Bytes IT Community

Error in SQL syntax

Hi, I seem to be having a problem inserting data into a database.

```php
// (fragment: this block begins inside the outer if that checks whether the form was submitted)
// check to make sure fields are entered
if ($name == '' || $address1 == '' || $address2 == '' || $town == '' || $county == '' || $postcode == '' || $info == '' || $price == '')
{
    // generate error message
    $error = 'ERROR: Please fill in all required fields!';

    // if any field is blank, display the form again
    // (the original passed $address1 twice here, giving renderForm one argument too many)
    renderForm($name, $address1, $address2, $town, $county, $postcode, $info, $price, $error);
}
else
{
    // save the data to the database
    mysql_query("INSERT houses SET name='$name', address1='$address1',
    address2='$address2', town='$town', county='$county', postcode='$postcode', info='$info', price='$price' WHERE id='$id'")
    or die(mysql_error());

    // once saved, redirect back to the view page
    header("Location: admin.php");
}
}
else
// if the form hasn't been submitted, display the form
{
    renderForm('', '', '', '', '', '', '', '', '');
}
?>
```
The error I'm getting is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id=''' at line 2
Nov 26 '11 #1

✓ answered by Artnessde

2 Replies


1. Read the INSERT query structure again (if you read it before) from the documentation.
2. Read about SQL injection from the wiki.
3. Read about mysql_real_escape_string from php.net.
Nov 26 '11 #2

From what I see in your code (which is not escaping anything - may the good SQL injections be with you), your $id variable is simply empty.

That's what the SQL error tells you.

ALWAYS sanitize ANY user input and verify that the WHERE clause has valid and filled variables (as in any other use case where you handle external user input, which can always be infiltrated with potential exploit code).
Nov 26 '11 #3
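The two points the accepted answer makes (check that $id is actually filled before querying, and never splice user input into the SQL string) applied to the poster's save step, as an added example that is not code from the original thread. It assumes a PDO connection in `$db` opened with `ERRMODE_EXCEPTION`, the form fields arriving in `$_POST`, and that the statement was meant to be an UPDATE of one `houses` row, since MySQL's `INSERT ... SET` form takes no WHERE clause.

```php
<?php
// Added example, not the poster's code. Assumptions: $db is a PDO connection
// (ERRMODE_EXCEPTION), form data is in $_POST, and the operation is an UPDATE
// of one row in `houses`, keyed by id.

function saveHouse(PDO $db, array $post): int
{
    $fields = ['name', 'address1', 'address2', 'town', 'county', 'postcode', 'info', 'price'];

    // Every field, the id included, must be present and non-empty.
    foreach (array_merge(['id'], $fields) as $f) {
        if (!isset($post[$f]) || trim((string) $post[$f]) === '') {
            throw new InvalidArgumentException("Missing required field: $f");
        }
    }

    // An empty id is what produced the poster's error; require a positive integer
    // so the WHERE clause can only ever match the intended row.
    $id = filter_var($post['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Column names come from the fixed list above, never from the request, so they
    // may be built into the statement; all values travel as bound parameters.
    $setList = implode(', ', array_map(fn(string $f): string => "$f = :$f", $fields));
    $stmt = $db->prepare("UPDATE houses SET $setList WHERE id = :id");

    foreach ($fields as $f) {
        $stmt->bindValue(":$f", (string) $post[$f], PDO::PARAM_STR);
    }
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // Number of rows matched: 0 means no house with that id exists.
    return $stmt->rowCount();
}

// Usage in the form handler (connection details are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (saveHouse($db, $_POST) === 1) { header('Location: admin.php'); exit; }
```

With values bound as parameters, a quote in a field such as `info` can no longer change the statement, and a missing id is reported before anything is sent to the server instead of surfacing as a syntax error.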
