
At the moment I'm trying to make a mini blog/cms type of thing for myself to test my skills and hopefully learn a thing or two with PHP.

So I've got a form that has a text field inside it. When it's submitted it should run the following query, however I get the following error...

Resource id #4 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'cms, description = hello world, maintenance = off, regsi' at line 1

Here is the code around that area...

```php
mysql_query("UPDATE settings SET name = " . $siteName . ", description = " . $siteDesc . ", maintenance = " . $siteMode . " [...] ") or die($settings . "<br/>" . mysql_error());
```

I've shortened it using "[...]" as the rest follows the same style (i.e. "test1 = $test1, test2 = $test2", etc.).

Any help please? Thanks!

    `'" . $siteName . "'` and do the same for the others. – Funk Forty Niner Sep 16 '14 at 19:53
  • I agree with @Fred-ii-. You can see from the error message that it tries to do `description = hello world`. The string value has to be in quotes, like `description = 'hello world'`. – Alex Szabo Sep 16 '14 at 20:01
    you should ask a new question rather than edit your existing one – andrew Sep 16 '14 at 20:16
  • @andrew I agree. I did a rollback. – Funk Forty Niner Sep 16 '14 at 20:21
  • I tried to post a new question but it blocked me requesting one post per 90 minutes? – Dan Sep 16 '14 at 20:27
  • It's probably because you are a new user and need to earn the rep. I gave you +5 points for this question to help you on your way, but unfortunately you need to stick to protocol: one topic per post. Take a look here in the meantime: http://stackoverflow.com/questions/12020227/updating-from-mysql-to-mysqli – andrew Sep 16 '14 at 20:32
  • To answer you ahead of time: you're trying to connect using `mysql_` functions and then using `mysqli_`; they do not mix together. It's either all `mysql_` or all `mysqli_`. @Dan I wouldn't bother posting a new question; you risk getting downvotes and/or having the question closed. – Funk Forty Niner Sep 16 '14 at 20:37
  • Hey, I'm trying to sort out these errors I have but I'm just completely lost. Every question I look through doesn't seem to reference the same problem I'm having. I'm still getting the `mysqli_query() boolean` and `mysqli_error() parameter` errors. – Dan Sep 16 '14 at 20:56
  • Okay after some tweaks here and there I finally have one last error which is `Warning: mysqli_query() expects parameter 1 to be mysqli, string given`. Any help with this please? I'm sure it's something simple but I just can't figure it out. Please help me! – Dan Sep 16 '14 at 21:01
  • Doesn't matter now. After changing some things around and seeing what variables worked, I just needed to reference the database name and connection variables here and there. All works now! – Dan Sep 16 '14 at 22:10

1 Answer

You don't actually need to be closing and reopening the string with the `.` (concatenation) operator.

The PHP string parser will interpolate variables into the string.

So you can do it like this:

```php
// $link is the open mysqli connection; the procedural mysqli_* functions need it as the first argument
mysqli_query($link, "UPDATE settings SET name = '$siteName', description = ...");
```

The single quotes tell MySQL to treat the variables as string literals instead of column names.

What you should also be doing (if not already) is escaping your user input variables; see How can I prevent SQL injection in PHP?

And what you should not be doing is using `mysql_` functions, as they're deprecated; see the big red box here. Use `mysqli_` instead.

    Thanks andrew and Fred -ii-. Yeah that works now. I put security on the bench for now as I'm still learning how to do stuff but if I replace mysql with mysqli, is that better/more secure? This is only for a personal project of mine anyway so nothing is going onto a live environment. – Dan Sep 16 '14 at 20:10
    @Dan You're welcome. [**Use `mysqli` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO with prepared statements**](http://php.net/pdo.prepared-statements). – Funk Forty Niner Sep 16 '14 at 20:11
  • @Dan it's not so much a security issue but one of functionality; see http://stackoverflow.com/questions/548986/mysql-vs-mysqli-in-php. Also bear in mind that many websites out there are all gonna break when people try to upgrade to future versions of PHP :) – andrew Sep 16 '14 at 20:12
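As an added example (not the asker's or the answer's code): the question's UPDATE written as a mysqli prepared statement, the route the comments recommend, shown beside the quoted-interpolation form. The table and column names come from the question; the connection details, the `$_POST` field names and the function names are assumptions.

```php
<?php
// Added example, not code from the question or the answer: the UPDATE from the
// question as a mysqli prepared statement. Table and column names come from the
// question; the connection details and $_POST field names are assumptions.

// Unsafe form: quoting the interpolated values fixes the syntax error from the
// question, but a value containing a quote still changes the statement itself.
function updateSettingsUnsafe(mysqli $mysqli, string $name, string $desc, string $mode): bool
{
    $sql = "UPDATE settings SET name = '$name', description = '$desc', maintenance = '$mode'";
    return (bool) $mysqli->query($sql);
}

// Safe form: the SQL text is fixed at prepare time and the values travel
// separately, so they can never be parsed as SQL and need no escaping.
function updateSettings(mysqli $mysqli, string $name, string $desc, string $mode): int
{
    $stmt = $mysqli->prepare('UPDATE settings SET name = ?, description = ?, maintenance = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('sss', $name, $desc, $mode); // three string parameters
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Placeholder connection details; every mysqli call needs this connection object.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'blog');
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');

// Constructed form input: the apostrophe in the description would break the
// interpolated query but is stored verbatim by the prepared statement.
$rows = updateSettings(
    $mysqli,
    $_POST['siteName'] ?? 'cms',
    $_POST['siteDesc'] ?? "hello world, it's live",
    $_POST['siteMode'] ?? 'off'
);
echo "Updated $rows row(s)\n";
```

Calling `updateSettingsUnsafe` with the same description input reproduces the class of syntax error from the question; the prepared version accepts it unchanged.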