Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

php securing problems

Cabbit

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
hey all im working on securing my php but this bit errors out any help please.
PHP: 
$sql = sprintf("UPDATE `forum-topics` (`lastpost`, `lastposttime`, `lasttopic`, `lastid`) VALUES ('%s', '%s', '%d', '%s') WHERE `id` = '$topic'",
			mysql_real_escape_string($username),
			mysql_real_escape_string($today),
			mysql_real_escape_string($_POST['subject']),
			mysql_real_escape_string($number),
			mysql_real_escape_string($topic));
$query = mysql_query($sql);
if(!$query) {
///// error out /////
echo "There was an error, please try again.";
print mysql_error();
}

error

There was an error, please try again.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(`lastpost`, `lastposttime`, `lasttopic`, `lastid`) VALUES ('JerryLouise', 'Octo' at line 1
 
Z

Zortrium

macrumors 6502
Jun 23, 2003
461
0
I think the SQL syntax you're trying to use is invalid; instead of "UPDATE table (col1,col2,coln) VALUES (val1,val2,valn)" try "UPDATE table SET col1=val1, col2=val2, coln=valn".

Also, you're passing 5 extra parameters to the sprintf, but only using 4. I think you want to replace the $topic in your query with %s.
 
bbarnhart

bbarnhart

macrumors 6502a
Jan 16, 2002
824
1
I'm not an expert in SQL, but that UPDATE syntax looks wrong. Also, I think you should remove a bunch of those single quotes.

Update syntax that I've been using

UPDATE tablename SET column_name=new_value where column_id=5

Edit: I checked the syntax and I don't think the keyword "VALUES" is valid for an UPDATE.
 
Cabbit

Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
^_^ yey i fixed it,

PHP: 
$sql = sprintf("UPDATE `forum-topics` SET `lastpost`='%s', `lastposttime`='%s', `lasttopic`='%s', `lastid`=%d WHERE `id` = %d", 
            mysql_real_escape_string($username), 
            mysql_real_escape_string($today), 
            mysql_real_escape_string($_POST['subject']), 
            mysql_real_escape_string($number), 
            mysql_real_escape_string($_GET['catagory'])); 
$query = mysql_query($sql);

Turns out i was trying to make it like a insert instead of a update. So dose this make the code secure or do i need to do more.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom