Error in SQL Syntax HELP!!!


twilitegxa

I have this page:

 

<?php

session_start();

//connect to server and select database
$conn = mysql_connect("localhost", "root", "")
    or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//show scouts characters
$get_scouts = "select * from scouts where username = '".$_SESSION['userName']."'";
$get_scouts_res = mysql_query($get_scouts, $conn) or die(mysql_error());
while ($list_scouts = mysql_fetch_array($get_scouts_res)) {
    $identity = ucwords($list_scouts['identity']);
    $topic_id = $list_scouts['id'];
    //link to the fight page for this character (closing </a> was missing)
    echo "<ul class=\"character_list\"><li><a href=\"fight.php?identity=$identity\">$identity</a></li></ul> ";
}
?>

 

And it goes to this page:

 

<?php

session_start();

//connect to server and select database
$conn = mysql_connect("localhost", "root", "")
    or die(mysql_error());
$db = mysql_select_db("smrpg", $conn) or die(mysql_error());

//check for required info from the query string (empty() avoids a notice when the key is absent)
if (empty($_GET['identity'])) {
    header("Location: train_fight.php");
    exit;
}

//get derived values
//NOTE: this is the line that fails; the value is dropped into the SQL without quotes
$derived = "select * from derived_values where identity = $_GET[identity]";
$derived_res = mysql_query($derived, $conn) or die(mysql_error());

$display_block = "<ul>";

while ($derived_info = mysql_fetch_array($derived_res)) {
    $derived_id = $derived_info['id'];
    $derived_identity = $derived_info['identity'];
    $derived_health = $derived_info['health'];
    $derived_energy = $derived_info['energy'];
    $derived_acv1 = $derived_info['acv1'];
    $derived_acv2 = $derived_info['acv2'];
    $derived_dcv1 = $derived_info['dcv1'];
    $derived_dcv2 = $derived_info['dcv2'];
    $derived_total_cp = $derived_info['total_cp'];

    $display_block .= "<li>$derived_identity</li>";
}

$display_block .= "</ul>";

?>

 

But I am getting this error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use at line 1

 

What am I doing wrong here? If I change my where statement or take it out, it is displaying the information, but I can't figure out what's wrong with my where statement or where I'm getting my "identity" from. Something's wrong but I can't find it. Can anyone help?

https://forums.phpfreaks.com/topic/190180-error-in-sql-syntax-help/

Why isn't anyone mentioning this?:

 

Why don't you show him how to fix it instead of criticizing people for not mentioning it? At least explain what you are talking about.

 

@twilitegxa:

He is talking about SQL injection; your code is prone to it with that syntax. You will want to use mysql_real_escape_string to prevent it on any GET / POST data that you plan on entering into the database:

 

$derived = "select * from derived_values where identity = '".mysql_real_escape_string($_GET['identity'])."'";

 

That will prevent it, but be sure to check that magic_quotes are off to prevent double escaping. (This can be checked with get_magic_quotes_gpc; if they are on, I would stripslashes the data before applying the escape string, or turn them off.)
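As an added illustration (not code from the thread), the same lookup done three ways against an in-memory SQLite database through PDO, so it runs without a MySQL server; it assumes the pdo_sqlite extension, mirrors the thread's table and column names, and uses constructed row values. It shows why the unquoted interpolation fails, why quote-and-escape works but is fragile, and how a bound parameter removes the problem.

```php
<?php
// Added example: derived_values table and a value containing a space, like the
// ucwords() identities built on the first page. Rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE derived_values (id INTEGER PRIMARY KEY, identity TEXT, health INTEGER)");
$pdo->exec("INSERT INTO derived_values (identity, health) VALUES ('Sailor Mercury', 100), ('Sailor Mars', 120)");

$identity = 'Sailor Mercury';   // stands in for $_GET['identity']

// 1. The original construction: the value lands in the SQL text unquoted, so the
//    parser reads "Sailor Mercury" as bare tokens and reports a syntax error.
try {
    $pdo->query("select * from derived_values where identity = $identity");
} catch (PDOException $e) {
    echo "unquoted interpolation failed: " . $e->getMessage() . "\n";
}

// 2. Quote plus escape (the reply's mysql_real_escape_string approach; PDO::quote
//    is the PDO equivalent). It parses, but correctness now depends on the escaping
//    matching the connection charset and on nothing (e.g. magic_quotes) escaping twice.
$quoted = $pdo->quote($identity);
$rows = $pdo->query("select * from derived_values where identity = $quoted")
            ->fetchAll(PDO::FETCH_ASSOC);
echo "escaped: " . count($rows) . " row(s)\n";

// 3. Prepared statement with a bound parameter: the SQL text is fixed and the value
//    travels separately, so it is never parsed as SQL and needs no quoting at all.
$stmt = $pdo->prepare("select * from derived_values where identity = :identity");
$stmt->execute([':identity' => $identity]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "prepared: {$row['identity']} health={$row['health']}\n";
}
```

Run it with `php example.php`; only the first query throws, the other two return the single matching row.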
