
Please help still struggling with this


Attila


Can't seem to see what is wrong with this.  The error I am getting is this: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Greg's TestER WHERE `id` = 3 LIMIT 1' at line 8

 

$qinsert = "UPDATE `Character` SET `user` = '$_POST[username]',
`password` = '$_POST[password]', 
`realname` = '$_POST[realname]', 
`maintoonsname` = '$_POST[maintoonsname]', 
`location` = '$_POST[location]', 
`timezone` = '$_POST[timezone]', 
`playtime` = '$_POST[playtime]', 
`blog` = $blogging 
WHERE `id` = $idd LIMIT 1";

mysql_query($qinsert) or die(mysql_error());


To the best of my knowledge everything has a value.  I did the change you suggested; now I am getting this error:  Unknown column 'This is Greg's TestERt' in 'field list'

 

$qinsert = "UPDATE `Character` SET `user` = '$_POST[username]',
`password` = '$_POST[password]', 
`realname` = '$_POST[realname]', 
`maintoonsname` = '$_POST[maintoonsname]', 
`location` = '$_POST[location]', 
`timezone` = '$_POST[timezone]', 
`playtime` = '$_POST[playtime]', 
`blog` = `$blogging`
WHERE `id` = $idd LIMIT 1";


mysql_query($qinsert) or die(mysql_error());



If I completely understood you, this is what I did.  Sorry, I just tinker with this stuff. I did go to http://us2.php.net/mysql_real_escape_string to see how to do it, but I am not the best at this stuff so I am confused.  I would think you would want to do this: mysql_real_escape_string($idd); before you created the query to remove whatever it is removing.  LOL sorry, but thanks for your help, all of you.

 

$qinsert = "UPDATE `Character` SET `user` = '$_POST[username]',
`password` = '$_POST[password]', 
`realname` = '$_POST[realname]', 
`maintoonsname` = '$_POST[maintoonsname]', 
`location` = '$_POST[location]', 
`timezone` = '$_POST[timezone]', 
`playtime` = '$_POST[playtime]', 
`blog` = `$blogging`
WHERE `id` = $idd LIMIT 1";
mysql_real_escape_string($idd);
mysql_real_escape_string($blogging);


mysql_query($qinsert) or die(mysql_error());


Best thing to do is to loop the post data into a mysql_real_escape_string() to catch everything. Then I prefer to always escape Superglobals within strings (SQL string in this case); I find it makes the code easier to read within programs with code highlighting and prevents any common gotchas.

<?php
foreach ($_POST as $name => $value)
{
$_POST[$name] = mysql_real_escape_string($value);
}

$qinsert = "UPDATE `Character` SET `user` = '".$_POST['username']."',
`password` = '".$_POST['password']."', 
`realname` = '".$_POST['realname']."', 
`maintoonsname` = '".$_POST['maintoonsname']."', 
`location` = '".$_POST['location']."', 
`timezone` = '".$_POST['timezone']."', 
`playtime` = '".$_POST['playtime']."', 
`blog` = `$blogging`
WHERE `id`='$idd' LIMIT 1";

mysql_query($qinsert) or die(mysql_error());
?>


Do something like this (i.e. let PHP do the work of creating the query)

<?php
// Form fields copied straight from $_POST; `blog` is added separately below from $blogging
$flds = array('username','password','realname','maintoonsname','location','timezone','playtime');
$qtmp = array();
foreach ($flds as $fld)  {
    // The form field `username` is stored in the `user` column
    if ($fld == 'username') $qtmp[] = "`user` = '" . mysql_real_escape_string($_POST[$fld]) . "'";
    else $qtmp[] = "`" . $fld . "` = '" . mysql_real_escape_string($_POST[$fld]) . "'";
}
// Append the blog assignment to the list of SET clauses
$qtmp[] = "`blog` = '" . mysql_real_escape_string($blogging) . "'";
// Join the clauses into one UPDATE statement
$q = "update `Character` SET " . implode(', ', $qtmp) . " where `id` = '" . mysql_real_escape_string($idd) . "' limit 1";
mysql_query($q) or die("Problem with the query: $q<br>" . mysql_error());
?>

 

Ken
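The approach from this post (a fixed field list, with PHP building the SET clause) written with bound parameters instead of mysql_real_escape_string(), as an added example that is not part of the thread. `updateCharacter()`, the sample values and the in-memory SQLite table standing in for MySQL are assumptions for the demo; the `mysql_*` functions used above were removed in PHP 7.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Form field => column. Column names only ever come from this fixed map.
// `password` is left out on purpose: store password_hash() output, not the raw value.
const FIELD_TO_COLUMN = [
    'username' => 'user', 'realname' => 'realname',
    'maintoonsname' => 'maintoonsname', 'location' => 'location',
    'timezone' => 'timezone', 'playtime' => 'playtime',
];

function updateCharacter(PDO $db, int $id, array $post, string $blog): int
{
    $set = [];
    $params = [':id' => $id, ':blog' => $blog];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            continue;                       // skip fields the form did not send
        }
        $set[] = "`$column` = :$field";     // identifiers use backticks, values use placeholders
        $params[":$field"] = $post[$field]; // the value never becomes part of the SQL text
    }
    $set[] = '`blog` = :blog';
    // LIMIT 1 is omitted: `id` is the primary key, and SQLite rejects LIMIT on UPDATE.
    $sql = 'UPDATE `Character` SET ' . implode(', ', $set) . ' WHERE `id` = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed demo data: the table layout is inferred from the column names in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `Character` (id INTEGER PRIMARY KEY, user TEXT, password TEXT,
    realname TEXT, maintoonsname TEXT, location TEXT, timezone TEXT, playtime TEXT, blog TEXT)');
$db->exec("INSERT INTO `Character` (id, user, blog) VALUES (3, 'userS', '')");

// Apostrophes in the values no longer end the string literal early.
$post = ['username' => 'userS', 'realname' => 'Greg', 'location' => "St. John's"];
$changed = updateCharacter($db, 3, $post, "This is Greg's TestER");
$row = $db->query('SELECT user, location, blog FROM `Character` WHERE id = 3')
          ->fetch(PDO::FETCH_ASSOC);
var_dump($changed, $row);
```

Against MySQL the same function works with a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the parameter binding.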

 


You all have provided me great ways to do this and I tried both ways with still no luck.  The problem is me not you guys.  I am so new at this that I am not sure if I have something from above all this wrong.  So here is the entire page.  If you can help with this it would be much appreciated.  Don't laugh too much.  To see the page please go to: http://thaczero.com/memberslog.php 

The user is: userS

Password is: passwordS

 

I am still getting the same error.

 

Thanks again.

 

<?
// start the session 
session_start();
ob_start();
header("Cache-control: private"); //IE 6 Fix 
?>
<title>THAC0 (To Hit Armor Class Zero)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="CSS/style.css" rel="stylesheet" type="text/css">
<body bgcolor="#000000" text="#CCCCCC">
<div>
<? 

include ('includes/thacoheader.php');
include ('includes/allfunctions.php');

if ($count != "1") 
{

$sql = "SELECT * FROM `Character` WHERE `user` = \"$_SESSION[name]\" AND `password` =  \"$_SESSION[pass]\"";
database_connected();
$result = mysql_query($sql) or die(mysql_error());
$num_rows = mysql_num_rows($result);
while($row = mysql_fetch_array($result)) 
{  
$count = 1;
$uname = $_SESSION['name'];
$pass = $_SESSION['pass'];
$img = $row['picture'];
$rname = $row['realname'];
$toon = $row['maintoonsname'];
$loc = $row['location'];
$tim = $row['timezone'];
$ptim = $row['playtime'];
$origblog = $row['blog'];
$idd = $row['id'];
} //end to the while loop
}
?>
<p align="center"><img src="<? echo $img; ?>"></p>
<?
$top_form = "<form method=\"post\" action=\"$_SERVER[php_SELF]\">

<table align=\"center\">
<tr class=\"cindex\">
    	<td>Field Name</td>
    	<td>This is what is in the database</td>
	<td>This is the colum you edit</td>
	<td>Notes</td>
  </tr>
<tr class=\"cindex\">
    	<td>User Name:</td>
    	<td>$uname</td>
	<td><input name=\"textfield\" type=\"text\" name=\"username\" size=\"30\" maxlength=\"30\" value=\"$_POST[username]\"/></td>
	<td>This can only be up to 30 Characters long with no spaces just your first name.</td>
  </tr>
  </tr>
<tr class=\"cindex\">
    	<td>Password:</td>
    	<td>$pass</td>
	<td><input name=\"textfield\" type=\"text\" name=\"password\" size=\"30\" maxlength=\"30\" value=\"$_POST[password]\"/></td>
	<td>This can only be up to 30 Characters long with no spaces just your first name.</td>
  </tr>
  </tr>
<tr class=\"cindex\">
    	<td>Real Name:</td>
    	<td>$rname</td>
	<td><input name=\"textfield\" type=\"text\" name=\"realname\" size=\"30\" maxlength=\"30\" value=\"$_POST[realname]\"/></td>
	<td>This can only be up to 30 Characters long with no spaces just your first name.</td>
  </tr>
<tr class=\"cindex\">
    	<td>Main Toons Name:</td>
    	<td>$toon</td>
	<td><input name=\"textfield\" type=\"text\" name=\"maintoonsname\" size=\"30\" maxlength=\"30\" value=\"$_POST[maintoonsname]\"/></td>
	<td>This can only be up to 30 Characters long with no spaces just your characters first name.</td>
  </tr>
<tr class=\"cindex\">
    	<td>Location:</td>
    	<td>$loc</td>
	<td><input name=\"textfield\" type=\"text\" name=\"location\" size=\"30\" maxlength=\"30\" value=\"$_POST[location]\"/></td>
	<td>This can only be up to 30 Characters long and it is where you live.</td>
  </tr>
<tr class=\"cindex\">
    	<td>Time Zone:</td>
    	<td>$tim</td>
	<td><input name=\"textfield\" type=\"text\" name=\"timezone\" size=\"30\" maxlength=\"30\" value=\"$_POST[timezone]\"/></td>
	<td>What time zone do you live in?</td>
  </tr>
<tr class=\"cindex\">
   	<td>Play time:</td>
   	<td>$ptim</td>
	<td><input name=\"textfield\" type=\"text\" name=\"playtime\" size=\"30\" maxlength=\"30\" value=\"$_POST[playtime]\"/></td>		
	<td>What time of day do you usually play?</td>
  </tr>
<tr class=\"cindex\">
   	<td colspan=\"4\">Blog:</td>
  </tr>
    </tr>
<tr class=\"cindex\">
   	<td colspan=\"4\"><p>Just add more of your blog information at the top here.  If you delete any data here and submit it will be lost.  This data is going to be parsed with BBC code.  So some things that you can do to spruce up your coding look like this:  	
  </p>
  <p>This is for Bold					[b][/b]
  <br>	    
    This is for italix					[i][/i]
    <br>
    This is for underline				[u][/u]
    <br>
    This is for a hyperlink				[url][/url]
    <br>
    This is to align left				[align=left][/align]
    <br>
    This is to align center				[align=center][/align]
    <br>
    This is to align right				[align=right[/align]
        <br>
        This is for an image			    [img][/img] </p>
  <br>
  You will need to put your text between those tags so they will work.  If you accidantly screwed up on what you are adding and want to start over please go to another web address like www.thaczero.com then relog back in so you will not loose what you already have in the database.
  </td>
  </tr>

<tr class=\"cindex\">
<td colspan=\"2\"><div align=\"center\" align=\"top\">$origblog</div>
<td colspan=\"2\"><div align=\"center\"><textarea name=\"blog\" cols=\"75\" rows=\"30\">$_POST[blog]</textarea></div>
</tr>
</tr>
  </tr>
<tr class=\"cindex\">
   	<td colspan=\"4\"><div align=\"center\">
   	  <input type=\"submit\" name=\"Submit\" value=\"Submit\" />
      <input type=\"hidden\" name=\"op\" value=\"ds\">
	  </div></td>
  </tr>
</table>
</form>";


if ($_POST[op] != "ds") 
{ 
	// they need to see the form 
	echo $top_form; 
} 
else if ($_POST[op] == "ds") 
	{ 
	$blogging = $origblog.$_POST['blog'];
	database_connected();

	$postedrealname = $_POST['realname'];
	$postedmaintoonsname = $_POST['maintoonsname'];
	$postedulocation = $_POST['location'];
	$postedtimezone = $_POST['timezone'];
	$postedplaytime = $_POST['playtime'];



//$query = ("UPDATE `Character` SET `maintoonsname` = '$_POST[maintoonsname]' 
//, `location` = '$_POST[location]' 
//, `timezone` = '$_POST[timezone]' 
//, `playtime` = '$_POST[playtime]' 
//, `blog` = '$blogging'
//WHERE `id` = '$row[id]' ");


foreach ($_POST as $name => $value)
{
$_POST[$name] = mysql_real_escape_string($value);
}

$qinsert = "UPDATE `Character` SET `user` = '".$_POST['username']."',
`password` = '".$_POST['password']."', 
`realname` = '".$_POST['realname']."', 
`maintoonsname` = '".$_POST['maintoonsname']."', 
`location` = '".$_POST['location']."', 
`timezone` = '".$_POST['timezone']."', 
`playtime` = '".$_POST['playtime']."', 
`blog` = `$blogging`
WHERE `id`='$idd'";

mysql_query($qinsert) or die(mysql_error());
	}
include ('includes/thacofooter.php');
?>


You're not using mysql_real_escape_string on the $blogging value. That's where your problem lies. If you use my solution, it is taken care of.

 

<?php
$qinsert = "UPDATE `Character` SET `user` = '".$_POST['username']."',
`password` = '".$_POST['password']."', 
`realname` = '".$_POST['realname']."', 
`maintoonsname` = '".$_POST['maintoonsname']."', 
`location` = '".$_POST['location']."', 
`timezone` = '".$_POST['timezone']."', 
`playtime` = '".$_POST['playtime']."', 
`blog` = '" . mysql_real_escape_string($blogging) . "'
WHERE `id`='$idd'";
?>

 

Ken


Thank you so much, that worked.  I do have another minor problem though.  The only thing I changed in the above code is what you reposted.  But now I have no data in the following fields:

 

$_POST['username']

$_POST['password']

$_POST['realname']

$_POST['maintoonsname']

$_POST['location']

$_POST['timezone']

$_POST['playtime']

 

 

Am I trying to do too much on the page? Did I lose the values somewhere?
