You have an error in your SQL syntax; check the manual that correspond

Page 1 of 1

1 Replies - 744 Views - Last Post: 28 October 2008 - 10:41 PM Rate Topic: -----

#1 0saurus  Icon User is offline

  • New D.I.C Head

Reputation: 0
  • View blog
  • Posts: 3
  • Joined: 27-October 08

You have an error in your SQL syntax; check the manual that correspond

Posted 28 October 2008 - 10:34 PM

Had a prob with database, as per previous topic, tried to fix as per answers, but now have this error. This was the original problem is the instance. Am building a d/b for my brother, only a newbie at php, any help would be appreciated.

<?php require_once('includes/config.php'); ?>
<?php
include('includes/sc-includes.php');
$pagetitle = Contact;

$update = 0;
if (isset($_GET['id'])) {
$update = 1;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
	case "text":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;	
	case "long":
	case "int":
	  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
	  break;
	case "double":
	  $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
	  break;
	case "date":
	  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
	  break;
	case "defined":
	  $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
	  break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}



//
if ($update==1) {
mysql_select_db($database_contacts, $contacts);
$query_contact = "SELECT * FROM contacts WHERE contact_id = ".$_GET['id']."";
$contact = mysql_query($query_contact, $contacts) or die(mysql_error());
$row_contact = mysql_fetch_assoc($contact);
$totalRows_contact = mysql_num_rows($contact);
}
//

//UPLOAD PICTURE
	$picture = $_POST['image_location'];
	$time = substr(time(),0,5);	
   if($HTTP_POST_FILES['image'] && $HTTP_POST_FILES['image']['size'] > 0){
	$ori_name = $_FILES['image']['name'];
	$ori_name = $time.$ori_name;
	$tmp_name = $_FILES['image']['tmp_name'];
	$src = imagecreatefromjpeg($tmp_name);
	list($width,$height)=getimagesize($tmp_name);
	$newwidth=95;
	$newheight=($height/$width)*95;
	$tmp=imagecreatetruecolor($newwidth,$newheight);
	imagecopyresampled($tmp,$src,0,0,0,0,$newwidth,$newheight,$width,$height);
	$filename = "images/". $ori_name;
	imagejpeg($tmp,$filename,100);
	$picture = $ori_name;
	imagedestroy($src);
	imagedestroy($tmp);	
}
//END UPLOAD PICTURE

if ($update==0) {
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO contacts (contact_first, contact_last, contact_title, contact_image, contact_profile, contact_company, contact_street, contact_city, contact_state, contact_zip, contact_phone, contact_cell, contact_email, contact_username, contact_password, contact_number, contact_fax, contact_web, contact_updated) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s,)",
					   GetSQLValueString(trim($_POST['contact_first']), "text"),
					   GetSQLValueString(trim($_POST['contact_last']), "text"),
					   GetSQLValueString(trim($_POST['contact_title']), "text"),
					   GetSQLValueString($picture, "text"),
					   GetSQLValueString(trim($_POST['contact_profile']), "text"),
					   GetSQLValueString(trim($_POST['contact_company']), "text"),
					   GetSQLValueString(trim($_POST['contact_street']), "text"),
					   GetSQLValueString(trim($_POST['contact_city']), "text"),
					   GetSQLValueString(trim($_POST['contact_state']), "text"),
					   GetSQLValueString(trim($_POST['contact_zip']), "text"),
					   GetSQLValueString(trim($_POST['contact_phone']), "text"),
					   GetSQLValueString(trim($_POST['contact_cell']), "text"),
					   GetSQLValueString(trim($_POST['contact_fax']), "text"),
					   GetSQLValueString(trim($_POST['contact_email']), "text"),
					   GetSQLValueString(trim($_POST['contact_username']), "text"),
					   GetSQLValueString(trim($_POST['contact_password']), "text"),
					   GetSQLValueString(trim($_POST['contact_number']), "text"),
					   GetSQLValueString(trim($_POST['contact_web']), "text"),
					   GetSQLValueString($_POST['contact_updated'], "int"));

  mysql_select_db($database_contacts, $contacts);
  $Result1 = mysql_query($insertSQL, $contacts) or die(mysql_error());
	set_msg('Contact Added');
	$cid = mysql_insert_id();
	$redirect = "contact-details.php?id=$cid";
	header(sprintf('Location: %s', $redirect)); die;
}
}

