I storing articles in database that contains special characters like ", ', etc. but it gives error while saving in MySQL:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's and Moral Science's books in school. I clearly remember the picture of a Hindu' at line 1
mysql_real_escape_string everything you put into a query. Always. No exceptions.
Alternatively, use prepared statements.
use mysql_real_escape_string
Related
I'm having a problem when trying to add a URL to a mySQL database.
The string is a URL:
http://pbs.twimg.com/profile_images/1708867059/405000_10150426314376065_707061064_8645107_703731598_n_normal.jpg
The error I get is:
Error description: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://pbs.twimg.com/profile_images/1708867059/405000_10150426314376065_707061064_86' at line 1
It seems as though it won't allow me to add a URL, I presume there is something wrong with some of the characters but I don't know what?
My SQL is:
INSERT INTO accounts (name,consumerkey,consumersecret,pic_url) VALUES ($twitterID,$consumerkey,$consumersecret,$picture_url)"
You cannot truly solve this kind of problem by adding a few characters (like ' or ") to your bespoke sql string!
Instead, get to know the real way to write sql in php (it's like a very badly kept secret), which is to use PDO statements. This will allow you to use placehoders like (:twitterID, :consumerKey, :consumerSecret, :pictureUrl) which will accept complex variables such as urls and any of the crap users send in much more gracefully.
In the long run, this will save you a lot of trouble and time.
You need to quote string values and any other character that SQL will complain about, in this case it's the colon; see further down below.
($twitterID,$consumerkey,$consumersecret,'$picture_url')
or
('".$twitterID."','".$consumerkey."','".$consumersecret."','".$picture_url."')
if you wish to quote all the values.
Sidenote: You can remove the quotes around the variables that are integers.
I.e.:
This based on, and without seeing how the rest of your code looks like:
$picture_url = "http://pbs.twimg.com/profile_images/1708867059/405000_10150426314376065_707061064_8645107_703731598_n_normal.jpg";
The error states that it is near : - near being just that, the colon.
...right syntax to use near '://pbs.twimg.com
^ right there
You can also use:
VALUES ($twitterID, $consumerkey, $consumersecret, '" .$dbcon->real_escape_string($picture_url) . "')";
$dbcon is an example of a DB connection variable and based on mysqli_ syntax.
Something you haven't stated as to which MySQL API you are using.
Plus, your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements.
I have the following mysql query:
REPLACE INTO application (export_date,application_id,title,recommended_age,artist_name,seller_name,company_url,support_url) VALUES (1362564068339,564783832,Eyelashes,4+,Char Room,Char Room,http://,http://ios.charroom.net/,http://itunes.apple.com/app/)
I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Char Room,Char Room,http://,http://ios.charroom.net/,http://itunes.apple.com/app' at line 1
I cant seem to see where the error is. Can someone help me out?
You must know that the above is an echo of the actual query. All the parameters in this query went through mysql_real_escape_string before being to the query.
Well, firstly you shouldn't be using mysql_real_escape_string:
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.
Secondly, you still need to put the quotes around the strings. mysql_real_escape_string will escape quotes within the string, but it doesn't add the quotes to the start and end.
You have to put quotes around data you are inserting in your database.
Effectively, what I am attempting to do is enter a string similar to this string
into MySQL (it's one line, made into two for readability)
fill:#0000ff;fill-rule:evenodd;stroke:#000000;stroke-width:1px;
stroke-linecap:butt;stroke- linejoin:miter;stroke-opacity:1
MySQL allows me to INSERT the string into the field using phpMyAdmin and phpMyAdmin adds the field as (again one line, made into two for readability):
('fill:#0000ff;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-
linecap:butt;stroke-linejoin:miter;stroke-opacity:1'' in ''field list')
With my PHP code I attempted to add the in field list part to my code as follows
$rectangle_array[$rstyle] = $rectangle_array[$rstyle] . "' in ''field list'";
$mysql_rectangle_table_entry = "INSERT INTO $mysql_table VALUES
($rectangle_array[$rstyle], 'rect',
$rectangle_array[$rid], $rectangle_array[$rwidth],
$rectangle_array[$rheight], $rectangle_array[$rx],
$rectangle_array[$ry])";
$run = mysql_query($mysql_rectangle_table_entry) or die(mysql_error());
And upon running the code I receive the following error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ':#0000ff;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;s' at line 1
What can I do to make this work?
