| Help required with UPDATE columns [message #179539] |
Tue, 06 November 2012 12:40  |
|
|
Originally posted by: Dynamo
Hi,
I am experiencing problem with updating records in my table. The
following code works.
[
$query1 = ("UPDATE mytable SET drawing = 'mydrawing.pdf' WHERE id=2");
$result = mysql_query($query1) or die ("Error in query $query1" .
mysql_error());
mysql_close($connection);
]
but this does not
[
$drawing = $_POST['drawing'];
$query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
$result = mysql_query($query1) or die ("Error in query $query1" .
mysql_error());
mysql_close($connection);
]
The following error message appears when executing the second
[
Error in query: UPDATE mytable SET drawing=mydrawing.pdf WHERE id=2.
Unknown column 'mydrawing.pdf' in 'field list'
]
What am I doing wrong? Any help greatly appreciated.
TIA
Dynamo
|
|
|
|
| Re: Help required with UPDATE columns [message #179540 is a reply to message #179539] |
Tue, 06 November 2012 12:44  |
Shake
Messages: 40
Registered: May 2012
Karma: 0
|
Member |
|
|
El 06/11/2012 13:40, Dynamo escribió:
> $query1 = ("UPDATE mytable SET drawing = 'mydrawing.pdf' WHERE id=2");
[...]
> $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
-------------------------------------------^
There are no quotes.
Incorrect:
- $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
correct:
- $query1 = ("UPDATE mytable SET drawing = '$drawing' WHERE id=2");
That's not a PHP problem. Is a SQL one.
Regards.
|
|
|
|
| Re: Help required with UPDATE columns [message #179541 is a reply to message #179539] |
Tue, 06 November 2012 13:15 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 11/6/2012 7:40 AM, Dynamo wrote:
> Hi,
> I am experiencing problem with updating records in my table. The
> following code works.
> [
> $query1 = ("UPDATE mytable SET drawing = 'mydrawing.pdf' WHERE id=2");
> $result = mysql_query($query1) or die ("Error in query $query1" .
> mysql_error());
> mysql_close($connection);
> ]
> but this does not
> [
> $drawing = $_POST['drawing'];
> $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
> $result = mysql_query($query1) or die ("Error in query $query1" .
> mysql_error());
> mysql_close($connection);
> ]
> The following error message appears when executing the second
>
> [
> Error in query: UPDATE mytable SET drawing=mydrawing.pdf WHERE id=2.
> Unknown column 'mydrawing.pdf' in 'field list'
> ]
>
> What am I doing wrong? Any help greatly appreciated.
>
> TIA
> Dynamo
>
Echo your query to the browser and you'll see what your problem is.
And BTW - just taking a POST value without any validation is an
invitation to problems. Also, you should always use
mysql_real_escape_string() to escape strings before they are used in SQL
statements.
And finally - never use die() in production code! It's OK for
debugging, but terminates processing of the page right there - causing
invalid HTML to be sent to the browser and sends a non-user-friendly
message (which can give out hints on how to hack your system).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: Help required with UPDATE columns [message #179542 is a reply to message #179540] |
Tue, 06 November 2012 17:59 |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Shake wrote:
> El 06/11/2012 13:40, Dynamo escribió:
>> $query1 = ("UPDATE mytable SET drawing = 'mydrawing.pdf' WHERE id=2");
> [...]
>> $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
>
> -------------------------------------------^
>
> There are no quotes.
Either one allows for SQL injection. The OP should read on Prepared
Statements (but at least mysql_real_escape_string()) instead.
> Incorrect:
> - $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
> correct:
> - $query1 = ("UPDATE mytable SET drawing = '$drawing' WHERE id=2");
The parentheses are unnecessary and misleading. The names should be
backtick-quoted.
> That's not a PHP problem. Is a SQL one.
_MySQL_, and you do not appear to know either very well.
PointedEars
--
Danny Goodman's books are out of date and teach practices that are
positively harmful for cross-browser scripting.
-- Richard Cornford, cljs, <cife6q$253$1$8300dec7(at)news(dot)demon(dot)co(dot)uk> (2004)
|
|
|
|
| Re: Help required with UPDATE columns [message #179543 is a reply to message #179542] |
Tue, 06 November 2012 18:06 |
Shake
Messages: 40
Registered: May 2012
Karma: 0
|
Member |
|
|
El 06/11/2012 18:59, Thomas 'PointedEars' Lahn escribió:
> Shake wrote:
>
> Either one allows for SQL injection. The OP should read on Prepared
> Statements (but at least mysql_real_escape_string()) instead.
[...]
> The parentheses are unnecessary and misleading. The names should be
> backtick-quoted.
>
>> That's not a PHP problem. Is a SQL one.
>
> _MySQL_, and you do not appear to know either very well.
I just signaled the main error. That's doesn't mean I don't know very
well. And, the error, isn't _MySQL_ The error is in the SQL sentence.
And this sentence is wrong in MySQL... and in others SQL-DBs.
