I wrote this query:
$query = "UPDATE encodage_answer
SET Answer = geir
WHERE encodage_question_ID = 128
AND encodage_ID = 305
AND Extra = NULL";
$insert = mysql_query($query, $connection) or die(mysql_error());
But if I run this code I always get the same error:
Unknown column 'geir' in 'field list'
It's probably me but I think I am not saying geir is a column/field; what's the issue?
When I run this query directly in my PHPMyAdmin it works great.
Update: Full code:
The answer exists, $Extra variable is Null
$AnswerExists = answer_exists($Question_ID, $encodage_ID, $Extra);
if($AnswerExists <> ""){
if($Answer != NULL){
$correctAnswer = mysql_prep($Answer);
if($Extra != NULL){
$query = "UPDATE `encodage_answer` SET `Answer` = '" . mysql_prep($Answer) . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query, $connection) or die(mysql_error());
$query2 = "UPDATE `encodage_answer` SET `Extra` = '" . $Extra . "' WHERE `ID` = '" . $AnswerExists . "'";
$insert = mysql_query($query2, $connection) or die(mysql_error());
}else{
$querytest = "UPDATE `encodage_answer` SET Answer = " . $Answer . " WHERE ID = " . $AnswerExists;
$insert = mysql_query($querytest, $connection) or die(mysql_error());
}
}
}
function answer_exists($Question_ID, $encodage_ID, $Extra){
global $connection;
$trfa = false;
echo $Question_ID . " - " . $encodage_ID . "<br />";
if($Extra <> ""){
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID} AND Extra = {$Extra}";
}else{
$query = "SELECT *
FROM encodage_answer
WHERE encodage_ID = {$encodage_ID} AND encodage_question_ID = {$Question_ID}";
}
Try putting single quotes around geir. By not quoting the string you want to set the column to, the SQL backend thinks you want to set the value of the Answer column to the value of the geir column. Since the geir column doesn't exist in your table, it throws an error.
Edit: I suspect that PHPMyAdmin has some kind of SQL statement filtering to catch cases like this, and automatically puts quotes around the string for you.
Thanks for the help to everyone! I'm changing all queries to a safer format! SQL-Injection treats are no longer an issue! Thanks for the tip!
Concerning my question:
I'am a complete idiot! After searching for a solution for 20 hours I found my error! The error was for another query. I'm very sorry for wasting your time but I'm a newbie (ergo, the sql-injection issue), so I hope I am allowed to make a few mistakes.
Thanks
Jens
Related
Below is my small code for inserting some info into AthleteID. It doesn't actually insert the information to the table though, any help is appreciated. (sorry for asking twice, but I think my first question isn't addressing whatever issue is holding me up here!)
<?php
require_once('resources/connection.php');
echo 'hello noob' . '<br />';
$query = mysql_query('SELECT LName, MyWebSiteUserID FROM tuser WHERE MyWebSiteUserID = MyWebSiteUserID');
$athleteId = strtoupper(substr($row["LName"], 0, 2)) . $row["MyWebSiteUserID"];
$update = "UPDATE `tuser` SET `AthleteID`='$athleteId' WHERE `MyWebSiteUserID` = `MyWebSiteUserID`;";
while($row = mysql_fetch_array($query)){
mysql_query( $update);
}
Where to begin..
1) Your using mysql and not mysqli. mysql is now deprecated but you could be on a PHP 4 system so keep that in mind.
2) You are building the $athleteID before you have found out what LName and SkillshowUserID is.
3) Your using a where of 1 = 1. You dont need this as it will return true for every row.
4) So...
// Execute a query
$results = mysql_query('SELECT LName, MyWebsiteID FROM tuser WHERE SkillshowUserID = SkillshowUserID');
// Loop through the result set
while($row = mysql_fetch_array($query))
{
// Generate the athleteId
$athleteId = strtoupper(substr($row["LName"], 0, 2)) . $row["MyWebsiteID"];
// Generate an sql update statement
$update = "UPDATE `tuser` SET `AthleteID`='" . $athleteId . "' " .
" WHERE LName = '" . $row['LName'] . "' " .
" AND MyWebsiteID = '" . $row['MyWebsiteID'] . "';";
// Fire off that bad boy
mysql_query($update);
}
I need help with this code:
if (isset($_POST['aboutme'])) {
$aboutme = $_POST['aboutme'];
$aboutme = mysql_real_escape_string($aboutme);
mysql_query("UPDATE `users` SET `about_me`='" . $aboutme . "' WHERE `username`='" . $usn . "' LIMIT 1") or die(mysql_error());
}
I don't know why it doesn't work, but it does not make it to the proper cell to change it. Here is the text area:
<textarea id="aboutme" name="aboutme" rows="4" cols="50"><?php echo "$abme"; ?></textarea>
I don't know what is going one here because no errors are coming out of it.
http://gyazo.com/f36f04c014bb229c1be27cc7a9e5072f.png?1363328064
I strongly recommend to switch to mysqli.
also mysql_real_escape_string() requires an active database connection.
