
error updating mySQL


Highland3r


I have been writing a CMS script for quite a while now and have recently added the FCK editor. Now I can upload a couple of lines of text, but anything more and I get this error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use

This is my code here:


<?php
require_once('../includes/DbConnector.php');
require_once('../includes/Validator.php');
include_once "../fckeditor/fckeditor.php";

$id = $_GET["id"];
$cmd = $_GET["cmd"];

$connector = new DbConnector();
$validator = new Validator();

mysql_select_db(" web116-edit"); 

//If cmd has not been initialized
if(!isset($cmd)) 
{
   $result = mysql_query("select * from cmsarticles order by id"); 
   

   while($r=mysql_fetch_array($result)) 
   { 

      $title=$r["title"];//take out the title
      $id=$r["ID"];//take out the id
       
      echo "<br>";
    }
}

if($_GET["cmd"]=="edit" || $_POST["cmd"]=="edit")
{
   if (!isset($_POST["Submit"]))
   {
      $sql = "SELECT thearticle FROM cmsarticles WHERE id='$id'";
      $result = mysql_query($sql);        
      $myrow = mysql_fetch_array($result);
      ?>      <form action="index.php?cmd=<?php echo $cmd; ?>&id=<?php echo $id; ?>" method="post">
        <p><? echo $myrow["title"] ?>
	  <?php 

  // Configure and output editor
  $oFCKeditor = new FCKeditor('thearticle');
  $oFCKeditor->BasePath = "/fckeditor/";
  $oFCKeditor->Value    = $myrow["thearticle"];
  $oFCKeditor->Width    = 540;
  $oFCKeditor->Height   = 400;
  echo $oFCKeditor->CreateHtml();
?>
	</p>
        <p>
          <input type="hidden" name="cmd" value="edit" />
          <input name="Submit" type="Submit" value="Publish" />
          <? echo $myrow["links"] ?></p>
      </form>
      <p>
        <?php } 
   if ($_POST["Submit"])
   {
      $thearticle = $_POST["thearticle"];
      $title = $_POST["title"];

      $sql = "UPDATE cmsarticles SET title='$title', thearticle='$thearticle' WHERE id='$id'";
      //replace thearticle with your table name above

      $result = mysql_query($sql) or die(mysql_error());

      echo "Thank you! Information updated.";
  
   }
}
?>

Any help appreciated.

 


Since you are not escaping the string data being put into the query, it is highly likely that SQL special characters in the data, such as ' or ", are breaking the SQL syntax.

 

See this link - mysql_real_escape_string. Using mysql_real_escape_string on the string data being put into a query will also protect against SQL injection in that data.

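The failure described in the reply above, reproduced as an added example (not code from either poster). It swaps in PDO for the `mysql_*` functions, which were removed in PHP 7.0, and shows both `PDO::quote()` (the escaping approach) and a prepared statement. Assumptions: an in-memory SQLite database stands in for MySQL so it runs offline, and the posted values and the three function names are constructed for the demonstration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cmsarticles (id INTEGER PRIMARY KEY, title TEXT, thearticle TEXT)");
$db->exec("INSERT INTO cmsarticles (id, title, thearticle) VALUES (1, 'Welcome', '<p>short</p>')");

// Constructed sample of what the editor might post: HTML with an apostrophe and quotes.
$title      = "Editor's picks";
$thearticle = '<p class="intro">It\'s longer than a couple of lines.</p>';
$id         = '1'; // arrives as a string from $_GET["id"]

// 1) The pattern from the question: values pasted straight into the SQL text.
function updateConcatenated(PDO $db, $title, $thearticle, $id) {
    $sql = "UPDATE cmsarticles SET title='$title', thearticle='$thearticle' WHERE id='$id'";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        // The first apostrophe in the data ends the string literal early.
        return 'failed: ' . $e->getMessage();
    }
}

// 2) Escaping each string before it is placed in the query (what the reply suggests).
function updateEscaped(PDO $db, $title, $thearticle, $id) {
    $sql = 'UPDATE cmsarticles SET title=' . $db->quote($title)
         . ', thearticle=' . $db->quote($thearticle)
         . ' WHERE id=' . (int) $id; // numeric id is cast, not quoted
    return $db->exec($sql); // number of rows changed
}

// 3) Prepared statement: the values never become part of the SQL text.
function updatePrepared(PDO $db, $title, $thearticle, $id) {
    $stmt = $db->prepare(
        'UPDATE cmsarticles SET title = :title, thearticle = :body WHERE id = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':body', $thearticle, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

echo updateConcatenated($db, $title, $thearticle, $id), "\n";
echo updateEscaped($db, $title, $thearticle, $id), " row(s) via quote()\n";
echo updatePrepared($db, $title, $thearticle, $id), " row(s) via prepare()\n";
$row = $db->query('SELECT thearticle FROM cmsarticles WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['thearticle'] === $thearticle); // stored HTML matches what was posted
```

Note that `$id` in the original script comes from `$_GET` and goes into both the SELECT and the UPDATE, so it needs the same treatment as the two string fields.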

Archived

This topic is now archived and is closed to further replies.
