I'm trying to change a database entry with PHP but is stuck with this error message:
Error: You have an error in your SQL
syntax; check the manual that
corresponds to your MySQL server
version for the right syntax to use
near 'Bjelkholm Lövgren AND adress =
Brinellgatan 14 AND postnummer = 57135
' at line 1
Code:
$namn = sanitize($_GET['namn']);
$adress = sanitize($_GET['adress']);
$postnummer = sanitize($_GET['postnummer']);
$postort = sanitize($_GET['postort']);
$email = sanitize($_GET['email']);
$status = 0;
$sql="UPDATE ordrar SET namn = $namn AND adress = $adress AND postnummer = $postnummer
AND postort = $postort AND email $email AND status = $status WHERE email = $email";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
Thanks for answers.
/Victor
SET statement values delimiter is comma, not AND
string values should be quoted
To make SET statements it would be nice to use a small function
function dbSet($fields) {
$set='';
foreach ($fields as $field) {
if (isset($_POST[$field])) {
$set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
}
}
return substr($set, 0, -2);
}
and than just
$table = "ordrar";
$email = mysql_real_escape_string($_POST['email']);
$fields = explode(" ","namn adress postnummer postort email status");
$query = "UPDATE $table SET ".dbSet($fields)." WHERE email='$email'";
will bring you properly formatted query
however, using email for row identification is bad.
I'd suggest to use an auto-increment id field to identify your records instead of email.
quote your variables (i.e. adress = '$adress')
Assuming those values are strings, you should quote them in your query string, plus you are missing the equals sign when comparing the email.
$sql="UPDATE ordrar SET namn = '$namn' AND adress = '$adress' AND postnummer = '$postnummer'
AND postort = '$postort' AND email = '$email' AND status = '$status' WHERE email = '$email'";
Couple things:
Your strings need to be quoted (and escaped).
You are missing an = for the email in the SET clause.
The short answer is that you've got a bunch of syntax errors. First, you'll need to properly quote your column names and values. Column names get a grave (sideways quote) and values get a normal single quote. And secondly you missed an equal sign before the $email variable.
Might I suggest breaking it up into multiple lines as well; this helps make it easier to debug.
$sql="UPDATE `ordrar`
SET `namn` = '$namn' AND
`adress` = '$adress' AND
`postnummer` = '$postnummer' AND
`postort` = '$postort' AND
`email` = '$email' AND
`status` = '$status'
WHERE `email` = '$email'";
One final suggestion, consider binding your parameters using prepared statements as opposed to string interpolation. They are more secure, and I personally find them easier to write.
$namn = sanitize($_GET['namn']);
$adress = sanitize($_GET['adress']);
$postnummer = sanitize($_GET['postnummer']);
$postort = sanitize($_GET['postort']);
$email = sanitize($_GET['email']);
$status = 0;
$sql="UPDATE ordrar SET
namn = '$namn' ,
adress = '$adress' ,
postnummer = '$postnummer' ,
postort = '$postort' ,
email = '$email' ,
status = '$status'
WHERE email = '$email' ";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
Try this. Hope its work well ;-)
Related
I have this code which is supposed to insert some data if certain conditions are met. The first 3 parts of the conditional logic work perfectly bu the else seems not to be executing if the data is a string.
In summary, if the $USSD_STRING is is an integer is(12345) the query executes perfectly. But if there is a letter at the beginning of the value i.e. (AA12345) the else seems not to be working.
