php securing problems

Discussion in 'Web Design and Development' started by Cabbit, Oct 13, 2007.

  1. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    hey all im working on securing my php but this bit errors out any help please.
    PHP:
    $sql sprintf("UPDATE `forum-topics` (`lastpost`, `lastposttime`, `lasttopic`, `lastid`) VALUES ('%s', '%s', '%d', '%s') WHERE `id` = '$topic'",
                
    mysql_real_escape_string($username),
                
    mysql_real_escape_string($today),
                
    mysql_real_escape_string($_POST['subject']),
                
    mysql_real_escape_string($number),
                
    mysql_real_escape_string($topic));
    $query mysql_query($sql);
    if(!
    $query) {
    ///// error out /////
    echo "There was an error, please try again.";
    print 
    mysql_error();

    error

    There was an error, please try again.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(`lastpost`, `lastposttime`, `lasttopic`, `lastid`) VALUES ('JerryLouise', 'Octo' at line 1
     
  2. Zortrium macrumors 6502

    Joined:
    Jun 23, 2003
    #2
    I think the SQL syntax you're trying to use is invalid; instead of "UPDATE table (col1,col2,coln) VALUES (val1,val2,valn)" try "UPDATE table SET col1=val1, col2=val2, coln=valn".

    Also, you're passing 5 extra parameters to the sprintf, but only using 4. I think you want to replace the $topic in your query with %s.
     
  3. bbarnhart macrumors 6502a

    bbarnhart

    Joined:
    Jan 16, 2002
    Location:
    Stilwell, Kansas
    #3
    I'm not an expert in SQL, but that UPDATE syntax looks wrong. Also, I think you should remove a bunch of those single quotes.

    Update syntax that I've been using

    UPDATE tablename SET column_name=new_value where column_id=5

    Edit: I checked the syntax and I don't think the keyword "VALUES" is valid for an UPDATE.
     
  4. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #4
    ^_^ yey i fixed it,

    PHP:
    $sql sprintf("UPDATE `forum-topics` SET `lastpost`='%s', `lastposttime`='%s', `lasttopic`='%s', `lastid`=%d WHERE `id` = %d"
                
    mysql_real_escape_string($username), 
                
    mysql_real_escape_string($today), 
                
    mysql_real_escape_string($_POST['subject']), 
                
    mysql_real_escape_string($number), 
                
    mysql_real_escape_string($_GET['catagory'])); 
    $query mysql_query($sql);
    Turns out i was trying to make it like a insert instead of a update. So dose this make the code secure or do i need to do more.
     

Share This Page