current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 0 down vote favorite

Possible Duplicate:
Can a number used to name a sql column

I am trying to figure out what is wrong with this code

$query = "UPDATE $table SET '$_GET[qty]'=$_GET[newprice] WHERE 'id'='1'";

this is what $query looks like - UPDATE retail_12x18 SET '25'=100 WHERE 'id'='1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''25'=100 WHERE 'id'='1'' at line 1

I have put backticks ' every which way and cant get it to go through, always the same error message.

enter image description here

share|improve this question

marked as duplicate by Tim Post Nov 2 '11 at 3:22

This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
2  
Please show the error message. Also, this code has massive SQL injection vulnerabilities - stackoverflow.com/questions/332365/…. –  El Yobo Nov 1 '11 at 22:36
    
What happens when you run it ? mysql or php issue ? –  gregory Nov 1 '11 at 22:37
    
this is the query echo - UPDATE retail_12x18 SET 25 = 100 WHERE type=1 color / 1 side You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '25 = 100 WHERE type=1 color / 1 side' at line 1 –  Daniel Hunter Nov 1 '11 at 22:40
    
I have included a picture of the database structure.. Also, i am using a for each function to escape the $_get variables –  Daniel Hunter Nov 1 '11 at 22:44
    
This is the live link preferweb.com/accentps/lib/… –  Daniel Hunter Nov 1 '11 at 22:46

2 Answers 2

up vote 1 down vote accepted

use backtick around your field name:

UPDATE table SET `25` = '{thevalue}', `100` = '{thevalue}', `200` = '{thevalue}' WHERE wherefield = '{wherevalue}'

See here (look for backtick word): http://dev.mysql.com/doc/refman/5.0/en/identifiers.html

share|improve this answer
    
I believe the problem lies with the lack of `` in the query. Without `` it will treat 25 (as seen in OP's link) as a number rather than a row if I am not mistaken. –  MrE Nov 1 '11 at 22:50
    
Correct, only if the field name is a string can the backtick omitted. –  Melsi Nov 1 '11 at 22:51
up vote 0 down vote

It's a bit hard to know for sure, without seeing the table definition, but:

[1] It might be the column types. For instance this bit:

type=" .$_GET['type'];

is trying to set the value of the "type" column without using quotes. It will fail if the "type" column is type like varchar, for example.

[2] You need to use backtics if you're going to have numeric column names

[3] It really must be said that the main thing that's wrong with your code is that you are putting un-escaped $_GET values into your SQL query. Anyone could mount an SQL injection attack by putting SQL into the URL of the page. Very bad practice.

http://en.wikipedia.org/wiki/SQL_injection

share|improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.