expect to see a number without quotes.

If I remember correctly, mysql_select_db returns true or false. It doesn't return database name.

Related

getting details of a person from a database?

I am trying to get the details of a person using their id, I have the following code and it's showing me an error.
$id = isset($_GET['id']) ? isset($_GET['id']) : "";
$sql = "SELECT * FROM `ArtListing` where `id` = $id";
$result = $conn->query($sql);
if (!$result) {
die("Query failed " . $conn->error);
}
if ($result->num_rows > 0) {
while ($row = $result->fetch_assoc()) {
echo $row["id"] . "." . $row["name"] ;
}
If I use where the id is some random number like it gives me back the details. The error it's showing me is as follows
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
It looks like the id you're grabbing is undefined.
You should assign the $id variable as:
$id = isset($_GET['id']) ? $_GET['id'] : "0";
You cannot simply put a variable inside a string
You need to properly concatenate it to become a part of a string as follows
$sql = "SELECT * FROM `ArtListing` where `id` = '".$id."'";
You can test this code here
https://www.tehplayground.com/3HcoDppV0jAqdCYP
Take a look at combination of double quotes and single quotes.
Your SQL query string is created as follows
SELECT * FROM `ArtListing` where `id` = yourid; <-- incorrect
Whereas as per SQL syntax there should be single quotes
SELECT * FROM `ArtListing` where `id` = 'yourid'; <-- check single quotes around 'yourid'

How to use GROUP BY method in php-mysql

I’m trying to use "group by" instead of "DISTINCT" in my PHP file to select some rows that all have a specific column value, and it’s "idchat".
And I want to get more than one column.
Please help me!
I’ve checked every page but I didn’t understand anything.
<?php
$connection = mysqli_connect("localhost","---","pass","---");
$id = $_GET["id"];
$mobile = $_GET["mobile"];
$idchat = $_GET["idchat"];
if (strpos($mobile, '9') !== false) {
$query = "SELECT DISTINCT a,b,c,d,idchat FROM database where mobile = '$mobile' ORDER BY id DESC";
$result = mysqli_query($connection,$query);
while ($row = mysqli_fetch_assoc($result)) {
$array[] = $row;
}
header('Content-Type:Application/json');
echo json_encode($array);
}
mysqli_close($connection);?>
and this code gives me this error:
Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /home/---/test.php on line 12
See next output:
mysql> SELECT * FROM database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> SELECT * FROM mytable;;
ERROR 1146 (42S02): Table 'test.mytable' doesn't exist
ERROR:
No query specified
mysql>
The first query is not understood because database is a reserved word. You should not use that to name a table. A work around is to add backquotes around the name:
mysql> SELECT * FROM `database`;
ERROR 1146 (42S02): Table 'test.database' doesn't exist
mysql>
"Could you correct my codes please?": Ok, but untested:
<?php
$connection = mysqli_connect("localhost","---","pass","---");
$id = $_GET["id"];
$mobile = $_GET["mobile"];
$idchat = $_GET["idchat"];
if (strpos($mobile, '9') !== false) {
    $query = "SELECT DISTINCT a,b,c,d,idchat,id FROM `database` where mobile = '$mobile' ORDER BY id DESC";
    $result = mysqli_query($connection,$query);
    if ($result) {
        // Start from an empty array so json_encode() gets [] when no row matches
        $array = [];
        while ($row = mysqli_fetch_assoc($result)) {
            $array[] = $row;
        }
        header('Content-Type:Application/json');
        echo json_encode($array);
    }
    else {
        // mysqli_query() returned false: print why the query failed
        echo mysqli_error($connection);
    }
}
mysqli_close($connection);?>
I also added id to the query because of the comment from @Raymond

Problem displaying date from database mysql

When I run the below code I get an error message C:\wamp\www\web\polling\includes\resul and Warning: mysqli_query() expects parameter 1 to be mysqli, integer given i
<?php
$pollid = $_POST['foodID'];
$connection = include('connection.php');
$query = "SELECT * FROM polling WHERE foodID='$pollid'";
$q = mysqli_query($connection, $query);
while($row = mysqli_fetch_array($q)) {
$id = $row[0];
$food = $row[1];
$foodRate = $row[2];
$userEmail = $row[3];
echo "<h1>$food</h1>";
echo "<h1>$userEmail</h1>";
}
?>
Try mysqli_affected_rows() and see if $q is getting any data, if not it will never enter the while loop
Besides that, it appears there is an issue in your connection. Can you display how you're connecting in connection.php?
I'm not sure but the two different types of mysql interactions on the same page raises a red flag. Do you have other pages that work with two types of mysql interactions?
EDIT 1: Try this
$connection = mysqli_connect("localhost", "root", "", "test");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
This should work for your first script
Is there a reason you're using two different types of mysql interaction?
You are missing a symbol in the statement
$query = "SELECT * FROM polling WHERE foodID='$pollid'";
s/b
$query = "SELECT * FROM `polling` WHERE foodID='$pollid'";

Sql Error on an query WHERE id='. $something .' For Public Profile System

I am making a public profile system, like Facebook, YouTube.....
When a user registers, it creates his own profile with his info and gives it a URL like "www.mysite.com/userprofile.php?id=1" that can be seen by anyone without signing in; anyone that visits that URL can see the profile. userprofile.php gets the data from the database.
Here is my code:
<?php
$id = $_GET["id"];
$query = ("SELECT username,email FROM table WHERE id=" . $id . " LIMIT 1");
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['username']. " - ". $row['email']; }
?>
It works when visiting "www.mysite.com/userprofile.php?id=1": it gets the info of the user that has the id 1, then echoes it. But when I visit "www.mysite.com/userprofile.php" it gives this SQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 1
Even when I delete the "LIMIT 1" it gives this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
And one more thing: if anyone fixes the error, can you tell me how to turn "www.mysite.com/userprofile.php?id=1" into "www.mysite.com/user1" and how to return a 404 error when the user profile doesn't exist?
And is there any way to secure it from SQL injection?
Thanks in advance :)
When you navigate to /userprofile.php instead of /userprofile.php?id=123 you're essentially running this query:
SELECT username,email FROM table WHERE id= LIMIT 1
Which is an invalid SQL statement. There's a number of ways to fix it, but the easiest would probably be something like this:
<?php
$id = $_GET["id"];
if(!empty($id)) {
// typecast it for at least a little security
$query = ("SELECT username,email FROM table WHERE id=" . (int) $id . " LIMIT 1");
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
echo $row['username']. " - ". $row['email']; }
} else {
echo "Please provide a user ID.";
}
This checks if the user ID is set and that it's not empty, and typecasts it to an int before running the query.
With that said, you should really look into mysqli or PDO for this kind of thing.
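For the asker's questions about SQL injection and the 404, one way to combine strict id validation, a bound parameter and a not-found result using PDO. This is an added example, not code from any of the posts; SQLite in memory stands in for MySQL, and the users table, its rows and the helper names find_profile and render_profile are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server so the
// script runs offline; the `users` table and its rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.test'), (2, 'bob', 'bob@example.test')");

/**
 * Returns the profile row for a raw ?id= value, or null when the value is
 * missing, not a positive integer, or matches no user.
 */
function find_profile(PDO $pdo, $rawId): ?array
{
    // Strict validation: a whole number, 1 or greater. Unlike an (int) cast,
    // a value such as "1abc" is rejected instead of being read as 1.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT username, email FROM users WHERE id = :id LIMIT 1');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** What userprofile.php would send: status code plus HTML-escaped body. */
function render_profile(PDO $pdo, $rawId): array
{
    $row = find_profile($pdo, $rawId);
    if ($row === null) {
        return [404, 'Profile not found'];
    }
    $esc = fn($s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return [200, $esc($row['username']) . ' - ' . $esc($row['email'])];
}

// Constructed inputs: valid id, missing id, trailing junk, unknown id.
foreach (['1', null, '1abc', '999'] as $raw) {
    [$status, $body] = render_profile($pdo, $raw);
    // In the real page: http_response_code($status); echo $body;
    echo var_export($raw, true), " => $status $body\n";
}
```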

mysql SELECT not working shows error

I am getting the below error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'testing order by id'
Here is the main page..
echo "<div ><a href='secondpage.php?title=".urlencode($row['title'])."'>".wordwrap($row['title'], 35, "<br />\n", true)."</a></div>";
And here is the second page, the one the error appears on. The address bar reads http://localhost/secondpage.php?title=more+testing
<?php
$mydb = new mysqli('localhost', 'root', '', 'test');
$sql = "SELECT * FROM test where urlencode(title) =".$_GET['title']" order by id ";
$result = $mydb->query($sql);
if (!$result) {
echo $mydb->error;
}
?>
<div>
<?php
while( $row = $result->fetch_assoc() ){
echo $row['firstname'];
}
$mydb->close ();
?>
</div>
You want to use urldecode to decode the encoded string in your query:
$title = urldecode($_GET['title']);
$sql = "SELECT * FROM test where title = '$title' order by id";
I'm assuming you have a column named title in your test table. I don't think MySQL has urlencode function unless you have a procedure by that name which functions exactly like PHP's urlencode.
Update:
Thanks to @GeorgeLund, who raised the point of SQL Injection. It is an important topic which I missed earlier while answering your question. Please have a look at: https://www.owasp.org/index.php/SQL_Injection
At the very least, please update your code to the following:
$title = urldecode($_GET['title']);
$title = mysqli_real_escape_string($mydb, $title); // Addition; the mysqli link ($mydb from the question) is the required first argument
$sql = "SELECT * FROM test where title = '$title' order by id";
$sql = "SELECT * FROM test where urlencode(title) ='".$_GET['title']."' order by id ";
Try like
$sql = "SELECT * FROM test WHERE urlencode(title) = ".$_GET['title']." ORDER BY id ";
You missed a '.', which leads to the syntax error.
As far as I know SQL does not have function urlencode and why would you even want to urlencode the column name?
Also to store the encoded title string which is received from the last page you should decode the encoded title
So here is what I think you meant to do.
$sql = "SELECT * FROM test WHERE title = ".urldecode($_GET['title'])." order by id ";
Please try this code using urldecode
$sql = "SELECT * FROM test where title =".urldecode($_GET['title'])." order by id ";
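An added example (not from any of the answers) of the title lookup with the value bound as a parameter, which also shows what a second urldecode() does to a value PHP has already decoded for $_GET. SQLite in memory stands in for MySQL; the rows and the helper names get_params and find_by_title are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// the table contents are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, title TEXT, firstname TEXT)');
$ins = $pdo->prepare('INSERT INTO test (title, firstname) VALUES (?, ?)');
foreach ([['more testing', 'Ann'], ["it's done", 'Ben'], ['C++ notes', 'Cy']] as $r) {
    $ins->execute($r);
}

/** Simulates how PHP fills $_GET from the query string (already decoded). */
function get_params(string $queryString): array
{
    parse_str($queryString, $get);
    return $get;
}

/** Looks up rows by exact title; the title is bound, not concatenated. */
function find_by_title(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT firstname FROM test WHERE title = ? ORDER BY id');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Links are built with urlencode(), exactly as on the first page.
foreach (['more testing', "it's done", 'C++ notes'] as $title) {
    $get   = get_params('title=' . urlencode($title));
    $once  = $get['title'];            // what secondpage.php actually receives
    $twice = urldecode($get['title']); // the extra urldecode() from the answers
    printf("%-14s once: %d row(s)   decoded twice (%s): %d row(s)\n",
        $title, count(find_by_title($pdo, $once)), $twice,
        count(find_by_title($pdo, $twice)));
}
```

The apostrophe in the second title needs no escaping because it is bound, and only the C++ title loses its row when decoded twice, because each + becomes a space.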
