
#1 kimkim92

SQL syntax error HELP

Posted 27 July 2011 - 04:57 AM

Hi guys, when I submit I got this error: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1". Can anyone please help me spot it?

<?php

$link = mysqli_connect('localhost', '****', '****', 'sjas') or die(mysqli_connect_error());
$query = "SELECT * FROM employee WHERE user_id =$_GET[id]";
$result = mysqli_query($link,$query) or die(mysqli_error($link));
$row = mysqli_fetch_array($result);

?>

<center><h2>SJAS -Editing</h2></center>
<hr>
<center><h3>You are editing a user</h3></center>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">

    Name<input type="text" name="name" value="<?php echo $row['name'];?>"/><br/>
    Nric<input type="text" name="nric" value="<?php echo $row['nric'];?>"/><br/>
    Age<input type="text" name="age" value="<?php echo $row['age'];?>"/><br/>
    Gender<input type="text" name="name" value="<?php echo $row['gender'];?>"/><br/>
    Email<input type="text" name="name" value="<?php echo $row['email'];?>"/><br/>
    Position<input type="text" name="name" value="<?php echo $row['position'];?>"/><br/>
    SDF<input type="text" name="name" value="<?php echo $row['sdf'];?>"/>

    <center><input type="submit" name="submit" value="Edit" /></center>
    <center><input type="hidden" name="id" name="submit" value="<?php echo $_GET['id'];?>" /></center>
</form>

<?php
if(isset($_POST['submit'])) {
    $u = "UPDATE employee SET fullname='$_POST[name]', nric='$_POST[nric]' , age='$_POST[age]', gender='$_POST[gender]', email='$_POST[email]', position ='$_POST[position]',sdf = '$_POST[sdf]' WHERE user_id=$_GET[id]";
    mysqli_query($u) or die(mysqli_connect_error());
    echo "User has been edited!";
}
?>

This post has been edited by Dormilich: 27 July 2011 - 05:08 AM
Reason for edit:: removed login credentials


Replies To: SQL syntax error HELP

#2 Dormilich

Re: SQL syntax error HELP

Posted 27 July 2011 - 05:10 AM

I'd say $_GET['id'] is empty and the WHERE clause requires a value to be given.

#3 codeprada

Re: SQL syntax error HELP

Posted 27 July 2011 - 05:19 AM

If you're going to parse an element of an array in a string you must do two things.
  • Enclose the string in double quotes
  • Enclose the variable in curly braces { }


This is valid
echo "This is your IP {$_SERVER['REMOTE_ADDR']}";

Also you should enclose the key in single quotes unless it's a numerical array. In your case it is not.

With that said, your script poses a very big security threat. As is, it allows for SQL injections. You could use mysql_real_escape_string to help combat this problem or you could use Prepared statements, which are immune to SQL injections. I suggest going for the Prepared statements. MySQLi and PDO offer such features.
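
An added example, not code from the thread or from any poster: the prepared-statement approach suggested above, combined with a check that rejects the empty id identified earlier as the cause of the syntax error. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline, and that the id arrives with the submitted form fields; `parse_id`, `update_employee` and the sample requests are hypothetical and constructed.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for the
// poster's MySQL database so the script runs offline; the prepare/execute
// pattern is the same with a PDO MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employee (user_id INTEGER PRIMARY KEY, fullname TEXT, email TEXT)');
$pdo->exec("INSERT INTO employee VALUES (1, 'Constructed User', 'user@example.test')");

// Hypothetical helper: accept only a positive integer id, return false otherwise.
function parse_id($raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Hypothetical helper: update one employee with every value bound as a parameter,
// so no request data is ever spliced into the SQL text.
function update_employee(PDO $pdo, $rawId, array $fields)
{
    $id = parse_id($rawId);
    if ($id === false) {
        // Covers the empty id that produced "syntax error near ''" in the thread.
        return 'rejected: id missing or not a positive integer';
    }
    $stmt = $pdo->prepare(
        'UPDATE employee SET fullname = :fullname, email = :email WHERE user_id = :id'
    );
    $stmt->execute([
        ':fullname' => $fields['name'] ?? '',
        ':email'    => $fields['email'] ?? '',
        ':id'       => $id,
    ]);
    return $stmt->rowCount() === 1 ? 'updated' : 'no such user';
}

// Constructed requests: a normal edit, an empty id, extra text after the id,
// and a value containing a quote character.
$requests = [
    ['id' => '1', 'name' => 'New Name', 'email' => 'new@example.test'],
    ['id' => '', 'name' => 'x', 'email' => 'x@example.test'],
    ['id' => '1 OR 1=1', 'name' => 'x', 'email' => 'x@example.test'],
    ['id' => '1', 'name' => "O'Brien", 'email' => 'ob@example.test'],
];
foreach ($requests as $r) {
    echo var_export($r['id'], true), ' => ', update_employee($pdo, $r['id'], $r), PHP_EOL;
}
// The quote in the last name is stored as data, not parsed as SQL.
$row = $pdo->query('SELECT fullname FROM employee WHERE user_id = 1')->fetch(PDO::FETCH_ASSOC);
echo $row['fullname'], PHP_EOL;
```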

#4 kimkim92

Re: SQL syntax error HELP

Posted 27 July 2011 - 05:56 AM

Thanks guys for your help. I managed to solve it :bananaman: