[mysql][php]

taekwondokid42

I am having trouble with this code:

mysql_query("UPDATE wiki_quotes SET Quote = $quotes WHERE id = '$counter'") or die(mysql_error());


The error I receive is:


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = ''' at line 1


Does anyone know what is wrong with the code?
 

deadimp

I don't think PHP will parse any string literals inside of mysql_query() as a precaution against injection attacks.
Simplification [don't know if it's needed]: You can't use the $ sign inside of the quotes for mysql_query().

You'll need to format your string outside of the function, like so:
Code:
//Quick sanitization function
function sql_sanitize($value) {
    return addslashes($value); //There are better ones out there
}
//You may not have to sanitize your id, but just as a precaution
$q = "UPDATE wiki_quotes SET Quote='" . sql_sanitize($quotes) . "' WHERE id='" . sql_sanitize($counter) . "'";
$res = mysql_query($q);
Something like that ought to work.

EDIT: Err, disregard my comment about the parsing and all that. That doesn't seem to apply. However, keep the sanitization in mind.
My suggestion is to check your $counter value and see if it is valid.
 

sunils

If quotes and counter are PHP variables, then I think this will work.
PHP:
 mysql_query("UPDATE wiki_quotes SET Quote='".$quotes."' WHERE id='".$counter."'") or die(mysql_error());

If it's the other way, remove the space between the id and the equals sign.
 

kajasweb

Enclose the value of $quotes between double quotes. That value may have some spaces.

PHP:
mysql_query("UPDATE wiki_quotes SET Quote = \"" . $quotes . "\" WHERE id = '$counter'") or die(mysql_error());

If the field "id" is a numeric one, don't enclose it in single quotes.
 
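The replies above all build the UPDATE by string concatenation; with a prepared statement the values are bound separately from the SQL text, so an empty or quote-containing $quotes cannot cause the syntax error from the first post and no addslashes-style escaping is needed. This is an added example, not code from any poster in the thread: it uses PDO with an in-memory SQLite database as a stand-in for MySQL so that it runs offline, and the function name update_quote and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL so this runs offline; for MySQL only the DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wiki_quotes (id INTEGER PRIMARY KEY, Quote TEXT)');
$pdo->exec("INSERT INTO wiki_quotes (id, Quote) VALUES (1, 'old text')");

/**
 * Update one quote (hypothetical helper). The SQL text is constant and the
 * values travel as bound parameters, so quotes, spaces or empty strings in
 * the input cannot change the statement's syntax.
 * Returns the affected-row count, or false when the id is not an integer.
 * Note: MySQL by default counts only rows whose value actually changed.
 */
function update_quote(PDO $pdo, $id, $quote)
{
    // Reject a missing or non-numeric id instead of sending it to the server.
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE wiki_quotes SET Quote = :quote WHERE id = :id');
    $stmt->bindValue(':quote', (string) $quote, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample inputs, as they might arrive from the form.
$samples = array(
    array('1', "It's a \"quoted\" line with spaces"),
    array('1', ''),               // empty quote: the original unquoted query breaks here
    array('',  'id is missing'),  // empty $counter, as in the reported error
    array('1x', 'id is not an integer'),
);

foreach ($samples as $s) {
    list($id, $quote) = $s;
    $result = update_quote($pdo, $id, $quote);
    $stored = $pdo->query('SELECT Quote FROM wiki_quotes WHERE id = 1')->fetchColumn();
    printf("id=%-5s result=%-6s stored=%s\n",
        var_export($id, true), var_export($result, true), var_export($stored, true));
}
```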

taekwondokid42

Okay, that problem is solved :).


Now, I have a new one:

$counter = 1;
$quote = quote_;
$quotes = $_POST['$quote.$counter'];

---------------------------------------------------------
echo $_POST['$quote.$counter'];

gives me what I need to know (whatever was submitted in the form)

echo $quotes;

Does not spit out anything. Does anybody know why?
Edit:
$counter = 1;
$quote = quote_;
$quotes = $_POST['$quote.$counter'];

------------------------------------------------
echo $_POST[$quote.$counter];

gives me whatever was submitted in the form.



echo stripslashes($quotes);

Does not give me anything.


edit: nvm, I see my problem...
 