As noted in the comments…
You could use mysql_real_escape_string() to escape any MySQL special characters before insertion.
For example:
$sql = "INSERT INTO my_table (string_column) VALUES ('" . mysql_real_escape_string($string) . "')";
Another option is to use Prepared Statements with PHP's MySQLi or PDO.
You might want to have a look either at prepared statements or mysql_real_escape_string to escape special characters that might break your INSERT.
I'm working on an existing website trying to prevent SQL injections. Before $_GET['ID'] was unsanitized.
$ID=mysql_real_escape_string($_GET['ID']);
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID=$ID AND s1.MERCHANT_ID=me.MERCHANT_ID");
If I put a ' at the end of the url, with mysql_real_escape_string() I get this from mysql_error():
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1
with out mysql_real_escape_string() I get:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1
I'm not sure whats up with it? Any help would be greatly appreciated.
If it is an id, numerical I assume, why don't you just cast it to an integer?
$ID = (int) $_GET['ID'];
The best advice I can give you is to check out PDO and use bound parameters.
mysql_real_escape_string escapes, but doesn't quote.
Try:
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID='$ID' AND s1.MERCHANT_ID=me.MERCHANT_ID");
More generally, I tend to wrap both of these in a function, like:
function quoteValue($value) {
return "'" . mysql_real_escape_string($value) . "'";
}
This is useful, because you may find down the line that you want more refined quoting behavior (especially when it comes to handling Unicode, control characters, etc.)
It's because you're not quoting the variable.
Here's your query given the following inputs
$_GET['ID'] = "1";
$ID=mysql_real_escape_string($_GET['ID']);
SELECT ... where s1.MERCHANT_ID=1 ...
$_GET['ID'] = "1'"
$ID=mysql_real_escape_string($_GET['ID']);
SELECT ... where s1.MERCHANT_ID=1\' ...
$_GET['ID'] = "1'"
SELECT ... where s1.MERCHANT_ID=1' ...
Phil Brown is right, but you shoul forget about old fashioned mysql_real_escape_string or mysql_connect() as they are very old and move to php`s PDO() where you cand use prepared statements, binds, fetch object any many many more functions.
I suggest read PDO documentation at http://php.net/manual/en/book.pdo.php if you want next generation dabatase manipulation and security from SQL Injection .
hi all i have a field "ammount" in mysql database which have "varchar(50)" type. When i insert data into that field e.g ammount= 4 kg its ok but when i update that field it gives me the following error.
Error in query: UPDATE ingredients SET ingredient_name='test recipe',ammount=4 gm where ingredient_id='59'. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'gm where ingredient_id='59'' at line 1
and my query is
$query="UPDATE ingredients SET ingredient_name='$ingredient',ammount=$ammount where ingredient_id='$ingredient_id'";
1) The correct spelling is "amount".
2) You should not be using variable interpolation like this for an SQL query. It is very unsafe. Use a prepared statement.
3) You didn't put quotes around $amount when defining $query, so they don't end up in the final substituted query string. Look closely at the error message: it shows you the query that SQL tried to process. Notice how it says ammount=4 gm? It can't handle that, because there are no quotes.
If you use prepared statements like you are supposed to, the quoting takes care of itself.
Your query has:
...,ammount=4 gm where...
which is incorrect. You need quotes around 4 gm.
Change
,ammount=$ammount where
to
,ammount='$ammount' where