PHP mysql query error HELP

Discussion in 'Web Design and Development' started by settings, Nov 10, 2009.

  1. settings macrumors newbie

    Oct 29, 2009
    $bd->definir_query("UPDATE tabposts SET nome = '$nome', email = '$email', post = '$post' WHERE id = $id");

    I'm using that query and it is giving me an error, and I already changed it a thousand times :s

    $bd is a class where I've got a function called "definir_query", with which I execute the arguments (the SQL code).


  2. rowsdower macrumors 6502

    Jun 2, 2009
  3. angelwatt Moderator emeritus


    Aug 16, 2005
    The query part is fine so it must have something to do with the object you're interacting with or the actual values you're using in the variables, which may be damaging the query string, aka SQL-injection.
  4. settings thread starter macrumors newbie

    Oct 29, 2009
    " You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 "

    It is showing me that, but I have other queries and they are fine, so I don't understand why here... take a look:

    if ($_POST["enviar"])
    $nome = $_POST["nome"];
    $email = $_POST["email"];
    $post = $_POST["post"];
    $horas = date('H:i:s');

    $bd->definir_query("INSERT tabposts(nome,email,post,data,hora) VALUES('%s','%s','%s','%s','%s')",$nome,$email,$post,date('Y-m-d'), $horas);


    this is to insert the posts.

    $id = $_REQUEST['id'];
    // $edit = $_REQUEST['edit'];
    $bd = new BD;

    $bd->definir_query("DELETE FROM tabposts WHERE ID = %d",$id);
    header("location: index.php");

    this is to remove a line from the table.

    so.. all of those except the update set are fine..
  5. designguy79 macrumors 6502

    Sep 24, 2009
    Sometimes to debug things like this, I have it echo the problematic query and then exit. What is the output if you enter this before trying to execute the query?

  6. angelwatt Moderator emeritus


    Aug 16, 2005
    designguy79's echo idea sounds like a good place to start.

    On a security note, I should let you know your code is very open to SQL-injection and could delete your entire DB. Consider your query,
    DELETE FROM tabposts WHERE ID = %d",$id
    If a malicious user sends the id as 1 OR 1=1 the query becomes:
    DELETE FROM tabposts WHERE ID = 1 OR 1=1
    and that returns true for all records and that table becomes empty. It's very easy for someone to send an id value as that string as well. They don't have to send the data from your web site. You should also avoid using the $_REQUEST super global variable in favor of $_GET and $_POST. You should always filter the data that you're receiving, especially when it's going into a SQL query.

    These vulnerabilities are not just for the id that I showed. You need to filter each and every piece of data you're getting from the user. Never blindly trust anything coming from REQUEST, GET, POST, or even COOKIE.
  7. settings thread starter macrumors newbie

    Oct 29, 2009

    Thanks for the advice guys, I will check that and discuss it in my programming class.
  8. yg17 macrumors G5


    Aug 1, 2004
    St. Louis, MO
    What are the values for $name, $email, $post and $id variables? They don't have any quotes or special characters in them, do they?

    Let's say the name has an apostrophe (single quote) in it. Say the name you're entering is Bob D'Angelo. Once PHP builds that string and sends it off to MySQL, you now have the query:

    UPDATE tabposts SET name = 'Bob D'Angelo', email = ... etc.

    That'll cause MySQL to give you the error since it thinks the value of name should be Bob D, and Angelo' is extra garbage it doesn't know what to do with.
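
Added example, not part of any post in this thread: the apostrophe failure and the "1 OR 1=1" id discussed above, run against a prepared statement with integer validation. It assumes PDO with an in-memory SQLite database in place of the poster's BD class (so it runs offline); the table name and columns follow the thread, while the rows, request values and the updatePost() helper are constructed for illustration.

```php
<?php
// Added example: constructed table and rows, in-memory SQLite so it runs offline.
// The same PDO calls work with the mysql: driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tabposts (id INTEGER PRIMARY KEY, nome TEXT, email TEXT, post TEXT)");
$pdo->exec("INSERT INTO tabposts (nome, email, post) VALUES
            ('a', 'a@example.test', 'first'), ('b', 'b@example.test', 'second')");

// Constructed request values: the apostrophe case and the id string from the thread.
$input = ['id' => '1', 'nome' => "Bob D'Angelo", 'email' => 'bob@example.test', 'post' => "it's fine"];
$hostileId = '1 OR 1=1';

// 1. String interpolation, as in the failing UPDATE: the apostrophe ends the literal early.
$sql = "UPDATE tabposts SET nome = '{$input['nome']}' WHERE id = {$input['id']}";
try {
    $pdo->exec($sql);
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

// 2. Prepared statement: values travel separately from the SQL text.
// updatePost() is a hypothetical helper, not the poster's definir_query().
function updatePost(PDO $pdo, array $in): int
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($in['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE tabposts SET nome = :nome, email = :email, post = :post WHERE id = :id');
    $stmt->execute([':nome' => $in['nome'], ':email' => $in['email'], ':post' => $in['post'], ':id' => $id]);
    return $stmt->rowCount();
}

echo "rows updated: ", updatePost($pdo, $input), "\n";
echo "stored nome: ", $pdo->query('SELECT nome FROM tabposts WHERE id = 1')->fetchColumn(), "\n";

// 3. The "1 OR 1=1" id fails validation and never reaches a query.
try {
    updatePost($pdo, ['id' => $hostileId] + $input);
} catch (InvalidArgumentException $e) {
    echo "hostile id rejected: ", $e->getMessage(), "\n";
}
echo "rows still in table: ", $pdo->query('SELECT COUNT(*) FROM tabposts')->fetchColumn(), "\n";
```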
