Error Uploading JPEG to MySQL - php

I am getting the error below when trying to upload a JPEG image to my MySQL database (Image is a BLOB):
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id=57 (Image) VALUES ('ÿØÿà\0JFIF\0\0\0\0\0\0ÿá\0XExif\0\0MM\0*\0\0\' at line 1
I would really appreciate it if you could tell me the problem in my code.
$sql = sprintf(
"INSERT INTO recipies WHERE id=$id (Image) VALUES ('%s')", mysql_real_escape_string(file_get_contents($_FILES["image"]["tmp_name"])));
$results = mysql_query($sql) or die(mysql_error());

It's insert into or update where.
You might want this:
$sql = sprintf(
"UPDATE recipies SET Image = '%s' WHERE id=$id", mysql_real_escape_string(file_get_contents($_FILES["image"]["tmp_name"])));
$results = mysql_query($sql) or die(mysql_error());

Maybe like this would be more correct syntax
$sql = sprintf(
"INSERT INTO recipies (Image) VALUES ('%s') ", mysql_real_escape_string(file_get_contents($_FILES["image"]["tmp_name"])));
$results = mysql_query($sql) or die(mysql_error());
EDIT
It seems you're confused with SQL UPDATE syntax and MySQL particular mess. So correct syntax would be
INSERT
[INTO] tbl_name [(col_name,...)]
{VALUES | VALUE} ({expr | DEFAULT},...),(...),...
Or:
INSERT
[INTO] tbl_name
SET col_name={expr | DEFAULT}, ...
So your friend is the MySQL::INSERT Syntax Manual.
Happy Querying!

Looks more like you are trying to update rather than insert
UPDATE recipies SET Image= ('%s') WHERE id = %d

Related

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1

This is my updating script--
$cno = $data[6];
$result = mysql_query("select *
from courier_details
where consignment_no = '".$cno."'");
if($result >0)
{
$update = "UPDATE `courier_details`
SET(`shipper_name`, `shipper_phone`, `shipper_address`, `receiver_name`,
`receiver_phone`, `receiver_address`, `consignment_no`,
`type_of_shippment`, `weight`, `volumetric_weight`, `packages`,
`product`, `qnty`, `booking_mode`, `total_freight`, `mode`,
`dept_time`, `origin`, `destination`, `pickup_date`, `pickup_time`,
`status`, `excepted_dly_date`, `comments`, `delivered_date`,
`delivered_time`, `deboy`, `career`,`originbr`, `destinationbr`,
`email`)
VALUES('$data[0]','$data[1]','$data[2]','$data[3]','$data[4]','$data[5]',
'$data[6]','$data[7]','$data[8]','$data[9]','$data[10]','$data[11]',
'$data[12]','$data[13]','$data[14]','$data[15]','$data[16]',
'$data[17]','$data[18]','$data[19]','$data[20]','$data[21]',
'$data[22]','$data[23]','$data[24]','$data[25]','$data[26]',
'$data[27]','$data[28]','$data[29]','$data[30]')
WHERE `consignment_no` = '".$cno."'";
mysql_query($update) or die(mysql_error());
}
It shows an error when the code executes--
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
near '(shipper_name, shipper_phone, shipper_address, receiver_name, `receiver_' at line 1
Your update query seems wrong.
You cannot use UPDATE query like INSERT query. Syntax should be:
Update TableName
Set col1=val1,
col2=val2,
col3=val3,
.......
On the other hand, INSERT can be used like:
INSERT INTO TableName
(col1,col2,col3) VALUES (val1,val2,val3)
You were mixing update and insert queries; you need to learn about the differences between them.
UPDATE
UPDATE table_name SET field1=new-value1, field2=new-value2
[WHERE Clause]
INSERT
INSERT INTO TABLE_NAME (column1, column2, column3,...columnN)
VALUES (value1, value2, value3,...valueN);
So your query will be like
"UPDATE `courier_details` SET `shipper_name` = '$data[0]',
`shipper_phone` = '$data[1]'.....
WHERE `consignment_no` = '$cno'"
Use mysql_num_rows() to count the number of rows.
This is wrong:
if($result >0)
And don't use an update query as an insert query; both are different.
It would be:-
$result = mysql_query("select * from courier_details where consignment_no = '" . $cno . "'");
if (mysql_num_rows($result) > 0) {
$update="UPDATE table_name SET field1=value1, field2=value2";
mysql_query($update) or die(mysql_error());
}

Syntax error in mysql when inserting an image into a database

I am new to mysql and I would really appreciate any help. What I want to do is to upload an image to a specific row in a database and then display the image in the user's page. The error I get is:
Error in Query:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = 1' at line 4.
This is the piece of code referenced:
$sql = "INSERT INTO users5 (image, imageName)
VALUES ('{$imgData}', '{$_FILES['userfile']['name']}')WHERE id = $id;";
What I want to do is to upload an image to a specific row in a database
You have to use an UPDATE command if the row already exists.
$sql = "UPDATE users5 SET image = ?, imageName = ? WHERE id = ?";
$stmt = $mysqli->prepare( $sql );
// 's' = string, 'i' = integer; the values never become part of the SQL text
$stmt->bind_param( 'ssi', $imgData, $_FILES['userfile']['name'], $id );
$stmt->execute();
As suggested, you had better use a prepared statement to bind parameter values for placeholders safely, avoiding SQL injection.
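The prepared UPDATE from the answer above, extended with the checks an upload handler normally needs (size limit, content-based type check, affected-row check). This is an added example, not code from the thread: the `storeImage` helper, the size limit and the MIME allow-list are assumptions, and in-memory SQLite through PDO stands in for MySQL so it runs without a server.

```php
<?php
// Added example. Table and column names follow the question (users5.image,
// users5.imageName); the helper name, limit and allow-list are assumptions.
const MAX_BYTES = 2 * 1024 * 1024;                 // assumed size limit
const ALLOWED   = ['image/jpeg', 'image/png'];     // assumed allow-list

function storeImage(PDO $db, int $id, string $tmpPath, string $clientName): bool
{
    // In a real handler, first check $_FILES[...]['error'] === UPLOAD_ERR_OK
    // and is_uploaded_file($tmpPath).
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        return false;
    }
    // Decide the type from the file content, not from the client-supplied name.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, ALLOWED, true)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users5 SET image = ?, imageName = ? WHERE id = ?');
    $stmt->bindValue(1, file_get_contents($tmpPath), PDO::PARAM_LOB); // raw bytes, no escaping
    $stmt->bindValue(2, basename($clientName), PDO::PARAM_STR);
    $stmt->bindValue(3, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;   // false when no row has that id
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users5 (id INTEGER PRIMARY KEY, image BLOB, imageName TEXT)');
$db->exec('INSERT INTO users5 (id) VALUES (1)');

// Constructed sample: JPEG/JFIF header bytes containing a quote and NUL bytes.
$tmp = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($tmp, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01'\x00\xFF\xD9");
var_dump(storeImage($db, 1, $tmp, "me'.jpg"));   // row exists
var_dump(storeImage($db, 99, $tmp, 'me.jpg'));   // no such row
unlink($tmp);
```

With a MySQL DSN in place of `sqlite::memory:` the UPDATE statement and the bindings stay the same.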

inserting values using get method into database

I am relatively new to PHP. The problem I am facing occurs while inserting values into the 'leave' table of my database. The error is given below.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where lid = 4' at line 1
And here is my code:
<?php
include_once 'config.php';
$accept = "accepted";
mysql_query("insert into `leave` (`action`) values ('$accept') where lid = ".$_GET['id'] , $dbCon ) or die(mysql_error());
header('location: admin_leave.php');
?>
You need to use update for this, not insert.
mysql_query("update `leave` set `action` ='$accept' where lid = ".$_GET['id'] , $dbCon ) or die(mysql_error());
And don't use mysql_*; they are deprecated. Link: http://php.net/manual/en/function.mysql-db-query.php . Use either PDO or mysqli.
INSERT can't be used with WHERE; maybe you are looking for UPDATE.
mysql_query("UPDATE `leave` SET `action`='$accept' where lid = ".$_GET['id'] , $dbCon ) or die(mysql_error());
Your queries are wide open to SQL injection. Start using mysqli or PDO with prepared statements.
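Why the answers in this thread insist on prepared statements: the concatenated UPDATE beside a validated, parameterised one, each run against a fresh three-row table so the affected-row counts can be compared. This is an added example, not code from the thread: the function names and sample rows are assumptions, and in-memory SQLite through PDO stands in for MySQL so it runs offline.

```php
<?php
// Added example. The table name `leave` and column names follow the question;
// the sample rows and function names are constructed for illustration.
function freshDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE `leave` (lid INTEGER PRIMARY KEY, action TEXT)');
    $db->exec("INSERT INTO `leave` (lid, action) VALUES (3,'pending'),(4,'pending'),(5,'pending')");
    return $db;
}

// Pattern from the thread: the request value is concatenated into the SQL text,
// so the database parses whatever the client sent as part of the statement.
function acceptConcatenated(PDO $db, string $id): int
{
    return $db->exec("UPDATE `leave` SET `action` = 'accepted' WHERE lid = " . $id);
}

// Hardened: require a plain positive integer, then bind it as a parameter.
function acceptPrepared(PDO $db, string $id): int
{
    $lid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($lid === false) {
        return 0;   // reject instead of letting the database interpret it
    }
    $stmt = $db->prepare("UPDATE `leave` SET `action` = 'accepted' WHERE lid = ?");
    $stmt->bindValue(1, $lid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request values standing in for $_GET['id'].
foreach (['4', '4 OR 1=1'] as $id) {
    printf("%-10s concatenated: %d row(s), prepared: %d row(s)\n",
        $id, acceptConcatenated(freshDb(), $id), acceptPrepared(freshDb(), $id));
}
```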

MYSQL Query error WHERE id = $id

I'm creating and then editing a row in a table, however my edit mysql query in php is giving me an error that I can't figure out. Any help?
The creation query:
$query = "INSERT INTO timelines (
id, event_name, event_date, date_created, attendee_count, attendee_names, maximum_attendees, creator_id, creator_name, price, thumbnail
) VALUES (
'{$timelineID}', '{$event_name}', '{$event_date}', '{$date_created}', '{$attendee_count}', '{$attendee_names}', '{$maximum_attendees}', '{$creator_id}', '{$creator_name}', '{$price}', '{$thumbnail}'
)";
The edit query:
$query = "UPDATE timelines SET
event_name = '{$event_name}',
event_date = '{$event_date}',
maximum_attendees = '{$maximum_attendees}',
price = '{$price}',
thumbnail = '{$thumbnail}',
WHERE id = {$timelineID}";
Error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 'WHERE id =' at line 8
You have an extra comma before the WHERE clause. Just remove it and it will work fine.
thumbnail = '{$thumbnail}',
^ here
WHERE ...
Final query:
$query = "UPDATE timelines SET
event_name = '{$event_name}',
event_date = '{$event_date}',
maximum_attendees = '{$maximum_attendees}',
price = '{$price}',
thumbnail = '{$thumbnail}'
WHERE id = {$timelineID}";
Your query is vulnerable to SQL injection; please read the article below to learn how to protect against it.
How can I prevent SQL injection in PHP?

SQL Syntax error in Insert and Select nested Query

I have this query:
$FullName = mysql_real_escape_string($_REQUEST['name']);
$EmailAdd = mysql_real_escape_string($_REQUEST['email_address']);
$City = mysql_real_escape_string($_REQUEST['city']);
$State = mysql_real_escape_string($_REQUEST['state']);
$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM 'td_events' where event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
$RsEmail = mysql_query($SqlEInsert) or die('Error :' . mysql_error());
but I'm getting the following error when I run the application
Error :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''td_events' where event_id = '394'),'email#hotmail.com','Full Name', 'Atl' at line 1
You don't need ' for the table name. When you want to use quotes, you have to use `
$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
And please take a look at SQL Injections and Security
$SqlEInsert= "INSERT INTO td_email VALUES ((SELECT ownerid FROM td_events WHERE event_id = '".(int)$EvID."'),'".mysql_real_escape_string($EmailAdd)."','".mysql_real_escape_string($FullName)."', '".mysql_real_escape_string($City)."' ,'".mysql_real_escape_string($State)."')";
The td_event is a field name rather than a value. Escape it with an apostrophe.
$SqlEInsert= "INSERT INTO `td_email` VALUES ((SELECT ownerid FROM `td_events` where event_id = '$EvID'),'$EmailAdd','$FullName', '$City' ,'$State')";
Make sure your values are escaped. You can run them through: mysql_real_escape_string() to do so.
