hasif5 Posted December 8, 2011 Share Posted December 8, 2011 Hi, I joined new here, and I am really having hard time figuring out what's wrong with the code below which isn't working. if (isset($_POST['privacy_submit'])) { if (($_SERVER['REQUEST_METHOD'] == "POST")) { $privacy_upd = mysql_query("UPDATE clf_privacy_terms SET 'p_bannerads' = '".$_POST['p_bannerads']."', 'p_shareinfo' = '".$_POST['p_shareinfo']."', 'p_crossmarketing' = '".$_POST['p_crossmarketing']."', 'p_tacking' = '".$_POST['p_tacking']."', 'p_sendcommunication' = '".$_POST['p_sendcommunication']."', 'p_under13' = '".$_POST['p_under13']."', 'p_internationally' = '".$_POST['p_internationally']."', 'p_discloselegal' = '".$_POST['p_discloselegal']."', 'p_server_country' = '".$_POST['p_server_country']."', 'p_forums' = '".$_POST['p_forums']."', 'p_newslettermodule' = '".$_POST['p_newslettermodule']."', 'p_membershipmodule' = '".$_POST['p_membershipmodule']."' ") or die(mysql_error()); $msg="Successfully Updated!"; } } else { $msg="<font color=\"red\">Incorrect method of submission.</font> Please try again."; } ?> <h2>Privacy Policy</h2> <?php if ($privacy_upd) { echo ($msg); } ?> <form class="box" name="privacy_upd" action="gen.php" method="post"> ......................................................................................... ........................ MySQL Error returns the following: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''p_bannerads' = 'do not', 'p_shareinfo' = 'do not', 'p_cross' at line 2 Let me know if any of your guys can solve it for me, I would appreciate since I am not able to solve it for last two days already. Thank you... Quote Link to comment Share on other sites More sharing options...
SergeiSS Posted December 8, 2011 Share Posted December 8, 2011 "'p_bannerads' = '".$_POST['p_bannerads']."'" and all others are incorrect! You have to use other type of quotes for column names (sorry, I don't know exact name) "`p_bannerads` = '".$_POST['p_bannerads']."'" Quote Link to comment Share on other sites More sharing options...
SergeiSS Posted December 8, 2011 Share Posted December 8, 2011 PS. You update is opened for SQL injection! You'd never use data from POST directly. Use special functions for conversion. Quote Link to comment Share on other sites More sharing options...
hasif5 Posted December 8, 2011 Author Share Posted December 8, 2011 What type of special functions I can use in order to avoid SQL injection? Any suggestion By the way thanks I had solved the issue. I had taken off all the quotes ' from the column names and its working great Quote Link to comment Share on other sites More sharing options...
SergeiSS Posted December 8, 2011 Share Posted December 8, 2011 What type of special functions I can use in order to avoid SQL injection? Any suggestion You would better look for this info in Google, just ask for "SQL injection PHP". There are some functions, some restrictions: a lot of articles discribe it. I don't like to repeat it here. By the way thanks I had solved the issue. I had taken off all the quotes ' from the column names and its working great You are welcome Be careful with quoutes: sometimes you have to put this quote ` around column names and table names when using MySQL. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.