if ($update==1) {
if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE contacts SET contact_first=%s, contact_last=%s, contact_title=%s, contact_image=%s, contact_profile=%s, contact_company=%s, contact_street=%s, contact_city=%s, contact_state=%s, contact_zip=%s, contact_phone=%s, contact_cell=%s, contact_fax=%s, contact_email=%s, contact_username=%s, contact_password=%s, contact_number=%s, contact_web=%s, contact_updated=%s WHERE contact_id=%s",
					   GetSQLValueString(trim($_POST['contact_first']), "text"),
					   GetSQLValueString(trim($_POST['contact_last']), "text"),
					   GetSQLValueString(trim($_POST['contact_title']), "text"),
					   GetSQLValueString($picture, "text"),
					   GetSQLValueString(trim($_POST['contact_profile']), "text"),
					   GetSQLValueString(trim($_POST['contact_company']), "text"),
					   GetSQLValueString(trim($_POST['contact_street']), "text"),
					   GetSQLValueString(trim($_POST['contact_city']), "text"),
					   GetSQLValueString(trim($_POST['contact_state']), "text"),
					   GetSQLValueString(trim($_POST['contact_zip']), "text"),
					   GetSQLValueString(trim($_POST['contact_phone']), "text"),
					   GetSQLValueString(trim($_POST['contact_cell']), "text"),
					   GetSQLValueString(trim($_POST['contact_fax']), "text"),
					   GetSQLValueString(trim($_POST['contact_email']), "text"),
					   GetSQLValueString(trim($_POST['contact_username']), "text"),
					   GetSQLValueString(trim($_POST['contact_password']), "text"),
					   GetSQLValueString(trim($_POST['contact_number']), "text"),
					   GetSQLValueString(trim($_POST['contact_web']), "text"),
					   GetSQLValueString(trim($_POST['contact_updated']), "int"),
					   GetSQLValueString(trim($_POST['contact_id']), "int"));

  mysql_select_db($database_contacts, $contacts);
  $Result1 = mysql_query($updateSQL, $contacts) or die(mysql_error());
	set_msg('Contact Updated');
	$cid = $_GET['id'];
	$redirect = "contact-details.php?id=$cid";
	header(sprintf('Location: %s', $redirect)); die;
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title><?php if ($update==0) { echo "Add Contact"; } ?><?php echo $row_contact['contact_first']; ?> <?php echo $row_contact['contact_last']; ?></title>
<script src="includes/lib/prototype.js" type="text/javascript"></script>
<script src="includes/src/effects.js" type="text/javascript"></script>
<script src="includes/validation.js" type="text/javascript"></script>
<script src="includes/src/scriptaculous.js" type="text/javascript"></script>
<script language="javascript">
function toggleLayer(whichLayer)
{
if (document.getElementById)
{
// this is the way the standards work
var style2 = document.getElementById(whichLayer).style;
style2.display = style2.display? "":"block";
}
else if (document.all)
{
// this is the way old msie versions work
var style2 = document.all[whichLayer].style;
style2.display = style2.display? "":"block";
}
else if (document.layers)
{
// this is the way nn4 works
var style2 = document.layers[whichLayer].style;
style2.display = style2.display? "":"block";
}
}
</script>
<link href="includes/style.css" rel="stylesheet" type="text/css" />
<link href="includes/simplecustomer.css" rel="stylesheet" type="text/css" />
</head>

