
I'm trying to update a table in a MySQL database, but the data cannot be updated.

The value for `$id` is 2 and `$status` is empty.

echo $id;

echo $status;

$sql="UPDATE maklumat_tempahan

SET

status = '$status',

WHERE id_tempahan = '$id' ";

mysql_select_db('psmbaru');
$retval = mysql_query( $sql, $conn );

if(! $retval )
{
  die('Could not update data: ' . mysql_error());
}
echo "Permohonan Anda Dalam Proses\n";
mysql_close($conn);

This is the error that came out:

Could not update data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id_tempahan = '2'' at line 7

  • Remove `,` after `$status`. I foresee a couple of users trying to score some easy rep here. – asprin May 19 '14 at 07:23
  • Remove the comma after `status = '$status',` – Jens May 19 '14 at 07:23
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You may also be **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 19 '14 at 07:27
  • @asprin — I find the best defense against that is to create a community wiki answer instead of a comment. – Quentin May 19 '14 at 07:27
  • @Quentin Nice idea. Hadn't thought of that before – asprin May 19 '14 at 07:29

2 Answers


Remove `,` after `$status`.

$sql="UPDATE maklumat_tempahan

SET

status = '$status'

WHERE id_tempahan = '$id' ";
Haseeb
  • HELP, SQLi attack here. where is my defense ? – KarelG May 19 '14 at 07:30
  • @KarelG — There's no actual evidence that `$status` and `$id` aren't sanitized before the code in the question starts, and if they aren't then this answer doesn't introduce a vulnerability that isn't inherent in the OP's code design. – Quentin May 19 '14 at 07:31

Yes, remove the comma after `status = '$status',`. And are you sure you don't want to add `mysql_real_escape_string()` for your input, brother?
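As an added example, not code from the question or from either answer: the same UPDATE written with PDO prepared statements, which drops the trailing comma and also addresses the injection concern raised in the comments, because `$status` and `$id` are bound as parameters rather than interpolated into the SQL string. The DSN, user name and password are placeholders; `updateStatus` is a name chosen here.

```php
<?php
// Added example (not from the question or either answer): the UPDATE from the
// question rewritten with PDO prepared statements. No trailing comma after
// "status = ?", and the values travel separately from the query text, so they
// cannot alter the statement's structure. Connection details are placeholders.

function updateStatus(PDO $pdo, int $id, string $status): int
{
    // "?" marks each bound parameter; the driver never splices the values into the SQL.
    $sql = 'UPDATE maklumat_tempahan SET status = ? WHERE id_tempahan = ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$status, $id]);
    // rowCount() reveals a silent "no row matched id_tempahan", which
    // mysql_query() returning true would otherwise hide.
    return $stmt->rowCount();
}

// Placeholder DSN and credentials; dbname 'psmbaru' is from the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=psmbaru;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

try {
    $id = 2;       // values as stated in the question
    $status = '';  // empty, as in the question; bound safely even so
    $rows = updateStatus($pdo, $id, $status);
    echo $rows === 0
        ? "No booking with id_tempahan = $id\n"
        : "Permohonan Anda Dalam Proses\n";
} catch (PDOException $e) {
    // Keep driver error detail in the server log; show the user a generic message.
    error_log('Could not update data: ' . $e->getMessage());
    echo "Could not update data\n";
}
```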