(posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
I have a form where registered users on my site can edit their login
details. For some reason, the script is inserting an extraneous quote
mark in the mysql update query that is preventing it from running
successfully, but I am at a complete loss to understand why.
This is my code:
$sql = "UPDATE users SET
username = '{$usr}',
password = '{$pwd}',
fullname = '{$_POST['fullname']},
email = '{$_POST['email']}'
WHERE userid = '{$usrid}'";
if (@mysql_query($ sql)) {
//send email to user confirming changes
} else {
echo "<p>Error updating details: " . mysql_error() . "</p>";
}
This is the error message:
Error updating details: You have an error in your SQL syntax near
'x***@xxxx.com' WHERE userid = '15'' at line 4
I have checked that the $usrid variable does not contain the quote
mark.
Anyone have any bright ideas?
cheers,
d. 9 1945
davek wrote:
(posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
I have a form where registered users on my site can edit their login
details. For some reason, the script is inserting an extraneous quote
mark in the mysql update query that is preventing it from running
successfully, but I am at a complete loss to understand why.
This is my code:
$sql = "UPDATE users SET
username = '{$usr}',
password = '{$pwd}',
fullname = '{$_POST['fullname']},
email = '{$_POST['email']}'
WHERE userid = '{$usrid}'";
if (@mysql_query($ sql)) {
//send email to user confirming changes
} else {
echo "<p>Error updating details: " . mysql_error() . "</p>";
}
This is the error message:
Error updating details: You have an error in your SQL syntax near
'x***@xxxx.com' WHERE userid = '15'' at line 4
I have checked that the $usrid variable does not contain the quote
mark.
Anyone have any bright ideas?
cheers,
d.
`password` is a MySQL reserved word.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Jerry Stuckle wrote:
davek wrote:
>(posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
I have a form where registered users on my site can edit their login details. For some reason, the script is inserting an extraneous quote mark in the mysql update query that is preventing it from running successfully , but I am at a complete loss to understand why.
This is my code: $sql = "UPDATE users SET username = '{$usr}', password = '{$pwd}', fullname = '{$_POST['fullname']}, email = '{$_POST['email']}' WHERE userid = '{$usrid}'";
if (@mysql_query($ sql)) {
//send email to user confirming changes
} else {
echo "<p>Error updating details: " . mysql_error() . "</p>";
}
This is the error message: Error updating details: You have an error in your SQL syntax near 'x***@xxxx.com ' WHERE userid = '15'' at line 4
I have checked that the $usrid variable does not contain the quote mark.
Anyone have any bright ideas?
cheers,
d.
`password` is a MySQL reserved word.
I should also add:
fullname = '{$_POST['fullname']},
has mismatched quotes.
--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attgl obal.net
=============== ===
Jerry Stuckle wrote:
Jerry Stuckle wrote:
>davek wrote:
>>(posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
I have a form where registered users on my site can edit their login details. For some reason, the script is inserting an extraneous quote mark in the mysql update query that is preventing it from running successfull y, but I am at a complete loss to understand why.
This is my code: $sql = "UPDATE users SET username = '{$usr}', password = '{$pwd}', fullname = '{$_POST['fullname']}, email = '{$_POST['email']}' WHERE userid = '{$usrid}'";
if (@mysql_query($ sql)) {
//send email to user confirming changes
} else {
echo "<p>Error updating details: " . mysql_error() . "</p>";
}
This is the error message: Error updating details: You have an error in your SQL syntax near 'x***@xxxx.co m' WHERE userid = '15'' at line 4
I have checked that the $usrid variable does not contain the quote mark.
Anyone have any bright ideas?
cheers,
d. `password` is a MySQL reserved word.
I should also add:
fullname = '{$_POST['fullname']},
has mismatched quotes.
And insecure without any validation.
Robin
davek schrieb:
This is my code:
$sql = "UPDATE users SET
username = '{$usr}',
password = '{$pwd}',
fullname = '{$_POST['fullname']},
End quote missing here ^
email = '{$_POST['email']}'
WHERE userid = '{$usrid}'";
You can easily find typos like this if you output var_dump($sql).
BTW it is a bad idea to put post data directly into your query - you
should check them for security issues and escape quotes first. Google
for "sql injection" and "e-mail injection".
--
Markus
davek wrote:
(posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
I have a form where registered users on my site can edit their login
details. For some reason, the script is inserting an extraneous quote
mark in the mysql update query that is preventing it from running
successfully, but I am at a complete loss to understand why.
This is my code:
$sql = "UPDATE users SET
username = '{$usr}',
password = '{$pwd}',
fullname = '{$_POST['fullname']},
email = '{$_POST['email']}'
WHERE userid = '{$usrid}'";
if (@mysql_query($ sql)) {
//send email to user confirming changes
} else {
echo "<p>Error updating details: " . mysql_error() . "</p>";
}
This is the error message:
Error updating details: You have an error in your SQL syntax near
'x***@xxxx.com' WHERE userid = '15'' at line 4
I have checked that the $usrid variable does not contain the quote
mark.
As indicated earlier, you miss a quotation mark after fullname, but also:
- Try to always use backticks around fieldnames, it will save you a lot of
headache.
- In error messages like this, the error is 99% of the time on the left,
NOT the right.
- The extra quote is indeed not in your code, but the errormessage quotes a
part of your query, hence:
userid = '15'
becomes:
'userid = '15''
--
Grtz,
Rik Wasmus
Markus Ernst wrote:
End quote missing here ^
doh! I missed that completely... thanks - just goes to show that
another pair of eyes is always useful...
