I am a MySQL noob and basically hacking an insert query to become an update query instead. So I am sure it's something simple with the grammar. But what's wrong with this?
// Save data
$mySQLQuery = 'update `'. $fl['mysql_table']. '` SET '. $fl['mysql_query']. "' WHERE speres = '" . mysql_real_escape_string($_POST['speres']);
$rs = #mysql_query($mySQLQuery);
the original INSERT query (working) was
// Save data
$mySQLQuery = 'INSERT INTO `'. $fl['mysql_table']. '` SET '. $fl['mysql_query'];
$rs = #mysql_query($mySQLQuery);
The data is generated here:
$fl['mysql_query'] = "menrecin = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_17'])) . "', menrecvej = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_18'])) . "', menrecser = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_19'])) . "', menrecud = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_20'])) . "', menresmor = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_22'])) . "', menresfro = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_23'])) . "', menresmid = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_24'])) . "', menresres = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_25'])) . "', menrumind = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_28'])) . "', menrumren = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_29'])) . "', menrumved = '" . mysql_real_escape_string(YDFLValue($_SESSION['form']['item_30'])) . "', tekip = '" . $_SERVER['REMOTE_ADDR'] . "', tekbro = '" . $_SERVER['HTTP_USER_AGENT'] . "', tektid = NOW()";
I have an entry with speres = 100525 in the database, so please try:
http://www.konferencer.nu/form/index.php?speres=100525
Good practices of troubleshooting dynamic SQL:
Look at the SQL, not the code that builds the SQL. In other words, echo out $mySQLQuery to see the final SQL, and most of the time you can see the error right away.
Don't suppress errors. Error-checking is helpful and necessary in any code.
It looks to me like your query ends up being:
update `tablename` SET ..., tektid = NOW()' WHERE speres = '...;
So you have a spurious quote after the NOW() and a missing quote at the end.
If you had checked for errors, you'd get something like this:
ERROR 1064 (42000): You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for
the right syntax to use near '' WHERE speres = '...' at line 1
The quoting around the start of the WHERE clause looks odd:
UPDATE `...some table...` SET ...some query... 'WHERE speres = ' ... some criterion ...
Note the single quote placement. Maybe you want to remove the single quotes from inside the double quotes?
you query should look like
$mySQLQuery = 'update'. $fl['mysql_table'].'SET'. $fl['mysql_query'].'= <some value>' ' WHERE speres = '.mysql_real_escape_string($_POST['speres']);
$rs = #mysql_query($mySQLQuery);
Related
This question already has an answer here:
Syntax error due to using a reserved word as a table or column name in MySQL
(1 answer)
Closed 6 years ago.
I have small script that reeds cell from Database and anfter write to it. But it cause Error 1064.
It looks like this:
public function update($cart_id, $quantity) {
$this->db->query("UPDATE " . DB_PREFIX . "cart SET quantity = '" . (int)$quantity . "' WHERE cart_id = '" . (int)$cart_id . "' AND customer_id = '" . (int)$this->customer->getId() . "' AND session_id = '" . $this->db->escape($this->session->getId()) . "'");
//starts here
$cart_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "cart WHERE cart_id = '" . (int)$cart_id. "' AND session_id = '" . $this->db->escape($this->session->getId()) . "'");
$option= ($cart_query->row['option']);//success
$this->db->query("UPDATE " . DB_PREFIX . "cart SET option = '" . (string)$option . "' WHERE cart_id = '" . (int)$cart_id . "' AND customer_id = '" . (int)$this->customer->getId() . "' AND session_id = '" . $this->db->escape($this->session->getId()) . "'");//error
}
Thats What i see in log
2016-09-18 20:43:06 - PHP Notice: Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option = '{"options":{"product_id":"176","colors":["000000"],"print":{"colors":{' at line 1<br />Error No: 1064<br />UPDATE oc_cart SET option = '{"options":{"product_id":"176","colors":["000000"],"print":{"colors":{"front":["FF0000"]},"elements":{"front":[{"width":"52.9375","height":"25.0938","type":"text"}]}},"attributes":{"sizememos":"0"},"attribute":[["0","0"]],"print_type":"screen","quantity":"0","design":{"vectors":{"front":[{"type":"text","width":"54.9375px","height":"27.0938px","top":"151px","left":"86px","zIndex":"1","svg":"<svg width="54.9375" height="27.09375" viewBox="0 0 54.9375 27.09375" xmlns="http:\/\/www.w3.org\/2000\/svg" xmlns:xlink="http:\/\/www.w3.org\/1999\/xlink"><g id="0.15760551612925844"><text fill="#FF0000" stroke="none" stroke-width="0" stroke-linecap="round" stroke-linejoin="round" x="" y="" text-anchor="start" font-size="24px" font-family="arial" data-textcurve="1" data-itemzoom="1 1" data-textspacing="0"><textPath xmlns:xlink="http:\/\/www.w3.org\/1999\/xlink" xlink:href="http:\/\/138.68.62.219\/Buy-Hanes-T-shirt-PC61LS#textPath-item-0"><tspan dy="0">Hello<\/tspan><\/textPath><\/text><\/g><defs><path id="textPath-item-0" d="M 0.125 22.117808976867764 A 3093.9720937064453 3093.9720937064453 0 0 1 54.124314613414626 22.117808976867764"><\/path><\/defs><\/svg>","rotate":"0","text":"Hello","color":"#FF0000","fontFamily":"arial","align":"center","outlineC":"none","outlineW":"0"}]},"images":{"front":"cart-designes\/2016\/09\/\/cart-front-1474230421.png","back":"cart-designes\/2016\/09\/\/cart-back-1474230421.png"}},"fonts":""}}' WHERE cart_id = '387' AND customer_id = '0' AND session_id = 'kkfj9svfssdnsph8pf8i5atjn3' in /var/www/html/system/library/db/mysqli.php on line 41
What the reason? i'm just saving data that already in this cell.
