need help with special characters in an update statement

[Deamoner]

I am writing a script that takes a post, with information from a chat session. It will check if the chatlog is already in the database by checking the sessionid on the chatlog. If it is not there it creates it, but if it is there then it will use an update statement and this is where my problem comes into play, it is able to do an insert, but when I try to do the update, it is not working. It seems to hang on where I am updating the chalog, as that is where it says the error in my sql syntax is, below is the php of the sql statement, let me know what I am getting wrong.

 

$query2  = "UPDATE 'sessions' SET 'techid' ='".$TechID."', 'techname' = '".$TechName."', chatlog = chatlog.'$ChatLog', 'closingtime' = '".$ClosingTime."' WHERE 'id' ='".$row['id']."'";

 

I have tried it a number of ways and it seems to hang on the chatlog everytime. When I do the insert it looks like this

 

$query2  = "INSERT INTO sessions (SessionID,TechID,TechName,cname,cid,ChatLog,WaitTime,PickupTime,ClosingTime, billcode)

VALUES ('$SessionID', '$TechID', '$TechName', '$CField0', '$CField1', '$ChatLog', '$WaitingTime', '$PickupTime', '$ClosingTime', '$CField2')";

 

the insert works fine, but I need to have the previous stuff in the chatlog field still there in the database.

 

Let me know any thoughts you may have.

 

[effigy]

Always check your queries for errors and use mysql_real_escape_string on the data going into the database.

[Deamoner]

I tried using what you said. My new syntax is

 

$chatty = mysql_real_escape_string  ($chatty);

$Chatlog = mysql_real_escape_string  ($Chatlog);

$combined = mysql_real_escape_string  ($chatty.$Chatlog);

mail( "[email protected]", "Email Subject", "This is the combined ".$combined, "From: [email protected]" );

// this means that the session already exists in the table

$query2  = "UPDATE 'sessions' SET 'techid' ='".$TechID."', 'techname' = '".$TechName."', 'chatlog' = '".mysql_real_escape_string  ($combined)."', 'closingtime' = '".$ClosingTime."' WHERE 'id' ='".$row['id']."'";

 

 

I tried combining what, but it still gives the error below

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''sessions' SET 'techid' ='2107335', 'techname' = 'Matt Davis', 'chatlog' = '', '' at line 1

 

I just want it to go into the system and it seems like a special character in system is interrupting the update into the database. So what you said did not work, and p.s. the mysql update synxtax works when I do it with default values.  and when i try to print and email myself the values in $combined, it comes up with nothing.

 

[Deamoner]

let me just make a point that the "cl" that is in there should not be what is it the string.

[effigy]

Table names should not be surrounded in single quotes and all variables should be passed through the escaping function.