2

I am trying to make a report system and need to update some values, but it seems to give me this error every time I try to do something. I am using MySQL and PHP:

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\core\functions\offtopic.php on line 22

Here is the code:

if (isset($_GET['report']))
{
    $query = "UPDATE `offtopicposts` SET `reported`='1', `reported_by`=$_SESSION['user_id'] WHERE `post_id` = $_GET['report']";
    mysql_query($query) or die(mysql_error());
}
kero
Carefree4
  • Is `$_SESSION['user_id']` set? You are very vulnerable to [SQL injections](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)! – kero Nov 24 '13 at 00:26
  • I am checking if $_GET['report'] is set and the page would redirect them if that session var is not set – Carefree4 Nov 24 '13 at 00:29
  • Are you sure this is line 22? Sounds like you might be missing a semi-colon on whatever precedes this line 22... – Joe T Nov 24 '13 at 00:29
  • I took it out of a file, "$query = "UPDATE `offtopicposts` SET `reported`='1', `reported_by`=$_SESSION['user_id'] WHERE `post_id` = $_GET['report']";" is line 22. – Carefree4 Nov 24 '13 at 00:29

2 Answers

3

Have you tried this:

$query = "UPDATE `offtopicposts` SET `reported`='1', `reported_by`={$_SESSION['user_id']} WHERE `post_id` = {$_GET['report']}";

The curly braces might do the trick.

Alternatively, you can concat the string like this:

$query = "UPDATE `offtopicposts` SET `reported`='1', `reported_by`=" . 
         $_SESSION['user_id'] . " WHERE `post_id` = " .
         (int)$_GET['report'];

That also allows you to sneak in the int cast, which is a dirty but effective way to make this script better protected against SQL injection. Even better would be to drop the deprecated mysql functions completely, switch to mysqli or PDO, and use prepared statements.

GolezTrol
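
The prepared-statement approach recommended in the answer above, shown as an added example that is not code from the original post or from either answerer. It assumes PDO; an in-memory SQLite database and the function name `reportPost` are stand-ins chosen here so the script runs offline, and with MySQL only the DSN and credentials change.

```php
<?php
// Added example: the report update from the question, written with PDO
// prepared statements. Assumption: an in-memory SQLite database stands in
// for the MySQL server; reportPost() is a hypothetical helper name.

function reportPost(PDO $pdo, $rawPostId, $rawUserId): bool
{
    // Accept only positive integers; any other input is rejected up front.
    $opts = ['options' => ['min_range' => 1]];
    $postId = filter_var($rawPostId, FILTER_VALIDATE_INT, $opts);
    $userId = filter_var($rawUserId, FILTER_VALIDATE_INT, $opts);
    if ($postId === false || $userId === false) {
        return false;
    }

    // Placeholders keep the values out of the SQL text entirely, which also
    // removes the array-in-string quoting that caused the parse error.
    $stmt = $pdo->prepare(
        'UPDATE offtopicposts SET reported = 1, reported_by = :user WHERE post_id = :post'
    );
    $stmt->bindValue(':user', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':post', $postId, PDO::PARAM_INT);
    $stmt->execute();

    // False when no row has that post_id.
    return $stmt->rowCount() === 1;
}

// Constructed sample table and rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE offtopicposts (post_id INTEGER PRIMARY KEY, reported INTEGER DEFAULT 0, reported_by INTEGER)');
$pdo->exec('INSERT INTO offtopicposts (post_id) VALUES (1), (2), (3)');

// Constructed stand-ins for $_GET['report']; 7 stands in for $_SESSION['user_id'].
$inputs = ['2', '3 OR 1=1', 'abc', '99'];
foreach ($inputs as $report) {
    $ok = reportPost($pdo, $report, 7);
    printf("%-10s => %s\n", $report, $ok ? 'reported' : 'rejected or no such post');
}

$count = $pdo->query('SELECT COUNT(*) FROM offtopicposts WHERE reported = 1')->fetchColumn();
echo "rows flagged: $count\n";
```
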
0

You could do this:

$query = "UPDATE `offtopicposts` SET `reported`='1', `reported_by`=".$_SESSION['user_id']." WHERE `post_id` = ".$_GET['report'];

Or this:

$user_id = $_SESSION['user_id'];
$report = $_GET['report'];
$query = "UPDATE `offtopicposts` SET `reported`='1', `reported_by`=$user_id WHERE `post_id` = $report";  
Joe T