option column is UTF-8 , LongText
Error 1064 points to a Syntax error on your MySQL query, It seems there are some quotations not well escaped on your JSON string, to prove that try to fix a value of option to some short value and call your function again.
The best practice is to use parameterized queries, these will save you from all the escaping tasks and most importantly offer some protection from SQL injection
This is just an example of how your query will look like:
$sql="UPDATE table SET opton=:option WHERE cart_id=:id AND customer_id=:customer_id and session_id=:session_id";
$parameters = array(
'option'=>$option,
'cart_id'=>$cart_id,
'customer_id'=>$customer_id,
'session_id'=>$session_id
);
$sql = $this->db->prepare($sql);
$sql->execute($parameters);
You can find more details on the official php documentation
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
http://php.net/manual/en/pdo.prepared-statements.php
Happy Coding friend:)
It doesn't work becouse of OPTION coz it's part of MySql syntaxis. This is work
$customer_id=(int)$this->customer->getId();
$session_id=$this->db->escape($this->session->getId());
$this->db->query("UPDATE " . DB_PREFIX . "cart SET `option` = '" . (int)$quantity . "' WHERE cart_id = '" . (int)$cart_id . "' AND customer_id = '" . $customer_id . "' AND session_id = '" . $session_id . "'");
I have a problem with the condition 'where'.
I want one more condition in this code:
$sql="UPDATE
coursegrade
SET
FirstExam='" . mysql_real_escape_string($_POST['FirstExam']) . "',
SecondExam='" . mysql_real_escape_string($_POST['SecondExam']) . "',
ThirdExam='" . mysql_real_escape_string($_POST['ThirdExam']) . "',
Assignments='" . mysql_real_escape_string($_POST['Assignments']) . "',
FinalExam='" . mysql_real_escape_string($_POST['FinalExam']) . "'
WHERE
SID=" . mysql_real_escape_string($_POST['SID']) ;
Tell now I have no problem .. but the problem is that I don't know how to set the second condition.
CourseID=" . mysql_real_escape_string($_POST['CourseID'])
I want the condition to be something like...
WHERE
SID=" . mysql_real_escape_string($_POST['SID'])
AND CourseID=" . mysql_real_escape_string($_POST['CourseID'])
How could I do it?
Unless you use heredoc syntax php will parse strings on a single line.
ie the rendered clause is:
"WHERE SID=19AND CourseID=45"
Basically you missed a space before
"AND CourseID=" . mysql_real_escape_string($_POST['CourseID'])
or you could put quotes around the values
"SID='" . mysql_real_escape_string($_POST['SID']) . "'
AND CourseID='" . mysql_real_escape_string($_POST['CourseID'])."'"
This is may help
WHERE
SID=" . mysql_real_escape_string($_POST['SID'])
OR CourseID=" . mysql_real_escape_string($_POST['CourseID'])
or
WHERE
SID in (
mysql_real_escape_string($_POST['SID']),
mysql_real_escape_string($_POST['CourseID'])
)
its will work for INT value of SID and CourseID
You can try this, and let me know if there is error message
$sql="UPDATE coursegrade
SET
FirstExam = '" . mysql_real_escape_string($_POST[' FirstExam ']) . "',
SecondExam = '" . mysql_real_escape_string($_POST[' SecondExam ']) . "',
ThirdExam = '" . mysql_real_escape_string($_POST[' ThirdExam ']) . "',
Assignments = '" . mysql_real_escape_string($_POST[' Assignments ']) . "',
FinalExam = '" . mysql_real_escape_string($_POST[' FinalExam ']) . "'
WHERE
SID = ". mysql_real_escape_string($_POST['SID'])."
AND
CourseID = " . mysql_real_escape_string($_POST['CourseID']) .";
$updateSeats = mysql_query("UPDATE FORM_dateAndSeating SET NumberOfSeats = " . $removeSeatingNumber . " WHERE DATE = " . $revertToStandardDate);
In the code above I am trying to update the value within the MYSQL table.