Rgds.
|
|
|
|
| Re: Help required with UPDATE columns [message #179544 is a reply to message #179543] |
Tue, 06 November 2012 18:13 |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Shake wrote:
> El 06/11/2012 18:59, Thomas 'PointedEars' Lahn escribió:
>> Either one allows for SQL injection. The OP should read on Prepared
>> Statements (but at least mysql_real_escape_string()) instead.
> [...]
>> The parentheses are unnecessary and misleading. The names should be
>> backtick-quoted.
>>
>>> That's not a PHP problem. Is a SQL one.
>>
>> _MySQL_, and you do not appear to know either very well.
>
> I just signaled the main error. That's doesn't mean I don't know very
> well. And, the error, isn't _MySQL_ The error is in the SQL sentence.
> And this sentence is wrong in MySQL... and in others SQL-DBs.
You are mistaken. Whether the query is syntactically wrong in the DBMS
depends on the data type, the value of the variable (that we do not know, do
we?) and the query language.
The actual and much more grave issue here is that the OP is using user input
($_POST['…']) unchecked and unescaped, which allows for SQL injection. If
they fixed that with Prepared Statements, both problems would go away.
PointedEars
--
realism: HTML 4.01 Strict
evangelism: XHTML 1.0 Strict
madness: XHTML 1.1 as application/xhtml+xml
-- Bjoern Hoehrmann
|
|
|
|
| Re: Help required with UPDATE columns [message #179545 is a reply to message #179544] |
Tue, 06 November 2012 18:20 |
Shake
Messages: 40
Registered: May 2012
Karma: 0
|
Member |
|
|
El 06/11/2012 19:13, Thomas 'PointedEars' Lahn escribió:
>
> You are mistaken. Whether the query is syntactically wrong in the DBMS
> depends on the data type, the value of the variable (that we do not know, do
> we?) and the query language.
You do not know. I know it.
Your limitations are not my mistake.
mytable.drawing values have to be enclosed by quotes.
>
> The actual and much more grave issue here is that the OP is using user input
> ($_POST['…']) unchecked and unescaped, which allows for SQL injection. If
> they fixed that with Prepared Statements, both problems would go away.
Right. Still not a MySQL issue: An SQL issue.
Rgs.
|
|
|
|
| Re: Help required with UPDATE columns [message #179546 is a reply to message #179545] |
Tue, 06 November 2012 18:30 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 06.11.2012 19:20, schrieb Shake:
> El 06/11/2012 19:13, Thomas 'PointedEars' Lahn escribió:
>>
>> You are mistaken. Whether the query is syntactically wrong in the DBMS
>> depends on the data type, the value of the variable (that we do not know, do
>> we?) and the query language.
>
> You do not know. I know it.
> Your limitations are not my mistake.
>
> mytable.drawing values have to be enclosed by quotes.
>
>>
>> The actual and much more grave issue here is that the OP is using user input
>> ($_POST['…']) unchecked and unescaped, which allows for SQL injection. If
>> they fixed that with Prepared Statements, both problems would go away.
>
> Right. Still not a MySQL issue: An SQL issue.
>
This sounds quite aggressive for someone showing so many coding problems. You could
have seen the sql error in your first posting.
/Str.
|
|
|
|
| Re: Help required with UPDATE columns [message #179547 is a reply to message #179546] |
Tue, 06 November 2012 18:45 |
Shake
Messages: 40
Registered: May 2012
Karma: 0
|
Member |
|
|
El 06/11/2012 19:30, M. Strobel escribió:
>
> This sounds quite aggressive for someone showing so many coding problems. You could
> have seen the sql error in your first posting.
I think you're confused, I am not the OP.
Rgrds.
|
|
|
|
| Re: Help required with UPDATE columns [message #179548 is a reply to message #179545] |
Tue, 06 November 2012 18:53 |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Shake wrote:
> El 06/11/2012 19:13, Thomas 'PointedEars' Lahn escribió:
>> You are mistaken. Whether the query is syntactically wrong in the DBMS
>> depends on the data type, the value of the variable (that we do not know,
>> do we?) and the query language.
>
> You do not know. I know it.
> Your limitations are not my mistake.
>
> mytable.drawing values have to be enclosed by quotes.
Oh shut up. How can you possibly *know* the value of the variable $drawing
when the OP has not posted it? All you have is conjecture.
>> The actual and much more grave issue here is that the OP is using user
>> input
>> ($_POST['…']) unchecked and unescaped, which allows for SQL injection.
>> If they fixed that with Prepared Statements, both problems would go away.
>
> Right. Still not a MySQL issue: An SQL issue.
Bullshit. It is obvious that the OP is using MySQL; so their MySQL syntax
is at fault and their approach, too.
PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on
a Web page appears to be yearning for the bad old days, before the Web,
when you had very little chance of reading a document written on another
computer, another word processor, or another network. -- Tim Berners-Lee
|
|
|
|
| Re: Help required with UPDATE columns [message #179549 is a reply to message #179547] |
Tue, 06 November 2012 18:57 |
Thomas 'PointedEars'
Messages: 701
Registered: October 2010
Karma: 0
|
Senior Member |
|
|
Shake wrote:
> El 06/11/2012 19:30, M. Strobel escribió:
>> This sounds quite aggressive for someone showing so many coding problems.
