-1

I am getting the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

There's not even a '"' on line 1 or near it... Doesn't make sense at all.

<?php
session_start();
if ($_SESSION['uid']) {
    if (isset($_POST['reply_submit'])) {
        include_once("connect.php");
        $creator = $_SESSION['uid'];
        $cid = $_POST['cid'];
        $tid = $_POST['tid'];
        $reply_content = $_POST['reply_content'];
        $sql = "INSERT INTO posts (category_id, topic_id, post_creator, post_content, post_date) VALUES ('".$cid."', '".$tid."', '".$creator."', '".$reply_content."', 'now())'";
        $res = mysql_query($sql) or die(mysql_error());
        $sql2 = "UPDATE categories SET last_post_date=now(), last_user_posted'".$creator."' WHERE id='".$cid."' LIMIT 1";
        $res2 = mysql_query($sql2) or die(mysql_error());
        $sql3 = "UPDATE topics SET topic_reply_date=now(), topic_last_user'".$creator."' WHERE id='".$tid."' LIMIT 1";
        $res3 = mysql_query($sql3) or die(mysql_error());

        // Email Sending

        if (($res) && ($res2) && ($res3)) {
            echo "<p>Success</p>";
        } else {
            echo "<p>Error</p>";    
        }

    } else {
        exit(); 
    }
} else {
    exit(); 
}
?>

Here's where the form is...

    <?php
session_start();
error_reporting(E_ALL ^ E_DEPRECATED);
if ((!isset($_SESSION['uid'])) || ($_GET['cid'] == " ")) {
    header("Location: index.php");
    exit();
}
$cid = $_GET['cid'];
$tid = $_GET['tid'];
?>
<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
        <meta name="author" value="Joel Evans">
        <title>MCArcade - Forums: Reply to Thread</title>
        <link rel="stylesheet" type="text/css" href="css/main.css">
        <link rel="stylesheet" type="text/css" href="css/mobile.css">
        <link rel="stylesheet" type="text/css" href="css/font-icon.css">
        <script src="js/jquery.js"></script>
        <script>
        $(document).ready(function(){
            $('li').hover(function(){
                $(this).find('ul>li').stop().slideToggle("fast", function(){
                });
            });
        });
        </script>
    </head>

    <body>

        <div class="forum-header">
            <div class="container">
                <h2>MCArcade</h2>
            </div>
        </div>
        <ul class="forum-navbar">
            <div class="container">
                <li><a href="http://www.mcarcade.com">Home</a></li>
                <li><a href="http://www.mcarcade.com/community/">Community</a>
                    <ul>
                        <li><a href="http://www.mcarcade.com/forums/">Forums</a></li>
                        <li><a href="http://www.mcarcade.com/servers/">Servers</a></li>
                    </ul>
                </li>
                <li><a href="http://www.mcarcade.com/purchase/">Purchase</a></li>
                <li><a href="http://www.mcarcade.com/support/">Support</a></li>

                <?php
                    if (!isset($_SESSION['uid'])) {
                        echo "<li><a href='http://www.mcarcade.com/login.php'>Login</a></li>";
                    } else {
                        echo "<li>Welcome, ".$_SESSION['username']."!</li><li><a href='logout_parse.php'>Logout</a>";   
                    }
                ?>
            </div>
        </ul>

        <div class="container">

            <form action="post_reply_parse.php" method="post">
                <p>Reply Content</p>
                <textarea name="reply_content" rows="5" cols="75"></textarea>
                <br /><br />
                <input type="hidden" name="cid" value="<?php echo $cid; ?>" />
                <input type="hidden" name="tid" value="<?php echo $tid; ?>" />
                <input type="submit" name="reply_submit" value="Post Reply" />
            </form>

        </div>

    </body>
</html>
Funk Forty Niner

4 Answers

1

There are a few things wrong with your code.

Remove the quotes around 'now())'

change that to:

...'".$reply_content."', now())";

plus,

Missing an equal sign for last_user_posted'".$creator."'

change it to:

last_user_posted = '".$creator."'

and for topic_last_user'".$creator."'

change it to:

topic_last_user = '".$creator."'

Add error reporting to the top of your file(s), which is not present in your query code.

error_reporting(E_ALL);
ini_set('display_errors', 1);

which would have signaled errors in code.


SQL injection

Your present code is open to SQL injection because you are not escaping any data input.
Use mysqli with prepared statements, or PDO with prepared statements.


Sidenote: It appears as if you have spaces before your opening <?php tag in your form; you may be outputting before header.

    <?php
^^^^ // <= counts as output
session_start();
error_reporting(E_ALL ^ E_DEPRECATED);
if ((!isset($_SESSION['uid'])) || ($_GET['cid'] == " ")) {
    header("Location: index.php");
    exit();
}

If there are indeed spaces, remove them, they count as outputting before header.

Having error reporting ON for that file also, would have triggered a warning:

Warning: Cannot modify header information - headers already sent by...

As per documentation:

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.


Using error_reporting(E_ALL ^ E_DEPRECATED); isn't enough, you need to display them.

ini_set('display_errors', 1);
Community
Funk Forty Niner
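
The prepared-statement approach recommended in the answer above, sketched with PDO as an added example (it is not code from the question or from any answer). `post_reply()` is a hypothetical helper, the ids are assumed to be integers, and the demo runs against an in-memory SQLite database with a constructed schema, so `CURRENT_TIMESTAMP` replaces `now()` and `LIMIT 1` is dropped from the updates.

```php
<?php
// Added example, not from the thread. post_reply() is a hypothetical helper;
// ids are assumed to be integers. CURRENT_TIMESTAMP stands in for now() so the
// same SQL runs on MySQL and on the SQLite demo database below.
function post_reply(PDO $pdo, int $cid, int $tid, int $creator, string $content): int
{
    $pdo->beginTransaction();
    try {
        // Values are bound, not concatenated: quotes in $content stay data.
        $pdo->prepare(
            "INSERT INTO posts (category_id, topic_id, post_creator, post_content, post_date)
             VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)"
        )->execute([$cid, $tid, $creator, $content]);
        $postId = (int) $pdo->lastInsertId();
        $pdo->prepare(
            "UPDATE categories SET last_post_date = CURRENT_TIMESTAMP, last_user_posted = ? WHERE id = ?"
        )->execute([$creator, $cid]);
        $pdo->prepare(
            "UPDATE topics SET topic_reply_date = CURRENT_TIMESTAMP, topic_last_user = ? WHERE id = ?"
        )->execute([$creator, $tid]);
        $pdo->commit();
        return $postId;
    } catch (Throwable $e) {
        $pdo->rollBack(); // the insert and both updates apply together or not at all
        throw $e;
    }
}

// Constructed demo schema (column types are assumptions).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, category_id INT, topic_id INT,
            post_creator INT, post_content TEXT, post_date TEXT)");
$pdo->exec("CREATE TABLE categories (id INTEGER PRIMARY KEY, last_post_date TEXT, last_user_posted INT)");
$pdo->exec("CREATE TABLE topics (id INTEGER PRIMARY KEY, topic_reply_date TEXT, topic_last_user INT)");
$pdo->exec("INSERT INTO categories (id) VALUES (1)");
$pdo->exec("INSERT INTO topics (id) VALUES (7)");

// Constructed form input; FILTER_VALIDATE_INT rejects anything that is not an integer.
$cid = filter_var('1', FILTER_VALIDATE_INT);
$tid = filter_var('7', FILTER_VALIDATE_INT);
if ($cid === false || $tid === false) {
    exit("invalid id\n");
}
$content = "it's broken', now()); -- ";
$id = post_reply($pdo, $cid, $tid, 42, $content);
$check = $pdo->prepare("SELECT post_content FROM posts WHERE id = ?");
$check->execute([$id]);
var_dump($check->fetchColumn() === $content); // compares the stored text with the input
```

Against MySQL only the PDO constructor changes (a `mysql:` DSN with credentials); the body of `post_reply()` stays the same.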
1

You have errors in all three queries.

// 'now())' is wrong too; now() is a MySQL function that doesn't need quotes
$sql = "
    INSERT INTO posts   
        (category_id, topic_id, post_creator, post_content, post_date)
    VALUES 
        ('".$cid."', '".$tid."', '".$creator."', '".$reply_content."', now())
";

$res = mysql_query($sql) or die(mysql_error());

// missing '=' -> last_user_posted'".$creator."'
$sql2 = "
    UPDATE categories 
    SET 
        last_post_date=now(), 
        last_user_posted='".$creator."' 
    WHERE id='".$cid."' 
    LIMIT 1
";
$res2 = mysql_query($sql2) or die(mysql_error());

// same as above
$sql3 = "
    UPDATE topics 
    SET 
        topic_reply_date=now(), 
        topic_last_user='".$creator."' 
    WHERE id='".$tid."' 
    LIMIT 1
";
George G
  • George, you have a very clear answer, and I missed the 'now() deal on quick observation. It appears that I and 2 others were voted down, which I'm new to answering posts and that seems rather odd given that the OP could have used debugging to figure out which query was giving the problem. (Making them a better coder). Is that not kosher for this forum? I know I've been asked to do similar things on forums before. – Samuel Fullman Aug 27 '14 at 05:48
  • Thanks buddy, but I don't get well to your question, but if you mean that this question is against stack's laws, it's not. – George G Aug 27 '14 at 05:53
-1

Your error is here, the last value 'now())' should be now())

$sql = "INSERT INTO posts (category_id, topic_id, post_creator, post_content, post_date) VALUES ('".$cid."', '".$tid."', '".$creator."', '".$reply_content."', 'now())'";
Kodr.F
-1
$sql2 = "UPDATE categories SET last_post_date=now(), last_user_posted'".$creator."' WHERE id='".$cid."' LIMIT 1";

There is no = after last_user_posted, fix that and you should solve your problems.

Two things I want to point out: 1. You need to do a better job of isolating your problem when you post here, i.e. there are 3 SQL queries. You need to put the time in to find out where the exact stoppage is - and often that allows you to figure it out yourself. 2. MySQL treats a 1 line query often with the answer you give. If you'll put your query on multiple lines (if warranted), it makes it easier to debug.

Samuel Fullman