When I echo the variables they show the data I am expecting, however the database is not being updated.
There is no error being returned either.
What are other possibilities for the sql not to update properly??
This will work:
$updateSeats = mysql_query("UPDATE FORM_dateAndSeating
SET NumberOfSeats = '" . $removeSeatingNumber . "'
WHERE DATE = '" . $revertToStandardDate . "'");
Long form:
$updateSeats = mysql_query("UPDATE FORM_dateAndSeating SET NumberOfSeats = '" . $removeSeatingNumber . "' WHERE DATE = '" . $revertToStandardDate . "'");
The variables need to be inside double quotes including single quotes
I.e.: '" . $removeSeatingNumber . "' WHERE DATE = '" . $revertToStandardDate . "'
-------^ --------------------------------------------^ -----------------------^ ----------------------------------------------^
Add apostrophes around your column values.
I am stuck with this.
Here is the code:
This is how I call the function,
$res = DataManager::agregarPropiedad($_POST);
here is the function that generate the query and send it,
public static function agregarPropiedad($datos){
$sql = "INSERT INTO propiedades (id_propiedad, nombre, tipopropiedad, descripcion, dormitorios, baños, direccion, localidad, provincia, fecha_alta, sup_cubierta, sup_total)
VALUES (null, '" . $datos['nombre'] . "', '" . $datos['tipo'] . "', '" . $datos['descripcion'] . "', '" . $datos['dormitorios'] . "', '" . $datos['baños'] . "', '" . $datos['direccion'] . "', '" . $datos['localidad'] . "', '" . $datos['provincia'] . "', CURRENT_TIMESTAMP, '" . $datos['supcubierta'] . "', '" . $datos['suptotal'] . "')";
//$sql = "insert into prueba values(null,'".$datos['nombre']."')";
echo $sql;
return DataManager::consulta($sql);
}
When I copy the echo$sql and paste in phpMyAdmin works fine, but when I try to send my function is not inserting anything, but I have no errors. mysql_erros() its empty too.
U can see that, there is a commented $sql. I use that just for test with another table which is much simpler and query the function "consulta" which works fine too.
This is maybe the 40 function that insert things in mysql database, but the first with which I have problems, and I don't know why =(
helppppp...
From personal experience, MySQL queries that work when dumped / copied / pasted into PhPMyAdmin that don't work in code are caused by:
autoincrement / unique field issues
unexpected characters in unprocessed form data
duplicate POST values ( like an array )
mismatched field count
encoding / character set issues
It may well be that if you address the second issue the problem might fix itself. In any case at a minimum you should process you POST(ed) data with strip_tags and add_slashes, but for MySQL mysql_real_escape_string() is strongly recommended.
http://php.net/manual/en/function.mysql-real-escape-string.php
http://www.adminsehow.com/2010/03/prevent-mysql-injection-in-php
There is a problem with your quotes inside the VALUES() and its vulnerable.
<?php
public static function agregarPropiedad($datos)
{
$tipo = mysql_real_escape_string($datos['tipo']);
$nomber = mysql_real_escape_string($datos['nombre']);
$dormitorios = mysql_real_escape_string($datos['descripcion']);
$baños = mysql_real_escape_string($datos['baños']);
$direccion = mysql_real_escape_string($datos['direccion']);
$localidad = mysql_real_escape_string($datos['localidad']);
$provincia = mysql_real_escape_string($datos['provincia']);
$supcubierta = mysql_real_escape_string($datos['supcubierta']);
$suptotal = mysql_real_escape_string($datos['suptotal']);
$sql = "INSERT INTO propiedades (id_propiedad, nombre, tipopropiedad, descripcion, dormitorios, baños, direccion, localidad, provincia, fecha_alta, sup_cubierta, sup_total)";
$sql .= "VALUES (null,'$tipo','$nomber ','$dormitorios ','$baños ','$direccion ','$localidad','$provincia ',CURRENT_TIMESTAMP,'$supcubierta','$suptotal')";
if(mysql_query($sql))
{
return TRUE;
}else{ return FALSE; }
}
?>
I'm trying to update two rows in my database using a query (which is going to be run from a PHP script) and there is just one Condition (WHERE). What I've tried is:
$sql = 'UPDATE ' . CANNED_MESSAGES . "
SET canned_message_content = '" . $db->sql_escape($content) . "',
canned_message_title = '" . $db->sql_escape($title) . "'
WHERE id = '" . intval($id) . "'" ;
$db->sql_query($sql);
Can you tell me whats wrong with my query? :)
This may be due to Quotes mismatch. Please use this
$sql = "UPDATE '" . CANNED_MESSAGES ."'
SET canned_message_content = '" . $db->sql_escape($content) . "',
canned_message_title = '" . $db->sql_escape($title) . "'
WHERE id = '" . intval($id) . "' " ;
I highly doubt that two rows can have the same id column. Do they? If not, how could you update 2 rows by specifying a condition on a column with such a constraint?