>> You could have seen the sql error in your first posting.
>
> I think you're confused, I am not the OP.
But you are equally confused (and equally address-munging)
as they are, so you have to give M. some credit here.
Score adjusted
PointedEars
--
When all you know is jQuery, every problem looks $(olvable).
|
|
|
|
| Re: Help required with UPDATE columns [message #179550 is a reply to message #179548] |
Tue, 06 November 2012 19:36 |
Shake
Messages: 40
Registered: May 2012
Karma: 0
|
Member |
|
|
Thomas 'PointedEars' Lahn a couché sur son écran :
>
> Oh shut up. How can you possibly *know* the value of the variable $drawing
> when the OP has not posted it? All you have is conjecture.
No. Is more than that. OP have not put the $drawing value explicitly.
OP have put the $drawing value implicitly. You can argue a lot of
hipotetical posibilities, but is obvious that $drawing have to by
enclosed with quotes.
But... anyway:
>
> Bullshit. It is obvious that the OP is using MySQL; so their MySQL syntax
> is at fault and their approach, too.
No, using your arguments: all you have is a conjecture. OP could be not
using MySQL.
And... anyway again: No matters what SQL Db is using... the error was
on the SQL sentence, and was a generic SQL error. Not a MySQL specific.
Rgds.
|
|
|
|
| Re: Help required with UPDATE columns [message #179551 is a reply to message #179547] |
Tue, 06 November 2012 19:36 |
M. Strobel
Messages: 386
Registered: December 2011
Karma: 0
|
Senior Member |
|
|
Am 06.11.2012 19:45, schrieb Shake:
> El 06/11/2012 19:30, M. Strobel escribió:
>>
>> This sounds quite aggressive for someone showing so many coding problems. You could
>> have seen the sql error in your first posting.
>
> I think you're confused, I am not the OP.
>
Oops. Str.
|
|
|
|
|
|
| Re: Help required with UPDATE columns [message #179553 is a reply to message #179541] |
Wed, 07 November 2012 11:05 |
|
|
Originally posted by: Dynamo
On Tue, 06 Nov 2012 08:15:32 -0500, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:
>
> Echo your query to the browser and you'll see what your problem is.
>
> And BTW - just taking a POST value without any validation is an
> invitation to problems. Also, you should always use
> mysql_real_escape_string() to escape strings before they are used in SQL
> statements.
>
> And finally - never use die() in production code! It's OK for
> debugging, but terminates processing of the page right there - causing
> invalid HTML to be sent to the browser and sends a non-user-friendly
> message (which can give out hints on how to hack your system).
Thank you Jerry. Shakes solution worked but I will bear your comments
in mind. However, the code is being used in a password protected area
that theoretically only I should have access to.
Regards
Dynamo
|
|
|
|
| Re: Help required with UPDATE columns [message #179554 is a reply to message #179540] |
Wed, 07 November 2012 11:07 |
|
|
Originally posted by: Dynamo
On Tue, 06 Nov 2012 13:44:27 +0100, Shake <QUITAESTO(at)QUITAESTO(dot)NOES>
wrote:
> El 06/11/2012 13:40, Dynamo escribió:
>> $query1 = ("UPDATE mytable SET drawing = 'mydrawing.pdf' WHERE id=2");
> [...]
>> $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
>
> -------------------------------------------^
>
> There are no quotes.
>
> Incorrect:
> - $query1 = ("UPDATE mytable SET drawing = $drawing WHERE id=2");
> correct:
> - $query1 = ("UPDATE mytable SET drawing = '$drawing' WHERE id=2");
>
>
> That's not a PHP problem. Is a SQL one.
>
> Regards.
Thanks Shake. That worked. Will digest other comments in the post
later.
Regards
Dynamo
|
|
|
|
| Re: Help required with UPDATE columns [message #179555 is a reply to message #179553] |
Wed, 07 November 2012 12:07 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 11/7/2012 6:05 AM, Dynamo wrote:
> On Tue, 06 Nov 2012 08:15:32 -0500, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>
>>
>> Echo your query to the browser and you'll see what your problem is.
>>
>> And BTW - just taking a POST value without any validation is an
>> invitation to problems. Also, you should always use
>> mysql_real_escape_string() to escape strings before they are used in SQL
>> statements.
>>
>> And finally - never use die() in production code! It's OK for
>> debugging, but terminates processing of the page right there - causing
>> invalid HTML to be sent to the browser and sends a non-user-friendly
>> message (which can give out hints on how to hack your system).
>
> Thank you Jerry. Shakes solution worked but I will bear your comments
> in mind. However, the code is being used in a password protected area
> that theoretically only I should have access to.
>
> Regards
> Dynamo
>
Dynamo, it really doesn't matter if only you "should" have access to it.
Hackers gain "protected" access to sites every day. You really need
to protect yourself against them.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]