
I'm having trouble with an SQL query. The SQL statement has been passed through mysqli_real_escape_string but I'm still getting an SQL syntax error. The code works fine with 99.9% of the site but the following doesn't work. It's probably something really simple but I can't spot it. Any help would be greatly appreciated.

"UPDATE text_t SET copy=\'<table cellspacing=3>\r\n  <tr><td  class=\"infogrey\">Secretary</td><td class=\"infogrey\">Some Name</td><td class=\"infogrey\">Telephone: 01794 123456 <br><a href=\"contact.php?type=Contact_Secretary\" target=\"content\" class=\"infogrey\" onMouseOver=\"window.status=\'contact\'; return true\" onMouseOut=\"window.status=\'\'; return true\"><strong>Email Some Name</strong></a></td></tr>\r\n  <tr><td class=\"infogrey\">Chairman</td><td class=\"infogrey\">Some Name</td><td class=\"infogrey\"><a href=\"contact.php?type=Contact_Chairman\" target=\"content\" class=\"infogrey\" onMouseOver=\"window.status=\'contact\'; return true\" onMouseOut=\"window.status=\'\'; return true\"><strong>Email Some Name</strong></a></td></tr>\r\n\r\n  <tr><td class=\"infogrey\">Club Kit</td><td class=\"infogrey\">Some Name</td><td class=\"infogrey\"><a href=\"contact.php?type=Club_Kit\" target=\"content\" class=\"infogrey\" onMouseOver=\"window.status=\'contact\'; return true\" onMouseOut=\"window.status=\'\'; return true\"><strong>Email Some Name</strong></a></td></tr>\r\n\r\n  <tr><td colspan=2 class=\"infogrey\">For General queries </td> <td><a href=\"contact.php?type=General_Query\" target=\"content\" class=\"infogrey\" onMouseOver=\"window.status=\'contact\'; return true\" onMouseOut=\"window.status=\'\'; return true\"><b>Email Cycling Club</b></a></td></tr>\r\n  <tr><td colspan=2 class=\"infogrey\">Any membership queries </td><td><a href=\"contact.php?type=Contact_Editor\" target=\"content\" class=\"infogrey\" onMouseOver=\"window.status=\'contact\'; return true\" onMouseOut=\"window.status=\'\'; return true\"><strong>Email Some Name</strong></a></td></tr>\r\n 
... </table>\' WHERE id=8"

1 Answer


Since you're using double quotes " to wrap the query string, you shouldn't escape the two single quotes ' in the column copy:

$query = "UPDATE text_t 
    SET copy='" . mysqli_real_escape_string($dblink, $string) . "' 
    WHERE id=8";

It also looks like you might want to revise the mysqli_real_escape_string PHP function and the difference between single and double quotes in PHP :)

I'm trying to fix inherited code and I overlooked the fact that the whole SQL is escaped rather than just the params. Thanks – Ian Jul 12 '13 at 12:50
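The three variants side by side, as an added example that is not the poster's or the answerer's code: the inherited pattern that escapes the finished statement (which is what turns the delimiting quotes into \' and triggers the syntax error), the answer's fix that escapes only the value, and the prepared-statement form that keeps the value out of the SQL text altogether. The connection details, the short sample HTML and the table/column names beyond text_t, copy and id are assumptions.

```php
<?php
// Added example, not code from the question or the answer.
// Connection details are placeholders; text_t / copy / id come from the question.
$dblink = mysqli_connect('localhost', 'db_user', 'db_pass', 'club');
if (!$dblink) {
    die('connect failed: ' . mysqli_connect_error());
}
// Escaping is charset-dependent, so tell the connection which one to use.
mysqli_set_charset($dblink, 'utf8mb4');

$id   = 8;
$html = '<table cellspacing=3><tr><td class="infogrey">Secretary</td></tr></table>';

// 1. What the inherited code did: build the whole statement, then escape it.
//    The quotes that delimit the string literal become \' and MySQL sees
//    "SET copy=\'<table ..." which is not valid syntax.
$whole  = "UPDATE text_t SET copy='" . $html . "' WHERE id=" . $id;
$broken = mysqli_real_escape_string($dblink, $whole);
// $broken now begins: UPDATE text_t SET copy=\'<table cellspacing=3>...

// 2. The fix from the answer: escape only the data; the quotes stay as SQL.
//    The integer is cast so it cannot carry anything but digits.
$escaped = "UPDATE text_t SET copy='"
         . mysqli_real_escape_string($dblink, $html)
         . "' WHERE id=" . (int) $id;
if (!mysqli_query($dblink, $escaped)) {
    echo 'escaped update failed: ' . mysqli_error($dblink) . "\n";
}

// 3. The safer pattern: a prepared statement. The value is sent separately
//    from the query text, so neither the HTML's own quotes nor a hostile
//    value can change the statement's structure.
$stmt = mysqli_prepare($dblink, 'UPDATE text_t SET copy=? WHERE id=?');
mysqli_stmt_bind_param($stmt, 'si', $html, $id);   // 's' string, 'i' integer
if (!mysqli_stmt_execute($stmt)) {
    echo 'prepared update failed: ' . mysqli_stmt_error($stmt) . "\n";
}
mysqli_stmt_close($stmt);
mysqli_close($dblink);
```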