Thread: MySQL help

    #1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    153
    Rep Power
    13

    MySQL help


    Hi all

    I am sort of new to MySQL

    I have installed a script on my website and need help with the following if ok

    my wife created an account and used a few capital letters and a space in her username and logged in all ok and the page is where to write status updates and where a share button is, I am getting the following error, it only happens when capital letters and spaces are used

    How would I go about fixing it please

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's' ORDER BY messages_id DESC' at line 1

    Thank you in advance, I can paste any coding or give the website address if need be to look at

    Thanks in advance

    Ian
  2. #2
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    It sounds like a problem with the script you installed. If the script is throwing that sort of error it usually means there is a SQL injection vulnerability in it and you would be advised to not use it.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  4. #3
  5. SQL Consultant
    Devshed Supreme Being (6500+ posts)

    Join Date
    Feb 2003
    Location
    Toronto Canada
    Posts
    27,124
    Rep Power
    4274
    Originally Posted by ianhaney
    I can paste any coding
    paste the query that's throwing the error
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
  6. #4
    Contributing User
    Hi r937

    Thank you for the reply

    I think this is the query that is relating to the error

    $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".$_SESSION['SESS_FIRST_NAME'] ."' ORDER BY messages_id DESC";
    $result = mysql_query($query);
  8. #5
  9. SQL Consultant
    Originally Posted by ianhaney
    I think this is the query that is relating to the error
    that's the php code that generates the query

    put an echo just before you execute the query, so that we can see what was actually passed to mysql that created the error
  10. #6
    Contributing User
    Hi

    Hope I have done it right

    echo $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".$_SESSION['SESS_FIRST_NAME'] ."' ORDER BY messages_id DESC";
    $result = mysql_query($query);

    Thank you for your help so far

    Ian
  12. #7
  13. SQL Consultant
    Originally Posted by ianhaney
    Hope I have done it right
    that's still just php code (and i don't think it's the right call to the echo function)

    what i want to see is what the echo produces, the query without the php variable stuck in it, but rather, the value of that php variable at the time of execution
  14. #8
    Contributing User
    Ok might need bit of help with that as not 100% sure on what you need, is it ok to email you the file to look at, sorry for being a pain
  16. #9
  17. SQL Consultant
    Originally Posted by ianhaney
    Ok might need bit of help with that as not 100% sure on what you need, is it ok to email you the file to look at, sorry for being a pain
    no, it's not okay, sorry

    read the php manual for the correct syntax for echo

    then execute the echo instead of (or just prior to) executing mysql_query

    echo will produce some output -- copy/paste that output here
  18. #10
    Lost in code
    PHP Code:
    echo $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".$_SESSION['SESS_FIRST_NAME'] ."' ORDER BY messages_id DESC";
    Should execute fine; when it does (ie: when you save the code / upload it / visit it in your browser), it will output the actual SQL query that is being run. That output is what he needs to see.
  20. #11
  21. SQL Consultant
    Originally Posted by E-Oreo
    Should execute fine
    huge disclaimer: i don't do php

    doesn't echo take a string argument? this seems to be passing an assignment, not a string

    but if you say it works, great

    i just wanna see the final query string, because, going back to post #1, the problem is the value passed as "session first name" -- i'm guessing it contains a single quote
  22. #12
    Lost in code
    doesn't echo take a string argument? this seems to be passing an assignment, not a string
    Yep that's true; but in PHP an assignment is an expression that evaluates to whatever value was assigned, and due to order of operations the assignment happens before the echo, so echo actually does end up getting a string argument in this case. Normally you wouldn't write code like that though because it's confusing to read...

    i just wanna see the final query string, because, going back to post #1, the problem is the value passed as "session first name" -- i'm guessing it contains a single quote
    That's my feeling as well... actually the fix probably just involves changing the PHP for the query to:
    PHP Code:
     $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='" . mysql_real_escape_string($_SESSION['SESS_FIRST_NAME']) ."' ORDER BY messages_id DESC";
    Although if the problem exists here it almost certainly exists elsewhere in the code too.
  24. #13
    Contributing User
    I changed the coding to the following but still got the error so it must be elsewhere as well in another file or something

    $query = "SELECT *, UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".mysql_real_escape_string($_SESSION['SESS_FIRST_NAME']) . "' ORDER BY messages_id DESC";
  26. #14
    Contributing User
    It's fixed, I had the following in the coding still

    echo $query; exit();

    so took that out and works perfect now so if I get the error elsewhere on another page etc, I just change the coding to the following

    $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='" . mysql_real_escape_string($_SESSION['SESS_FIRST_NAME']) ."' ORDER BY messages_id DESC";
    $result = mysql_query($query);

    Is that right?

    Thank you so much

    Ian
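
Added example, not part of any post in this thread and not code from the script being discussed: the same lookup written once with the concatenation pattern shown above and once as a prepared statement, which removes the need to escape each value by hand. It assumes PDO with an in-memory SQLite database so it runs offline (the time expression is swapped for SQLite's), reuses the table and column names from the thread's query, and uses a constructed username.

```php
<?php
// Added example: constructed data, not code from the script in this thread.
// Uses PDO with an in-memory SQLite database so it runs offline; with the
// pdo_mysql driver only the DSN and the time expression change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE message (
    messages_id  INTEGER PRIMARY KEY,
    poster       TEXT,
    date_created INTEGER
)");

// Constructed username: capitals, a space and a trailing 's.
$poster = "Mrs Smith's";

$insert = $db->prepare(
    "INSERT INTO message (poster, date_created) VALUES (:poster, :created)");
$insert->execute([':poster' => $poster, ':created' => time() - 60]);
$insert->execute([':poster' => 'someone else', ':created' => time() - 120]);

// 1) The thread's pattern: the value is pasted into the SQL text, so its
//    apostrophe ends the string literal early and the rest is parsed as SQL.
$concatenated = "SELECT * FROM message WHERE poster='" . $poster
              . "' ORDER BY messages_id DESC";
echo "Concatenated query: $concatenated\n";
try {
    $db->query($concatenated);
    echo "Concatenated query ran\n";
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}

// 2) Prepared statement: the SQL text is fixed and the value travels
//    separately as a bound parameter, so no quoting or escaping is involved.
$select = $db->prepare(
    "SELECT *, CAST(strftime('%s','now') AS INTEGER) - date_created AS TimeSpent
       FROM message
      WHERE poster = :poster
      ORDER BY messages_id DESC");
$select->execute([':poster' => $poster]);
$rows = $select->fetchAll(PDO::FETCH_ASSOC);

echo "Prepared statement returned " . count($rows) . " row(s)\n";
foreach ($rows as $row) {
    echo "#{$row['messages_id']} {$row['poster']} ({$row['TimeSpent']}s ago)\n";
}
```

The mysql_* functions used in the thread were removed in PHP 7.0; mysqli and PDO both provide prepared statements.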
  28. #15
    Contributing User
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Mar 2008
    Posts
    1,928
    Rep Power
    378
    Please don't post in multiple forums, at least not without mentioning in one or other of them that that's what you've done.

    And believe it or not most people here are looking for help with MySQL so next time try to provide a more informative thread title.
