[SOLVED] CMS

[Crew-Portal]

I need update help: Code is

<?php
//Do not allow the page to be called directly.
if(basename($_SERVER['PHP_SELF']) == "homego.php") {
header("Location: error403.php");
exit;
}
$clan_id_var = $_GET['va'];
$query="select * from `air__".$clan_id_var."`";
$rt=mysql_query($query) or die('The Virtual Airline IATA ' . $clan_id_var . ' Does Not Exist In our Database Sorry');
//Make sure the user is logged in.
global $valid_user;
if(session_is_registered("valid_user")) {
//If no data is posted, show the default form.
if(!$_POST) {
include("?va=<?php echo $clan_id_var; ?>&info=home");
exit;
}
if($valid_user == $nt[ceo]) {
echo ''; }
else {
echo 'You Are Not An Administrator Of This Airline!';
}
//If data is posted, validate.
if($_POST) {

if($demo && $valid_user == "admin") {
include("?va=<?php echo $clan_id_var; ?>&info=home");
exit;
}
//If no errors, change password in database.
if(!$pass_error) {
$connection = @mysql_connect("$db_host", "$db_user", "$db_pass") or die("Couldn't connect.");
$db = @mysql_select_db($db_name, $connection) or die("Couldn't select database.");

$sql='UPDATE air__.$clan_id_var SET 1 = "$nt[1]"';

$result = @mysql_query($sql,$connection) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $query . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
?>
                        <table cellpadding="4" cellspacing="0">
                            <tr>
                                <td>
                                    <p><span class="success"><?php echo $lang['pwchange'] ?></span></p>
                                </td>
                            </tr>
                        </table>

<?php
include("?va=<?php echo $clan_id_var; ?>&info=home");
exit;
}
}
}
else
//If not logged in, show error.
{
include("?va=<?php echo $clan_id_var; ?>&info=unverified");
}
?>

But for some reason the code will not update and I get this error:

 

A fatal MySQL error occured.

Query: select * from `air__DEMO`

Error: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 = "$nt[1]"' at line 1

 

So if someone could help me it would be appreciated.

 

PS: The colum I am trying to update is called '1'

[deadimp]

Try getting some sort of SQL sandbox, phpMyAdmin if you have it, and enter in that query and see what happens.

Also, this line kind of got my attention (since it stopped the highlighter from working after that point):

include("?va=<?php echo $clan_id_var; ?>&info=home");

If you're actually sending code by a GET/POST variable to be executed by that other script, then I gotta say that that's a really bad idea. This could allow people to inject code into your script that really shouldn't be run.

[Crew-Portal]

Each ID is run on a serperate table. Each table has a username and password! If the table changes it reads it and see that your logged in username and password is wrong and Dies the script!! At least thats what it is supposed to do lol >

[teng84]

looking at = the code you dont  have the connection before the select is there any??

[Crew-Portal]

Yes my connection is fine I am just getting this error:

 

A fatal MySQL error occured.

Query: select * from `air__DEMO`

Error: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 = "$nt[1]"' at line 1

[teng84]

try

$sql='UPDATE air__.$clan_id_var SET `1` = "'.$nt["1"].'"';