
Hi, I keep getting an SQL syntax error when I run my code in PHP; however, when I remove the variables and do it manually in MySQL, there is no problem. I've tried two different versions of the query, one with (') and the other with ("), and nothing. Could you please help?

Thank you.

    $produpdateid = $_GET['id'];
    $varcat = $_POST['category'];
    $vartitle = strip_tags($_POST['title']);
    $varoverview = strip_tags($_POST['overview']);
    $varfeatures = strip_tags($_POST['features']);
    $varspecification = strip_tags($_POST['specification']);
    $varmaker = strip_tags($_POST['maker']);
    $varsize = $_POST['size'];
    $varprice = $_POST['price'];
    $varstock = $_POST['stock'];
    $vartype = $_POST['stock'];

    $q = 'UPDATE products SET products_category_id=' . $varcat
        . ', title=' . $vartitle
        . ', overview=' . $varoverview
        . ', features=' . $varfeatures
        . ', specification=' . $varspecification
        . ', size=' . $varsize
        . ', size_type=' . $vartype
        . ', maker=' . $varmaker
        . ', image=' . $varimg
        . ', price=' . $varprice
        . ', stock=' . $varstock
        . ' WHERE id=' . $produpdateid;

    /*$test = "UPDATE products SET products_category_id=" . $varcat
        . ", title=" . $vartitle
        . ", overview=" . $varoverview
        . ", features=" . $varfeatures
        . ", specification=" . $varspecification
        . ", size=" . $varsize
        . ", size_type=" . $vartype
        . ", maker=" . $varmaker
        . ", image=" . $varimg
        . ", price=" . $varprice
        . ", stock=" . $varstock
        . " WHERE id=" . $produpdateid;*/

    $updateresult = mysqli_query($dbc, $q);
Jocelyn
  • You probably need to quote the values. Also: Learn about [*prepared statements*](http://j.mp/T9hLWi). – PeeHaa Nov 13 '12 at 22:56
  • [You really need to escape your variables.](http://xkcd.com/327/) – Wesley Murch Nov 13 '12 at 22:59
  • Tried to escape the variables and nothing, same error. – user1810442 Nov 13 '12 at 23:03
  • No, I mean you need to do it all the time, every time, even after you get this working. It wasn't a solution, just an important note. Not only to avoid malicious injection, but to allow characters (like a harmless single or double quote) that would break SQL syntax. See also: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain – Wesley Murch Nov 13 '12 at 23:10

1 Answer

Use double quotes around text.

    'UPDATE products SET products_category_id="' . $varcat . '", title="' . $vartitle . '",

etc.

Matt Clark