0

I've written this PHP script to update the tables via a form but MySQL gives that error. what should i do? where is my mistake?

case 'Save Changes':
    $note_id=(isset($_POST['note_id'])) ? $_POST['note_id'] : '';
    $title=(isset($_POST['title'])) ? $_POST['title'] : '';
    $note_text=(isset($_POST['note_text'])) ? $_POST['note_text'] : '';
    $color=(isset($_POST['color'])) ? $_POST['color'] : '' ;
    $remind_date=(isset($_POST['remind_date'])) ? $_POST['remind_date'] : '' ;
    $remind=(isset($_POST['remind'])) ? $_POST['remind'] : '' ;
    $user_id=(isset($_POST['user_id'])) ? $_POST['user_id'] : '';

    $sql = 'UPDATE nbk_notes SET
    title = "' . mysql_real_escape_string($title, $db) . '",
    note_text = "' . mysql_real_escape_string($note_text,$db) . '",
    color="'.$color.'",
    remind_date="'.$remind_date.'",
    remind="'.$remind.'",
    submit_date = "' . date('Y-m-d H:i:s') . '"
    WHERE
    note_id = ' . $note_id;
    ' AND user_id = ' . $user_id;

    mysql_query($sql, $db) or die(mysql_error($db));

    redirect('memory.php');
    break;

And this is the MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 9
Valentin Mercier
  • 5,256
  • 3
  • 26
  • 50
Majix
  • 49
  • 1
  • 7
  • 6
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – esqew Jul 21 '14 at 16:15
  • Also, why are you only setting variables when they are set before, and clearing them to `''` when `isset()` returns false? You really need to review your logic. – esqew Jul 21 '14 at 16:16
  • 2
    The error message tells you exactly where the problem is. – Patrick Q Jul 21 '14 at 16:16
  • Can you dump out the value of `$sql` to show what line 9 is? – Steve Buzonas Jul 21 '14 at 16:16
  • Try `var_dump($note_id)`, what do you get? – Styphon Jul 21 '14 at 16:22
  • Hope you are not using two single quotes as a double quote, a student of mine did that once and we spent almost the whole day finding errors – George Jul 21 '14 at 16:51

3 Answers3

3

The problem lies with $note_id or $user_id, you have numerical values which if not posted you're leaving empty. Try this (note I fixed a typo you had after $note_id:

case 'Save Changes':
    $note_id=(isset($_POST['note_id'])) ? $_POST['note_id'] : '';
    $title=(isset($_POST['title'])) ? $_POST['title'] : '';
    $note_text=(isset($_POST['note_text'])) ? $_POST['note_text'] : '';
    $color=(isset($_POST['color'])) ? $_POST['color'] : '' ;
    $remind_date=(isset($_POST['remind_date'])) ? $_POST['remind_date'] : '' ;
    $remind=(isset($_POST['remind'])) ? $_POST['remind'] : '' ;
    $user_id=(isset($_POST['user_id'])) ? $_POST['user_id'] : '';

    if($note_id && $user_id) {
        $sql = 'UPDATE nbk_notes SET
        title = "' . mysql_real_escape_string($title, $db) . '",
        note_text = "' . mysql_real_escape_string($note_text,$db) . '",
        color="'.$color.'",
        remind_date="'.$remind_date.'",
        remind="'.$remind.'",
        submit_date = "' . date('Y-m-d H:i:s') . '"
        WHERE
        note_id = ' . $note_id . 
        ' AND user_id = ' . $user_id;

        mysql_query($sql, $db) or die(mysql_error($db));

        redirect('memory.php');
    } else {
        echo "No note ID or User ID.";
    }
    break;

A couple of other points,

  1. Why are you escaping Title and Note Text but not any other string field. Always escape all text fields, even if you think you know what the input is. Or even better, use prepared statements (using MySQLi / PDO, see below) so you don't need to escape them.
  2. Stop using mysql_*, it's depreciated. Learn MySQLi or PDO.
Styphon
  • 10,304
  • 9
  • 52
  • 86
  • If you're going to downvote please comment why so I can improve my answer. – Styphon Jul 21 '14 at 16:32
  • Didn't down vote, but a PDO answer would be a lot cleaner and a heck of a lot less buggy. – tadman Jul 21 '14 at 16:34
  • 1
    Yes, I just copied the OPs code and modified it rather than writing everything from scratch. – Styphon Jul 21 '14 at 16:35
  • I mostly mean that if you're giving advice, always best to demonstrate how that advice might be applied rather than just giving it lip service. – tadman Jul 21 '14 at 16:47
0

You have a typo here:

note_id = ' . $note_id;
' AND user_id = ' . $user_id;

The semi-colon should be a concatenating period:

note_id = ' . $note_id .
' AND user_id = ' . $user_id;

