Re: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-03 Thread Werner Stuerenburg

   insert into test values (0,''; DELETE FROM test; ',1);
  ERROR 1064: You have an error in your SQL syntax near '' at line 1

what about

insert into test values (0,'\'; DELETE FROM test; ',1);

the character ' is used to denote the beginning and the end of a
field value.  If you have this character within the value, you
will have to escape it.  It's as simple as that.

-- 
Herzlich
Werner Stuerenburg

_
ISIS Verlag, Teut 3, D-32683 Barntrup-Alverdissen
Tel 0(049) 5224-997 407 · Fax 0(049) 5224-997 409
http://pferdezeitung.de



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-03 Thread Chris Worth


Thanks everybody, and Sam, that makes sense WRT the multiple words causing 
troubles.



On Wed, 1 Aug 2001 12:54:01 -0400, Sam Masiello wrote:


You will need to put single quotes around your variables in your SQL
statement.  Like this:

$sql = "UPDATE TABLE seminar SET
title='$title',speaker='$speaker',event_date='$tdate',time='$time',
bldg='$building',rm='$room' WHERE id='$id'";

Without the quotes, SQL doesn't know that Something Amazing is supposed to
go together in the same string.

HTH

Sam Masiello
Software Quality Assurance Engineer
Synacor
(716) 853-1362 x289
[EMAIL PROTECTED]

 -Original Message-
From:  Chris Worth [mailto:[EMAIL PROTECTED]]
Sent:  Wednesday, August 01, 2001 12:36 PM
To:[EMAIL PROTECTED]
Subject:   [PHP] SQL syntax error in PHP script.  dunno what's wrong



hey gang.

here is my sql statement from my php script.

$sql = "UPDATE TABLE seminar SET
title=$title,speaker=$speaker,event_date=$tdate,time=$time,
bldg=$building,rm=$room WHERE id=$id";


it appears just like that in my code.

here is the $sql string echoed to the screen to verify the variables.


UPDATE TABLE seminar SET title=Something amazing,speaker=Mr.
Black,event_date=2001-08-05,time=11:00:am,bldg=BCC ,rm=201 WHERE id=48

all of the variables are valid.

here is my error.

1064: You have an error in your SQL syntax near 'TABLE seminar SET
title=Something
amazing,speaker=Mr.
Black,event_date=2001-08' at line 1

I'm baffled.


and I couldn't find error 1064 in the mysql manual.pdf either.

any ideas.  I know this is going to turn out to be something silly.

thanks,

chris












RE: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-02 Thread Tim Ward

I'd always understood that mysql doesn't allow multiple statements to be
submitted so this post obviously worried me. I did some tests and confirmed
that this is not a problem in MySQL queries from PHP. If I'm wrong about
this please let me know.

Tim

--
From:  scott [gts] [SMTP:[EMAIL PROTECTED]]
Sent:  01 August 2001 18:03
To:  php
Subject:  RE: [PHP] SQL syntax error in PHP script.  dunno what's
wrong 

no offense to you sam, but please don't ever simply place
single quotes around values.  you have to escape the values
*themselves*.

what if someone submitted the form field title as:
$title = "'; DELETE FROM seminar; ";

if you didn't escape the single quotes in there, it
would get interpreted as a valid DELETE statement
and your seminar table would get wiped.

however, if you escaped $title, you'd end up setting
title to \'; DELETE FROM SEMINAR;  
(rather than have the contents of $title interpreted
as SQL commands)

 -Original Message-
 From: Sam Masiello [mailto:[EMAIL PROTECTED]]
 Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's
wrong 
 
 
 You will need to put single quotes around your variables in your
SQL
 statement.  Like this:
 
 $sql = "UPDATE TABLE seminar SET
 title='$title',speaker='$speaker',event_date='$tdate',time='$time',
 bldg='$building',rm='$room' WHERE id='$id'";
 
 Without the quotes, SQL doesn't know that Something Amazing is
supposed to
 go together in the same string.
 
 HTH






Re: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-02 Thread mike cullerton

hmmm, i am seeing the same thing as tim here. are we doing something wrong?
i created a test table, entered some dummy data and then using scott's
example of '; DELETE FROM seminar;  i tried executing

  insert into test values (0,''; DELETE FROM test; ',1);

and got this error

 ERROR 1064: You have an error in your SQL syntax near '' at line 1

trying other variations either caused similar errors or added rows to my
table.

is it possible to sneak in a command in this manner?

mike

on 8/2/01 2:39 AM, Tim Ward at [EMAIL PROTECTED] wrote:

 I'd always understood that mysql doesn't allow multiple statements to be
 submitted so this post obviously worried me. I did some tests and confirmed
 that this is not a problem in MySQL queries from PHP. If I'm wrong about
 this please let me know.
 
 Tim
 
 --
 From:  scott [gts] [SMTP:[EMAIL PROTECTED]]
 Sent:  01 August 2001 18:03
 To:  php
 Subject:  RE: [PHP] SQL syntax error in PHP script.  dunno what's
 wrong 
 
 no offense to you sam, but please don't ever simply place
 single quotes around values.  you have to escape the values
 *themselves*.
 
 what if someone submitted the form field title as:
 $title = "'; DELETE FROM seminar; ";
 
 if you didn't escape the single quotes in there, it
 would get interpreted as a valid DELETE statement
 and your seminar table would get wiped.
 
 however, if you escaped $title, you'd end up setting
 title to \'; DELETE FROM SEMINAR; 
 (rather than have the contents of $title interpreted
 as SQL commands)
 
 -Original Message-
 From: Sam Masiello [mailto:[EMAIL PROTECTED]]
 Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's
 wrong 
 
 
 You will need to put single quotes around your variables in your
 SQL
 statement.  Like this:
 
 $sql = "UPDATE TABLE seminar SET
 title='$title',speaker='$speaker',event_date='$tdate',time='$time',
 bldg='$building',rm='$room' WHERE id='$id'";
 
 Without the quotes, SQL doesn't know that Something Amazing is
 supposed to
 go together in the same string.
 
 HTH
 


-- mike cullerton







Re: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-01 Thread Matt Greer

on 8/1/01 11:35 AM, Chris Worth at [EMAIL PROTECTED] wrote:

 
 
 hey gang. 
 
 here is my sql statement from my php script.
 
 $sql = "UPDATE TABLE seminar SET
 title=$title,speaker=$speaker,event_date=$tdate,time=$time,
 bldg=$building,rm=$room WHERE id=$id";


strings in a mysql query need to be quoted. So change it to

$sql = "UPDATE TABLE seminar SET title='$title',speaker='$speaker',...";

Matt






RE: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-01 Thread Sam Masiello


You will need to put single quotes around your variables in your SQL
statement.  Like this:

$sql = "UPDATE TABLE seminar SET
title='$title',speaker='$speaker',event_date='$tdate',time='$time',
bldg='$building',rm='$room' WHERE id='$id'";

Without the quotes, SQL doesn't know that Something Amazing is supposed to
go together in the same string.

HTH

Sam Masiello
Software Quality Assurance Engineer
Synacor
(716) 853-1362 x289
[EMAIL PROTECTED]

 -Original Message-
From:   Chris Worth [mailto:[EMAIL PROTECTED]]
Sent:   Wednesday, August 01, 2001 12:36 PM
To: [EMAIL PROTECTED]
Subject:[PHP] SQL syntax error in PHP script.  dunno what's wrong



hey gang.

here is my sql statement from my php script.

$sql = "UPDATE TABLE seminar SET
title=$title,speaker=$speaker,event_date=$tdate,time=$time,
bldg=$building,rm=$room WHERE id=$id";


it appears just like that in my code.

here is the $sql string echoed to the screen to verify the variables.


UPDATE TABLE seminar SET title=Something amazing,speaker=Mr.
Black,event_date=2001-08-05,time=11:00:am,bldg=BCC ,rm=201 WHERE id=48

all of the variables are valid.

here is my error.

1064: You have an error in your SQL syntax near 'TABLE seminar SET
title=Something
amazing,speaker=Mr.
Black,event_date=2001-08' at line 1

I'm baffled.


and I couldn't find error 1064 in the mysql manual.pdf either.

any ideas.  I know this is going to turn out to be something silly.

thanks,

chris










RE: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-01 Thread scott [gts]

*always always always* quote everything in SQL statements.
you run the risk of letting people insert arbitrary 
SQL statements into your script if you don't quote values.

if you're using MySQL, try mysql_escape_string
http://php.net/manual/en/function.mysql-escape-string.php

or you could roll your own with relative ease:

function db_quote($value) {
    // MySQL also treats backslash as an escape character, so double it too;
    // otherwise a value ending in \ turns the doubled quote back into a closing one
    $value = str_replace('\\', '\\\\', $value);
    return "'" . preg_replace("/'/", "''", $value) . "'";
}


 -Original Message-
 From: Matt Greer [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, August 01, 2001 12:45 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP] SQL syntax error in PHP script. dunno what's wrong 
 
 
 on 8/1/01 11:35 AM, Chris Worth at [EMAIL PROTECTED] wrote:
 
  
  
  hey gang. 
  
  here is my sql statement from my php script.
  
  $sql = "UPDATE TABLE seminar SET
  title=$title,speaker=$speaker,event_date=$tdate,time=$time,
  bldg=$building,rm=$room WHERE id=$id";
 
 
 strings in a mysql query need to be quoted. So change it to
 
 $sql = "UPDATE TABLE seminar SET title='$title',speaker='$speaker',...";
 
 Matt
 
 
 

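An added example, not scott's code or anything else from the thread: the roll-your-own quoting done with the full escape set that mysql_escape_string() covers, used to rebuild Chris's UPDATE so that the title scott posted stays a single string literal. mysql_escape_string() itself was removed in PHP 7; the prepared-statement variant at the end (assumes a live mysqli connection, so it is not called in the offline run) is the form to use today.

```php
<?php
// Added example (not from the thread). Quote a value the way mysql_escape_string()
// does (NUL, \n, \r, \, ', ", Ctrl-Z), then wrap it so it can only be one literal.
function mysql_quote_value(string $value): string {
    // strtr() with an array scans once and never re-examines replaced text,
    // so the backslashes it inserts are not escaped a second time.
    $escaped = strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
    return "'" . $escaped . "'";
}
// Chris's UPDATE with every value quoted and the id cast to an integer. MySQL's
// UPDATE takes no TABLE keyword; the thread's 1064 error stops at exactly that token.
function build_seminar_update(array $f): string {
    return "UPDATE seminar SET"
        . " title=" . mysql_quote_value($f['title'])
        . ",speaker=" . mysql_quote_value($f['speaker'])
        . ",event_date=" . mysql_quote_value($f['tdate'])
        . ",time=" . mysql_quote_value($f['time'])
        . ",bldg=" . mysql_quote_value($f['building'])
        . ",rm=" . mysql_quote_value($f['room'])
        . " WHERE id=" . (int) $f['id'];
}
// Same update as a prepared statement: values never enter the SQL text.
// Assumes a live mysqli connection, so this is not called in the offline demo.
function update_seminar_prepared(mysqli $db, array $f): bool {
    $stmt = $db->prepare("UPDATE seminar SET title=?,speaker=?,event_date=?,"
        . "time=?,bldg=?,rm=? WHERE id=?");
    $id = (int) $f['id'];
    $stmt->bind_param("ssssssi", $f['title'], $f['speaker'], $f['tdate'],
        $f['time'], $f['building'], $f['room'], $id);
    return $stmt->execute();
}
// Constructed form submission carrying the title scott posted.
$form = ['title' => "'; DELETE FROM seminar; ", 'speaker' => 'Mr. Black',
         'tdate' => '2001-08-05', 'time' => '11:00:am', 'building' => 'BCC',
         'room' => '201', 'id' => '48'];
$sql = build_seminar_update($form);
echo $sql, "\n";
// Strip every well-formed single-quoted literal; the skeleton left over is what
// MySQL parses as statement structure, and it contains no DELETE.
$skeleton = preg_replace("/'(?:[^'\\\\]|\\\\.)*'/", '?', $sql);
echo $skeleton, "\n";
```

The second echo prints `UPDATE seminar SET title=?,speaker=?,event_date=?,time=?,bldg=?,rm=? WHERE id=48`: the quote in the submitted title has been escaped to `\'`, so the text after it is still part of the title literal rather than a second statement.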




RE: [PHP] SQL syntax error in PHP script. dunno what's wrong

2001-08-01 Thread scott [gts]

no offense to you sam, but please don't ever simply place
single quotes around values.  you have to escape the values
*themselves*.

what if someone submitted the form field title as:
$title = "'; DELETE FROM seminar; ";

if you didn't escape the single quotes in there, it
would get interpreted as a valid DELETE statement
and your seminar table would get wiped.

however, if you escaped $title, you'd end up setting
title to \'; DELETE FROM SEMINAR;  
(rather than have the contents of $title interpreted
as SQL commands)

 -Original Message-
 From: Sam Masiello [mailto:[EMAIL PROTECTED]]
 Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's wrong 
 
 
 You will need to put single quotes around your variables in your SQL
 statement.  Like this:
 
 $sql = "UPDATE TABLE seminar SET
 title='$title',speaker='$speaker',event_date='$tdate',time='$time',
 bldg='$building',rm='$room' WHERE id='$id'";
 
 Without the quotes, SQL doesn't know that Something Amazing is supposed to
 go together in the same string.
 
 HTH