BTW it is a bad idea to put post data directly into your query - you
should check them for security issues and escape quotes first. Google
for "sql injection" and "e-mail injection".
Thanks for the tip - I've seen sql injections mentioned elsewhere so
I'm vaguely aware of them and will get to grips with how to avoid them
before the site goes live... fortunately, it still exists only on my
testing server at the moment.
d.
Jerry Stuckle wrote:
`password` is a MySQL reserved word.
Not something I've come across before, but just done a bit of
googling... thanks for the tip-off.
d.
Rik wrote:
- Try to always use backticks around fieldnames, it will save you a lot of
headache.
That's to do with the mysql reserved names, right? Sounds like a
sensible plan.
userid = '15' becomes: 'userid = '15''
That makes sense. Thanks.
d.
At the very least you should be escaping your strings before
concatenate your string. What if someone's last name is D'Maro?? This
query will then fail to run. Preventing SQL injection isn't something
that you should go back and do, it should be a part of your query
writing process. At the very least your query should look like this:
$sql = "UPDATE users SET
username = '" . mysql_escape_st ring($usr) . "',
password = '" . mysql_escape_st ring($pwd} . "',
fullname = '" . mysql_escape_st ring($_POST['fullname'] . '",
email = '" . mysql_escape_st ring(_POST['email'] . "'
WHERE userid = '" . mysql_escape_st ring($usrid) . "'";
Robin wrote:
Jerry Stuckle wrote:
Jerry Stuckle wrote:
davek wrote:
(posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
I have a form where registered users on my site can edit their login details. For some reason, the script is inserting an extraneous quote mark in the mysql update query that is preventing it from running successfully , but I am at a complete loss to understand why.
This is my code: $sql = "UPDATE users SET username = '{$usr}', password = '{$pwd}', fullname = '{$_POST['fullname']}, email = '{$_POST['email']}' WHERE userid = '{$usrid}'";
if (@mysql_query($ sql)) {
//send email to user confirming changes
} else {
echo "<p>Error updating details: " . mysql_error() . "</p>";
}
This is the error message: Error updating details: You have an error in your SQL syntax near 'x***@xxxx.com ' WHERE userid = '15'' at line 4
I have checked that the $usrid variable does not contain the quote mark.
Anyone have any bright ideas?
cheers,
d.
`password` is a MySQL reserved word.
I should also add:
fullname = '{$_POST['fullname']},
has mismatched quotes.
And insecure without any validation.
Robin
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Neculai Macarie |
last post by:
Hi!
Using Union and Order By gives strange behaviour in the following test-case:
drop table if exists gallery;
drop table if exists gallery_categ;
# create test tables
create table gallery (d_image_small char(100), d_image_big char(100));
create table gallery_categ (d_image char(100));
# insert test data
|
by: Soefara |
last post by:
Dear Sirs,
I am experiencing strange results when trying to optimize a LEFT JOIN
on 3 tables using MySQL.
Given 3 tables A, B, C such as the following:
create table A (
uniqueId int not null default 0 auto_increment,
a1 varchar(64) not null default '',
|
by: Nick |
last post by:
In VS 2003 and VS 2005 beta 2 I am trying to write a simple program. It has
a datagrid and a textbox along with a menubar. There is a command in the
menu bar which is "Run Query" and has the shortcut key of Ctrl + R If I am
typing in my textbox and hit Ctrl + R an extra r character will show up in
the textbox. I decided to then try this in...
|
by: Kevin |
last post by:
Hi,
With this, i get the error:
" Microsoft VBScript runtime error '800a01ca'
Variable uses an Automation type not supported in VBScript "
at line 79
<%
totintot=request.cookies("totintot")
....
|
by: cdkorzen |
last post by:
I'm sorry if this is a rehash, but all I see is the same info.
Here's my debacle:
I CAN get the PATH_INFO to work. With ANYTHING but ASP. Python, Perl,
Cmd files... works fine. ASP can't find a file when extra path
information is added. Is there a switch in ASP or something I can
change that'll get it to work?
Thanks!
| |
by: Wong Yung |
last post by:
Hi guys,
I recently noticed this strange script appearing on my webpage. I know
I didn't put it there because I hand-coded it. Someone told me it
looks like javascript and it looked like I might have been hacked.
I've taken the webpage down for now but I was hoping someone here would
be able to tell me what it does so I know just how much...
|
by: toffee |
last post by:
Hi all,
I created a little button which when clicked will run a query on mysql db
and output the results as an excel spreadsheet.
I do this by setting the header as application excel. All works well except
for a very strange problem. Let's say a column should say 16500.22. When I
run it here from the uk, the cell will show 16500.22
When...
|
by: Dave |
last post by:
Hi guys,
I have just set up a duplicate server running:
apache 2.54, mysql 5.04 and php 5.04
This is the same setup as as the server we are using now, apart from
the hardware inside. I have copied across the database and website,
with exact same permissions as the first server.
The problem is that part of the php code is executing but...
|
by: Frank Aune |
last post by:
Hi,
Explaining this problem is quite tricky, but please bear with me.
Ive got an application which uses MySQL (InnoDB) for two things:
1. Store and retrieve application data (including viewing the application log)
2. Store the application log produced by the python logging module
The connection and cursor for the two tasks are...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating...
| |