I create a stored procedure, and I get an error when I call it.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''results0.79123800+1345985910.html')' at line 1

This is how I call it from my PHP code:

  mysql_query("CALL lastscan($task_id,'$file_name')") or die(mysql_error());

I have the sp in my database..

If it is a quote thing, how do I escape the variable I put inside, without modifying the stored procedure?

Dmitry Makovetskiyd
  • Please, don't use `mysql_*` functions to write new code. They are no longer maintained and the community has begun the [deprecation process](http://goo.gl/KJveJ). See the [*red box*](http://goo.gl/GPmFd)? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://goo.gl/3gqF9) will help you. If you pick PDO, [here is a good tutorial](http://goo.gl/vFWnC). – tereško Aug 26 '12 at 13:16
  • If it's a quote thing, then use prepared statements. – knittl Aug 26 '12 at 13:16
  • No need to spam such comments. I am using PDO.. it is an old application that I am working on.. I don't care for now. knittl.. I can't swap between using mysql_query to mysqli/pdo.. – Dmitry Makovetskiyd Aug 26 '12 at 13:17
  • For those who are interested in SQL Injection: http://stackoverflow.com/questions/11939226/sql-injections-and-adodb-library-general-php-website-security-with-examples/12123649 – Ilia Ross Aug 26 '12 at 13:19
  • It is a local application.. it will never be uploaded to the web – Dmitry Makovetskiyd Aug 26 '12 at 13:26

1 Answer

You have incorrect syntax here, use this please:

  mysql_query("CALL lastscan('" .$task_id. "', '" .$file_name. "')") or die(mysql_error());

Ilia Ross
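
The question asks how to escape the values and the comments recommend prepared statements. The block below is an added example, not code from the question, the answer or any commenter, and shows both forms. It assumes `lastscan` takes an integer task id and a string file name (the page does not show the parameter types), and the helper function names are hypothetical.

```php
<?php
// Added example. Assumption: lastscan(INT task_id, VARCHAR file_name).

// Accept only a plain non-negative integer, so an empty or malformed
// task id can never end up in the SQL text.
function require_task_id($value)
{
    $ok = is_int($value) ? $value >= 0 : (is_string($value) && ctype_digit($value));
    if (!$ok) {
        throw new InvalidArgumentException('task_id must be a non-negative integer');
    }
    return (int) $value;
}

// Legacy ext/mysql (removed in PHP 7): escape the string with the
// connection-aware function and keep it inside single quotes.
function call_lastscan_legacy($link, $taskId, $fileName)
{
    $sql = sprintf(
        "CALL lastscan(%d, '%s')",
        require_task_id($taskId),
        mysql_real_escape_string($fileName, $link)
    );
    $result = mysql_query($sql, $link);
    if ($result === false) {
        throw new RuntimeException(mysql_error($link));
    }
    return $result;
}

// mysqli prepared statement: the values travel separately from the SQL
// text, so a quote in the file name cannot change the statement.
function call_lastscan_prepared(mysqli $db, $taskId, $fileName)
{
    $id = require_task_id($taskId);
    $stmt = $db->prepare('CALL lastscan(?, ?)');
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('is', $id, $fileName); // i = integer, s = string
    if (!$stmt->execute()) {
        throw new RuntimeException($stmt->error);
    }
    $stmt->close();
}

// Constructed sample input (file name containing a quote):
// call_lastscan_prepared($db, '42', "results0.79'x.html");
```

With the legacy function, set the connection character set through `mysql_set_charset()` rather than a `SET NAMES` query, because `mysql_real_escape_string()` escapes according to the character set the client library knows about.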