0

An error occurs that says ...

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Jaribio la 1' AND YEAR(Mdate)='' AND MONTH(Mdate)='2013') LIMIT 10' at line 1

and the PHP code is

    $result1=mysql_query("SELECT `Scode`,`Sfname`,`Smname`,`Slname`,`SDarasa` FROM students WHERE SDarasa='$darasa' AND Scode NOT IN (SELECT `MScode` FROM `matokeo` WHERE `MTcode`='$Tcode' AND `Exam_name`='$somo' AND `Exam_type`='$ExamTyp' AND YEAR(Mdate)='$mwaka' AND MONTH(Mdate)='$mwezi') LIMIT 10") or die(mysql_error());

I escape strings with

    $ExamTyp=addcslashes(mysql_real_escape_string($phpVariable), "%_");

for all my variables.

Fas M
  • 1
    for starters `$mwaka` clearly has no value – John Conde Sep 11 '14 at 22:03
  • 1
    If you write unparametrized SQL queries you shouldn't put an unescaped apostrophe in `$ExamTyp`. – Niels Keurentjes Sep 11 '14 at 22:05
  • 2
    Escape your strings. Better yet, ditch that deprecated mysql library and start using prepared statements. – Wrikken Sep 11 '14 at 22:06
  • Use `stripslashes()` instead of `addcslashes()` which is most likely the cause. Use [**`mysqli` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO with prepared statements**](http://php.net/pdo.prepared-statements) which will be easier to use. – Funk Forty Niner Sep 11 '14 at 22:25
  • @Fred-ii- you're advising him to strip the slashes added by real_escape_string so he gets a mostly unescaped string back after all? – Niels Keurentjes Sep 11 '14 at 22:26
  • @NielsKeurentjes I use `stripslashes()` with `mysqli_real_escape_string()` with no problems at all. More than likely, OP is inserting apostrophes or other characters that SQL does not agree with. – Funk Forty Niner Sep 11 '14 at 22:27

2 Answers

1

Your code is extremely insecure, and that's causing the error.

You're using the outdated and deprecated mysql_ family of functions, with unescaped direct insertion of parameters. In your current problem, there's an apostrophe in $ExamTyp, causing that part of the query to read something like:

...AND `Exam_type`='I love 'Jaribio la 1' AND...
                           ^--- problem here!

This is of course a big syntax error, as even the syntax highlighting here shows.

Plan of action:

  1. Switch to mysqli.
  2. Use prepared statements.
Niels Keurentjes
  • And/or use mysql_real_escape_string/mysqli_real_escape_string – Noodles Sep 11 '14 at 22:18
  • Erm no, **definitely** don't combine that with prepared statements since you'll get corrupt queries through double escaping. As an 'or' it could be valid, but you'd still be stuck in danger territory as it's [fake safety](http://stackoverflow.com/q/5741187/1729885). – Niels Keurentjes Sep 11 '14 at 22:18
  • Sorry, should have said "or" rather than and/or. You're right, don't mix prepared statements with escaping. – Noodles Sep 11 '14 at 22:19
  • `stripslashes()` is also handy to use in conjunction with `real_escape_string()`, if **not** using prepared statements. – Funk Forty Niner Sep 11 '14 at 22:22
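The query from the question rewritten along the lines of this answer's plan of action (mysqli with prepared statements), as an added example that is not the asker's or the answerer's code. The connection credentials, the `$_POST` field names (including a `tarehe` field carrying the exam month as `YYYY-MM`), and the helper names `connect()` and `studentsWithoutResults()` are assumptions made for illustration; the table and column names are the ones in the question.

```php
<?php
// Added example, not code from the question or the answer. Credentials and
// form field names below are placeholders.

function connect(): mysqli {
    // Throw exceptions on MySQL errors instead of "or die(mysql_error())".
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    return new mysqli('localhost', 'db_user', 'db_password', 'school'); // placeholder credentials
}

/**
 * Up to 10 students in class $darasa with no result yet in `matokeo` for the
 * given teacher, subject, exam type, year and month. Every user-supplied value
 * is a bound parameter, so an apostrophe in "Jaribio la 1" is data, not SQL.
 */
function studentsWithoutResults(mysqli $db, string $darasa, string $Tcode, string $somo,
                                string $ExamTyp, int $mwaka, int $mwezi): array {
    $sql = "SELECT `Scode`,`Sfname`,`Smname`,`Slname`,`SDarasa`
            FROM students
            WHERE SDarasa = ?
              AND Scode NOT IN (
                  SELECT `MScode` FROM `matokeo`
                  WHERE `MTcode` = ? AND `Exam_name` = ? AND `Exam_type` = ?
                    AND YEAR(Mdate) = ? AND MONTH(Mdate) = ?
              )
            LIMIT 10";
    $stmt = $db->prepare($sql);
    // One type character per placeholder: s = string, i = integer.
    $stmt->bind_param('ssssii', $darasa, $Tcode, $somo, $ExamTyp, $mwaka, $mwezi);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Validate the date parts before touching the database. An empty year (the
// case pointed out in the comments) is rejected here instead of becoming
// YEAR(Mdate)='' inside the query.
$parts = explode('-', $_POST['tarehe'] ?? '');   // "YYYY-MM"; field name assumed
if (count($parts) !== 2 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
    exit('Please supply the exam month as YYYY-MM.');
}
[$mwaka, $mwezi] = [(int)$parts[0], (int)$parts[1]];

$db = connect();
$rows = studentsWithoutResults($db, $_POST['darasa'] ?? '', $_POST['Tcode'] ?? '',
                               $_POST['somo'] ?? '', $_POST['ExamTyp'] ?? '',
                               $mwaka, $mwezi);
foreach ($rows as $row) {
    // Escape for HTML output; the SQL side was handled by the bound parameters.
    echo htmlspecialchars($row['Scode']), ' ', htmlspecialchars($row['Sfname']), "\n";
}
```

`get_result()` needs the mysqlnd driver (the default on current PHP builds); without it, use `bind_result()` and `fetch()` instead. Note that the `addcslashes(..., "%_")` call in the question only matters for `LIKE` patterns; this query has none, and with bound parameters no escaping step is needed at all, which is exactly why the comments warn against mixing `real_escape_string` with prepared statements.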
0

Thanks guys, the problem there was just a misunderstanding in my code, since I use explode() to get $mwaka and $mwezi without passing them to isset() (to check whether they have a value, so as to execute the query or to display an error message).

Fas M