Gnub Posted March 16, 2007
Source: https://forums.phpfreaks.com/topic/42993-solved-problem-with-query/

Got a problem with a query, I've posted the relevant code below, I know all the $_POST/$_GET's are right. Even lists the data in the error.

Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '. Didnt like this form .'Updated on: Friday 16th of March 2007 - 14:50:23 Happy' at line 1

(In the error above: RED = $Details, Orange = $DateStamp, Blue = $NewData)

```php
<?php
// Request data is taken as-is and concatenated straight into the SQL string.
$RefNum  = $_GET['RefNum'];
$Details = $_GET['OldDetail'];
$NewData = $_POST['NDetail'];

// Build the "Updated on: ..." stamp that separates the old and new text.
$DayStamp  = date('l dS \of F Y ');
$TimeStamp = date('H:i:s');
$DateStamp = "Updated on: ".$DayStamp." - ".$TimeStamp." ";

$NewDetails = $Details.$DateStamp.$NewData;

$sql = "Update `Quotes` SET `Details` = '$NewDetails' WHERE `RefNo` = '$RefNum'";
?>
```
per1os Posted March 16, 2007

The first rule of $_POST and $_GET: always mysql_real_escape_string() before doing a DB call with them!

The second rule of $_POST and $_GET: ALWAYS mysql_real_escape_string() BEFORE doing a DB call with them!

Always, and I mean Always, mysql_real_escape_string() $_GET and $_POST data before putting them into a database, as someone could easily do SQL injection and wreck your data. i.e.:

```php
<?php
// Escape every request value before it goes anywhere near the query string.
$RefNum  = mysql_real_escape_string($_GET['RefNum']);
$Details = mysql_real_escape_string($_GET['OldDetail']);
$NewData = mysql_real_escape_string($_POST['NDetail']);

$DayStamp  = date('l dS \of F Y ');
$TimeStamp = date('H:i:s');
$DateStamp = "Updated on: ".$DayStamp." - ".$TimeStamp." ";

$NewDetails = $Details.$DateStamp.$NewData;

$sql = "Update `Quotes` SET `Details` = '$NewDetails' WHERE `RefNo` = '$RefNum'";
?>
```

I would check your $_POST and $_GET data and make sure they are coming in right:

```php
print_r($_POST);
print_r($_GET);
```
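The same update written three ways, as an added example that is not code from the thread. It assumes a MySQL table `Quotes` with columns `RefNo` and `Details`, and takes the connection DSN and credentials from placeholder environment variables (`QUOTES_DSN`, `QUOTES_USER`, `QUOTES_PASS`). It uses mysqli and PDO rather than the `mysql_*` functions in the reply, because that extension was removed in PHP 7; the escaping rule per1os gives is the same, only the function name differs.

```php
<?php
// Added example, not from the original thread. Assumes a `Quotes` table with
// `RefNo` and `Details` columns; DSN/user/password come from placeholder
// environment variables.

// 1. What the original post does: raw interpolation. Any apostrophe in the
//    input ends the string literal early, which is exactly the syntax error
//    quoted in the thread.
function buildRawUpdate(string $refNum, string $newDetails): string
{
    return "UPDATE `Quotes` SET `Details` = '$newDetails' WHERE `RefNo` = '$refNum'";
}

// 2. The escaping approach from the reply, using mysqli. Escaping needs an
//    open connection because the correct escape sequence depends on the
//    connection's character set.
function buildEscapedUpdate(mysqli $db, string $refNum, string $newDetails): string
{
    $safeDetails = $db->real_escape_string($newDetails);
    $safeRef     = $db->real_escape_string($refNum);
    return "UPDATE `Quotes` SET `Details` = '$safeDetails' WHERE `RefNo` = '$safeRef'";
}

// 3. Preferred: a prepared statement. The SQL text never contains user data,
//    so quoting is done by the driver and there is nothing left to inject into.
function updateQuoteDetails(PDO $db, string $refNum, string $oldDetails, string $newData): int
{
    // Same stamp format as the thread: old text, "Updated on: ..." stamp, new text.
    $dateStamp  = 'Updated on: ' . date('l dS \of F Y') . ' - ' . date('H:i:s') . ' ';
    $newDetails = $oldDetails . $dateStamp . $newData;

    $stmt = $db->prepare('UPDATE `Quotes` SET `Details` = :details WHERE `RefNo` = :ref');
    $stmt->execute([':details' => $newDetails, ':ref' => $refNum]);
    return $stmt->rowCount();
}

// Constructed input that reproduces the thread's failure: it contains a quote.
$newData = "Didn't like this form.";
echo buildRawUpdate('Q100', $newData), PHP_EOL;

// Only touch a database when a DSN is supplied (placeholder env vars).
if (PHP_SAPI === 'cli' && getenv('QUOTES_DSN')) {
    $pdo = new PDO(
        getenv('QUOTES_DSN'),
        getenv('QUOTES_USER') ?: '',
        getenv('QUOTES_PASS') ?: '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, real placeholders
        ]
    );
    $rows = updateQuoteDetails($pdo, 'Q100', 'Old details. ', $newData);
    echo "rows updated: $rows", PHP_EOL;
}
```

Running the script without a DSN only prints the raw statement; the apostrophe in "Didn't" closes the `'...'` literal after `Didn`, so the rest of the line is parsed as SQL, which is the failure the first post hit. With `PDO::ATTR_EMULATE_PREPARES` set to false the statement and the values travel to MySQL separately, so the same input is stored verbatim and no escaping code has to be remembered at each call site.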
Gnub (Author) Posted March 16, 2007

I see, well, I'm going to blame my old lecturers for that mistake. 'Twas the way I was taught, and it's just stuck with me. Thanks for pointing that out for me Frost.
per1os Posted March 16, 2007

> I see, well, I'm going to blame my old lecturers for that mistake. 'Twas the way I was taught, and it's just stuck with me. Thanks for pointing that out for me Frost.

You will soon find out that teachers are good for your first programming class so you get the basics of syntax etc. After that they know nothing more than the book. I self-taught myself before I took a class. Took the class, just learned the correct syntax and technical terms, and then took the rest online so I didn't have to listen to lectures. The crazier thing is they do not care about security, such as the mysql_real_escape_string(); they do not have real world applications on the web that can be broken by a 12-year-old kid. They just preach the books =) All in all, in programming 9 out of 10 teachers are just stupid when it comes to the real world.