I've been trying to query an email address using the following statement, however after hours of trying to escape the string successfully I've accepted defeat.
The query I am using is: SELECT id, email FROM user WHERE email = '$email'
That gives me an error:
MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#gmail.com' at line 1
I'm sure it's simple.. I just can't seem to find an answer anywhere that works.
UPDATE #1
The code that I have been using is:
$email = "abc#gmail.com";
$sql = "SELECT id, email FROM user WHERE email = '$email'";
$result = mysql_query($sql) or die('Unable to connect: '.mysql_error());
UPDATE #2
The email comes from the Facebook connect API.
This is probably because the E-Mail address that you get from Facebook connect contains quotes, e.g. something like
"Harry"#gmail.com
"Harry#gmail.com"
When pulling data from a web service (or from anywhere else), you need to escape the data to prevent SQL injection, and garbled queries like in your situation.
In your case:
$email = mysql_real_escape_string($email);
Related
I am currently trying to setup a game.
I have tried a lot of things but nothing seems to have worked so far
$sql = "
select username
, safe_username
from users
where id = $userid;
UPDATE users
SET username = '$newusername'
where id = $userid
";
Error: select username, safe_username from users where id = 10; UPDATE users SET username = 'Deaga' where id = 10
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE users SET username = 'Deaga' where id = 10' at line 1
I expected it to work.
I am trying to set up a game. If you could help me, thank you very much. I am new to coding and I don't really know what to look for when I get these kinds of errors.
Only one query at a time is allowed. You'll need to run each query separately in your php program.
I am trying to update my database with php and for that I have written the following query :
$query = " UPDATE users SET username = '$username' , password = '$password' WHERE id = $id ";
and the error is shown as :
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use
near '' at line 1
Can you please help?
“syntax to use near ‘something’” shows the first few characters after the last part of the query that MySQL could parse. When ‘something’ is a zero-length string like in this case, it means the query ended before it was complete. That points to $id being an empty string.
You didn’t ask for comments on whether your query has other severe problems that will certainly lead to cybercreeps pwning your web site, so I won’t offer any such comments. :-)
I am currently attempting to create a dashboard for a personal trainer where they can update client records. I have a mySQL database and I am using PHP as the scripting language.
What I want to do: Be able to update client information via HTML input boxes. (Which I have already created). The first being username - which should correspond to a username in the mySQL database. Then the information in the next three input boxes should be inserted into the correct fields in the database.
The Problem: I currently cannot get the SQL statement to work correctly as the Client username is not recognized. This is the error message I am currently receiving :
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') WHERE Client_username = JSmith' at line 1
JSMith is a valid username in the database.
Below is the PHP I am attempting to use:
//insert
$value1 = $_POST['height1'];
$value2 = $_POST['weight1'];
$value3 = $_POST['bodyfat1'];
$value4 = $_POST['username'];
$sql = "UPDATE client SET Height='$value1', Weight='$value2', Body_fat='$value3') WHERE Client_username = $value4";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
?>
My connection etc is working just fine.
If anyone could help me out that would be great!
Here's the deal.
The first error is coming from the bracket just before your where clause:
$sql = "UPDATE client SET Height='$value1', Weight='$value2', Body_fat='$value3') WHERE...
                                                                                ^ there
Remove it.
MySQL was telling you:
...right syntax to use near ') WHERE
                             ^
Then, the "username" which is a string, needs to be treated as such, therefore wrapping the $value4 variable in your where clause with quotes.
WHERE Client_username = '$value4'
However, I need to point out that your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.
An insight:
Make sure that your form contains name attributes to go with your POSTs, and contain no typos, and that letter-case matches.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
I'm working with a PHP site right now that connects to a database and selects off 1 of our tables to compare information. Currently we are running into an issue with the # sign when comparing our email with a record in the table.
Here is exactly what is happening:
We are using a SELECT statement to compare the variable $Email to find out what is the associated ID for the account. The problem is when comparing with $Email and we have turned error reporting on we can see that the #hotmail.com is causing an error by SQL syntax standards.
$id = "SELECT idaccount FROM `animator`.`account` WHERE email = $Email";
$result = mysqli_query($dbc, $id) or die("Error: ".mysqli_error($dbc));
The outcome is the following:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#hotmail.com' at line 1
Anyone got any ideas?
You should enclose the $Email value in single quotes, so the generated statement looks like this:
SELECT idaccount FROM `animator`.`account` WHERE email = 'something#hotmail.com'
Even better, you should prepare the statement and bind the value of $Email. Take a look here: http://php.net/manual/en/mysqli-stmt.bind-param.php
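The prepared-statement approach recommended in the answers above (for the client update and for the email lookup), as an added example that is not part of the original posts. It uses PDO with an in-memory SQLite database so it runs without a database server; the table layout, the sample rows and the function names findAccountId and updateClient are assumptions.

```php
<?php
// Added example, not code from the original posts. In-memory SQLite stands in
// for MySQL so this runs without a server; with MySQL only the DSN passed to
// the PDO constructor changes, the prepare/execute calls stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows, loosely following the questions above.
$pdo->exec('CREATE TABLE account (idaccount INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec('CREATE TABLE client (Client_username TEXT, Height TEXT, Weight TEXT, Body_fat TEXT)');
$pdo->exec("INSERT INTO account (email) VALUES ('someone@example.com')");
$pdo->exec("INSERT INTO client (Client_username) VALUES ('JSmith')");

// Look up an account id by email. The value travels as a bound parameter,
// so quotes or other punctuation in it can never change the statement.
function findAccountId(PDO $pdo, string $email): ?int
{
    $stmt = $pdo->prepare('SELECT idaccount FROM account WHERE email = ?');
    $stmt->execute([$email]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Update a client's measurements; returns the number of rows changed.
function updateClient(PDO $pdo, string $username, string $height, string $weight, string $bodyFat): int
{
    $stmt = $pdo->prepare(
        'UPDATE client SET Height = ?, Weight = ?, Body_fat = ? WHERE Client_username = ?'
    );
    $stmt->execute([$height, $weight, $bodyFat, $username]);
    return $stmt->rowCount();
}

// A known address, then addresses containing quote characters (constructed).
// String-built queries fail on the quoted ones; here they are ordinary data.
var_dump(findAccountId($pdo, 'someone@example.com'));
var_dump(findAccountId($pdo, "o'brien@example.com"));
var_dump(findAccountId($pdo, '"Harry"@example.com'));

// An existing username updates one row; an unknown one updates none.
var_dump(updateClient($pdo, 'JSmith', '180', '75', '14'));
var_dump(updateClient($pdo, 'nobody', '180', '75', '14'));
```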
I'm trying to store in MySQL the last date and hour that a user accessed his account. When I log in I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '16:06:21 WHERE email = 'something#host.com'' at line 1
$query="UPDATE users SET last_visit=$last_visit WHERE email = '$email'";
mysql_query($query) or die (mysql_error());
last_visit is of datetime type.
$last_visit = date("Y-m-d H:i:s");
$email = mysql_real_escape_string($_POST['email']);
I know that MySQL is deprecated. I'll use MySQLi.
Let me know if I need to edit my question before downrating. Thanks!
You forgot the quotes ' since the last_visit column is a DATETIME:
$query="UPDATE users SET last_visit='$last_visit' WHERE email = '$email'";