
I recently updated PHP to 5.4 and I'm starting to get some errors on some old, existing code. I have content I'd like to update in MySQL like so:

It was therefore extremely fitting that the trip also included the release of 'Bunny', a juvenile

The code I have, which used to work:

$upsql = "UPDATE webpg_tbl SET txt = '$_POST[txt]' WHERE id='$_POST[modify]'";

I thought it might be a syntax issue, so I added the double quotes and "." into the query like so:

$upsql = "UPDATE webpg_tbl SET txt = '".$_POST['txt']."' WHERE id='".$_POST['modify']."'";

But when the query is executed:

$result = mysql_query($upsql) or print mysql_error();

I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Bunny', a juvenile green turtle rescued on the 4t' at line 3 

I am pretty confident it's the quotes causing the issue. Is there something in PHP I can use to make it accept quotes? I'm aware the code I'm working with is outdated, but due to time/budget constraints I'm forced to just make it work for the time being.

Akira Dawson
    Y U NO ESCAPE QUERY INPUT? One of your last questions was [about prepared statements](http://stackoverflow.com/questions/26037684/php-prepare-statement-getting-errors-having-a-query-inside-a-while-loop) – mario Nov 24 '14 at 04:56
  • @mario I'm well aware of what I asked. I don't have the time or budget to redo the whole website and use prepared statements unfortunately. – Akira Dawson Nov 24 '14 at 04:58
  • @AkiraDawson: you could probably use search and replace to convert to prepared statements, with some manual help to fix the corner cases. – siride Nov 24 '14 at 05:00
  • @siride I would love to do that but time is not on my side for this project unfortunately. If I've done it a few times I may feel confident in doing it in the future. But using escape has gotten me out of the jam! Thank you for the help there Mario. Even if I did get downvoted. lol – Akira Dawson Nov 24 '14 at 05:05

1 Answer

You really need to escape your code at the very least, and escaping your code should fix your issue too. Ideally, you should be using PDO and just binding your variables, but escaping your code should work if you're not using PDO.

Gareth Parker
  • I wanted to go PDO but dealing with clients, you have this time/budget constraint which sucks sometimes. I did do an escape and it worked. Totally forgot about that functionality. Thanks for the help. Really got me out of a pickle! – Akira Dawson Nov 24 '14 at 05:03
  • That's cool. The problem occurred because if you echoed out $upsql, you would have seen that the quote in the value meant that it was thought $_POST['txt'] was SQL, not a string to be inserted. You could have done SET TEXT="' . $_POST['txt'] . '" instead, but then your SQL would have broken if $_POST['txt'] contained " instead of '. – Gareth Parker Nov 24 '14 at 05:06
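To make the answer and the follow-up comment concrete, here is an added example (not code from the question or the answer) that builds the same UPDATE three ways: the concatenated form from the question, a PDO prepared statement with bound parameters, and PDO::quote() as the escaping fallback. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table and column names (webpg_tbl, txt, id) come from the question, while the $post array, the row id 7 and the stored text are constructed stand-ins for the form submission.

```php
<?php
// Added example: why the concatenated query breaks on an apostrophe, and how
// a bound parameter (or, failing that, proper escaping) avoids it.
// Runs against an in-memory SQLite database via PDO, so no MySQL is needed.

// Constructed stand-in for $_POST from the question's form.
$post = [
    'modify' => '7',
    'txt'    => "It was therefore extremely fitting that the trip also included "
              . "the release of 'Bunny', a juvenile",
];

// 1. The original approach. The apostrophe in the value terminates the string
//    literal early, so everything after 'Bunny' is parsed as SQL, which is the
//    "error in your SQL syntax ... near 'Bunny'" message from the question.
$unsafe = "UPDATE webpg_tbl SET txt = '" . $post['txt'] . "' WHERE id='" . $post['modify'] . "'";
echo "Concatenated SQL (broken by the quote):\n", $unsafe, "\n\n";

// 2. Prepared statement with bound parameters. The value is sent separately
//    from the SQL text, so quotes inside it are only ever data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE webpg_tbl (id INTEGER PRIMARY KEY, txt TEXT)");
$pdo->exec("INSERT INTO webpg_tbl (id, txt) VALUES (7, 'old text')");   // constructed row

$stmt = $pdo->prepare("UPDATE webpg_tbl SET txt = :txt WHERE id = :id");
$stmt->execute([':txt' => $post['txt'], ':id' => $post['modify']]);

// Read the row back to confirm the apostrophe was stored intact.
$row = $pdo->query("SELECT txt FROM webpg_tbl WHERE id = 7")->fetch(PDO::FETCH_ASSOC);
echo "Stored via bound parameter:\n", $row['txt'], "\n\n";

// 3. Escaping fallback for code that cannot be converted yet. PDO::quote()
//    returns the value escaped for this driver *with* surrounding quotes, so
//    the SQL must not add its own pair. mysqli_real_escape_string() on a live
//    mysqli connection is the equivalent for the MySQL side.
$escaped = "UPDATE webpg_tbl SET txt = " . $pdo->quote($post['txt'])
         . " WHERE id = " . $pdo->quote($post['modify']);
$pdo->exec($escaped);
echo "Escaped SQL (accepted):\n", $escaped, "\n";
```

The first echo shows the exact query that produced the error in the question; the second and third forms both succeed because the apostrophe never closes the string literal. Binding is the one that stays correct regardless of which quote character or encoding the submitted text contains, which is why the answer recommends it over escaping.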