I have tried this:
elseif (is_string("$USSD_STRING")) {
$sql = "INSERT INTO userlevel SET phone_number = '$MSISDN', ussd_string = '$USSD_STRING', user_level = '$level', session_id = '$SESSION_ID', mno_id = '$MNOID', partner_id = '$PartnerId'";
$result=mysql_query($sql);
}
but its not working either.
if ( $USSD_STRING <=0) {
}
elseif ( $USSD_STRING ==1) {
$sql = "INSERT INTO userlevel SET phone_number = '$MSISDN', ussd_string = '$USSD_STRING', user_level = '$level', session_id = '$SESSION_ID', mno_id = '$MNOID', partner_id = '$PartnerId'";
$result=mysql_query($sql);
}
elseif ( $USSD_STRING ==2) {
$sql = "INSERT INTO userlevel SET phone_number = '$MSISDN', ussd_string = '$USSD_STRING', user_level = '$level', session_id = '$SESSION_ID', mno_id = '$MNOID', partner_id = '$PartnerId'";
$result=mysql_query($sql);
}
else {
$sql = "INSERT INTO userlevel SET phone_number = '$MSISDN', ussd_string = '$USSD_STRING', user_level = '$level', session_id = '$SESSION_ID', mno_id = '$MNOID', partner_id = '$PartnerId'";
$result=mysql_query($sql);
}
Any workarounds?
I will bet that you are declaring your variable in quotes, something you did not post in your question.
However, I could be wrong. But nonetheless, you have a few options for you below.
The following (and as an example)
$USSD_STRING = "12345";
or
$USSD_STRING = $_POST['var'];
Even though that is technically an integer (being set in quotes), it will still be interpreted as a string using the is_string() function.
"Any workarounds?"
Yes, you have a few.
Using the following will qualify as not being a string using the is_string() function.
$USSD_STRING = 12345;
You would be best using ctype_digit() for this.
$USSD_STRING = "a12345"; // fail
The following will pass as an integer even though it is inside quotes
$USSD_STRING = "12345"; // pass as an integer
if (ctype_digit($USSD_STRING)) {
...
}
while the following will fail if a letter is introduced
$USSD_STRING = "a12345"; // fail. It contains a letter
if (ctype_digit($USSD_STRING)) {
...
}
Another option available for you to use, would be FILTER_VALIDATE_INT.
if(filter_var($USSD_STRING, FILTER_VALIDATE_INT))
Where it will fail with
$USSD_STRING = "a12345";
but pass as (and even inside quotes):
$USSD_STRING = "12345";
References:
http://php.net/manual/en/function.ctype-digit.php
http://php.net/manual/en/function.filter-var.php
I don't know why, but for some reason the code below is not working as intended
$SQL = "UPDATE characters SET
name = '$char_name',
status = '$char_status',
gender = $char_gender,
pos.x = $char_posx,
pos.y = $char_posz,
shards = $char_money,
level = $char_level,
exp = $char_exp,
hair = $char_hair,
color.r = $char_color_r,
color.g = $char_color_g,
color.b = $char_color_b,
spawn = $char_spawn
WHERE username = '$nick'";
mysql_query($SQL) or die("ERRORCODE 04 - DB QUERY FAIL");
echo "saved";
it's always giving me the "ERRORCODE 04.." meaning that the query failed..
FYI: setting pos.y db value to the char_posz is correct as the axes are different from the Form to the actual database
EDIT: code now changed a bit due to some comments, looks now like this:
$SQL = "UPDATE characters SET
name = '$char_name',
status = '$char_status',
gender = $char_gender,
pos_x = $char_posx,
pos_y = $char_posz,
shards = $char_money,
level = $char_level,
exp = $char_exp,
hair = $char_hair,
color_r = $char_color_r,
color_g = $char_color_g,
color_b = $char_color_b,
spawn = $char_spawn
WHERE username = '$nick'";
mysqli_query($dbcon, $SQL) or die(mysqli_error($dbcon));
echo "saved";
this is the error I get:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
pos_x = ,
pos_y = ,
shards = ,
' at line 4
Try to put single quotes around all variables in the query
This is my first UPDATE query, I have checked using jQuery for any empty fields. I want the user to input at least one field and then update the field(s). Doing a query with all the $_POST names might generate empty or undefined input fields in my database which doesn't work.. here is my query:
$first = $_POST['first'];
$last = $_POST['last'];
$birth = $_POST['birth'];
$bio = $_POST['bio'];
$UID = $_SESSION['id'];
$query = "UPDATE `user` SET `firstname`=$first,`lastname`=$last,`birthday`=$birth,`biography`=$bio WHERE `user_id` = '$UID'";
$result = mysql_query($query) or die($result . "<br/><br/>" . mysql_error());
The error:
syntax to use near 'birthday=,biography= WHERE user_id = '11'' at line 1
I don't want to go through nested if's to check whether has a value or not. Thanks.