That is not the cause of the SQL error, though. Most likely, $note_id is not set in the $_POST and is getting initialized to an empty string, which will cause an error in the SQL. If $note_id is supposed to be a string, you need to enclose it in quotes like you've done for title, note_text, etc:

note_id = "' . $note_id . '" AND user_id = ' . $user_id;

If it is supposed to be an integer, you can initialize it to 0 or something up top ... but most likely, you should re-evaluate your logic on how you want to proceed if $_POST['note_id'] is not set:

if($note_id != '') {
  //do my code
} else {
  //do some error handling
}

More clarification for @Majix

Line 2 of your code says this:

$note_id=(isset($_POST['note_id'])) ? $_POST['note_id'] : '';

What this means is "Set $note_id equal to what came through the form's POST in the 'note_id' field, BUT if nothing came through that field, set $note_id to an empty (or blank) string." When you get to the SQL portion of your code, if that $note_id variable is an empty string, then your SQL will read (shortened for clarity):

UPDATE nbk_notes SET title = 'Some Title', note_text = 'Text' WHERE note_id =

See how there's nothing after the =? SQL throws an error because this makes no sense. note_id = what? If note_id is supposed to be a string and not a number, and you really wanted to find something with an empty note_id, you might want your SQL to say:

UPDATE nbk_notes SET title = 'Some Title', note_text = 'Text' WHERE note_id = ''

Here it knows you're checking to see if note_id equals an empty string. However, it's very likely that note_id is supposed to be an integer, and the problem with your code is that you SHOULD have a number in that 'note_id' field, but for whatever reason, you don't. What you want the SQL to say is something like this (5 is just an example):

UPDATE nbk_notes SET title = 'Some Title', note_text = 'Text' WHERE note_id = 5

But $note_id isn't a number for you. Either 'note_id' is being submitted through the form as an empty string, OR it's not being submitted through the form at all and is being set to an empty string in the aforementioned Line 2. Perhaps you could post the code that generates the itself so we know why note_id is not coming through properly?

All this being said, I'm aware that you're a beginner and just want to get this code working, but you should read the links @esqew posted in the first comment and migrate away from mysql_* functions.

Sarthaz
  • 126
  • 9
  • That typo wouldn't cause the error. It's the uninitialised `$note_id`, but good catch. – Styphon Jul 21 '14 at 16:31
  • @Styphon, The typo is definitely the error – George Jul 21 '14 at 16:32
  • "That is probably not the cause of the SQL error, though. Most likely, $note_id is not set in the $_POST and is getting initialized to an empty string, which will cause an error in the SQL." I know it's not the cause of the SQL error, but he still needs to know about it and fix it. – Sarthaz Jul 21 '14 at 16:33
  • @JamesOkpeGeorge No, it's not. The typo doesn't cause a MySQL error because it doesn't even become part of the string that gets executed. Run that code and echo `$sql`, that last line won't even be in it. – Styphon Jul 21 '14 at 16:33
  • And you are right, hehe – George Jul 21 '14 at 16:43
  • @Sarthaz I fixed the typo, thanks. but because i'm a beginner programmer, i didn't get what you said **$note_id is not set in the $_POST and is getting initialized to an empty string, which will cause an error in the SQL**. I think this is my problem, but i'm a little confused and don't know what to do. can you help me? thanks – Majix Jul 21 '14 at 17:15
  • @Majix, I updated my post to clarify these comments for you. Hopefully it will help you better understand what's going on. Ultimately, something's wrong with your note_id field in the form (and possibly the user_id field as well). You'll need to identify WHY that is to solve your error. – Sarthaz Jul 21 '14 at 18:04
0

I have rewritten your sql query:

$sql = "UPDATE nbk_notes SET
title = '". mysql_real_escape_string($title, $db) . "',note_text ='". mysql_real_escape_string($note_text,$db) . "',
color='$color',
remind_date='$remind_date',
remind='$remind',
submit_date = '". date('Y-m-d H:i:s') . "'
WHERE
note_id = '$note_id'
AND user_id = '$user_id'";

Hope it works for you!

nexuscreator
  • 835
  • 1
  • 9
  • 17
  • 1
    That's somehow even more broken than the original. Please, if you don't know what you're doing, don't answer. This will insert, literally, `mysql_real_escape_string($title, $db)` into the database. – tadman Jul 21 '14 at 16:48
  • @tadman My bad. I didn't care for the functions part and was just checking for the string parts only. I have edited my errors. – nexuscreator Jul 21 '14 at 17:04
  • That's more functional now, but still rife with the same problems as the original: A reckless disregard for proper escaping and using string concatenation and interpolation to compose a query. – tadman Jul 21 '14 at 17:05