papillonstudios Posted June 25, 2009

I'm getting this error after I submit the form. Here's the error:

    Error message = You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' url = WHERE id =' at line 1

Here's my code:

    <?php
    //Checks to see if they're allowed to edit their profile
    if ($uCan['admin']) {
        //Double security in case the admin hasn't set a guest membergroup
        if ($uId) {
            //If the form hasn't been submitted, show it.
            if (!$_POST['update']) {
    ?>
    <form method="post">
    <table width="75%">
    <?php
                //Selecting the news from the table news
                $query = "SELECT * FROM `nav`";
                $result = mysql_query($query) or die(mysql_error());
                while($row = mysql_fetch_assoc($result)) {
                    echo '<tr><td><input type="text" size="25" maxlength="200" name="linkname" value="' . $row ['linkname'] .'"></td><td> <input type="text" size="25" maxlength="200" name="url" value="' . $row ['url'] .'"> </td><td><input type="submit" name="update" value="Change Link "' . $row[' id'] . '></td></tr>';
                }
    ?>
    </table>
    </form>
    <?php
            }
            //Or else it has been submitted...
            else {
                //Get information from the forms secure it all.
                $sitename = secure($_POST['linkname']);
                $url = secure($_POST['url']);
                $update = mysql_query("UPDATE nav SET linkname = " . $_GET['linkname'] . " , url = " . $_GET['url'] . " WHERE id = " . $_GET['id'] . ";");
                if ($update)
                    echo 'Link ' . $row['id'] . ' had been updated, click <a href="index.php?action=upnav">here</a> ';
                else
                    echo "Error message = ".mysql_error();
                //A query to update everything
            }
        }
    }
    ?>

Link to comment https://forums.phpfreaks.com/topic/163579-my-sql-error/

chmpdog Posted June 25, 2009

What are the values for $_GET['url'] and $_GET['id']?

papillonstudios Posted June 25, 2009

Well, url is coming from the form, id comes from the database:

    $query = "SELECT * FROM `nav`";
    $result = mysql_query($query) or die(mysql_error());

chmpdog Posted June 25, 2009

I don't think all the variables are being echoed inside the mysql_query. Try echoing prior to the function to see if all the variables are there.

xtopolis Posted June 25, 2009

You are not sanitizing your input, which is very bad. Also, I am not certain, but your values in the query should be surrounded by single quotes ' unless they are numeric.

Edit: OK, maybe secure() is doing something, but why not use the friendly vars $url, $sitename instead of $_GET['url'], etc.?

papillonstudios Posted June 25, 2009

OK, I commented the echo and added some code so that it echoes the outputs, and here's what it gives me when I change the download like or linkname:

    Contact Us
    index.php?action=contact

papillonstudios Posted July 2, 2009

*bump*

xtopolis Posted July 3, 2009

You'll have to repost what you currently have, but I remember thinking that the problem was that your query didn't have quotes around the values:

Yours:

    $update = mysql_query("UPDATE nav SET linkname = " . $_GET['linkname'] . " , url = " . $_GET['url'] . " WHERE id = " . $_GET['id'] . ";");

Suggested:

    $update = mysql_query("UPDATE nav SET linkname = '" . $_GET['linkname'] . "' , url = '" . $_GET['url'] . "' WHERE id = " . $_GET['id'] . ";");

(Though $_GET['id'] should be sanitized by doing something like:

    $_GET['id'] = intval($_GET['id']);

somewhere above.)

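The query discussed in this thread, rewritten with a prepared statement, as an added example that is not part of any post above. Because the form uses method="post", the values are taken from the submitted POST fields rather than $_GET, and placeholders replace the hand-written quotes. Assumptions: PDO is available, an in-memory SQLite table stands in for the MySQL `nav` table so the script runs offline, the submission carries an `id` field, and `update_nav_link()` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumption: an in-memory SQLite
// table stands in for the MySQL `nav` table so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE nav (id INTEGER PRIMARY KEY, linkname TEXT, url TEXT)');
$pdo->exec("INSERT INTO nav (id, linkname, url) VALUES (1, 'Contact Us', 'index.php?action=contact')");

/**
 * Update one nav row from submitted form fields (hypothetical helper).
 * Returns true when one row was changed, false on invalid input or unknown id.
 */
function update_nav_link(PDO $pdo, array $post): bool
{
    // The id must be a clean positive integer; reject anything else before SQL.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $linkname = trim((string)($post['linkname'] ?? ''));
    $url = trim((string)($post['url'] ?? ''));
    if ($id === false || $linkname === '' || $url === '') {
        return false;
    }
    // Mirror the form's maxlength="200" on the server; the browser limit is advisory.
    if (strlen($linkname) > 200 || strlen($url) > 200) {
        return false;
    }
    // Placeholders keep the values out of the SQL text, so quotes need no escaping.
    $stmt = $pdo->prepare('UPDATE nav SET linkname = :linkname, url = :url WHERE id = :id');
    $stmt->execute([':linkname' => $linkname, ':url' => $url, ':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Constructed sample submissions (stand-ins for $_POST).
$samples = [
    ['id' => '1', 'linkname' => "Bob's Page", 'url' => 'index.php?action=bob'],
    ['id' => '1abc', 'linkname' => 'x', 'url' => 'y'],  // id is not a clean integer
    ['id' => '', 'linkname' => '', 'url' => ''],        // empty values, as in the error message above
];
foreach ($samples as $post) {
    echo update_nav_link($pdo, $post) ? "updated\n" : "rejected\n";
}
// Print the stored row to confirm what was written.
print_r($pdo->query('SELECT * FROM nav')->fetchAll(PDO::FETCH_ASSOC));
```

With MySQL, only the DSN passed to `new PDO(...)` changes; the prepared statement and the validation stay the same.
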
papillonstudios Posted July 3, 2009

I will try that, but first I have to get my CMS set up again because I had an unexpected reformat.

papillonstudios Posted July 9, 2009

OK, I got it up again, and I'm going to try that code. I will post a report right away after I have tested the code later today.

This topic is now archived and is closed to further replies.