So you should connect to the database first or mysql_real_escape_string() will return an empty string
DEBUG :
if (isset($_POST['aboutme'])) {
$aboutme = $_POST['aboutme'];
$aboutme = mysql_real_escape_string($aboutme);
$query = "UPDATE `users` SET `about_me`='" . $aboutme . "' WHERE `username`='" . $usn . "' LIMIT 1";
mysql_query($query) or die(mysql_error());
}
print_r($query);
this will allow you to see the query and trigger will an error if the form is not posted correctlly ( Undefined variable $query).
You can run the query on mysql if it output it to see the result;
//$type has value of "Hello+World"
$type = $_POST['series'];
$sql = "select max(id) from TABLE_NAME where type = " . $type;
$result = sybase_query ($sql, $db_ro_conn) or die(db_error("query failed $sql"));
$row = sybase_fetch_row($result)
I get the error "incorrect syntax near "=". y15, procedure N/A in the $sql line.
What are the possible reasons why this is happening? Somehow it doesn't work. Would appreciate any help, thanks!
Put quotes around your $type like this:
$type = $_POST['series'];
$sql = "select max(id) from TABLE_NAME where type = '" . $type. "'";
$result = sybase_query ($sql, $db_ro_conn) or die(db_error("query failed $sql"));
$row = sybase_fetch_row($result)
Let me start with this. ALWAYS escape POST/GET values in your query!
The error is probably caused by $type is string and not quoted. Try changing $sql to
$sql = "select max(id) from TABLE_NAME where type = '" . $type."'";
You are not quoting the value:
$type = str_replace("'", "''", $_POST['series']);
$sql = "select max(id) from TABLE_NAME where type = '" . $type . "'";
This query is not returning any result as there seems to be an issue with the sql.
$sql = "select region_description from $DB_Table where region_id='".$region_id."' and region_status =(1)";
$res = mysql_query($sql,$con) or die(mysql_error());
$result = "( ";
$row = mysql_fetch_array($res);
$result .= "\"" . $row["region_description"] . "\"";
while($row = mysql_fetch_array($res))
{
echo "<br /> In!";
$result .= " , \"" . $row["region_description"] . "\"";
}
$result .= " )";
mysql_close($con);
if ($result)
{
return $result;
}
else
{
return 0;
}
region_id is passed as 1.
I do have a record in the DB that fits the query criteria but no rows are returned when executed. I beleive the issue is in this part ,
region_id='".$region_id."'
so on using the gettype function in my php it turns out that the datatype of region_id is string not int and thus the failure of the query to function as my datatype in my tableis int. what would be the way to get parameter passed to be considered as an int in php. url below
GetRegions.php?region_id=1
Thanks
Try it like this:
$sql = "SELECT region_description FROM $DB_Table WHERE region_id = $region_id AND region_status = 1"
The region_id column seems to be an integer type, don't compare it by using single quotes.
Try dropping the ; at the end of your query.
First of all - your code is very messy. You mix variables inside string with escaping string, integers should be passed without '. Try with:
$sql = 'SELECT region_description FROM ' . $DB_Table . ' WHERE region_id = ' . $region_id . ' AND region_status = 1';
Also ; should be removed.
try this
$sql = "select region_description from $DB_Table where region_id=$region_id AND region_status = 1";
When you are comparing the field of type integer, you should not use single quote
Good Luck
Update 1
Use this.. It will work
$sql = "select region_description from " .$DB_Table. " where region_id=" .$region_id. " AND region_status = 1";
You do not need the single quotes around the region id i.e.
$sql = "SELECT region_description FROM $DB_Table WHERE region_id = $region_id AND region_status = 1"
this script have to update things on every refresh but not working. lend me a hand
$yp = mysql_query("select id from yyy where twitterid = '$tid'");
$qq = "update yyy set twitterid = '$tid',
twitterkullanici = '$twk',
tweetsayisi = '$tws',
takipettigi = '$tkpettigi',
takipeden = '$tkpeden',
nerden = '$nerden',
bio = '" . mysql_real_escape_string($bio) . "',
profilresmi ='$img',
ismi = '$isim'
where id = '$yp'";
$xx = mysql_query($qq);
Looks like you are not getting the value out of the variable $yp.
You need to do
$row = mysql_fetch_row($yp);
then
id = '.$row[0] .'
in your update query
$yp - is a result of mysql_query (resource). You have to read id from database (mysql_fetch_array or mysql_fetch_row).
$yp = mysql_query("select id from yyy where twitterid = '$tid'");
if ($yp)
{
if ($row = mysql_fetch_array($yp,MYSQL_ASSOC))
$id = $row["id"];
}
Now use $id in WHERE clause.
To make debugging SQL easier in PHP add the following after to your mysql_query(0 call.
mysql_query($qq) or die("A MySQL error has occurred.<br />Your Query: " . $qq. "<br /> Error: (" . mysql_errno() . ") " . mysql_error())
Just make sure you remove it before you go into prod, as it can give useful info away to any hackers attempting Sql Injection.