
UPDATE SQL error and I can't work out what


nbbcj


Hi all, me again. Thank God for sites like this :)

Here is my problem:

I have a page that edits and then sends the info to a processing page to update the DB, but after I added a new bit I get an error:

 

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order = '6', bi = '1', print = '1', online = '1', short_details = 'asdasda', ful' at line 1

 

I'm using GET in my forms until it's all working so I can see what is being passed to the processing page. Here is my code:

 

 

The update page:


<?
//Set no caching
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
?>
<? include("protect/password_protect.php"); ?>
<?php
error_reporting(E_ALL);
include ("../includes/db_config.php");

mysql_connect($db_hostname,$db_username,$db_password);
@mysql_select_db($db_database) or die( "Unable to select database");
$query="SELECT * FROM `$db_table` WHERE `id` ='".$_GET['id']."'";

$result=mysql_query($query);

$num=mysql_num_rows($result);

mysql_close();


$i=0;
while ($i < $num) {

$id=mysql_result($result,$i,"id");
$order=mysql_result($result,$i,"order");
$pro_name=mysql_result($result,$i,"pro_name");
$short_details=mysql_result($result,$i,"short_details");
$full_details=mysql_result($result,$i,"full_details");
$bi=mysql_result($result,$i,"bi");
$print=mysql_result($result,$i,"print");
$online=mysql_result($result,$i,"online");


?>
<table width="515" height="315" >
<form name="form1" method="get" action="runupdate.php?id=<? echo"$id"?>">
  <tr>
    <th width="22%" scope="row"><p>Id</p></th>
    <td width="78%"><input class="udp" name="id" type="text" id="id" value="<? echo "$id"  ?>" size="3" maxlength="3" readonly="readonly"> Ordering:
<select name="order">
<option value="<? echo"$order"?>" selected>Is Now<? echo"$order"?></option>
    <option value="1">1</option>
    <option value="2">2</option>
    <option value="3">3</option>
    <option value="4">4</option>
    <option value="5">5</option>
    <option value="6">6</option>
    <option value="7">7</option>
    <option value="8">8</option>
    <option value="9">9</option>
    <option value="10">10</option>
  </select>
</td>
  </tr>
  <tr>
    <th scope="row"><p>Project Name</p></th>
    <td><input class="udp" name="pro_name" type="text" id="pro_name" value="<? echo "$pro_name"  ?>" size="40" MAXLENGTH="40"></td>
  </tr>
  <tr>
    <th scope="row"><p>Category</p></th>
    <td> Brand Identity:<input <?php if (!(strcmp("$bi",1))) {echo "checked=\"checked\"";} ?> name="bi" type="checkbox"  value="1" />
    Print:<input <?php if (!(strcmp("$print",1))) {echo "checked=\"checked\"";} ?> name="print" type="checkbox"  value="1" />
    Online:<input <?php if (!(strcmp("$online",1))) {echo "checked=\"checked\"";} ?> name="online" type="checkbox"  value="1" /></td>
  </tr>
  <tr>
    <th scope="row"><p>Short Details</p></th>
    <td><input class="udp" name="short_details" type="text" value="<? echo "$short_details"  ?>" size="50" MAXLENGTH="60"/></td>
  </tr>
  <tr>
    <th height="163" valign="top" scope="row"><p>Full Details</p></th>
    <td><textarea class="udp" name="full_details" cols="50" rows="10" id="full_details"><? echo "$full_details"?>
    </textarea>
      <input class="udp" type="submit" name="Update" id="Update" value="Update" /></td>
  </tr>
  <tr>
    <th scope="row">
    </form></th>
    </tr>
</table>
<? 
$i++;
}
?>

 

And this is the processing page.

Can anyone help with the SQL injection protection here, please? Just an example will do, thanks.

 


<?php
error_reporting(E_ALL);

include ("../includes/db_config.php");

$con = mysql_connect($db_hostname,$db_username,$db_password);
@mysql_select_db($db_database) or die( "Unable to select database");

$bi=mysql_result($result,$i,"bi");
$print=mysql_result($result,$i,"print");
$online=mysql_result($result,$i,"online");
$ud_pn=$_GET['pro_name'];
$ud_sd=$_GET['short_details'];
$ud_fd=$_GET['full_details'];
$ud_bi=$_GET['bi'];
$ud_print=$_GET['print'];
$ud_online=$_GET['online'];
$ud_order=$_GET['order'];


// When I add order = '$ud_order' to the query it errors and I don't know why, as it is laid out the same as pro_name and bi and print etc.

$query = "UPDATE $db_table SET pro_name = '$ud_pn', order = '$ud_order', bi = '$ud_bi', print = '$ud_print', online = '$ud_online', short_details = '$ud_sd', full_details = '$ud_fd' WHERE id = '".$_GET['id']."'";

if (!mysql_query($query,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "$ud_pn record updated<p>With:<p>Short Details:<p>$ud_sd<p>Full Details:<p>$ud_fd<p>Category:<p>Brand Identity:$ud_bi</br>
Print:$ud_print</br>
Online:$ud_online</br><p>
Ordering:$ud_order</br> ";





mysql_close($con)

?>


Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order = '6', bi = '1', print = '1', online = '1', short_details = 'asdasda', ful' at line 1

"order" is a reserved word in MySQL. If you really must use it as a column name, you will have to surround it with backticks:

 

UPDATE someTable SET `order`=100 ...

 

I recommend NOT using reserved words for column names (or table names for that matter).
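
An added example, not part of either post above: the processing-page UPDATE with the reserved word `order` backtick-quoted, as the answer describes, and with bound parameters for the SQL injection protection the question asks about. The table name `projects`, the function `updateProject()` and the sample request are assumptions; it uses PDO with an in-memory SQLite database so it runs without a server.

```php
<?php
// Added example. Assumption: in-memory SQLite via PDO; for MySQL only the DSN
// changes, e.g. "mysql:host=$db_hostname;dbname=$db_database;charset=utf8mb4".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table mirroring the columns used in the thread.
$pdo->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY, pro_name TEXT,
    `order` INTEGER, bi INTEGER, print INTEGER, online INTEGER,
    short_details TEXT, full_details TEXT)');
$pdo->exec("INSERT INTO projects VALUES (1, 'old', 1, 0, 0, 0, 'old', 'old')");

function updateProject(PDO $pdo, array $in): int
{
    // Numeric fields are validated; order must be in the form's 1..10 range.
    $id    = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT);
    $order = filter_var($in['order'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($id === false || $order === false) {
        throw new InvalidArgumentException('id and order must be valid integers');
    }
    // `order` is backtick-quoted because it is a reserved word. Every value is
    // a bound placeholder, so quotes in the input cannot change the statement.
    $stmt = $pdo->prepare('UPDATE projects SET pro_name = :pn, `order` = :ord,
        bi = :bi, print = :print, online = :online,
        short_details = :sd, full_details = :fd WHERE id = :id');
    $stmt->execute([
        ':pn'     => (string)($in['pro_name'] ?? ''),
        ':ord'    => $order,
        // Unchecked checkboxes are not submitted at all, so default them to 0.
        ':bi'     => isset($in['bi']) ? 1 : 0,
        ':print'  => isset($in['print']) ? 1 : 0,
        ':online' => isset($in['online']) ? 1 : 0,
        ':sd'     => (string)($in['short_details'] ?? ''),
        ':fd'     => (string)($in['full_details'] ?? ''),
        ':id'     => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed request standing in for $_GET; the apostrophes would break the
// concatenated query from the question but are stored verbatim here.
$request = ['id' => '1', 'order' => '6', 'pro_name' => "O'Brien's site",
    'bi' => '1', 'short_details' => 'asdasda', 'full_details' => "it's done"];
echo updateProject($pdo, $request), " row(s) updated\n";

$row = $pdo->query('SELECT * FROM projects WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
// Escape on output as well, since the confirmation page echoes user input.
echo htmlspecialchars($row['pro_name'], ENT_QUOTES), ' / order ', $row['order'], "\n";
```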
