Databases Forum

    
My Site showing an error
NuNet




msg:4387926
 4:18 am on Nov 17, 2011 (gmt 0)

Hi

We run a website. We use PHP.

Recently, somebody pointed out that the site shows the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'News WHERE id ='1530'' at line 1

Could you please let me know how to find this error and rectify it?

Thanks

[edited by: eelixduppy at 6:14 pm (utc) on Nov 22, 2011]
[edit reason] removed url - see tos [/edit]

 

rocknbil




msg:4388173
 4:51 pm on Nov 17, 2011 (gmt 0)

1. Look in your PHP scripts for mysql_error()

2. When you find it and fix it, you should REMOVE these error printouts from public display. I can already tell that you have a database table named News and this table's unique ID field is named "id". I can also guess that it's probable you're using raw input directly in your select statements. These, in combination with some other things that may be gathered from your site, arm a hacker to possibly do some Very Nasty Stuff.

Change your mysql_query's to something like

mysql_query($query) or die("Cannot execute query to get news article");
...

Making each one unique so you know where to look.

As for fixing it, you probably have something similar to this:

$query = "select * from tablename where id=$id";
$result = mysql_query($query) or print(mysql_error());

temporarily change it to

$query = "select * from tablename where id=$id";
echo $query;
exit;
$result = mysql_query($query) or print(mysql_error());

Then paste the result in phpMyAdmin (or, if you know MySQL, you might see exactly what the error is).
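
The advice in the post above (keep database error text off the public page, give each query its own identifiable message, and keep raw input out of the SELECT string), as an added example that is not part of the post or of the site's code. It uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline; the function name fetchNews, the title column and the log tag are assumptions.

```php
<?php
// Added example: SQLite in-memory stands in for the MySQL server so this runs offline.
// With MySQL only the DSN changes, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE News (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO News (id, title) VALUES (1530, 'Constructed sample article')");

/**
 * Fetch one article. $rawId is untrusted request input (hypothetical name).
 * Returns the row, null if not found, or false on a database failure.
 */
function fetchNews(PDO $pdo, string $rawId)
{
    // Reject anything that is not a plain positive integer before touching the database.
    if (!ctype_digit($rawId)) {
        return null;
    }
    try {
        // The id travels as a bound parameter, never as part of the SQL text.
        $stmt = $pdo->prepare('SELECT id, title FROM News WHERE id = :id');
        $stmt->execute([':id' => (int) $rawId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // Unique tag per query so the log tells you where to look;
        // the driver's message goes to the server log, not to the visitor.
        error_log('[news-detail-query] ' . $e->getMessage());
        return false;
    }
}

// Constructed inputs: a normal id, and one with a stray quote that would
// change the SQL text if it were concatenated into the query string.
foreach (['1530', "1530'"] as $rawId) {
    $article = fetchNews($pdo, $rawId);
    if ($article === false) {
        echo "Cannot load news article.\n";   // generic, no SQL details
    } elseif ($article === null) {
        echo "Article not found.\n";
    } else {
        echo htmlspecialchars($article['title']), "\n";
    }
}
```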

NuNet




msg:4388409
 4:25 am on Nov 18, 2011 (gmt 0)

Hey Rocknbil

Thanks very much for your reply. I will try and do exactly what you have said and will get back to you.

Thanks again.

NuNet




msg:4388857
 1:13 pm on Nov 19, 2011 (gmt 0)

Hi Rocknbil
Okay, I forgot to tell you that the error - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'News WHERE id ='1530'' at line 1 - is not public. I cannot thus see it in my PHP script. I went to my RV Sitebuilder and after some research understood that I will need to find php.ini file. Now this is where I have got lost. I cannot find this file anywhere in my CP Panel. I went to php.admin where I have some databases listed.
Can you please help and let me know:
(a) If I am doing the right thing
(b) Where is the php.ini file located
(c) Once inside php.ini file, then do I have to change "Display Errors to On"?

Thanks in advance.

rocknbil




msg:4389476
 5:32 pm on Nov 21, 2011 (gmt 0)

"the error - .. - is not public."

but

"Recently, somebody pointed out that the site shows the following error:"

Anyway all right then, you search your scripts for

News WHERE id

If it's properly coded, those values might be in variables, something like

.. from $current_table where $target_field = '$target_value'

(don't search for those variables, they are just for example)

So that might make it harder to find. You'll have to locate what exact function it's doing when that happens. For example, if it happens when someone searches it's in a search function; or opening an item's detail, the detail function.

"I will need to find php.ini ... do I have to change 'Display Errors to On'?"

No . . . .there are two things at play here.

There are php errors/warnings, and there are mySQL errors/warnings. They are distinctly different "layers." When you see this,

You have an error in your SQL syntax;......

This is a mysql error, but if the script is set up to display errors, it passes from the database interface to PHP. So you are chasing a "ghost" by changing php.ini in any way to display or not display errors. To answer the question, it's best if the global PHP error display settings in php.ini are set to off.

If you need it, a better way to display errors is to temporarily add this at the top of your php script:

<?php error_reporting(E_ALL); ?>

This allows PHP errors to display in this script while leaving the global error reporting off. But the issue is that what you have there is a mySQL error, not a PHP error.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved