
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Cost`=`60',



I have been looking at this code most of the morning and do not have a clue what is wrong with the code. I am hoping it's not a stupid mistake. Can someone please help me out? Thank you.

 

 

 
<title>Inputing Travel Detials</title>
 
<header>
  <h1 align="center"> Adding Travel Detials </h1>
  
 
  <body>
    <p>  <center><img  src="cyberwarfareimage1.png" alt="Squadron logo" style="width:200px;height:200px" style="middle"></center>
        <table border="1">
          <tr>
            <td><a href="index.php"> Home Page </a></td>
            <td><a href="administratorhomepage.html">Administrator Home Page </a></td>
            <td><a href="viewhomepage.html">View Home Page </a></td>
            <td><a href="Inputhomepage.html">Input Home Page </a></td>
            <td><a href="traveldetials.html">Enter More Travel Detials </a></td>
        </table>
    </p>
 
 
<?php
 
include "connection.php";
 
$Applicant_ID = $_POST["Applicant_ID"];
$Method_Of_Travel = $_POST["Method_Of_Travel"];
$Cost = $_POST["Cost"];
$ETA = $_POST["ETA"];
$Main_Gate_Advised = $_POST["Main_Gate_Advised"];
 
$query = ("UPDATE `int_board_applicant` SET `Method_Of_Travel`=`$Method_Of_Travel', `Cost`=`$Cost', `ETA`='$ETA', `Main_Gate_Advised`='$Main_Gate_Advised' WHERE `Applicant_ID`='$Applicant_ID'");
   
 
$result = mysqli_query($dbhandle, $query) 
    or die(mysqli_error($dbhandle));
 
if($result){ echo "Success!"; }
 
  else{ echo "Error."; }
 
 
// successfully insert data into database, displays message "Successful".
 if($query){
  echo "Successful";
}
 
  else {
  echo "Data not Submitted";
}
 
 
//closing the connection
   mysqli_close($dbhandle)
   
 
 
 
 
?>
SET `Method_Of_Travel`=`$Method_Of_Travel', `Cost`=`$Cost', 
                                                   ^
                                                   |
                                                   single quote
                                                   required

If $cost is numeric then single quotes should not be used at all.

`..` are only required if the identifier is a reserved word or contains a space or other special characters.

Edited by Barand

code now looks like

 

 

 
<title>Inputing Travel Detials</title>
 
<header>
  <h1 align="center"> Adding Travel Detials </h1>
  
 
  <body>
  
<table border="1">
  <tr>
    <td><a href="index.php"> Home Page </a></td>
    <td><a href="administratorhomepage.html">Administrator Home Page </a></td>
    <td><a href="viewhomepage.html">View Home Page </a></td>
    <td><a href="Inputhomepage.html">Input Home Page </a></td>
  </tr>
</table>
   
<center><img  src="cyberwarfareimage1.png" alt="Squadron logo" style="width:200px;height:200px" style="middle"></center>
       
<table border="1">
  <tr>
   <td><a href="Changetraveldetials.html">Modify More Travel Detials </a></td>
  </tr>
</table>
 
<?php
 
include "connection.php";
 
$Applicant_ID = $_POST["Applicant_ID"];
$Method_Of_Travel = $_POST["Method_Of_Travel"];
$Cost = $_POST["Cost"];
$ETA = $_POST["ETA"];
$Main_Gate_Advised = $_POST["Main_Gate_Advised"];
 
$query = ("UPDATE int_board_applicant SET 'Method_Of_Travel'='$Method_Of_Travel', 'Cost'=$Cost, 'ETA'='$ETA', 'Main_Gate_Advised'='$Main_Gate_Advised' WHERE 'Applicant_ID'='$Applicant_ID'");
   
 
$result = mysqli_query($dbhandle, $query) 
    or die(mysqli_error($dbhandle));
 
if($result){ echo "Success!"; }
 
  else{ echo "Error."; }
 
 
// successfully insert data into database, displays message "Successful".
 if($query){
  echo "Successful";
}
 
  else {
  echo "Data not Submitted";
}
 
 
//closing the connection
   mysqli_close($dbhandle)
 
?>
 
</body>
 

In queries it's single quotes around non-numeric values, backticks around column names.

 

In any event, you need to look into prepared statements before you get hacked.
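The prepared-statement form of the UPDATE recommended above, as an added example that is not part of the original thread. It assumes `connection.php` provides `$dbhandle` as in the posted code, that `Applicant_ID` is an integer and `Cost` a decimal column (the thread does not show the schema), and `update_travel` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes connection.php sets $dbhandle
// (a mysqli connection). Column types are assumptions: Applicant_ID integer,
// Cost decimal, the other three columns strings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Hypothetical helper: returns the number of rows the UPDATE changed.
function update_travel(mysqli $db, array $post): int
{
    // Validate numeric fields first; reject bad input instead of repairing it.
    $id   = filter_var($post['Applicant_ID'] ?? null, FILTER_VALIDATE_INT);
    $cost = filter_var($post['Cost'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($id === false || $cost === false || $cost < 0) {
        throw new InvalidArgumentException('Applicant_ID or Cost is not a valid number');
    }
    $method = trim((string)($post['Method_Of_Travel'] ?? ''));
    $eta    = trim((string)($post['ETA'] ?? ''));
    $gate   = trim((string)($post['Main_Gate_Advised'] ?? ''));

    // Placeholders take no quotes or backticks: the values are sent separately
    // from the SQL text, so a quote inside a value cannot change the statement.
    $stmt = $db->prepare(
        'UPDATE int_board_applicant
            SET Method_Of_Travel = ?, Cost = ?, ETA = ?, Main_Gate_Advised = ?
          WHERE Applicant_ID = ?'
    );
    // Type string follows placeholder order: s = string, d = double, i = integer.
    $stmt->bind_param('sdssi', $method, $cost, $eta, $gate, $id);
    $stmt->execute();
    $rows = $stmt->affected_rows; // real outcome; the query string itself is always truthy
    $stmt->close();
    return $rows;
}

include 'connection.php';

try {
    $rows = update_travel($dbhandle, $_POST);
    echo $rows === 1 ? 'Successful' : 'No matching applicant, or nothing changed';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Data not submitted: invalid input';
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // keep SQL error text out of the response
    http_response_code(500);
    echo 'Data not submitted';
}
mysqli_close($dbhandle);
```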

It's not going online or anything like it; it's for a project at university.

 

At University?  What BETTER place to include security in your appl?


You can generally skip out on backticks around column names

UPDATE int_board_applicant SET Method_Of_Travel='$Method_Of_Travel',...

See no quote marks of any kind around Method_Of_Travel?  Yep.  Save on typing.  Those are only required when you are using some reserved words that MySQL would try to interpret.

At University?  What BETTER place to include security in your appl?

 

At University all I cared about was getting the project working, and to heck with security or anything else.

And Instructors did not care about security unless it was a security class.  Instructors cared about project working and project documentation being in place and a few other esoteric things.  Such is reality of University culture.  I taught labs and classes at a University for a bit.  I pretty much cared only about the concepts I was teaching and not anything else.  Security and other pretty may have gotten some folks bonus points, and a notice on my radar for i.e. job recommendations, but not a big effect on the grade, unless I was specifically looking for those.