NOTE: Use mysql_real_escape_string() to prevent from sql injection.
if( !empty($first) &&
!empty($last) &&
!empty($birth) &&
!empty($bio) ){
$query = "UPDATE `user`
SET
`firstname`='$first',
`lastname`='$last',
`birthday`='$birth',
`biography`='$bio'
WHERE `user_id` = '$UID'";
}
I have a form that requires a user to enter their email address in order to receive a password reset email. I'm trying to compare the email to existing emails in the database before sending the email; if the email doesn't exist, the script should not send the reset email. I've been reading posted questions/responses and Googling my brains out for hours, as well as altering the code to remove white space or tweak the syntax but nothing has rid me of this #1064 error message...'bouts ta give up...
The error I get is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#rocketmail.com' at line 1
SQL: SELECT customer_id FROM customer WHERE customer_email = user#rocketmail.com
$sql = "SELECT customer_id FROM customer WHERE customer_email = ".$_POST['email'];
$result = mysqli_query($db, $sql) or die(mysqli_error($db)."<br />SQL: $sql");
$num_rows = mysql_num_rows($result);
if($num_rows < 1) {
$problem = TRUE;
$error_message .= '<p class="errorctr">Email was not found in our database.</p>';
}
You have to enclose a string value in quotes, otherwise it will surely be a syntax error that you get. Your PHP syntax is fine, MySQL is not
$sql = "SELECT customer_id FROM customer WHERE customer_email = '".mysqli_real_escape_string($db,$_POST['email'])."'";
Also later down in your code you have mysql_num_rows, which shuld be mysqli_num_rows like this
$num_rows = mysqli_num_rows($result);
Speaking of what you really need to try, it is PDO:
$sql = "SELECT customer_id FROM customer WHERE customer_email = ?";
$stm = $pdo->prepare($sql);
$stm->execute(array($_POST['email']));
$id = $stm->fetchColumn();
if(!$id) {
...
Try This:
$email = $_POST['email'];
$sql = "SELECT customer_id FROM customer WHERE customer_email = '".mysqli_real_escape_string($db,$email )."'";
$result = mysqli_query($db, $sql) or die(mysqli_error($db)."<br />SQL: $sql");
while($row = mysqli_fetch_array($result)){
if(!$row['customer_email']){
echo '<p class="errorctr">Email was not found in our database.</p>';
}
}
<?php
require('dbconnect.php');
$indexno = $_POST['indexno'];
$cevap = $_POST['cevap'];
$cevapdate = gmdate("Y-m-d\TH:i:s\Z");
$query = "UPDATE soru
SET cevap = '$cevap',
cevapdate = '$cevapdate'
WHERE `index` = '$indexno'";
$link = mysql_query($query);
if(!$link) {
die('not worked: ' . mysql_error());
} else {
mysql_close($con);
echo 'worked';
}
?>
Outcome of this php code is "Worked." but there is no change in the database. The thing is Im trying to update the cevap and cevapdate fields on a row by index id.
You need to remove the single quotes from aroud the index. You should not put single quotes around a column name while writing a query. Write your query this way -
$query = "UPDATE soru SET cevap = '$cevap', cevapdate = '$cevapdate' WHERE index = '$indexno'";
You have to escape your rows/table with backticks, not single-quotes.
$query = "UPDATE `soru`
SET `cevap` = '$cevap', `cevapdate` = '$cevapdate'
WHERE `index` = '$indexno'";
Also, you should escape your user input to prevent SQL injections.