
[SOLVED] Problem with Query...


Gnub


Got a problem with a query, I've posted the relevant code below, I know all the $_POST/$_GET's are right.  Even lists the data in the error.

 

Error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '. Didnt like this form .'Updated on: Friday 16th of March 2007 - 14:50:23 Happy' at line 1

 

RED = $Details

Orange = $DateStamp

Blue = $NewData

 

<?PHP
$RefNum = $_GET['RefNum'];
$Details = $_GET['OldDetail'];
$NewData = $_POST['NDetail'];

$DayStamp = date('l dS \of F Y ');
$TimeStamp = date('H:i:s');
$DateStamp = "Updated on: ".$DayStamp." - ".$TimeStamp." ";

$NewDetails = $Details.$DateStamp.$NewData;

$sql = "Update `Quotes` SET `Details` = '$NewDetails' WHERE `RefNo` = '$RefNum'";
?>


The first rule of $_POST and $_GET: always mysql_real_escape_string() before doing a DB call with them!

The second rule of $_POST and $_GET: ALWAYS mysql_real_escape_string() BEFORE doing a DB call with them!

 

Always, and I mean always, mysql_real_escape_string() $_GET and $_POST data before putting them into a database, as someone could easily do SQL injection and wreck your data.

 

IE:

 

<?php
$RefNum = mysql_real_escape_string($_GET['RefNum']);
$Details = mysql_real_escape_string($_GET['OldDetail']);
$NewData = mysql_real_escape_string($_POST['NDetail']);

$DayStamp = date('l dS \of F Y ');
$TimeStamp = date('H:i:s');
$DateStamp = "Updated on: ".$DayStamp." - ".$TimeStamp." ";

$NewDetails = $Details.$DateStamp.$NewData;

$sql = "Update `Quotes` SET `Details` = '$NewDetails' WHERE `RefNo` = '$RefNum'";
?>

 

I would check your $_POST and $_GET data and make sure they are coming in right

 

print_r($_POST);

print_r($_GET);
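An added example, not part of the original thread: the same UPDATE written with a PDO prepared statement, next to the string-built form from the question, using a value that contains an apostrophe like the one in the reported error. The in-memory SQLite database, the table contents and the stand-in request values are constructed so the script runs offline; with MySQL only the PDO connection string changes.

```php
<?php
// Constructed demo database standing in for the thread's MySQL `Quotes` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `Quotes` (`RefNo` TEXT PRIMARY KEY, `Details` TEXT)");
$pdo->exec("INSERT INTO `Quotes` VALUES ('Q100', 'Original'), ('Q200', 'Other')");

// Constructed stand-ins for $_GET['RefNum'], $_GET['OldDetail'], $_POST['NDetail'].
$RefNum  = 'Q100';
$Details = "Customer said: 'Didnt like this form'. ";
$NewData = "Happy";

$DateStamp  = "Updated on: " . date('l dS \of F Y ') . " - " . date('H:i:s') . " ";
$NewDetails = $Details . $DateStamp . $NewData;

// 1) String-built query, as in the question. The apostrophe inside the data
//    closes the SQL string literal early, so the rest of the text is parsed
//    as SQL and the statement is rejected with a syntax error.
try {
    $pdo->exec("UPDATE `Quotes` SET `Details` = '$NewDetails' WHERE `RefNo` = '$RefNum'");
    echo "concatenated: executed\n";
} catch (PDOException $e) {
    echo "concatenated: ", $e->getMessage(), "\n";
}

// 2) Prepared statement. The SQL text is fixed; the values are sent as bound
//    parameters and are never parsed as SQL, so no escaping step is needed.
$stmt = $pdo->prepare('UPDATE `Quotes` SET `Details` = :details WHERE `RefNo` = :ref');
$stmt->execute([':details' => $NewDetails, ':ref' => $RefNum]);
echo "prepared: rows changed = ", $stmt->rowCount(), "\n";

// Read the row back and compare what was stored with what was sent.
$check = $pdo->prepare('SELECT `Details` FROM `Quotes` WHERE `RefNo` = ?');
$check->execute([$RefNum]);
$stored = $check->fetchColumn();
echo "stored value matches input: ", var_export($stored === $NewDetails, true), "\n";

// Confirm the other row was left alone.
$other = $pdo->query("SELECT `Details` FROM `Quotes` WHERE `RefNo` = 'Q200'")->fetchColumn();
echo "other row untouched: ", var_export($other === 'Other', true), "\n";
```

The mysql_* functions used in the thread, mysql_real_escape_string() included, were removed in PHP 7.0; PDO and mysqli prepared statements are the current way to do this.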

I see, well, I'm going to blame my old lecturers for that mistake.  'Twas the way I was taught, and it's just stuck with me.

 

Thanks for pointing that out for me Frost.

 

You will soon find out that teachers are good for your first programming class so you get the basics of syntax etc. After that they know nothing more than the book. I self-taught myself before I took a class. Took the class, just learned the correct syntax and technical terms, and then took the rest online so I didn't have to listen to lectures.

 

The crazier thing is they do not care about security, such as the mysql_real_escape_string(). They do not have real world applications on the web that can be broken by a 12-year-old kid. They just preach the books =)

 

All in all, in programming 9 out of 10 teachers are just stupid when it comes to the real world.
