Toggle sidebar Toggle sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

php securing problems

Cabbit

Cabbit

macrumors 68020
Original poster
hey all im working on securing my php but this bit errors out any help please.
PHP: 
$sql = sprintf("UPDATE `forum-topics` (`lastpost`, `lastposttime`, `lasttopic`, `lastid`) VALUES ('%s', '%s', '%d', '%s') WHERE `id` = '$topic'",
			mysql_real_escape_string($username),
			mysql_real_escape_string($today),
			mysql_real_escape_string($_POST['subject']),
			mysql_real_escape_string($number),
			mysql_real_escape_string($topic));
$query = mysql_query($sql);
if(!$query) {
///// error out /////
echo "There was an error, please try again.";
print mysql_error();
}

error

There was an error, please try again.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(`lastpost`, `lastposttime`, `lasttopic`, `lastid`) VALUES ('JerryLouise', 'Octo' at line 1
 
I think the SQL syntax you're trying to use is invalid; instead of "UPDATE table (col1,col2,coln) VALUES (val1,val2,valn)" try "UPDATE table SET col1=val1, col2=val2, coln=valn".

Also, you're passing 5 extra parameters to the sprintf, but only using 4. I think you want to replace the $topic in your query with %s.
 
I'm not an expert in SQL, but that UPDATE syntax looks wrong. Also, I think you should remove a bunch of those single quotes.

Update syntax that I've been using

UPDATE tablename SET column_name=new_value where column_id=5

Edit: I checked the syntax and I don't think the keyword "VALUES" is valid for an UPDATE.
 
^_^ yey i fixed it,

PHP: 
$sql = sprintf("UPDATE `forum-topics` SET `lastpost`='%s', `lastposttime`='%s', `lasttopic`='%s', `lastid`=%d WHERE `id` = %d", 
            mysql_real_escape_string($username), 
            mysql_real_escape_string($today), 
            mysql_real_escape_string($_POST['subject']), 
            mysql_real_escape_string($number), 
            mysql_real_escape_string($_GET['catagory'])); 
$query = mysql_query($sql);

Turns out i was trying to make it like a insert instead of a update. So dose this make the code secure or do i need to do more.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back