
Can someone help me? I seem to have stumped myself (not very hard to do).

$sql = "UPDATE $table SET firstname=".sql_safe($firstname).",lastname=".sql_safe($lastname).",
          firstname2=".sql_safe($firstname2).",lastname2=".sql_safe($lastname).",clientID=".sql_safe($clientID).",
          boss=".sql_safe($boss).",address=".sql_safe($address).",home=".sql_safe($home).",mobile=".sql_safe($home).",
          work=".sql_safe($work).",email=".sql_safe($email).",email2=".sql_safe($email2).",bday=".sql_safe($bday).",
          bmonth=".sql_safe($bmonth).",byear=".sql_safe($byear).",address2=".sql_safe($address2).",phone2=".sql_safe($phone2).",
          accnt=".sql_safe($accnt).",fax=".sql_safe($fax).",ext=".sql_safe($ext).",
          notes=".sql_safe(."CONCAT(today,' - ','".sql_safe($status)."',' - ',newnotes,CHAR(13),notes)".).",status=".sql_safe($status).",
          status2=".sql_safe($status2).",status3=".sql_safe($status3).",status4=".sql_safe($status4).",
          personal=".sql_safe($personal).",business=".sql_safe($business).",payroll=".sql_safe($payroll).",
          retainer=".sql_safe($retainer).",qb=".sql_safe($qb).",comment=".sql_safe($comment)." WHERE id=$id";

 

ERROR on this line:    notes=".sql_safe(."CONCAT(today,' - ','".sql_safe($status)."',' - ',newnotes,CHAR(13),notes)".).",status=".sql_safe($status).",

Thanks.

 

-Brandon

 


I have it set to output $sql, but before the page loads I get:

Parse error: syntax error, unexpected '.', expecting ')' in C:\Program Files\Abyss Web Server\htdocs\edit.php on line 102

 

 

Slightly different code:

		  $sql = "UPDATE $table SET firstname=".sql_safe($firstname).",lastname=".sql_safe($lastname).",
          firstname2=".sql_safe($firstname2).",lastname2=".sql_safe($lastname).",clientID=".sql_safe($clientID).",
          boss=".sql_safe($boss).",address=".sql_safe($address).",home=".sql_safe($home).",mobile=".sql_safe($home).",
          work=".sql_safe($work).",email=".sql_safe($email).",email2=".sql_safe($email2).",bday=".sql_safe($bday).",
          bmonth=".sql_safe($bmonth).",byear=".sql_safe($byear).",address2=".sql_safe($address2).",phone2=".sql_safe($phone2).",
          accnt=".sql_safe($accnt).",fax=".sql_safe($fax).",ext=".sql_safe($ext).",
          notes=".sql_safe(."CONCAT(today,' - ','".sql_safe($status)."',' - ',newnotes,CHAR(13),notes)".).",status=".sql_safe($status).",
          status2=".sql_safe($status2).",status3=".sql_safe($status3).",status4=".sql_safe($status4).",
          personal=".sql_safe($personal).",business=".sql_safe($business).",payroll=".sql_safe($payroll).",
          retainer=".sql_safe($retainer).",qb=".sql_safe($qb).",comment=".sql_safe($comment)." WHERE id=$id";

 

-Brandon

fixed that

 

$sql = "UPDATE $table SET firstname=".sql_safe($firstname).",lastname=".sql_safe($lastname).",
          firstname2=".sql_safe($firstname2).",lastname2=".sql_safe($lastname).",clientID=".sql_safe($clientID).",
          boss=".sql_safe($boss).",address=".sql_safe($address).",home=".sql_safe($home).",mobile=".sql_safe($home).",
          work=".sql_safe($work).",email=".sql_safe($email).",email2=".sql_safe($email2).",bday=".sql_safe($bday).",
          bmonth=".sql_safe($bmonth).",byear=".sql_safe($byear).",address2=".sql_safe($address2).",phone2=".sql_safe($phone2).",
          accnt=".sql_safe($accnt).",fax=".sql_safe($fax).",ext=".sql_safe($ext).",
          notes=".sql_safe("CONCAT(today,' - ','".sql_safe($status)."',' - ',newnotes,CHAR(13),notes)").",status=".sql_safe($status).",
          status2=".sql_safe($status2).",status3=".sql_safe($status3).",status4=".sql_safe($status4).",
          personal=".sql_safe($personal).",business=".sql_safe($business).",payroll=".sql_safe($payroll).",
          retainer=".sql_safe($retainer).",qb=".sql_safe($qb).",comment=".sql_safe($comment)." WHERE id=$id";

Ok, the ""s did not quite fix the problem like I had thought. They still write but they give unintended output. When a new note is made the query should be sent to SQL and today will get its value from CURDATE(), e.g. 2008-5-28, and newnotes are the new notes input by the user, obviously. Status is grabbed from a drop-down menu and input automatically by the script. The CONCAT portion of the code is intended to create a list of notes in a format similar to this:

2008-5-28 - Cancelled - Code Failed

2008-5-27 - Cancelled - Either PHP or CONCAT code is wrong!

2008-5-26 - Complete - Code Works!

if($resultsnumber > 0)
{
	if($newnotes != NULL AND $firstname!=NULL AND $lastname!=NULL)
	{
	  $sql = "UPDATE $table SET newnotes='".sql_safe($newnotes)."', today=CURDATE() WHERE id=$id";
	  $result = mysql_query($sql);
	  
	  echo $sql."<br><br>";

          $sql = "UPDATE $table SET firstname=".sql_safe($firstname).",lastname=".sql_safe($lastname).",
          firstname2=".sql_safe($firstname2).",lastname2=".sql_safe($lastname).",clientID=".sql_safe($clientID).",
          boss=".sql_safe($boss).",address=".sql_safe($address).",home=".sql_safe($home).",mobile=".sql_safe($home).",
          work=".sql_safe($work).",email=".sql_safe($email).",email2=".sql_safe($email2).",bday=".sql_safe($bday).",
          bmonth=".sql_safe($bmonth).",byear=".sql_safe($byear).",address2=".sql_safe($address2).",phone2=".sql_safe($phone2).",
          accnt=".sql_safe($accnt).",fax=".sql_safe($fax).",ext=".sql_safe($ext).",
          notes=CONCAT(today,' - ',".sql_safe($status).",' - ',newnotes,CHAR(13),notes),status=".sql_safe($status).",
          status2=".sql_safe($status2).",status3=".sql_safe($status3).",status4=".sql_safe($status4).",
          personal=".sql_safe($personal).",business=".sql_safe($business).",payroll=".sql_safe($payroll).",
          retainer=".sql_safe($retainer).",qb=".sql_safe($qb).",comment=".sql_safe($comment)." WHERE id=$id";

 

Any ideas? I am unsure if it is the PHP or the MySQL that is incorrect; all I know is the MySQL works perfectly if I type it in manually to Query with assigned values, and it was working before I tried to use sql_safe().

 

sql_safe() Code:

// Function
function sql_safe($value,$allow_wildcards = false, $detect_numeric = true) {
  // Taken from the PHP site and modified for wildcards and automatic formatting for numbers/strings.

  // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
  if (get_magic_quotes_gpc()) {
    if(ini_get('magic_quotes_sybase')) {
      $value = str_replace("''", "'", $value);
    } else {
      $value = stripslashes($value);
    }
  }

  //Escape wildcards for SQL injection protection on LIKE, GRANT, and REVOKE commands.
  if (!$allow_wildcards) {
    $value = str_replace('%','\%',$value);
    $value = str_replace('_','\_',$value);
  }

  // Quote if $value is a string and detection enabled.
  if ($detect_numeric) {
    if (!is_numeric($value)) {
      return "'" . mysql_real_escape_string($value) . "'";
    }
  }

  return mysql_real_escape_string($value);
}

//End Function

I think the problem may be here. If so, I hope to get the topic moved to the SQL help forums.

 

-Brandon

$sql = "UPDATE $table SET newnotes='".sql_safe($newnotes)."', today=CURDATE() WHERE id=$id";
$result = mysql_query($sql);

The error was on this line of code. It was a SQL error not PHP.

 

Code should have been.

[code]$sql = "UPDATE $table SET newnotes=".sql_safe($newnotes).", today=CURDATE() WHERE id=$id";
$result = mysql_query($sql);[/code]

Because the function sql_safe adds in '' automatically to every string.

-Brandon
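
As an added example (not code from the thread): the same note-prepending update done with PDO bound parameters instead of a quoting helper, so the CONCAT expression stays in the statement text and no value is quoted by hand. It folds the thread's two UPDATEs into one by binding the new note directly; `appendNote()`, the `clients` table name and the allow-list are assumptions, and an in-memory SQLite database stands in for MySQL so the block runs without a server.

```php
<?php
// Added example, not the poster's code. Column names follow the thread;
// appendNote(), ALLOWED_TABLES and the 'clients' table name are hypothetical.
const ALLOWED_TABLES = ['clients'];

function appendNote(PDO $pdo, string $table, int $id, string $status, string $note): int
{
    // Identifiers cannot be bound as parameters, so check them against a fixed list.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unexpected table: $table");
    }
    // The SQL expression is part of the statement text; only values are bound.
    // Placeholders are written without quotes: the driver handles quoting.
    $isMysql = $pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql';
    $expr = $isMysql
        ? "CONCAT(CURDATE(), ' - ', :s1, ' - ', :note, CHAR(13), notes)"
        : "date('now') || ' - ' || :s1 || ' - ' || :note || char(13) || notes"; // SQLite form
    // :s1 and :s2 carry the same value; distinct names work with native prepares too.
    $stmt = $pdo->prepare("UPDATE $table SET notes = $expr, status = :s2 WHERE id = :id");
    $stmt->execute([':s1' => $status, ':s2' => $status, ':note' => $note, ':id' => $id]);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (stands in for MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, status TEXT, notes TEXT)");
$pdo->exec("INSERT INTO clients (id, status, notes) VALUES (1, 'Complete', 'first note')");

// sql_safe() would emit '1e3' unquoted because is_numeric() accepts it; a bound
// parameter keeps it a string. Quotes, % and _ in the note are stored verbatim.
$changed = appendNote($pdo, 'clients', 1, '1e3', "O'Brien's note with % and _");
echo "rows changed: $changed\n";
echo $pdo->query("SELECT notes FROM clients WHERE id = 1")->fetchColumn(), "\n";
```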
