mattwal Posted March 20, 2009

Hello all, I'm having issues with a query where I want to SELECT comment_id, post_id, name, email, comment, date_entered FROM comments WHERE post_id=(** post_id **)

The query:

    // Define the query
    $query = 'SELECT comment_id, post_id, name, email, comment, DATE_FORMAT(date_entered, \'%M %D, %Y\' AS date FROM comments WHERE post_id=$_GET['aid']';

I know it's at the "WHERE post_id=$_GET['aid']" but I can't seem to find the right format to make it work? If anyone has the time I'd really appreciate the help with the right syntax.

Full code:

    <?php
    //This script adds a comment entry to the database via the $_GET['aid'] variable.
    //address error handling
    ini_set ('display_errors', 1);
    error_reporting (E_ALL & ~E_NOTICE);
    include ('./assets/connect.php');

    if(isset ($_POST['submit'])) { //Handles the form
        //Define the query
        $aid = $_GET["aid"];
        $query = "INSERT INTO comments (comment_id, post_id, name, email, comment, date_entered) VALUES (0, '{$_POST['postid']}', '{$_POST['name']}', '{$_POST['email']}', '{$_POST['comment']}', NOW())";
        //Execute the query
        if (@mysql_query ($query)) {
            print '<p>The blog entry has been added.</p>';
        } else {
            print "<p>Could not add the entry because: <b>" . mysql_error() . "</b>. The query was $query.</p>";
        }
    } //end of form handler

    //Display the form
    ?>
    <?php echo $_GET['aid']; ?>
    <form id="subForm" name="subForm" method="post" action="comment_form.php">
    <p><label for="name" class="label">What is your name?</label> <input type="text" name="name" id="name" /></p>
    <p><label for="email" class="label">What is your email address?</label> <input type="text" name="email" id="email" /></p>
    <p><label for="comments" class="label">comments? </label> <textarea name="comment" rows="4" id="comments"></textarea></p>
    <p><input type="hidden" name="postid" value="<?php echo $_GET['aid']; ?>" /> <input type="submit" name="submit" id="subscribe" value="Add Comment!" /></p>
    </form>
    <br /><br />
    <?php
    // Define the query
    $query = 'SELECT comment_id, post_id, name, email, comment, DATE_FORMAT(date_entered, \'%M %D, %Y\' AS date FROM comments WHERE post_id=$_GET['aid']';

    if ($r = mysql_query ($query)) { //Run Query
        // Retrieve and print every record.
        while ($row = mysql_fetch_array ($r)) {
            echo $_GET['aid'];
            echo ' <tbody> <tr> <td>' . $row['name'] . '</td> <td>' . $row['comment'] . '</td> </tr> </tbody> </table>';
        }
    } else { //query didn't run
        die ('<p>Could not retrieve the data because: <b>' . mysql_error() . "</b>. The query was $query.</p>");
    } // end of IF query.

    mysql_close();
    ?>

Link to comment: https://forums.phpfreaks.com/topic/150412-parse-error/
trq Posted March 20, 2009

Variables are not interpolated within single quotes.

    $query = 'SELECT comment_id, post_id, name, email, comment, DATE_FORMAT(date_entered, \'%M %D, %Y\') AS date FROM comments WHERE post_id=' . $_GET['aid'];

You also should be running your input through mysql_real_escape_string; the way you are doing it now opens your code to SQL injection.
mattwal Posted March 20, 2009 (Author)

Thank you for the help. Also, I do run it through mysql_real_escape_string; it's just in an outside file.
redarrow Posted March 20, 2009

I would love to see the code that protects your database, as you're posting straight through the insert itself. I cannot imagine a way for an external file to protect your insert, no way.
mattwal Posted March 21, 2009 (Author)

In the order in which the files are called:

1) the comment_form.php <<< in the root folder.

    <?php
    // Comment Form Page

    // Define Page TITLE
    define('TITLE', 'MWDesigns: Comment');
    // Define SECTION
    define('SECTION', 'Comments');
    // Define PAGE
    define('PAGE', 'Comment Form');

    // Address ERROR Handling
    ini_set ('display_errors', 1);
    error_reporting (E_ALL & ~E_NOTICE);

    // Include header information
    require ('./assets/header.php');

    // Start of Main Content //
    include ('./pages/comment_form.php');
    // End of Main Content //

    //Include Footer information
    require ('./assets/footer.php');
    ?>

2) the comment_form.php <<< the main content file (updated code, still needs some work)

    <?php
    //This script adds a comment entry to the database via the $_GET['aid'] variable.
    //address error handling
    ini_set ('display_errors', 1);
    error_reporting (E_ALL & ~E_NOTICE);
    include ('./assets/connect.php');

    if(isset ($_POST['submit'])) { //Handles the form
        //Define the query
        $aid = $_GET["aid"];
        $query = "INSERT INTO comments (comment_id, post_id, name, email, comment, date_entered) VALUES (0, '{$_POST['postid']}', '{$_POST['name']}', '{$_POST['email']}', '{$_POST['comment']}', NOW())";
        //Execute the query
        if (@mysql_query ($query)) {
            print '<p>The blog entry has been added.</p>';
        } else {
            print "<p>Could not add the entry because: <b>" . mysql_error() . "</b>. The query was $query.</p>";
        }
    } //end of form handler

    //Display the form
    ?>
    <?php echo $_GET['aid']; ?>
    <form id="subForm" name="subForm" method="post" action="comment_form.php">
    <p><label for="name" class="label">What is your name?</label> <input type="text" name="name" id="name" /></p>
    <p><label for="email" class="label">What is your email address?</label> <input type="text" name="email" id="email" /></p>
    <p><label for="comments" class="label">comments? </label> <textarea name="comment" rows="4" id="comments"></textarea></p>
    <p><input type="hidden" name="postid" value="<?php echo $_GET['aid']; ?>" /> <input type="submit" name="submit" id="subscribe" value="Add Comment!" /></p>
    </form>
    <br /><br />
    <table id="responses">
    <caption align="top">Reader's Comments</caption>
    <colgroup> <col /> <col /> </colgroup>
    <thead>
    <tr> <th width="99" id="reader" scope="col">Reader</th> <th width="753" id="comment" scope="col">Comment</th> </tr>
    </thead>
    <tbody>
    <?php
    // Define the query
    $query = 'SELECT comment_id, post_id, name, email, comment, DATE_FORMAT(date_entered, \'%M %D, %Y\') AS date FROM comments WHERE post_id=' . $_GET['aid'];

    if ($r = mysql_query ($query)) { //Run Query
        // Retrieve and print every record.
        $bg = '#FFFFFF'; // Set background color
        while ($row = mysql_fetch_array ($r)) {
            $bg = ($bg=='#FFFFFF' ? '#CCCCCC' : '#FFFFFF'); // Switch background colors
            echo '<tr bgcolor="' . $bg . '"> <td>' . $row['name'] . '</td> <td>' . $row['comment'] . '</td></tr>';
        }
    } else { //query didn't run
        die ('<p>Could not retrieve the data because: <b>' . mysql_error() . "</b>. The query was $query.</p>");
    } // end of IF query.

    mysql_close();
    ?>
    </tbody>
    </table>

3) the connection file, where the mysql_real_escape_string and the function for magic quotes are.

    <?php # Script 8.1 - mysql_connect.php
    // This file contains the database access information.
    // This file also establishes a connection to MySQL and selects the database.
    // This file also defines the escape_data() function.

    // Set the database access information as constants.
    DEFINE ('DB_USER', 'USERNAME');
    DEFINE ('DB_PASSWORD', 'PASSWORD');
    DEFINE ('DB_HOST', 'localhost');
    DEFINE ('DB_NAME', 'DATABASE');

    // Make the connection.
    $dbc = @mysql_connect (DB_HOST, DB_USER, DB_PASSWORD) OR die ('Could not connect to MySQL: ' . mysql_error() );

    // Select the database.
    @mysql_select_db (DB_NAME) OR die ('Could not select the database: ' . mysql_error() );

    // Create a function for escaping the data.
    function escape_data ($data) {
        // Address Magic Quotes.
        if (ini_get('magic_quotes_gpc')) {
            $data = stripslashes($data);
        }
        // Check for mysql_real_escape_string() support.
        if (function_exists('mysql_real_escape_string')) {
            global $dbc; // Need the connection.
            $data = mysql_real_escape_string (trim($data), $dbc);
        } else {
            $data = mysql_escape_string (trim($data));
        }
        // Return the escaped value.
        return $data;
    } // End of function.
    ?>

But now that you mention it, I need to check the inputted information against the function in my connection file lol... as of right now you're right lol... Also I need to make an if statement on the 2nd part of the main content file (2nd code listing) so if there are no comments it will print out something like "be the first to comment".
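Editor's added example (not code from anyone in this thread): trq's two points (single quotes do not interpolate, and concatenating $_GET['aid'] into the SQL is an injection hole) and mattwal's two open items (the INSERT never goes through escape_data(), and an empty result should show "be the first to comment") are all addressed by prepared statements rather than string-building. The script below rewrites the same page with PDO. It assumes a MySQL DSN, the same `comments` table and columns as the listings above with `comment_id` as an AUTO_INCREMENT key, and placeholder credentials in the DB_* constants.

```php
<?php
// Added example: the comment page with PDO prepared statements, so request
// data is bound as parameters and never becomes part of the SQL text.
// Assumptions: MySQL, comments(comment_id AUTO_INCREMENT, post_id, name,
// email, comment, date_entered); DB_* values are placeholders.
define('DB_DSN', 'mysql:host=localhost;dbname=DATABASE;charset=utf8mb4');
define('DB_USER', 'USERNAME');
define('DB_PASSWORD', 'PASSWORD');

$pdo = new PDO(DB_DSN, DB_USER, DB_PASSWORD, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silent failure
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// Validate the article id as a positive integer once, then reuse it everywhere.
$aid = filter_input(INPUT_GET, 'aid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($aid === false || $aid === null) {
    http_response_code(400);
    exit('<p>Missing or invalid article id.</p>');
}

if (isset($_POST['submit'])) {
    // Bound parameters replace the string-built INSERT; no escaping function needed.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (post_id, name, email, comment, date_entered)
         VALUES (:post_id, :name, :email, :comment, NOW())'
    );
    $stmt->execute([
        ':post_id' => $aid, // from the validated URL, not the editable hidden field
        ':name'    => trim($_POST['name'] ?? ''),
        ':email'   => trim($_POST['email'] ?? ''),
        ':comment' => trim($_POST['comment'] ?? ''),
    ]);
    echo '<p>The comment has been added.</p>';
}

// The SELECT from the thread, with post_id bound instead of concatenated.
$stmt = $pdo->prepare(
    "SELECT comment_id, post_id, name, email, comment,
            DATE_FORMAT(date_entered, '%M %D, %Y') AS date
     FROM comments
     WHERE post_id = :post_id
     ORDER BY date_entered"
);
$stmt->execute([':post_id' => $aid]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

echo '<table id="responses">';
if ($rows === []) {
    // The empty case mattwal asked about.
    echo '<tr><td colspan="3">Be the first to comment!</td></tr>';
}
foreach ($rows as $row) {
    // Escape on output: stored comments are untrusted HTML just as they were untrusted SQL.
    printf('<tr><td>%s</td><td>%s</td><td>%s</td></tr>',
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['date'], ENT_QUOTES, 'UTF-8'));
}
echo '</table>';
```

Two design points beyond the SQL itself: the hidden `postid` field is dropped because anything in the form can be edited by the client, so the validated `aid` from the URL is the only source of the post id; and the original listings echo `$_GET['aid']`, `name` and `comment` straight into the page, so the same untrusted values are passed through `htmlspecialchars()` on output here.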