<body>
<?php include('includes/header.php'); ?>
<div class="container">
  <div class="leftcolumn">
	<h2><?php if ($update==1) { echo Update; } else { echo Add; } ?> Contact </h2>
	<p> </p>
	<form action="<?php echo $editFormAction; ?>" method="POST" enctype="multipart/form-data" name="form1" id="form1">
	  <table width="100%" border="0" cellspacing="0" cellpadding="0">
		<tr> 
		  <td width="28%">First Name<br /> <input name="contact_first" type="text" id="contact_first" value="<?php echo $row_contact['contact_first']; ?>" size="25" /></td>
		  <td width="72%">Last Name<br /> <input name="contact_last" type="text" id="contact_last" value="<?php echo $row_contact['contact_last']; ?>" size="25" /> 
			<p></p></td>
		</tr>
		<tr> 
		  <td>Title<br /> <input name="contact_title" type="text" id="contact_title" value="<?php echo $row_contact['contact_title']; ?>" size="25" /> 
		  </td>
		  <td>Company<br /> <input name="contact_company" type="text" id="contact_company" value="<?php echo $row_contact['contact_company']; ?>" size="35" /></td>
		</tr>
		<tr> 
		  <td height="50" colspan="2">Email <br /> <input name="contact_email" type="text" id="contact_email" value="<?php echo $row_contact['contact_email']; ?>" size="35" /></td>
		</tr>
		<tr> 
		  <td height="50"> <p>Username<br />
			  <input name="contact_username" type="text" id="contact_username" value="<?php echo $row_contact['contact_username']; ?>" size="25" />
			</p></td>
		  <td> <p>Password<br />
			  <input name="contact_password" type="text" id="contact_password" value="<?php echo $row_contact['contact_password']; ?>" size="25" />
			</p></td>
		</tr>
		<tr> 
		  <td>Customer Number<br /> <input name="contact_number" type="text" id="contact_number" value="<?php echo $row_contact['contact_number']; ?>" size="25" /> 
		  </td>
		</tr>
		<tr> 
		  <td colspan="2"><hr /> 
			<?php if ($update!=1) { ?>
			<p><a href="#" onclick="new Effect.toggle('morecontact', 'slide'); return false;">+Add 
			  more contact information </a></p>
			<?php } ?>
			<div <?php if ($update!=1) { ?>id="morecontact" style="display:none"<?php } ?>> 
			  <table  width="100%" border="0" cellspacing="0" cellpadding="0">
				<tr> 
				  <td>Street<br /> <input name="contact_street" type="text" id="contact_street" value="<?php echo $row_contact['contact_street']; ?>" size="35" /></td>
				</tr>
				<tr> 
				  <td><table width="100%" border="0" cellspacing="0" cellpadding="0">
					  <tr> 
						<td width="39%">City<br /> <input name="contact_city" type="text" id="contact_city" value="<?php echo $row_contact['contact_city']; ?>" size="35" /></td>
						<td width="27%" valign="top">State<br /> <select name="contact_state" class="required validate-state" id="contact_state">
							<option value="">Select a state...</option>
							<option value="QLD" <?php if (!(strcmp("QLD", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>Queensland</option>
							<option value="VIC" <?php if (!(strcmp("VIC", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>Victoria</option>
							<option value="NSW" <?php if (!(strcmp("NSW", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>New 
							South Wales</option>
							<option value="WA" <?php if (!(strcmp("WA", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>Western 
							Australia</option>
							<option value="TAS" <?php if (!(strcmp("TAS", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>Tasmania</option>
							<option value="SA" <?php if (!(strcmp("SA", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>South 
							Australia</option>
							<option value="NT" <?php if (!(strcmp("NT", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>Northern 
							Territories</option>
							<option value="ACT" <?php if (!(strcmp("ACT", $row_contact['contact_state']))) {echo "selected=\"selected\"";} ?>>ACT</option>
						  </select></td>
						<td width="34%">Zip<br /> <input name="contact_zip" type="text" id="contact_zip" value="<?php echo $row_contact['contact_zip']; ?>" size="10" /></td>
					  </tr>
					</table></td>
				</tr>
				<tr> 
				  <td><table width="100%" border="0" cellspacing="0" cellpadding="0">
					  <tr> 
						<td width="39%">Phone<br /> <textarea name="contact_phone" cols="35" id="contact_phone"><?php echo $row_contact['contact_phone']; ?></textarea></td>
						<td width="61%"><p>Cell<br />
							<input name="contact_cell" type="text" id="contact_cell" value="<?php echo $row_contact['contact_cell']; ?>" size="35" />
						  </p>
						  <p>Fax<br/>
							<input name="contact_fax" type="text" id="contact_fax" value="<?php echo $row_contact['contact_fax']; ?>" size="35" />
						  </p></td>
					  </tr>
					</table></td>
				</tr>
				<tr> 
				  <td>Image<br /> <input name="image" type="file" id="image" /> 
					<?php if ($row_contact['contact_image']) { ?>
					<br /> <img src="images/<?php echo $row_contact['contact_image']; ?>" width="95" /> 
					<?php } ?>
				  </td>
				</tr>
				<tr> 
				  <td>Website<br /> <input name="contact_web" type="text" id="contact_web" value="<?php echo $row_contact['contact_web']; ?>" size="45" /></td>
				</tr>
				<tr> 
				  <td>Background/Profile<br /> <textarea name="contact_profile" cols="60" rows="3" id="contact_profile"><?php echo $row_contact['contact_profile']; ?></textarea></td>
				</tr>
			  </table>
			</div>
			<p> </p></td>
		</tr>
		<tr> 
		  <td colspan="2"><p> 
			  <input type="submit" name="Submit2" value="<?php if ($update==1) { echo Update; } else { echo Add; } ?> contact" />
			  <input name="contact_updated" type="hidden" id="contact_updated" value="<?php echo time(); ?>" />
			  <input type="hidden" name="MM_insert" value="form1" />
			  <input name="contact_id" type="hidden" id="contact_id" value="<?php echo $row_contact['contact_id']; ?>" />
			  <input name="image_location" type="hidden" id="image_location" value="<?php echo $row_contact['contact_image']; ?>" />
			</p></td>
		</tr>
	  </table>
	  <p> </p>
	  <input type="hidden" name="MM_update" value="form1">
	</form>
  </div>
  <?php include('includes/right-column.php'); ?>
  <br clear="all" />
</div>

<?php include('includes/footer.php'); ?>

</body>
</html>


Is This A Good Question/Topic? 0
  • +

Replies To: You have an error in your SQL syntax; check the manual that correspond

#2 no2pencil  Icon User is offline

  • Original Digital Gansta
  • member icon

Reputation: 4466
  • View blog
  • Posts: 24,914
  • Joined: 10-May 07

Re: You have an error in your SQL syntax; check the manual that correspond

Posted 28 October 2008 - 10:41 PM

Never trust $_GET & $_POST for face value...

if ($update==1) {
  if(empty($_GET['id'])) die ("Id was not set");
  mysql_select_db($database_contacts, $contacts);
  $query_contact = "SELECT * FROM contacts WHERE contact_id = ".$_GET['id']."";
  $contact = mysql_query($query_contact, $contacts) or die(mysql_error());
  $row_contact = mysql_fetch_assoc($contact);
  $totalRows_contact = mysql_num_rows($contact);
}


You should go through the code & check for all sql statements that directly use $_GET or $_POST values. They should be verified & checked for malicious code 1st, & then processed.
Was This Post Helpful? 0
  • +
  • -
Page 1 of 1