SQL Query Error Near '' - php

UPDATE ".$tablename." SET stock=%s WHERE itemname=".$itemname."
SQL Query throwing this error:
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '' at line 1
Can't find what it is talking about as it only gives me '' and not any text in the query. Thanks!

The string concatenation above looks really messy!
I would go for something simple:
$sql = "UPDATE $tablename SET stock='$stock' WHERE itemname='$itemname'";
If this doesn't work, you should debug the values of $tablename, $stock and $itemname.
ps. I've already given +1 to Nick :)

The example looks incomplete.
Is it possible that the variables $tablename or $itemname are empty?
You are mixing sprintf and string concatenation. The best way is to use only one method, i.e.:
$sql = "UPDATE %s SET stock='%s' WHERE itemname='%s'";
$query = sprintf($sql, $tablename, $stock, $itemname); // pass $query to mysql_query
But I agree with Parker that you don't quote your strings.

Try, it doesn't look like you're quoting your strings.
UPDATE ".$tablename." SET stock='%s' WHERE itemname='".$itemname."'

Related

Error in my SQL syntax but I don't know where

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''s Office,meheh)' at line 1
here is my sql query
$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`)
VALUES($InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints',".$_GET["office_name"].",".$_GET["application_name"].")";
Looks like you're missing a single quote before $InsertSteps and around the two references to $_GET. Also, try escaping your variables first; it's good practice to always escape input prior to making calls to the database. Escaping will help protect your application against malicious attackers that could try to add extra commands to your SQL statement.
Example:
$InsertSteps = mysql_real_escape_string($InsertSteps);
$InsertPersonnel = mysql_real_escape_string($InsertPersonnel);
$InsertTime = mysql_real_escape_string($InsertTime);
$InsertFees = mysql_real_escape_string($InsertFees);
$InsertDocuments = mysql_real_escape_string($InsertDocuments);
$InsertComplaints = mysql_real_escape_string($InsertComplaints);
$InsertOfficeName = mysql_real_escape_string($_GET["office_name"]);
$InsertApplicationName = mysql_real_escape_string($_GET["application_name"]);
$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`)
VALUES('$InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints','$InsertOfficeName','$InsertApplicationName')";
Just try the query below:
$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`, `documents`, `complaints`, `office`, `service`) VALUES('$InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints','".$_GET['office_name']."','".$_GET['application_name']."')";
$appname=$_GET["application_name"];
$officename=$_GET["office_name"];
$sql1 = "INSERT INTO `tbl_charter`(`steps`, `personnel`, `timee`, `fees`,`documents`, `complaints`, `office`, `service`) VALUES('$InsertSteps','$InsertPersonnel','$InsertTime','$InsertFees','$InsertDocuments','$InsertComplaints','$officename','$appname')";

Why does mysqli_real_escape_string() not escape multiple backslashes properly?

Given this SQL
UPDATE `mytable`
SET `mycolumn`='karla bailey-pearapppppppp\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
WHERE `id`=5619
Why will mysqli_real_escape_string() not escape this string properly?
Trying to use this SQL query after escaping the column's value produces this mysqli error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''karla bailey-pearapppppppp\\\\\\\\\\\\\\\\\\\\\\\\\\\' at line 3"
Is there a limit to the number of backslashes that can be escaped?
Are you escaping the ENTIRE string? e.g.
$sql = "UPDATE .... \\\\\\\'";
$escaped = mysqli_real_escape_string($link, $sql);
If so, that's incorrect. You are trashing the string by doing that. You'll also be escaping the ' that delimit your where clause value. Escaping should be performed only on the VALUES that you're inserting into the string, e.g.
$name = "Miles O'Brien"; // ' in name would cause syntax error
$bad_sql = "SELECT '$name'";
$broken_sql = mysqli_real_escape_string($link, $bad_sql);
// produces: SELECT \'Miles O\'Brien\'
$ok_sql = "SELECT '" . mysqli_real_escape_string($link, $name) . "'";
// produces: SELECT 'Miles O\'Brien';
Ok, so I found the problem. The application checks for the value length > column maximum, and if the value is too great, truncates the value AFTER the escape is done - thereby breaking the escaped value (very isolated case where this would occur, this code has been in place for years).
Ergo, can't truncate a value that ends in backslashes after the value is already escaped.
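A worked demonstration of the failure mode found above, added here and not code from the thread: demo_escape() is a stand-in for mysqli_real_escape_string() (assumed to escape the same characters) so the script runs without a database, and the column width and sample value are constructed. It shows that escaping first and truncating afterwards can cut an escape pair in half, leaving a lone backslash that swallows the closing quote, while truncating first keeps the literal well formed.

```php
<?php
// demo_escape() is a stand-in for mysqli_real_escape_string() (assumption:
// same characters escaped) so this runs without a database connection.
function demo_escape(string $value): string
{
    return strtr($value, [
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
    ]);
}

// Wrong order (what the OP's application did): escape, then cut to the
// column width. Cutting can split an escape pair, leaving a lone backslash.
function escape_then_truncate(string $value, int $max): string
{
    return substr(demo_escape($value), 0, $max);
}

// Right order: cut to the column width first, then escape the result.
function truncate_then_escape(string $value, int $max): string
{
    return demo_escape(substr($value, 0, $max));
}

// A quoted literal is well formed only if an even number of backslashes
// precede the closing quote (each pair encodes one literal backslash).
function trailing_backslashes_balanced(string $escaped): bool
{
    preg_match('/\\\\*$/', $escaped, $m);
    return strlen($m[0]) % 2 === 0;
}

function build_update(string $escaped): string
{
    return "UPDATE `mytable` SET `mycolumn`='" . $escaped . "' WHERE `id`=5619";
}

$columnMax = 40;                                       // constructed column width
$value = 'karla bailey-pear' . str_repeat('\\', 30);  // constructed: 17 chars + 30 backslashes

foreach (['escape_then_truncate', 'truncate_then_escape'] as $fn) {
    $escaped = $fn($value, $columnMax);
    printf("%-20s balanced=%s\n  %s\n", $fn,
        trailing_backslashes_balanced($escaped) ? 'yes' : 'no', build_update($escaped));
}
```

The escape-then-truncate line ends in 23 backslashes, so its closing quote is escaped and the statement reproduces the "near ''karla ..." error; the truncate-then-escape line is longer than the column but the server unescapes it back to 40 characters.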

Unable to encode URL in MySQL PHP insert

I am trying to insert a URL into a MySQL column (through PHP) but am unable to do it.
I am getting the following error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%2F%2Flocalhost%2Fclient%2Fsave_file.php%3Ffilename%3D9 WHERE queryid='29'' at line 1
The code snippet :
$_POST['url1']="//localhost/client/save_file.php?filename=9";
$_POST['query_id']=29;
$var=$_POST['url1'];
$query_id=$_POST['query_id'];
// echo "$var";
$var=rawurlencode($var);
//echo "$var";
$sql1 = "UPDATE query_audio SET query_content=$var WHERE queryid='".$query_id."' ";
if (!mysql_query($sql1)) {
die('Error: ' . mysql_error($connection));
}
You have a fundamental misunderstanding of how to defend against SQL injection attacks. You need to use mysql_real_escape_string(), not urlencode().
Plus, you forgot to quote your $var variable, so your query is literally:
... SET query_content=http:%2F%2Fetc...
Without quotes around that url, mysql is free to interpret the http: portion as an (invalid) field name.
Try
$var = mysql_real_escape_string($_POST['url1']);
$query_id = mysql_real_escape_string($_POST['query_id']);
$sql = "UPDATE ... SET query_content='$var' WHERE queryid='$query_id';";
^----^-- note these quotes.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '

The code below is used when the user enters a YouTube URL; it gets the YouTube ID from the URL. It then gets the title for the video with that ID. That is then inserted into a database and recalled to display the image of the video associated with that ID.
If I use this YouTube URL http://www.youtube.com/watch?v=p64tAbP-nHE or any other YouTube URL, and the title of that video contains a ' (i.e. 2013 Ravens Rock Rally - Jonathan O'Callaghan & Gavin Sheehan - Stage 3), I get the error:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Callaghan & Gavin Sheehan - Stage 3'' at line 1
Any help would be great, thanks in advance.
Here is my code:
<?php
include 'dataconnection.php';
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
else
{
$url = $_POST['set_video'];
parse_str( parse_url( $url, PHP_URL_QUERY ), $my_array_of_vars );
$youtube_id = $my_array_of_vars['v'];
$info = $_POST['set_desc'];
$id = $my_array_of_vars['v'];
$xmlData = simplexml_load_string(file_get_contents("http://gdata.youtube.com/feeds/api/videos/{$id}?fields=title"));
$title = (string)$xmlData->title;
$sql="INSERT INTO videodetails SET id='null',youtube_id='$youtube_id',info='$title'";
if (!mysqli_query($connection,$sql))
{
die('Error: ' . mysqli_error($connection));
}
echo "<div id='pageheader'>
1 record added<span id='logout'>Return to <a href='contributors_login.html'>Contributors Login</a></span>
</div>";
echo '<div id="setvideo"><img src="http://i4.ytimg.com/vi/'.$my_array_of_vars['v'].'/default.jpg" style="border:solid 2px white;"><p>'.$title.'</p></div>';
mysqli_close($connection);
}
?>
Use mysqli_real_escape_string in your INSERT INTO ... part.
You open single quotes. But the title also contains single quotes, so they get closed. MySQL doesn't know this and thinks the text that follows is a MySQL keyword.
Your YouTube name has a quote in it, so the SQL line
$sql="INSERT INTO videodetails SET id='null',youtube_id='$youtube_id',info='$title'
becomes this
INSERT INTO videodetails SET id='null',
youtube_id='2013 Ravens Rock Rally - Jonathan O'Callaghan & Gavin Sheehan - Stage 3'
which MySQL sees as
INSERT INTO videodetails SET id='null',
youtube_id='2013 Ravens Rock Rally - Jonathan O',Callaghan & Gavin Sheehan - Stage 3'
and MySQL doesn't understand Callaghan & Gavin Sheehan - Stage 3'
The case of strings that contain quotes is why mysqli_real_escape_string() exists, to find those quotes and insert a \ before them so they count as literal quote characters, instead of terminating the quoted string.
. . .
$youtube_id = mysqli_real_escape_string($connection, $my_array_of_vars['v']);
$info = mysqli_real_escape_string($connection, $_POST['set_desc']);
$title = mysqli_real_escape_string($connection, $title); // the title is what the query actually embeds
$sql="INSERT INTO videodetails SET id='null',youtube_id='$youtube_id',info='$title'";
if (!mysqli_query($connection,$sql))
. . .
But the best practice is to use query parameters, so you don't need to worry about those embedded quotes. Any place you have a variable in your SQL string in place of a literal value, use a query parameter placeholder. These placeholders don't work in place of table names, column names, or SQL expressions or keywords -- they only work where you would normally put a single scalar value in your SQL.
$sql="INSERT INTO videodetails SET id='null',youtube_id=?,info=?";
if ($stmt = mysqli_prepare($connection, $sql)) {
mysqli_stmt_bind_param($stmt, 'ss', $youtube_id, $title);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
}
This is safer, and makes your SQL more readable. Notice that the ? placeholder itself doesn't go inside quotes, even if the value you bind to it is a string.
PS: I question your use of the quoted string 'null' where you may mean the SQL keyword NULL.
Your insert query is not valid sql. The keyword "set" is used with update queries. Insert queries look like this:
insert into atable
(f1, f2, etc)
values
(val1, val2, etc)
or this
insert into atable
(f1, f2, etc)
select val1, val2, etc
from someOtherTables

PHP - Prepared statements error, what's wrong?

So here's the codeblock:
$query = "UPDATE users SET ?=? WHERE ?=?";
$type = "s";
$type .= substr(gettype($valname), 0, 1);
$type .= 'i';
if ( $smtp = $this->conn->prepare($query) )
{
$smtp->bind_param($type, $colname, $valname, 'id', 40);
$smtp->execute();
$smtp->close();
}else
{
return $this->conn->error;
}
For some reason it refuses to bind the parameters, and it gives me this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?=? WHERE ?=?' at line 1
If I add backticks ( ` ) or single quotes ( ' ) around the question marks I get this error instead:
Unknown column '?' in 'where clause'
Any ideas what's gone wrong? I've been sitting here for hours playing with it, god it's frustrating!!
Thanks a bunch!
As far as I know, you can only use ? placeholders for the condition, not for table/field names.
See: http://php.net/manual/en/pdo.prepared-statements.php
I do not think you can define the column dynamically in a prepared statement, only values, as these are escaped etc. You will need to put the column name in the $query string; if it comes from an unknown source, make sure you filter it and validate it.
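Since ? placeholders cannot stand in for identifiers, the usual pattern is to allowlist the column name, quote it as an identifier in the SQL text, and bind only the values. An added example (not the asker's code) that assumes a mysqli connection $conn, a table `users` with an integer `id` column, and a constructed list of updatable columns:

```php
<?php
// Constructed allowlist: the only columns this code may update.
const UPDATABLE_COLUMNS = ['email', 'display_name', 'age'];

// Map a PHP value to its bind_param type character (i, d or s); the original
// substr(gettype($v), 0, 1) trick would yield 'b' (BLOB) for booleans.
function bind_type($value): string
{
    if (is_int($value)) {
        return 'i';
    }
    if (is_float($value)) {
        return 'd';
    }
    return 's';
}

// Build the UPDATE for an allowlisted column; the column is a quoted
// identifier in the SQL text, the value and id are ? placeholders.
function build_update_sql(string $column): string
{
    if (!in_array($column, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not updatable: $column");
    }
    return "UPDATE `users` SET `$column`=? WHERE `id`=?";
}

// Run the update with bound parameters and return the affected row count.
function update_user_column(mysqli $conn, string $column, $value, int $id): int
{
    $stmt = $conn->prepare(build_update_sql($column));
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    // bind_param takes its arguments by reference, so pass variables rather
    // than literals such as 'id' or 40 as in the original snippet.
    $types = bind_type($value) . 'i';
    $stmt->bind_param($types, $value, $id);
    if (!$stmt->execute()) {
        $error = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $error);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}
// Usage, assuming $conn = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'):
// update_user_column($conn, 'email', 'miles@example.com', 40); // value and id are bound
// update_user_column($conn, 'role', 'admin', 40);              // throws: column not allowlisted
```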
