1

I have a customer table. In one field of that table I need to store customer data as text, and I declared it in the DB as varchar(1500). While I am trying to update that field, I am getting the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's standard dummy text ever since the 1500s, when an unknown printer took a galle' at line 1"

field name is "comments1 varchar(1500);"

My query is

$sql="UPDATE customer SET comments1='".$comments1."' WHERE sno='$sno'";

How to solve it...

user2034550

5 Answers

4

Before your query, add this code:

$comments1=mysql_real_escape_string($comments1);

<----your query goes here--->

sandeep
1

According to the error message:

...or the right syntax to use near 's standard dummy text ever since
                        error starts here ^

You are probably inserting a value that contains a single quote (which breaks the SQL statement, causing a syntax error). This is an indicator that you have not sanitized the values before inserting them into the database. There are several ways to avoid SQL injection:

  • by using PDO
  • and the other one: MySQLi.

For more details, please browse on this link.


You can also use mysql_real_escape_string (but it will soon be deprecated):

$var = mysql_real_escape_string($comments1);
$sql="UPDATE customer SET comments1='$var' WHERE sno='$sno'";
Community
John Woo
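The PDO approach suggested in the answer above, as an added example that is not part of the original answers: it runs the question's concatenated UPDATE and a prepared-statement version against the same table. The in-memory SQLite DSN, the sample rows and values, and the function names are assumptions made so the script runs without a MySQL server.

```php
<?php
// Added example: sqlite::memory: stands in for the asker's MySQL server so the
// script runs offline. With MySQL only the DSN and credentials would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql, also disable emulation so values are bound server-side:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE customer (sno INTEGER PRIMARY KEY, comments1 VARCHAR(1500))');
$pdo->exec("INSERT INTO customer (sno, comments1) VALUES (1, ''), (2, 'untouched')");

// Constructed inputs: text like that in the error message, and a value that
// mixes quotes with other characters that are meaningful to an SQL parser.
$comments1 = "the industry's standard dummy text ever since the 1500s";
$tricky    = "it's 100% 'quoted' -- and ; punctuated";

/** The question's statement, built by concatenation (the "before"). */
function updateConcatenated(PDO $pdo, string $comments1, string $sno): ?string
{
    $sql = "UPDATE customer SET comments1='" . $comments1 . "' WHERE sno='$sno'";
    try {
        $pdo->exec($sql);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();   // the quote ended the string literal early
    }
}

/** Same update with placeholders: values never become part of the SQL text. */
function updatePrepared(PDO $pdo, string $comments1, int $sno): int
{
    $stmt = $pdo->prepare('UPDATE customer SET comments1 = :comments WHERE sno = :sno');
    $stmt->bindValue(':comments', $comments1, PDO::PARAM_STR);
    $stmt->bindValue(':sno', $sno, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();      // number of rows the UPDATE touched
}

echo "concatenated: ", updateConcatenated($pdo, $comments1, '1') ?? 'ok', "\n";
echo "prepared rows: ", updatePrepared($pdo, $comments1, 1), "\n";
echo "prepared rows: ", updatePrepared($pdo, $tricky, 1), "\n";

// Show what was stored: the bound value is kept verbatim, quotes included.
foreach ($pdo->query('SELECT sno, comments1 FROM customer ORDER BY sno') as $row) {
    echo $row['sno'], ' => ', $row['comments1'], "\n";
}
```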
1

Your comment variable contains single quotes; you need to escape them with the addslashes function.

Try this

$sql="UPDATE customer SET comments1='".addslashes($comments1)."' WHERE sno='$sno'";
chandresh_cool
0

It seems your column name is comments, not comments1. The field name is "comments varchar(1500);", so change

$sql="UPDATE customer SET comments1='".$comments1."' WHERE sno='$sno'";

to

 $sql="UPDATE customer SET comments='".$comments1."' WHERE sno='$sno'";
Amir
0

Better try to use this function: mysql_real_escape_string()

Manohar