"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1"

Question

MySQL server displays error, but the code is running proper. In this code i am using paytm gateway, when user pay to us paytm redirect it on our site, that time i am getting error, but the it is running proper. means insert, select, update queries are working proper.

<?php
header("Pragma: no-cache");
header("Cache-Control: no-cache");
header("Expires: 0");
include('../../connection.php'); 
include('../../header-payment.php');

/*Paytm Transaction Rsponse start*/

// following files need to be included
require_once("PaytmKit/lib/config_paytm.php");
require_once("PaytmKit/lib/encdec_paytm.php");

$status = 'success';
$paytmChecksum = "";
$paramList = array();
$isValidChecksum = "FALSE";

$paramList = $_POST;
$paytmChecksum = isset($_POST["CHECKSUMHASH"]) ? $_POST["CHECKSUMHASH"] : ""; //Sent by Paytm pg
$ords = explode("-",$_POST['ORDERID']);
$_SESSION['stud_id'] = $ords["1"];
if($_SESSION['stud_id'] ==''){
    echo '<meta HTTP-EQUIV="Refresh" Content="0; URL=../../student.php"/>'; 
}else{

$isValidChecksum = verifychecksum_e($paramList, PAYTM_MERCHANT_KEY, $paytmChecksum); //will return TRUE or FALSE string.
if($isValidChecksum == "FALSE") { ?>
<div class="corporate-login-sect_1">
        <div class="login-form">
            <div class="form-area" style="margin-top: 80px; margin-bottom: 52px;" >
                <h2 class="page-title">Sorry</h2>
                <div class="row">
                    <div class="col-sm-9 col-xs-12 col-md-12" align="center">
                        <h4>Your Payment Process is not completed successfully, Please try again.</h4>
                        <strong><a href="<?php echo $RootPath; ?>student.php" > Click Here </a></strong>
                    </div>
                </div>
            </div>
        </div>
    </div>
 <?php } 

if($isValidChecksum == "TRUE") {
$ords = explode("-",$_POST["ORDERID"]);
$_SESSION["stud_id"] = $ords["1"];
$coupon_code= $ords["2"];

if ($_POST["STATUS"] == "TXN_SUCCESS") {
$sql_paidcheck = mysql_query("select * from `student_invoice` where ProfileID = '".$_SESSION['stud_id']."'") or die(mysql_error());
$checkpaid = mysql_fetch_array($sql_paidcheck); 
/* echo "select * from `student_invoice` where ProfileID = '".$_SESSION['stud_id']."'";
die; */
$total_inv = mysql_num_rows($sql_paidcheck);
if($total_inv == '0'){

$query = mysql_query("update `profile` set IsPaid = 1 , PaymentTime = '".$_POST["TXNDATE"]."' , PaymentID = '".$_POST["TXNID"]."' , PaymentStatus = '".$status."', couponUsed = 'Yes', couponCode = '".$coupon_code."' where ProfileID = '".$_SESSION["stud_id"]."' ") or die(mysql_error());

$checkval=mysql_query("select MAX(Inv_ID) FROM `student_invoice`") or die(mysql_error());
$row = mysql_fetch_row($checkval);
$highest_id = $row[0];
$i= 1;
$checkvalu = $highest_id + $i; 
 $sql_1 = mysql_query("insert into `student_invoice` set ProfileID = '".$_SESSION["stud_id"]."' , Inv_No = '".$today = date("M-Y")."-".$checkvalu."', Inv_Date='".$_POST["TXNDATE"]."', Inv_Order ='".$_POST["ORDERID"]."' ") or die(mysql_error());

$sql1 = mysql_query($sql_1) or die(mysql_error());
}
?>
<div class="corporate-login-sect_1">
        <div class="login-form">
            <div class="form-area" style="margin-top: 80px; margin-bottom: 52px;" >
                <h2 class="page-title">Thank You</h2>
                <div class="row">
                    <div class="col-sm-9 col-xs-12 col-md-12" align="center">
                        <h4>Payment Paid Successfully, Thank You.</h4>
                        <strong><a href="<?php echo $RootPath; ?>pages/student/dashboard.php" > Click Here </a></strong>
                    </div>
                </div>
            </div>
        </div>
    </div>

<?php }
else { 
    ?>
    <div class="corporate-login-sect_1">
        <div class="login-form">
            <div class="form-area" style="margin-top: 80px; margin-bottom: 52px;" >
                <h2 class="page-title">Sorry</h2>
                <div class="row">
                    <div class="col-sm-9 col-xs-12 col-md-12" align="center">
                        <h4>Your Payment is not done. Please try again.</h4>
                        <strong><a href="<?php echo $RootPath; ?>pages/student/dashboard.php" > Click Here </a></strong>
                    </div>
                </div>
            </div>
        </div>
    </div>
<?php }

/* if (isset($_POST) && count($_POST)>0 )
{ 

    foreach($_POST as $paramName => $paramValue) {

        echo "<br/>" . $paramName . " = " . $paramValue;
    }
} */


}
else { 
if($isValidChecksum == "FALSE")?>
<div class="corporate-login-sect_1">
        <div class="login-form">
            <div class="form-area" style="margin-top: 80px; margin-bottom: 52px;" >
                <h2 class="page-title">Sorry</h2>
                <div class="row">
                    <div class="col-sm-9 col-xs-12 col-md-12" align="center">
                        <h4>Your Payment is not done. Please try again.</h4>
                        <strong><a href="<?php echo $RootPath; ?>pages/student/dashboard.php" > click here </a></strong>
                    </div>
                </div>
            </div>
        </div>
    </div>
  <?php } 
  }
 /*Paytm Transaction Rsponse End*/

 include('../../footer.php'); ?>

Thank you in Advance

Your code is vulnerable to SQL injection. Use parameterized statements — Gurwinder Singh, Mar 25 '17 at 11:17
If you're writing new code, **_please_ don't use the `mysql_*` functions**. They are old and broken, were deprecated in PHP 5.5 (which is so old it no longer even receives security updates), and completely removed in PHP 7. Use [`PDO`](https://secure.php.net/manual/en/book.pdo.php) or [`mysqli_*`](https://secure.php.net/manual/en/book.mysqli.php) with _prepared statements_ and _parameter binding_ instead. See http://stackoverflow.com/q/12859942/354577 for details. — ChrisGPT was on strike, Mar 25 '17 at 11:20

Barmar · Accepted Answer · 2017-03-25T11:27:19.963

0

The error is coming from this line:

$sql1 = mysql_query($sql_1) or die(mysql_error());

$sql_1 is not a query, it's the return value from another call to mysql_query.

$sql_1 = mysql_query("insert into `student_invoice` set ProfileID = '".$_SESSION["stud_id"]."' , Inv_No = '".$today = date("M-Y")."-".$checkvalu."', Inv_Date='".$_POST["TXNDATE"]."', Inv_Order ='".$_POST["ORDERID"]."' ") or die(mysql_error());

Remove this line from the script:

$sql1 = mysql_query($sql_1) or die(mysql_error());

It doesn't do anything useful.

edited Mar 25 '17 at 11:27

answered Mar 25 '17 at 11:18

Barmar

741,623
53
500
612

No, still error displaying I changed $sql_1 to $sqlqq1 – Neeraj Mar 25 '17 at 11:24
Changing the variable name won't help. Just delete the statement. – Barmar Mar 25 '17 at 11:25
Delete the statement that starts with `$sql1 =` – Barmar Mar 25 '17 at 11:26

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1"

1 Answers1