I get an error when I try to edit some info in my MySQL. When I click submit I get this error: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' WHERE ad_id=''' at line 1" There's nothing like that in line 1, so I tried to look for that code. Found instances where " where ad_id='" repeated. So, I changed a few to see which one exactly was. Then I found the one where the problem I think is... Here is the code...
    $query = "UPDATE tb_ads SET ad_url='$url', ad_description='$description', clicksleft='{$_POST['clicksleft']}', premium='{$_POST['premium']} WHERE ad_id='$id'";
    mysql_query($query) or die(mysql_error());
What's the problem?! I tried a few things, but they didn't work. Thanks!!!
I wonder if you've used addslashes on the description. If the description has ' in it the sql statement will fall over. addslashes puts a \' in there instead. It's also worth putting a check in there for the sql injection tricks that malicious users will try.
Thanks for your help...but, sorry; I am not quite sure of what you meant to say since I am not too much into PHP.
echo $query and see what it throws back at you. By malicious sql injection, I think they meant things like OR 1=1, or DROP TABLE users....some lovely people like to add that on the end of their form submissions, just to mess with your database...
Forgot a ' at the end of premium='{$_POST['premium']}' Use the following.. escapes the user inputted stuff to prevent MySQL Injections.
    $query = "UPDATE `tb_ads` SET `ad_url` = '".mysql_real_escape_string($url)."', `ad_description`= '".mysql_real_escape_string($description)."', `clicksleft` = '".{$_POST['clicksleft']}."', `premium` = '".mysql_real_escape_string($_POST['premium'])."' WHERE `ad_id` = '".(int)$id."'
addslashes() is deprecated.. use mysql_real_escape_string()
Thanks, but when I put the code I got this error: "Parse error: syntax error, unexpected '{' in /home/content/g/a/m/gamalfjz/html/admin.php on line 616" However, now that error was the whole page. Before, the error was just a little bit. I also did notice the ' that was missing, but didn't fix it. I put the code just like you gave it, then I thought I maybe also had to add the second line that I put in the original post. But, it didn't work either way. Thanks though.
Wait... Before, I was putting ' and a comma, thinking it needed the comma. Now I only put the ' since I understood that it didn't need a comma and I got this error: "Table 'GamalFJZ.tb_ads' doesn't exist" But, it does exist...is it like a space error? Like it needs a space or something?
Sorry for my repeated posts...but I went into my MySQL database, and the name is "ads" not "tb_ads" so now, the script works like it should. However, it doesn't actually update it. It just doesn't give me an error, and works like it should. But, it doesn't actually update it...
I thought it was, but no. I changed it, and now the script works well; I don't get an error. But, it doesn't update/change it in the MySQL.
Sorry - I didn't check my syntax before replying (either way please apply the mysql_real_escape_string() changes). Most likely it can't find the ID if there is no error.
Are you sure that $id does exist? Try to echo the statement to see if it produces the desired query. Peace,
I did, may I ask why is it better though? Now I get a complete error though...
    $query = "UPDATE `ads` SET `ad_url`='".mysql_real_escape_string($url)."', `ad_description`='".mysql_real_escape_string($description)."', `clicksleft`='".mysql_real_escape_string{$_POST['clicksleft']}."', `premium`='".mysql_real_escape_string{$_POST['premium']}."' WHERE `ad_id`='".(int)$id."'";
Here is the code with some lines up...I do see an ID
    if ($_POST) {
    $id=$_POST["id"];
    $plan=$_POST["plan"];
    $url=$_POST["url"];
    $description=$_POST["description"];
    // Everything looks correct, proceed with the insertion
    $query = "UPDATE `ads` SET `ad_url`='".mysql_real_escape_string($url)."', `ad_description`='".mysql_real_escape_string($description)."', `clicksleft`='".mysql_real_escape_string{$_POST['clicksleft']}."', `premium`='".mysql_real_escape_string{$_POST['premium']}."' WHERE `ad_id`='".(int)$id."'";
For readability reasons, perhaps you should move mysql_real_escape_string up to the variable declarations. $id = mysql_real_escape_string($_POST['id']); I have a few questions. First, why do you have (int)$id? Secondly, in your if statement, you aren't checking to be sure that anything is actually set, just that the $_POST array exists. Maybe if(isset($_POST['id'])&&$_POST['id']!=null) Echo $query and see what you get back.
He's typecasting the $id variable because he copied my code - though since I'm used to indexing everything / primary keys I assumed the $_POST['id'] would be an integer.. nice catch and it could be the issue. JoseYe: Have the form that's passing the information to the PHP script? Or just replace the (int)$id with mysql_real_escape_string($id).. The (int) is forcing the data in $id to be an integer (even if it's a string).
    if (isset($_POST['id']) && !is_null($_POST['id'])) {
        $id = mysql_real_escape_string($_POST['id']);
        $plan = mysql_real_escape_string($_POST['plan']);
        $url = mysql_real_escape_string($_POST['url']);
        $description = mysql_real_escape_string($_POST['description']);
        $clicksleft = mysql_real_escape_string($_POST['clicksleft']);
        $premium = mysql_real_escape_string($_POST['premium']);
        $query = "UPDATE `ads` SET `ad_url`='$url', `ad_description`='$description', `clicksleft`='$clicksleft', `premium`='$premium' WHERE `ad_id`='$id';";
        echo ($query);
    }
You have kind of a mixed syntax. Try the above for consistency. I'm not entirely sure I got all your variables correct.
Thanks... I get this error now though... "Parse error: syntax error, unexpected T_CASE in /home/content/g/a/m/gamalfjz/html/admin.php on line 875"
    <? break; case (3): ?>
Line 875 is where the "break;" is.
I have the same error as you. Possibly bought the same script as you. I can't solve this error. JoseYe have you already solved the error?
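The UPDATE from this thread written with a PDO prepared statement, as an added example that is not any poster's code: bound parameters replace the hand escaping, and the returned row count exposes the "no error but nothing updates" case. The SQLite in-memory table, its sample row, the helper name updateAd and the integer ad_id are assumptions made for the example.

```php
<?php
// Added example. SQLite in memory stands in for the thread's MySQL `ads` table
// (constructed schema and row) so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ads (ad_id INTEGER PRIMARY KEY, ad_url TEXT,
            ad_description TEXT, clicksleft TEXT, premium TEXT)');
$pdo->exec("INSERT INTO ads VALUES (7, 'http://old.example', 'old', '10', '0')");

// Hypothetical helper: returns the number of rows the UPDATE touched, so the
// caller can tell "no such ad_id" apart from success.
function updateAd(PDO $pdo, array $post): int
{
    // Assumption: ad_id is an integer key. Validate rather than cast,
    // because (int)'' quietly becomes 0 and matches nothing.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // Placeholders keep every submitted value out of the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE ads SET ad_url = :url, ad_description = :description,
                clicksleft = :clicksleft, premium = :premium
          WHERE ad_id = :id'
    );
    $stmt->execute([
        ':url'         => $post['url'] ?? '',
        ':description' => $post['description'] ?? '',
        ':clicksleft'  => $post['clicksleft'] ?? '',
        ':premium'     => $post['premium'] ?? '',
        ':id'          => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed form input; the apostrophes are stored as data, not parsed as SQL.
$post = ['id' => '7', 'url' => 'http://new.example',
         'description' => "Joe's ad' OR 1=1", 'clicksleft' => '25', 'premium' => '1'];
var_dump(updateAd($pdo, $post));
var_dump($pdo->query('SELECT ad_description FROM ads WHERE ad_id = 7')->fetchColumn());

// An id that matches no row: no SQL error is raised, but zero rows change.
var_dump(updateAd($pdo, ['id' => '99'] + $post));
// A missing or non-numeric id is rejected before any query runs.
try {
    updateAd($pdo, ['id' => ''] + $post);
} catch (InvalidArgumentException $e) {
    var_dump($e->getMessage());
}
```

Against MySQL, rowCount() for an UPDATE counts rows whose values actually changed, so resubmitting identical values also returns 0 unless the connection sets PDO::MYSQL_ATTR_FOUND_ROWS.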