I'm having trouble with this long sql query. If I change $result= mysql_query( to an echo statement and copy the resulting string into MySQL, it adds the data into the db just fine. It's only when I'm using PHP to do it that it fails.
Code:
$con = mysql_connect("-","-","-");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
else {
// connected to database successfully
}
mysql_select_db("casemanagers", $con);
$result= mysql_query("INSERT INTO `criminal` (`JudgeID`, `Month`, `Year`, `PendingCapDefs`, `PendingCapCases`, `PendingNonCapDefs`, `PendingNonCapCases`, `AsgNewCapDefs`, `AsgNewCapCases`, `AsgNewNonCapDefs`, `AsgNewNonCapCases`, `AsgTRCapDefs`, `AsgTRCapCases`, `AsgTRNonCapDefs`, `AsgTRNonCapCases`, `AsgRCCapDefs`, `AsgRCCapCases`, `AsgRCNonCapDefs`, `AsgRCNonCapCases`,
`DispGPCapDefs`, `DispGPCapCases`, `DispGPNonCapDefs`, `DispGPNonCapCases`, `DispDDCapDefs`, `DispDDCapCases`, `DispDDNonCapDefs`, `DispDDNonCapCases`, `DispNPCapDefs`, `DispNPCapCases`, `DispNPNonCapDefs`, `DispNPNonCapCases`, `DispODCapDefs`, `DispODCapCases`, `DispODNonCapDefs`, `DispODNonCapCases`, `DispBTACapDefs`, `DispBTACapCases`, `DispBTANonCapDefs`, `DispBTANonCapCases`, `DispBTCCapDefs`, `DispBTCCapCases`, `DispBTCNonCapDefs`, `DispBTCNonCapCases`, `DispJTACapDefs`, `DispJTACapCases`, `DispJTANonCapDefs`, `DispJTANonCapCases`, `DispJTCCapDefs`, `DispJTCCapCases`, `DispJTCNonCapDefs`, `DispJTCNonCapCases`, `DispADDCapDefs`, `DispADDCapCases`, `DispADDNonCapDefs`, `DispADDNonCapCases`, `DispSCDCapDefs`, `DispSCDCapCases`, `DispSCDNonCapDefs`, `DispSCDNonCapCases`, `DispCTOCapDefs`, `DispCTOCapCases`, `DispCTONonCapDefs`, `DispCTONonCapCases`, `OldCapDefs`, `OldCapCases`, `OldNonCapDefs`, `OldNonCapCases`) VALUES ('$judgeID',' $month',' $year',' $PendingCapDefs','$PendingCapCases','$PendingNonCapDefs','$PendingNonCapCases','$AsgNewCapDefs','$AsgNewCapCases','$AsgNewNonCapDefs','$AsgNewNonCapCases','$AsgTRCapDefs','$AsgTRCapCases','$AsgTRNonCapDefs','$AsgTRNonCapCases',' $AsgRCCapDefs','$AsgRCCapCases','$AsgRCNonCapDefs',' $AsgRCNonCapCases','$DispGPCapDefs','$DispGPCapCases','$DispGPNonCapDefs','$DispGPNonCapCases','$DispDDCapDefs','$DispDDCapCases','$DispDDNonCapDefs','$DispDDNonCapCases',' $DispNPCapDefs',' $DispNPCapCases',' $DispNPNonCapDefs','$DispNPNonCapCases','$DispODCapDefs',' 
$DispODCapCases','$DispODNonCapDefs','$DispODNonCapCases','$DispBTACapDefs','$DispBTACapCases','$DispBTANonCapDefs','$DispBTANonCapCases','$DispBTCCapDefs','$DispBTCCapCases','$DispBTCNonCapDefs','$DispBTCNonCapCases','$DispJTACapDefs','$DispJTACapCases','$DispJTANonCapDefs','$DispJTANonCapCases','$DispJTCCapDefs','$DispJTCCapCases','$DispJTCNonCapDefs','$DispJTCNonCapCases','$DispADDCapDefs','$DispADDCapCases','$DispADDNonCapDefs','$DispADDNonCapCases','$DispSCDCapDefs','$DispSCDCapCases','$DispSCDNonCapDefs','$DispSCDNonCapCases','$DispCTOCapDefs','$DispCTOCapCases','$DispCTONonCapDefs','$DispCTONonCapCases','$OldCapDefs','$OldCapCases','$OldNonCapDefs','$OldNonCapCases');");
if ($result==1){
$statusCaption = 'New Civil Report';
echo 'Report Successfully Saved!<br/><br/><-- Back to User Menu';
}
else {
$statusCaption = 'Error';
echo 'There was a problem with one or more of your entries. Please try again.<br/><br/><--Back to Civil Report';
}
mysql_query() returns a statement handle on success, or boolean false on failure/errors. It'll never return an integer '1'.
if ($result !== false) {
... success ...
} else {
... failure ...
}
Note that 'failure' is only due to a syntax error in the query or a violation of a constraint in the db or a failure in the client-server communications link. A select query that returns no rows is NOT a failure. It's just a result set that happens to contain no rows.
$result= mysql_query("INSERT INTO `criminal` VALUES ('$judgeID',' $month',' $year',' $PendingCapDefs','$PendingCapCases','$PendingNonCapDefs','$PendingNonCapCases','$AsgNewCapDefs','$AsgNewCapCases','$AsgNewNonCapDefs','$AsgNewNonCapCases','$AsgTRCapDefs','$AsgTRCapCases','$AsgTRNonCapDefs','$AsgTRNonCapCases',' $AsgRCCapDefs','$AsgRCCapCases','$AsgRCNonCapDefs',' $AsgRCNonCapCases','$DispGPCapDefs','$DispGPCapCases','$DispGPNonCapDefs','$DispGPNonCapCases','$DispDDCapDefs','$DispDDCapCases','$DispDDNonCapDefs','$DispDDNonCapCases',' $DispNPCapDefs',' $DispNPCapCases',' $DispNPNonCapDefs','$DispNPNonCapCases','$DispODCapDefs',' $DispODCapCases','$DispODNonCapDefs','$DispODNonCapCases','$DispBTACapDefs','$DispBTACapCases','$DispBTANonCapDefs','$DispBTANonCapCases','$DispBTCCapDefs','$DispBTCCapCases','$DispBTCNonCapDefs','$DispBTCNonCapCases','$DispJTACapDefs','$DispJTACapCases','$DispJTANonCapDefs','$DispJTANonCapCases','$DispJTCCapDefs','$DispJTCCapCases','$DispJTCNonCapDefs','$DispJTCNonCapCases','$DispADDCapDefs','$DispADDCapCases','$DispADDNonCapDefs','$DispADDNonCapCases','$DispSCDCapDefs','$DispSCDCapCases','$DispSCDNonCapDefs','$DispSCDNonCapCases','$DispCTOCapDefs','$DispCTOCapCases','$DispCTONonCapDefs','$DispCTONonCapCases','$OldCapDefs','$OldCapCases','$OldNonCapDefs','$OldNonCapCases');") or die(mysql_error());
try it
BTW, you're probably missing a lot of variables
try to add
or die(mysql_error());
just after query
it will give you answer/error/tell you what's wrong.
Please read the PHP.net page. The function mysql_query() does not return true/false. It only returns false when there was an error. Your code should look like this:
if ($result === false) {
//error
}
else {
//success
}
That way you only see the error when it REALLY REALLY returns false.
EDIT: Also, I never include ; in the actual query in your PHP code when you have one query. That is a query delimiter and is only needed in command prompt or when you are executing two queries in the same mysql_query() instance.
Related
I am lost a bit, shifting from regular queries to parametrized and it seems I cannot get an error.
I know for sure sql does not perform INSERT but also there is no error displayed.
How do I see errors with execute statements? The actual query has 50 values. Below is a code sample, I just need to know how to pull errors on execute. Thank you!
$sqlParamsArUpd = array('10', '20');
$data = $conn->prepare($sqlNew);
$data->execute($sqlParamsArUpd);
if ($data) {
// code continues here (SQL does not insert values and code simply continues here, instead of showing error)
} else {
print_r($conn->errorInfo());
}
Use the boolean from PDOStatement::execute
$sqlParamsArUpd = array('10', '20');
$stmt = $conn->prepare($sqlNew);
$inserted = $stmt->execute($sqlParamsArUpd); // Returns true or false
if ($inserted) {
echo $stmt->rowCount()." rows inserted";
} else {
print_r($stmt->errorInfo());
}
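The check discussed in this thread, as an added example that is not part of the original posts: the statement object is truthy whether or not execute() succeeded, so the failure has to be read from execute()'s return value or from an exception. The `report` table, its values and the in-memory SQLite database (used so the script runs without a server) are assumptions.

```php
<?php
// Added example. Constructed table and values; SQLite in-memory stands in
// for the real database so the script runs offline.
$conn = new PDO('sqlite::memory:');
$conn->exec('CREATE TABLE report (judge_id INTEGER PRIMARY KEY, month INTEGER NOT NULL)');
$sqlNew = 'INSERT INTO report (judge_id, month) VALUES (?, ?)';

// 1) Silent mode (the PDO default before PHP 8): nothing is raised,
//    failures are visible only through return values.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$stmt = $conn->prepare($sqlNew);
$stmt->execute(array('10', '20'));            // first insert succeeds
$inserted = $stmt->execute(array('10', '20')); // same primary key again: fails

var_dump((bool) $stmt);   // what "if ($data)" was testing: the object itself
var_dump($inserted);      // what should be tested: the result of execute()
if ($inserted === false) {
    // SQLSTATE code, driver error code, driver message
    print_r($stmt->errorInfo());
}

// 2) Exception mode (the default from PHP 8 on): a failed execute() throws,
//    so the error cannot be skipped by a forgotten check.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
    $stmt = $conn->prepare($sqlNew);
    $stmt->execute(array('10', '20'));
    echo $stmt->rowCount() . " rows inserted\n";
} catch (PDOException $e) {
    // Full detail goes to the server log; the user sees a generic message.
    error_log('Insert failed: ' . $e->getMessage());
    echo "The report could not be saved.\n";
}
```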
I'm trying to use PHP/ODBC to connect to an access file. The problem is that I can read from the database but I can't write to it using the below:
$conn = odbc_connect('SKW-DB','','');
if (!$conn)
{
exit ("ODBC Connection Failed ". $conn);
}
$stmt = "INSERT INTO PRODUCT (ProductCode, ProductName) VALUES ('TestCode', 'TestEntry')";
$result = odbc_exec ($conn,$stmt);
echo "Result1: ";
echo $result;
$result returns nothing. Again, I am able to read from the database, connectivity isn't an issue. I just can't write to it.
That's because you're simply ASSUMING the query can never fail. It did fail, and returned a boolean false. echo false literally prints out nothing.
Try this instead:
$result = odbc_exec($conn, $stmt);
if ($result === false ) {
die(odbc_errormsg($conn));
}
And what you get back from odbc_exec() cannot be echoed out anyways. On success, it returns a statement handle, which is NOT something you can simply print out.
Sounds like you need a little more debugging code.
First, try var_dumping the $result instead of echoing it.
var_dump($result);
There are certain PHP variable types that echo can't/won't display.
Next -- chances are your query's causing an error of some sort, so try using the odbc error reporting functions after making your query
$result = odbc_exec ($conn,$stmt);
echo "Result1: ";
var_dump( $result );
if ($result === false) // report the ODBC error only when the query failed
{
var_dump( odbc_error($conn) );
var_dump( odbc_errormsg($conn) );
}
Let's say you have a form with pre-populated data from your database, and you allow your users to make changes and save the form. If the user clicks the save button without making any changes, MySQL will not actually perform a write operation, and therefore the affected_rows will return 0.
I understand the behavior, but what is the best practice for determining if an update failed, other than checking for the number of affected_rows?
What is the best practice for differentiating between an update that actually failed, and one that "succeeded" but resulted in 0 affected_rows so that I can provide feedback to the user?
Just check if no errors occurred after execution of query.
If you use mysql, check mysql_error():
if (!mysql_error()) print 'all is fine';
Same for mysqli.
Variation 1:
mysql_query() or die('error');
Variation 2:
$conn = mysql_query();
if (!$conn) {
// Error code here
}
Variation 3:
try {
$conn = mysql_query();
if (!$conn) throw new Exception("mysql Error");
} catch(Exception $e) {
echo $e->getMessage();
}
[affected_rows()][1] is -1 if a query fails, not zero.
[1]: http://www.php.net/manual/en/function.mysql-affected-rows.php
It may return 0 if no changes were made to the row (same values), or if mysql didn't find a row to update. It will only return -1 due syntax erro
if the update "fails" due to syntax error, or other mysql will return an error code on the actual mysql query and affected_rows will return with yet another error.
Php for example:
$qry = mysql_query("update blah where IamaSyntaxerror,33");
if ($qry === FALSE) { echo "an error has occured"; }
else { /* mysql_affected_rows() == 0 means no updates occurred */ }
I have a php page which updates a mySql database. It works fine on my mac (localhost using mamp)
I made a check if it's the connection but it appears to be that there is a connection
<?php require_once('connection.php'); ?>
<?php
$id = $_GET['id'];
$collumn = $_GET['collumn'];
$val = $_GET['val'];
// checking if there is a connection
if(!$connection){
echo "connectioned failed";
}
?>
<?php
$sqlUpdate = 'UPDATE plProducts.allPens SET '. "{$collumn}".' = '."'{$val}'".' WHERE allPens.prodId = '."'{$id}'".' LIMIT 1';
mysql_query($sqlUpdate);
// testing for errors
if ($sqlUpdate === false) {
// Checked this and echos NO errors.
echo "Query failed: " . mysql_error();
}
if (mysql_affected_rows() == 1) {
echo "updated";
} else {
echo "failed";
}?>
In the URL i pass in parameters and it looks like this: http://pathToSite.com/updateDB.php?id=17&collumn=prodid&val=4
Maybe this has to do with the hosting? Isn't this simple PHP mySql database updating? What can be wrong here?
Why on localhost it does work?
Why on live server it doesn't?
Let's start with troubleshooting your exact problem. Your query is failing for some reason. We can find out what that problem is by checking what comes back from mysql_query, and if it's boolean false, asking mysql_error what went wrong:
$sh = mysql_query($sqlUpdate);
if($sh === false) {
echo "Query failed: " . mysql_error();
exit;
}
You have other problems here. The largest is that your code suffers from an SQL Injection vulnerability. Let's say your script is called foo.php. If I request:
foo.php?collumn=prodId = NULL --
then your SQL will come out looking like:
UPDATE plProducts.allPens SET prodId = NULL -- = "" WHERE allPens.prodId = "" LIMIT 1
-- is an SQL comment.
I just managed to nuke all of the product IDs in your table.
The most effective way to stop SQL injection is to use prepared statements and placeholders. The "mysql" extension in PHP doesn't support them, so you'd also need to switch to either the much better mysqli extension, or the PDO extension.
Let's use a PDO prepared statement to make your query safe.
// $db is assumed to be an open PDO connection.
// Placeholders only work for *data*. We'll need to validate
// the column name another way. A list of columns that can be
// updated is very safe.
$safe_columns = array('a', 'b', 'c', 'd');
if(!in_array($collumn, $safe_columns))
die("Invalid column");
// Those question marks are the placeholders.
$sqlUpdate = "UPDATE plProducts.allPens SET $collumn = ? WHERE allPens.prodId = ? LIMIT 1";
$sh = $db->prepare($sqlUpdate);
// The entries in the array you pass to execute() are substituted
// into the query, replacing the placeholders.
$success = $sh->execute(array( $val, $id ));
// If PDO is configured to use warnings instead of exceptions, this will work.
// Otherwise, you'll need to worry about handling the exception...
// execute() failures are recorded on the statement, so ask $sh for the details.
if(!$success)
die("Oh no, it failed! MySQL says: " . join(' ', $sh->errorInfo()));
Most mysql functions return FALSE if they encounter an error. You should check for error conditions and if one occurs, output the error message. That will give you a better idea of where the problem occurred and what the nature of the problem is.
It's amazing how many programmers never check for error states, despite many examples in the PHP docs.
$link = mysql_connect(...);
if ($link === false) {
die(mysql_error());
}
$selected = mysql_select_db(...);
if ($selected === false) {
die(mysql_error());
}
$result = mysql_query(...);
if ($result === false) {
die(mysql_error());
}
Your call to mysql_query() is faulty; you're checking the contents of the variable you're passing in but the function call doesn't work that way. It returns a value which is what you should check. If the query failed, it returned false. If it returns data (like from a SELECT) it returns a resource handle. If it succeeds but doesn't return data (like from an INSERT) it returns true.
You also have some problems constructing your SQL. @Charles mentions SQL injection and suggests prepared statements. If you still want to construct a query string, then you need to use mysql_real_escape_string(). (But I would recommend you read up on the mysqli extension and use those functions instead.)
Secondly, you're concatenating strings with embedded substitution. This is silly. Do it this way instead:
$sqlUpdate = 'UPDATE plProducts.allPens SET '.$collumn.' = \''.$val.'\'
WHERE allPens.prodId = '.intval($id).' LIMIT 1';
If you must accept it in the querystring, you should also check that $collumn is set to a valid value before you use it. And emit an error page if it's not. Likewise, check that $id will turn into a number (use is_numeric()). All this is called defensive programming.
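The defences named in this thread put together and run against the request from the answer above, as an added example that is not part of the original posts. The helper `updatePen()`, the `name` and `price` columns, the sample rows and the in-memory SQLite database (standing in for MySQL, so the schema prefix and `LIMIT 1` are dropped) are assumptions.

```php
<?php
// Added example. Constructed schema and rows; SQLite in-memory stands in
// for the MySQL table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE allPens (prodId INTEGER PRIMARY KEY, name TEXT, price TEXT)');
$db->exec("INSERT INTO allPens VALUES (17, 'Fountain', '4'), (18, 'Roller', '2')");

// Hypothetical helper: a column name cannot be bound as a placeholder, so it
// is matched against a fixed allowlist; the value and id are bound as data.
function updatePen(PDO $db, $collumn, $val, $id)
{
    $safe_columns = array('name', 'price');
    if (!in_array($collumn, $safe_columns, true)) {
        return 'rejected: column not allowed';
    }
    if (!ctype_digit((string) $id)) {
        return 'rejected: id is not a number';
    }
    try {
        $sh = $db->prepare("UPDATE allPens SET $collumn = ? WHERE prodId = ?");
        $sh->execute(array($val, (int) $id));
        return $sh->rowCount() === 1 ? 'updated' : 'no row changed';
    } catch (PDOException $e) {
        // Detail goes to the server log, not to the response.
        error_log('Update failed: ' . $e->getMessage());
        return 'failed';
    }
}

// The column value from the answer above, a value containing a quote,
// and an id that matches no row.
echo updatePen($db, 'prodId = NULL --', '', ''), "\n";
echo updatePen($db, 'name', "O'Brien nib", '17'), "\n";
echo updatePen($db, 'price', '5', '999'), "\n";

// Dump the table to confirm which rows changed.
print_r($db->query('SELECT prodId, name, price FROM allPens')->fetchAll(PDO::FETCH_ASSOC));
```

On MySQL, a row count of 0 also covers an update whose new values equal the stored ones, which is why the helper reports "no row changed" rather than "not found".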
I am creating a new login script/members directory.
I am creating it from scratch without any frameworks (advice on this matter would also be appreciated).
The situation:
// Look up the username and password in the database
$query = "SELECT admin_id, username FROM admin WHERE adminname = '$admin_user' AND password = SHA1('$admin_pass')";
$data = mysqli_query($dbc, $query);
if (mysqli_num_rows($data) == 1) {
This bit of code keeps giving me an error (the last line in particular):
Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home8/craighoo/public_html/employees/security/dir_admin.php on line 20
When echoing the query I get:
SELECT admin_id, adminname FROM admin WHERE adminname = 'admin' AND password = SHA1('password')
EDIT:
Thanks to everyone. The problem was in my Database column names and the column names I was referencing.
Your query execution is failing. When that happens mysqli_query returns false (boolean value) and when that is passed to mysqli_num_rows, you get this error.
Print the query just before executing and check for correctness.
Considering that mysqli_query returns false on failure, and that $data is a boolean, here, I suppose there is an error occurring during the execution of your SQL query.
You could try using mysqli_error to find out what this error is:
$data = mysqli_query($dbc, $query);
if ($data !== false) {
// Do whatever you want with $data
if (mysqli_num_rows($data) == 1) {
//
}
} else {
echo mysqli_error($dbc);
die;
}
Note: echoing the error message and dying, like I did here, is OK while developing your script; but you should not do that in production.
Instead, in production, you should:
Log the error to a file
Display a nice message to the user
When you have a critical query, it's best to add a die to it like so:
mysqli_query($dbc, $query) or die('Critical error on line #'. __LINE__ .' when attempting to login ...<br>'. mysqli_error($dbc));
Have you tried running that same query manually thru phpmyadmin or the console? What result do you get?