Jump to content

[SOLVED] how to allow @ in sql query


pixeltrace

Recommended Posts

guys,

 

i need help, i have a form wherein you can copy and paste your text resume inside

everything is working fine in the form

except for the page wherein, it updates the database

 

i am getting an error message on the line where my email address falls:

error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near [email protected]

 

how to fix this?

i already tried using stripslashes but i wasnt able to fix the problem

 

below is the code for my updateresume.php page

<?php
session_start();

if (session_is_registered("username")){
if($_SESSION['account_type'] == 'applicant'){

//if(($_SESSION['user_level'] == administrator) || ($_SESSION['user_level'] == staff)){

include '../admean/db_connect.php';

$username = $_POST['username'];
$appid = $_POST['appid'];
$resume = $_POST['resume'];

$resume = stripslashes($resume);

$sql="UPDATE applicant SET resume='$resume WHERE username='$username'";
	mysql_query($sql) or die("error:".mysql_error());

   echo '<script language=javascript> alert("Your resume has been updated!");top.location = "profile.php?id=1&appid='.$appid.'";</script>';

}else{
echo "<font face=\"Arial\">You are not authorized to access this page ... Please <a href='../index.php'>Login</a></font>";
}
}
?>

 

 

hope you could help me with this.

 

thanks!

Link to comment
https://forums.phpfreaks.com/topic/41973-solved-how-to-allow-in-sql-query/
Share on other sites

You're missing an ending single quote in this line:

<?php
$sql="UPDATE applicant SET resume='$resume WHERE username='$username'";
?>

it should be

<?php
$sql="UPDATE applicant SET resume='$resume' WHERE username='$username'";
?>

 

In addition, you really should be passing all text through the mysql_real_escape_string() function before putting the strings into the query:

<?php
$username = mysql_real_escape_string(stripslashes($_POST['username']));
$appid = $_POST['appid'];
$resume = mysql_real_escape_string(stripslashes($_POST['resume']));
$sql="UPDATE applicant SET resume='$resume' WHERE username='$username'";
$rs = mysql_query($sql) or die("Problem with the query<pre>$sql</pre><br>:".mysql_error());
?>

 

Ken

 

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.