Play SAH Search Log in Register / Forams

MySQL Error

if( while ) switch{ coding } ++ — Page [1]

2009 Sep 6 • 2547
10 ₧

I don't even know where to begin....

Warning: mysql_query() [http://www.mysql.com/doc]: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''shouts' SET 'userid' = 2, 'date' = NOW(), 'message' = 'hjkl'' at line 1 in /var/www/shoutbox.php on line 50
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''shouts' SET 'userid' = 2, 'date' = NOW(), 'message' = 'hjkl'' at line 1

php code

<?php
else
        {
            mysql_query("INSERT INTO 'shouts' SET
                        'userid' = {$_SESSION['uid']},
                        'date' = NOW(),
                        'message' = '$shout' ") or die(mysql_error());
        }
?>

≡

2010 Sep 26 at 04:17 PDT

SRAW
Rocket Man

2007 Nov 6 • 2525
601 ₧

sprinkles said:

php code

<?php
else
        {
            mysql_query("INSERT INTO 'shouts' SET
                        'userid' = {$_SESSION['uid']},
                        'date' = NOW(),
                        'message' = '$shout' ") or die(mysql_error());
        }
?>

Superjer has syntax highlighting :O

≡

2010 Sep 26 at 05:46 PDT

sprinkles

2009 Sep 6 • 2547
10 ₧

It seems it didn't like the $_SESSION['uid'] and NOW(). I subsituted them for variables. And now its telling me:

  code
Warning: mysql_query() [http://www.mysql.com/doc]: Unknown column 'fdafda' in 'field list' in /var/www/shoutbox.php on line 52

line 49-52 code
mysql_query("INSERT INTO `shouts` SET
	`_userid` = $id,
`_date` = $now,
`_message` = $shout ");

≡

2010 Sep 26 at 09:21 PDT — Ed. 2010 Sep 26 at 09:22 PDT

SuperJer
Websiteman

2005 Mar 20 • 6629

In MySQL, table and column names do not need to be quoted. But if you want to anyway, you must use `backticks`.

For string values, you need to use 'quotes'.

MySQL code
UPDATE `sometable` SET `col`='$value';

Notice that if $value itself contains 'quotes' it will mess up the query, which is why you need mysql_real_escape_string(). So do something like this first:

php code

<?php
$value = mysql_real_escape_string($value);
?>

≡

2010 Sep 26 at 23:16 PDT

sprinkles

2009 Sep 6 • 2547
10 ₧

Superjer, you must have gone to "Learn everything about everything" college.

BTW:

php code

<?php
require_once 'protect.php';
?>

php code

<?php
if (isset($_POST['submit']))
{
    $shout = protect($_POST['shout']);
?>

php code

<?php
function protect($sValue)
{
    $sValue = mysql_real_escape_string($sValue);
    $sValue = htmlentities($sValue, ENT_QUOTES);
    $sValue = trim($sValue);
    return $sValue;
}
?>

Now that I look at it mysql_real_escape_string and htmlentities together kind of mess things up.

php code

<?php
$sValue = "Hello, e'erybody";
$sValue = mysql_real_escape_string($sValue);
?>

$sValue now equals "Hello, e\'erbody";

php code

<?php
$sValue = htmlentities($sValue, ENT_QOUTES);
?>

$sValue now equals "Hello, e\'erbody"

Right?
Haha, it converted the HTML representation of ' to '.
But you get what I mean right?

≡

2010 Sep 27 at 19:07 PDT — Ed. 2010 Sep 27 at 20:54 PDT

SuperJer
Websiteman

2005 Mar 20 • 6629

You shouldn't be using those two functions together like that. If you do, you need to decode/unescape them in the reverse order. But I don't see the point.

If you need html encoding and mysql escaping then you probably need 2 separate variables like $htmlValue and $sqlValue for instance. The 1st for display and the second for use in SQL queries.

≡

2010 Sep 30 at 12:31 PDT

Page [1]