I have the following code

$id_post = mysql_real_escape_string($_POST['id']);
$forumid = (int)mysql_real_escape_string($_POST['forumid']);
$message = mysql_real_escape_string($_POST['message']);

mysql_query("UPDATE forum_reactions SET message = ".$message." WHERE id = ".$id_post." ");

message is the TEXT column

It gives this error

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'staat niet in het woordfilter lol WHERE id = 39' at line 1

SQL INJECTION AHEAD!!! – Barranka Sep 12 '13 at 21:16

DO NOT USE mysql_** functions! You'd better use PDO. – mpyw Sep 12 '13 at 21:17

@Barranka OP is escaping $_POST['message'] and storing it in $message, not passing in un-sanitized user data. – Chris Rasco Sep 12 '13 at 21:17

@Barranka, that would be correctly escaped by mysql_real_escape_string, and would be stored as that string literal. – halfer Sep 12 '13 at 21:23

I see nothing that is using $forumid. – Andy Lester Sep 12 '13 at 21:24
up vote 3 down vote accepted

You aren't encompassing the string for $message so SQL is attempting to use those as keywords, which they aren't. Try this:

$id_post = mysql_real_escape_string($_POST['id']);
$forumid = (int)mysql_real_escape_string($_POST['forumid']);
$message = mysql_real_escape_string($_POST['message']);

mysql_query("UPDATE forum_reactions SET message = '".$message."' WHERE id = ".$id_post." ");

The mysql_* functions are deprecated and you should move to mysqli_* or PDO.

http://php.net/manual/en/function.mysql-query.php

This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

mysqli_query(), PDO::query()

    
Although this solves the OP issue, this is still prone to SQL Injection attacks. Prepared statements should be used to avoid this problem. – Barranka Sep 12 '13 at 21:17
    
He should do the same for id shouldn't he? – Jordan Sep 12 '13 at 21:20
    
@Jordan Only strings need to be enclosed in queries, but it wouldn't hurt. Similarly OP could cast it as an int or use intval() like they did for $forumid. – Chris Rasco Sep 12 '13 at 21:21
    
@ChrisRasco Because the OP didn't do it for the id, I assumed the id was a string, silly as that would be. – Jordan Sep 12 '13 at 21:24
    
Thanks guys, I am not sure why I missed the ' in the first place, I guess I shouldn't do this coding at night haha! – user1857116 Sep 12 '13 at 21:24

PDO Sample Usage:

<?php

try {

    // config
    $dsn = 'mysql:dbname=testdb;host=127.0.0.1;charset=utf8';
    $username = 'root';
    $password = '';
    $options = array(
        PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => true,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ); // You should always use these options

    // connect
    $pdo = new PDO($dsn, $username, $password, $options);

    // check posted values
    if (
        !isset($_POST['id'], $_POST['message']) ||
        !is_string($_POST['id']) ||
        !is_string($_POST['message'])
    ) {
        throw new RuntimeException('invalid parameters');
    }

    // SQL execution
    $stmt = $pdo->prepare('UPDATE forum_reactions SET message = ? WHERE id = ?');
    $stmt->execute(array($_POST['message'], $_POST['id']));

    // check result
    if ($stmt->rowCount()) {
        echo 'successfully updated';
    } else {
        echo 'specified ID not found.';
    }

} catch (Exception $e) {

    // prints the raw driver/validation message to the client; for a public page,
    // log it and show a generic error instead so database details are not exposed
    echo $e->getMessage();

}
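To make both halves of this thread concrete, here is an added example that is not from the question or either answer: Python with an in-memory SQLite table standing in for the PHP/MariaDB setup (the table, columns and the sample row with id 39 are constructed). It reproduces the syntax error the question hit by splicing an unquoted value into the SQL text, then performs the same update the way the answers recommend, with bound parameters and an integer-checked id.

```python
import sqlite3

# Constructed stand-in for the thread's forum_reactions table: SQLite in memory
# instead of MariaDB, with one row (id 39) to update.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forum_reactions (id INTEGER PRIMARY KEY, message TEXT)")
    conn.execute("INSERT INTO forum_reactions (id, message) VALUES (39, 'old text')")
    conn.commit()
    return conn

def update_concatenated(conn, post):
    """The question's pattern: the message is spliced into the SQL text without
    surrounding quotes. Escaping (mysql_real_escape_string in the original) does
    not help here, because without quotes the value is not a string literal at all;
    the parser reads the words as identifiers and keywords and fails.
    Returns (sql, error_text); error_text is None if the statement ran."""
    sql = ("UPDATE forum_reactions SET message = " + post["message"]
           + " WHERE id = " + post["id"])
    try:
        conn.execute(sql)
        conn.commit()
        return sql, None
    except sqlite3.OperationalError as exc:
        return sql, str(exc)

def update_parameterized(conn, post):
    """What both answers point to (PDO prepare/execute): message and id travel as
    bound values, never as SQL text, so no quoting or escaping is involved and an
    apostrophe in the message is just data. The id column is an integer, so a
    non-numeric id is rejected up front instead of being coerced by the database.
    Returns the number of rows updated (0 if the id does not exist)."""
    message, post_id = post.get("message"), post.get("id")
    if not isinstance(message, str) or not isinstance(post_id, str):
        raise ValueError("invalid parameters")
    if not post_id.isdigit():
        raise ValueError("id must be an integer")
    cur = conn.execute("UPDATE forum_reactions SET message = ? WHERE id = ?",
                       (message, int(post_id)))
    conn.commit()
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    sql, err = update_concatenated(db, {"id": "39", "message": "staat niet in het woordfilter lol"})
    print("broken:", sql, "->", err)
    print("fixed rows:", update_parameterized(db, {"id": "39", "message": "it's fixed now"}))
```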
