Showing results for tags 'mysql server version'.
Hi all, I am new to this, so please be gentle. I have just taken over a website and moved to new server and it has thrown up a couple of errors, most of which I've sorted other than this one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

This comes up when trying to update a quantity in a shopping cart and I think it has something to do with SQL injection but I've no idea what to do. My two bits of code are below, first the page with the drop down menu on it:

```php
<?php
include 'include/functions.php';

$colname_rsOrderInformation = "-1";
if (isset($_SESSION['cartId'])) {
  $colname_rsOrderInformation = $_SESSION['cartId'];
}
mysql_select_db($database_conDB, $conDB);
$query_rsCartInformation = sprintf("SELECT * FROM tabCart WHERE cartId = %s", GetSQLValueString($colname_rsOrderInformation, "int"));
$rsCartInformation = mysql_query($query_rsCartInformation, $conDB) or die(mysql_error());
$row_rsCartInformation = mysql_fetch_assoc($rsCartInformation);
$totalRows_rsCartInformation = mysql_num_rows($rsCartInformation);
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="keywords" content="belfast, cookery, school, fish, seafood, learning, northern ireland" />
<meta name="description" content="Belfast Cookery School in association with Mourne Seafood Bar - More than just a restaurant" />
<title>Belfast Cookery School in association with Mourne Seafood Bar - More than just a restaurant - Gift Vouchers</title>
<link rel="shortcut icon" href="favicon.ico" />
<link href="main.css" rel="stylesheet" type="text/css"/>
<style type="text/css">
.slideshow { height:319px; width:476px; margin-right:0px; margin-bottom:0px; z-index:0; background-color: #fff;}
.slideshow img { height: 319px !important; width: 476px !important; padding-left: 0px; }
</style>
<!-- include jQuery library -->
<script type="text/javascript" src="include/jquery.min.js"></script>
<!-- include Cycle plugin -->
<script type="text/javascript" src="include/java.js"></script>
<script type="text/javascript">
$(document).ready(function() {
  $('.slideshow').cycle({
    fx: 'fade' // choose your transition type, ex: fade, scrollUp, shuffle, etc...
  });
});
</script><?php if (!isset($_SESSION['memUsername'])) {?>
<script type="text/javascript">
function changeToPassword(){
  document.getElementById("txtLogPassword").type = "password";
  document.getElementById("txtLogPassword").value = ""
}
function resetPassword() {
  if (document.getElementById("txtLogPassword").value == "") {
    document.getElementById("txtLogPassword").type = "text";
    document.getElementById("txtLogPassword").value = "Password";
  }
}
</script>
<?php }?>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-9218136-12']);
_gaq.push(['_trackPageview']);
(function() {
  var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
  var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
```

Now the update function that's called:

```php
<?php
for ($x=1; $x<=$_POST['hidTotalCartItems']; $x++) {
  $tempCartQty = "selQty".$x;
  $newCartQty = @$_POST[$tempCartQty];
  $tempCartItemId = "hidCartRowId".$x;
  $cartItemId = @$_POST[$tempCartItemId];
  $tempCartItemPrice = 'hidCartPrice'.$x;
  $cartItemPrice = @$_POST[$tempCartItemPrice];

  mysql_select_db($database_conDB, $conDB);
  $query_rsUpdateCartLine = sprintf("SELECT * FROM tabCart WHERE Id = %s", $cartItemId);
  $rsUpdateCartLine = mysql_query($query_rsUpdateCartLine, $conDB) or die(mysql_error());
  $row_rsUpdateCartLine = mysql_fetch_assoc($rsUpdateCartLine);
  $totalRows_rsUpdateCartLine = mysql_num_rows($rsUpdateCartLine);

  if ($newCartQty>0) {
    $newCartItemPrice = $newCartQty * $cartItemPrice;
    $updateSQL = sprintf("UPDATE tabCart SET cartQty=%s, cartTotal=%s WHERE Id = %s",
      GetSQLValueString(@$newCartQty, "int"),
      GetSQLValueString(@$newCartItemPrice, "double"),
      GetSQLValueString($cartItemId, "int"));
    mysql_select_db($database_conDB, $conDB);
    $Result1 = mysql_query($updateSQL, $conDB) or die(mysql_error());
    mysql_free_result($rsUpdateCartLine);
  }
  if ($newCartQty==0) {
    $deleteSQL = sprintf("DELETE FROM tabCart WHERE Id = %s",
      GetSQLValueString($cartItemId, "int"));
    mysql_select_db($database_conDB, $conDB);
    $Result1 = mysql_query($deleteSQL, $conDB) or die(mysql_error());
  }
}
?>
```

Anyone got any ideas what I'm doing wrong? When the voucher quantity is changed and update button clicked, that's when the error occurs.
29 replies
Tagged with: sql injection, mysql server version (and 1 more)
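In the update handler posted above, the first SELECT passes `$cartItemId` to `sprintf` without going through `GetSQLValueString`, so a missing or empty `hidCartRowId` field leaves the statement ending at `WHERE Id = `, which MySQL reports as a syntax error near `''`, and the same spot accepts arbitrary SQL text. The following is an added example, not code from the thread: the same cart update written with validated integers and PDO prepared statements (the `mysql_*` functions were removed in PHP 7). It assumes the SQLite PDO driver for an offline demo, a hypothetical `cartPrice` column holding the unit price, and illustrative limits of 100 rows and quantity 99.

```php
<?php
declare(strict_types=1);
// Added example. Assumptions: PDO (SQLite in memory for the demo), a
// hypothetical cartPrice column, and limits of 100 rows / quantity 99.

function intField(array $post, string $key, int $min, int $max)
{
    // Returns an int, or false when the field is missing, empty or non-numeric.
    return filter_var($post[$key] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
}

function updateCart(PDO $db, int $cartId, array $post): array
{
    $rows = intField($post, 'hidTotalCartItems', 0, 100);
    if ($rows === false) {
        return ['rejected: hidTotalCartItems'];
    }
    // Placeholders keep values out of the SQL text; cartId scopes every change
    // to the session's own cart, and the price comes from the table, not the form.
    $upd = $db->prepare('UPDATE tabCart SET cartQty = ?, cartTotal = cartPrice * ?
                         WHERE Id = ? AND cartId = ?');
    $del = $db->prepare('DELETE FROM tabCart WHERE Id = ? AND cartId = ?');
    $log = [];
    for ($x = 1; $x <= $rows; $x++) {
        $id  = intField($post, "hidCartRowId$x", 1, PHP_INT_MAX);
        $qty = intField($post, "selQty$x", 0, 99);
        if ($id === false || $qty === false) {
            $log[] = "row $x: rejected";   // bad field never reaches the database
        } elseif ($qty === 0) {
            $del->execute([$id, $cartId]);
            $log[] = "row $x: deleted";
        } else {
            $upd->execute([$qty, $qty, $id, $cartId]);
            $log[] = "row $x: qty $qty";
        }
    }
    return $log;
}

// Constructed sample data: row 2 arrives with an empty id, row 3 with a non-numeric one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tabCart (Id INTEGER PRIMARY KEY, cartId INTEGER,
           cartQty INTEGER, cartPrice REAL, cartTotal REAL)');
$db->exec('INSERT INTO tabCart VALUES (1, 7, 1, 25.0, 25.0), (2, 7, 1, 50.0, 50.0)');
$post = ['hidTotalCartItems' => '3', 'hidCartRowId1' => '1', 'selQty1' => '3',
         'hidCartRowId2' => '', 'selQty2' => '2', 'hidCartRowId3' => '2x', 'selQty3' => '0'];
print_r(updateCart($db, 7, $post));
print_r($db->query('SELECT Id, cartQty, cartTotal FROM tabCart')->fetchAll(PDO::FETCH_ASSOC));
```

On a MySQL server only the PDO DSN and credentials change; the validation and the prepared statements stay the same.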