PHP Fatal error: Uncaught mysqli_sql_exception
-
I was using a PHP script for a simple message service without any issue up to PHP 7.4, but when I upgraded the PHP version to 8.1, it gives the following error_log when trying to send a new message containing "'", e.g.: I'm ok brother
PHP Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'm ok brother
')' at line 1 in send_message.php:9
Full code of send_message.php
Please suggest a solution.
-
Add some code to print out the full statement when it is built. But a far better solution would be to use proper parameterised queries for database access. It has the advantage that you can quickly diagnose issues like this, but more importantly it protects you from SQL injection attacks.
-
Actually, did you see anything wrong in that code? When trying to store a simple text message with a ' character (I'm ok brother), it stops processing further and makes the above-mentioned error_log.
mysqli_query($conn,"INSERT INTO ".C_MYSQL_MESSAGES."(`sender_id`,`receiver_id`,`message`) VALUES (".$_POST['sender_id'].",".$_POST['receiver_id'].",'".$_POST['message']."')");
I think the $_POST['message'] part or near it has some issue. Can you help me to resolve?
-
Udaya Arunakantha wrote:
Can you help me to resolve?
Yes, but you need to do what I suggested above. Whatever is causing the problem can only be discovered by displaying the complete message that MySQL is trying to process.
-
According to your tips, I was able to fix this issue by adding the following code line:
$_POST['message'] = mysqli_real_escape_string($conn, $_POST['message']);
-
That may work for now, but your code is still vulnerable to SQL injection attacks. You really should change to using proper parameterized queries for all SQL.
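
The parameterized form recommended in the replies, applied to the INSERT from this thread. This is an added example, not code from any poster; it assumes the `$conn` handle and `C_MYSQL_MESSAGES` constant from the poster's script, and `post_int()` and `send_message()` are hypothetical helper names.

```php
<?php
// Added example. $conn (connected mysqli handle) and C_MYSQL_MESSAGES are
// assumed to come from the poster's script; helper names are hypothetical.

// PHP 8.1 turns this mode on by default, which is why a failure that went
// unreported on 7.4 now surfaces as an uncaught mysqli_sql_exception.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function post_int(string $key): int
{
    // The ids were concatenated unquoted in the original query, so
    // mysqli_real_escape_string() would not constrain them; require integers.
    $value = filter_input(INPUT_POST, $key, FILTER_VALIDATE_INT);
    if ($value === null || $value === false) {
        throw new InvalidArgumentException("$key must be an integer");
    }
    return $value;
}

function send_message(mysqli $conn, int $senderId, int $receiverId, string $message): int
{
    // Only values can be bound; the table name stays a trusted constant.
    $sql = 'INSERT INTO ' . C_MYSQL_MESSAGES
         . ' (`sender_id`, `receiver_id`, `message`) VALUES (?, ?, ?)';
    $stmt = $conn->prepare($sql);
    // 'iis' = int, int, string. The message travels as data, so the quote
    // in "I'm ok brother" never becomes part of the SQL text.
    $stmt->bind_param('iis', $senderId, $receiverId, $message);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

try {
    $message = $_POST['message'] ?? null;
    if (!is_string($message) || $message === '') {
        throw new InvalidArgumentException('message must be a non-empty string');
    }
    send_message($conn, post_int('sender_id'), post_int('receiver_id'), $message);
} catch (InvalidArgumentException $e) {
    http_response_code(400);   // bad request data, nothing was sent to SQL
} catch (mysqli_sql_exception $e) {
    error_log('send_message failed: ' . $e->getMessage());
    http_response_code(500);   // log the detail, do not echo it to the client
}
```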
-
I decided to remove this post as it's not appropriate to ask huge support for free. Sorry..
-
Sorry, I do not do private support. If you have a technical issue then post it in the forum. If you want one-to-one consultancy then you need to advertise on freelancer.com or similar.