-5

Came across an error I have never seen before after writing the following code:

$query = "UPDATE `Pharm_Log` SET `text` = " . $bloodtest . " WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());

My error message was this

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Pressure Test: 235/43 WHERE id = 1' at line 1"

Anyone have any idea how to fix this? It would be greatly appreciated.

Jocelyn
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are probably also vulnerable to [SQL injection attacks](http://bobby-tables.com/) that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. Don't build SQL queries by mashing strings together. – Quentin Feb 12 '13 at 14:20
  • You have some PHP that generates some SQL. You have a problem with the SQL. The PHP is incomplete so we can't run it to see what the final value of `$query` is. Don't you think it would easier to debug the SQL if we could see the SQL? – Quentin Feb 12 '13 at 14:21

1 Answer

8

The string literal (the value of $bloodtest) must be wrapped in single quotes:

$query= "UPDATE `Pharm_Log` SET `text` = '". $bloodtest . "' WHERE `id` = " . $patientid;
$result = mysql_query($query) or die(mysql_error());

As a side note, the query is vulnerable to SQL injection if the value(s) of the variables come from the outside. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.

John Woo
  • Thanks for the reply. I was asking that myself; however, when it is wrapped in single quotes I get a T_CONSTANT_ENCAPSED_STRING error, which is something to do with the quotes, no? – user2064630 Feb 12 '13 at 14:19
  • How about `"UPDATE Pharm_Log SET text = '$bloodtest' WHERE id = $patientid";` ? – John Woo Feb 12 '13 at 14:22
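The prepared-statement version the answer recommends, written out as an added example that is not part of the original question or answer. It uses mysqli (one of the modern replacements for the obsolete mysql_* functions) and assumes a `Pharm_Log` table with `id` and `text` columns; the connection details are placeholders, and the sample values are constructed to match the error message in the question.

```php
<?php
// Added example: the same UPDATE as a parameterised query with mysqli.
// Assumes table `Pharm_Log`(`id` INT, `text` TEXT); connection values are placeholders.

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Updates the text for one patient and returns the number of rows changed.
// The value travels separately from the SQL text, so the server never parses it
// as part of the statement: no manual quoting, and a value containing a quote
// (e.g. "O'Brien") or SQL keywords cannot alter the statement's structure.
function updatePharmLog(mysqli $db, int $patientid, string $text): int
{
    $stmt = $db->prepare("UPDATE `Pharm_Log` SET `text` = ? WHERE `id` = ?");
    $stmt->bind_param('si', $text, $patientid); // 's' = string, 'i' = integer
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample values, matching the question's error message.
$bloodtest = "Pressure Test: 235/43";
$patientid = 1;

try {
    $db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                     'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    $rows = updatePharmLog($db, $patientid, $bloodtest);
    echo "Rows updated: {$rows}\n";
    $db->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo raw SQL errors to end users.
    error_log("Pharm_Log update failed: " . $e->getMessage());
    echo "Update failed.\n";
}
```

Because the value is bound rather than concatenated, the "syntax error near 'Pressure Test: 235/43 ...'" message cannot occur: the `/` and spaces in the text are never seen by the SQL parser.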