[mysql][php]

Discussion in 'Scripts, 3rd Party Apps, and Programming' started by taekwondokid42, Feb 18, 2008.

  1. taekwondokid42

    taekwondokid42 New Member

    I am having trouble with this code:

    mysql_query("UPDATE wiki_quotes SET Quote = $quotes WHERE id = '$counter'") or die(mysql_error());


    The error I receive is:


    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = ''' at line 1


    Does anyone know what is wrong with the code?
     
  2. deadimp

    deadimp New Member

    I don't think PHP will parse any string literals inside of mysql_query() as a precaution against injection attacks.
    Simplification [don't know if it's needed]: You can't use the $ sign inside of the quotes for mysql_query().

    You'll need to format your string outside of the function, like so:
    Code:
    //Quick sanitization function
    function sql_sanitize($value) {
     return addslashes($value); //There are better ones out there
    }
    $q="UPDATE wiki_quotes SET Quote='".sql_sanitize($quote)."' WHERE id='".sql_sanitize($counter)."'"; //You may not have to sanitize your id, but just as a precaution
    $res=mysql_query($q);
    Something like that ought to work.

    EDIT: Err, disregard my comment about the parsing and all that. That doesn't seem to apply. However, keep the sanitization in mind.
    My suggestion is to check your $counter value and see if it is valid.
     
    Last edited: Feb 19, 2008
  3. sunils

    sunils New Member

    If quotes and counter are PHP variables, then I think this will work.
    PHP:
     mysql_query("UPDATE wiki_quotes SET Quote='".$quotes."' WHERE id='".$counter."'") or die(mysql_error());
    If it's the other way, remove the space in between the id and the equals symbol.
     
  4. kajasweb

    kajasweb New Member

    Enclose the value of $quotes between double quotes. That value may have some spaces.

    PHP:
    mysql_query("UPDATE wiki_quotes SET Quote = \"" . $quotes . "\" WHERE id = '$counter'") or die(mysql_error());
    If the field "id" is a numeric one, don't enclose it with single quotes.
     
    Last edited: Feb 19, 2008
  5. taekwondokid42

    taekwondokid42 New Member

    Okay, that problem is solved :).


    Now, I have a new one:

    $counter = 1;
    $quote = 'quote_';
    $quotes = $_POST['$quote.$counter'];

    ---------------------------------------------------------
    echo $_POST['$quote.$counter'];

    gives me what I need to know (whatever was submitted in the form)

    echo $quotes;

    does not spit out anything. Does anybody know why?
    Edit:
    $counter = 1;
    $quote = 'quote_';
    $quotes = $_POST['$quote.$counter'];

    ------------------------------------------------
    echo $_POST[$quote.$counter];

    gives me whatever was submitted in the form.



    echo stripslashes($quotes);

    Does not give me anything.


    edit: nvm, I see my problem...
     
    Last edited: Feb 19, 2008
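The same UPDATE written with a PDO prepared statement, as an added example that is not code from this thread: it covers the sanitization question from post 2 (bound parameters replace addslashes, and an empty $quotes yields a valid statement instead of the syntax error in post 1) and the quote_N form keys from post 5 (the key is built with '.' rather than put inside single quotes). The $pdo connection, DSN and credentials are assumed placeholders; the table and column names are the thread's own.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection in $pdo (placeholder DSN
// and credentials below) and form fields named quote_1, quote_2, ... as in post 5.

function update_quote(PDO $pdo, int $id, string $quote): int {
    // Placeholders instead of string concatenation: the values are sent separately
    // from the SQL text, so a quote character (or an empty value) in $quote cannot
    // alter the statement's syntax, and no addslashes() is needed.
    $stmt = $pdo->prepare('UPDATE wiki_quotes SET Quote = :quote WHERE id = :id');
    $stmt->bindValue(':quote', $quote, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // 0 means no row with that id (or the value was unchanged)
}

// Constructed sample of what $_POST would hold after the form is submitted.
$post = ['quote_1' => "It's a test", 'quote_2' => 'second quote'];

// Placeholder connection details; ERRMODE_EXCEPTION throws instead of failing silently,
// and disabling emulated prepares makes the server do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=wiki', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

for ($counter = 1; $counter <= 2; $counter++) {
    // Build the key with the '.' operator; '$quote.$counter' in single quotes is a
    // literal string and never matches a real form field (the problem in post 5).
    $key = 'quote_' . $counter;
    if (!isset($post[$key])) {
        continue;   // field not submitted: skip rather than writing an empty Quote
    }
    $changed = update_quote($pdo, $counter, (string) $post[$key]);
    echo "id $counter: $changed row(s) updated\n";
}
```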
