Help with statements and syntax - PHP Development

Rank: 1

1^# Jump to »

jellerPost at 2010-6-22 00:49 | Show This Author's Posts Only

abstract:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO submits (susite, sudir) VALUES ('1', '41,)' at line 1

I thought this the best place to ask for help even though it's mixed with php.
I'm a complete newbie to SQL and PHP so any help would be much appreciated :-)

Hi,
I'm getting an error in my sql syntax with this code:
PHP Code:
$sql
=
"DELETE FROM dirs_skips WHERE dirID = '"
.
mysql_real_escape_string
(
$_GET
[
'ID'
] ) .
"' AND urlID = '"
.
mysql_real_escape_string
(
$_GET
[
'urlID'
] ) .
"' AND username = "
.
mysql_real_escape_string
(
$_GET
[
'uID'
] ).
" INSERT INTO submits (susite, sudir) VALUES ('"
.
mysql_real_escape_string
(
$_GET
[
'urlID'
] ) .
"', '"
.
mysql_real_escape_string
(
$_GET
[
'ID'
] ).
",) "
;
The error message reads this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO submits (susite, sudir) VALUES ('1', '41,)' at line 1

I thought this the best place to ask for help even though it's mixed with php.
I'm a complete newbie to SQL and PHP so any help would be much appreciated :-)

Author Hot threads

Help with statements and syntax

TOP

Newbie

Rank: 1

2^#

requinixPost at 2010-6-22 00:49 | Show This Author's Posts Only

1. The username needs quotes too.
2. You can't run two queries at once like that.

TOP

Newbie

Rank: 1

3^#

chaosbringerPost at 2010-6-22 00:49 | Show This Author's Posts Only

i also suggest cleaning up those vars a bit better
something like
Code:

$your_var = ( isset( $_POST['username'] ) && !empty( $_POST['username'] ) ) ? trim( htmlspecialchars( str_replace( array( "\r\n", "\r", "\0" ), array( "\n", "\n", '' ), $_POST['username'] ), ENT_QUOTES, 'UTF-8' ) ) : '';

Copy Code

( Yes im very paranoid when it comes to user input into my database )
Otherwise you might have issues with people putting in code in usernames.
From PHP.net
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
characters like ( ) | ; etc are not quoted which can lead to possible injections or errors because of user input.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO submits (susite, sudir) VALUES ('1', '41,)' at line 1

I thought this the best place to ask for help even though it's mixed with php.
I'm a complete newbie to SQL and PHP so any help would be much appreciated :-)

TOP

Back Forum

Author Hot threads

[Favorite Topic] [Add to My attention, if there is a New Reply]

[Through QQ, MSN Send to a friend]