Riparian Posted December 24, 2010
Desperate for some help with this one! Can someone please tell me what is wrong with this ... it works 90% of the time but then it kicks it out for no reason I can see. In this example t027a exists and is in_stock.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'where model_number RLIKE 't027[a-z]' and in_stock='T'' at line 1

Cheers
Link to comment: https://forums.phpfreaks.com/topic/222596-help-with-syntax/
PFMaBiSmAd Posted December 24, 2010
The error is occurring before the WHERE. You would need to post what the query is up to that point. Best guess is you are dynamically putting some variable into the query and it is either empty or contains something that breaks the SQL syntax.
Riparian (Author) Posted December 24, 2010
Thank you. You are spot on. Bloody spiders are accessing the page and the dynamic '$use_table' is empty and hence not valid. Thanks again.

Cheers
PFMaBiSmAd Posted December 24, 2010
You must validate ALL external data. If you are dynamically putting the table name into your query from external data without validating what it is, some hacker has probably already gotten all your data.
Riparian (Author) Posted December 25, 2010
Sorry... when you say validating the data, can you expand on that just a bit? If it is dynamic and a hacker puts a different table name then an error occurs, and I would have thought that the query is not executed?

Cheers