-1

I'm trying to run a query (UPDATE) inside a while loop like this:

<?php
session_start();
include("../DB/thedb.php");

$user = $_POST['u'];
$ruta = $_POST['r'];
$select_all_p_from_user = @mysql_query("SELECT * FROM publicaciones WHERE from_user_p = '$user' AND user = '$user'");

while($rows_all_user = @mysql_fetch_array($select_all_p_from_user)){
$update_from_user = $rows_all_user['from_user_p'];
$update_user = $rows_all_user['user'];
$update_foto = $ruta;
$update_nombre = $rows_all_user['nombre'];
$update_comentario = $rows_all_user['comentario'];
$update_time = $rows_all_user['time'];
$update_date = $rows_all_user['date'];
$update_p_photo = $rows_all_user['p_photo'];
$update_to_delete = $rows_all_user['to_delete'];

//Process to update selected ROW
// This is the line 55
 $update_current_row = @mysql_query("UPDATE publicaciones SET from_user_p = '$update_from_user', user = '$update_user', foto = '$ruta', nombre = '$update_nombre', comentario = '$update_comentario', time = '$update_time', date = '$update_date', p_photo = 
'$update_p_photo', to_delete = '$update_to_delete' WHERE from_user_p = '$user' AND user = '$user'") or die mysql_error(); // End of the line

}
?>

I'm getting the following error: Parse error: syntax error, unexpected T_STRING on line 55

7
  • 1
    Don't use @ to suppress error messages. That's generally a bad programming practice. Commented Feb 26, 2014 at 20:42
  • 1
    Change die mysql_error(); to die(mysql_error()); Commented Feb 26, 2014 at 20:43
  • @RobertRozas: One would assume that it's the one that he commented as // This is line 55 Commented Feb 26, 2014 at 20:44
  • Excellent...try the answer of @Krish Commented Feb 26, 2014 at 20:45
  • @JohnConde Deleted the '@' and changed die mysql_error(); to die(mysql_error()); and it worked, thank you :) Commented Feb 26, 2014 at 20:46

2 Answers

1

Try this,

 or die (mysql_error()); 

instead of

or die mysql_error(); 

Also, in the update query, the time and date columns need to be wrapped in backticks since those are reserved words.

`time` = '$update_time', `date` = '$update_date'

0

The error you're encountering is a parse error. It does not have anything to do with MySQL. The error is that you have not placed the argument for or die inside parentheses.

A couple of BIG warnings:

  1. You've not escaped the data you send to MySQL. If any of the fields you're fetching from the publicaciones table contains ' you'll get errors.
  2. If a user logs in with $_POST['u'] = "' OR ''='" the select statement will result in every record.

Please look into https://www.php.net/mysql_real_escape_string to fix your big security issues.

Illustrative comic:

SQL injection
(source: smashingmagazine.com)

2 Comments

So, if I am sending a value from an input, I should use mysql_real_escape_string(); am I right?
Simple rule: Instead of "..... = '$variable' ...." you should ALWAYS use "..... = '".MySQL_real_escape_string($variable)."' ....". In addition, you should call MySQL_set_charset($charset) at the beginning of your script. $charset is often "iso-8859-1" or "utf-8". utf-8 is the most versatile.
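
An added example, not part of the original thread: the input quoted in the second answer, run against a concatenated query and against bound parameters, followed by one parameterized UPDATE in place of the SELECT-and-loop. It uses PDO prepared statements rather than the mysql_real_escape_string approach discussed above (the mysql_* functions were removed in PHP 7). Assumptions: an in-memory SQLite database and constructed rows so it runs offline, a reduced table layout, the intent is only to set foto for the user's rows, and the function names are hypothetical.

```php
<?php
// Added example: constructed schema and rows, in-memory SQLite via PDO so it runs offline.
// Assumption: against MySQL only the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw; no @ or die()

$pdo->exec("CREATE TABLE publicaciones (id INTEGER PRIMARY KEY, from_user_p TEXT, user TEXT, foto TEXT, comentario TEXT)");
$insert = $pdo->prepare("INSERT INTO publicaciones (from_user_p, user, foto, comentario) VALUES (?, ?, ?, ?)");
foreach ([
    ['alice', 'alice', 'old_a.jpg', "it's mine"],   // stored value contains a quote
    ['alice', 'alice', 'old_a.jpg', 'second post'],
    ['bob',   'bob',   'old_b.jpg', 'hello'],
] as $row) {
    $insert->execute($row);
}

// Vulnerable pattern from the question: the value is pasted into the SQL text.
function countRowsConcatenated(PDO $pdo, string $user): int
{
    $sql = "SELECT COUNT(*) FROM publicaciones WHERE from_user_p = '$user' AND user = '$user'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened pattern: placeholders keep the value out of the SQL grammar.
function countRowsBound(PDO $pdo, string $user): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM publicaciones WHERE from_user_p = :u AND user = :u2");
    $stmt->execute([':u' => $user, ':u2' => $user]);
    return (int) $stmt->fetchColumn();
}

// One bound UPDATE replaces the SELECT + while loop; returns the number of rows changed.
function updateFoto(PDO $pdo, string $user, string $ruta): int
{
    $stmt = $pdo->prepare("UPDATE publicaciones SET foto = :foto WHERE from_user_p = :u AND user = :u2");
    $stmt->execute([':foto' => $ruta, ':u' => $user, ':u2' => $user]);
    return $stmt->rowCount();
}

$payload = "' OR ''='";  // the input quoted in the answer above
printf("concatenated, payload: %d rows\n", countRowsConcatenated($pdo, $payload));
printf("bound, payload:        %d rows\n", countRowsBound($pdo, $payload));
printf("bound, alice:          %d rows\n", countRowsBound($pdo, 'alice'));
printf("update alice:          %d rows changed\n", updateFoto($pdo, 'alice', "new'a.jpg"));
printf("update payload:        %d rows changed\n", updateFoto($pdo, $payload, 'x.jpg'));
```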
