-4
<?php
include "include/db.php";

// Open cart rows for the logged-in user (the query on the next line is the one
// that produces the error quoted below)
$sql = mysql_query("select * from order where user='" . $_SESSION['user'] . "' and flag=0") or die(mysql_error());
$i = 0;
$sum = 0;   // running total of prices
$sum2 = 0;  // running total of quantities (tedad)

while ($rows = mysql_fetch_assoc($sql)) {
    $sum2 += $rows['tedad'];
    $sum += getproductPrice($rows['pid']);
    echo "<tr style=\"border:#00CCFF thin dotted\"><td><img src='images/bullet_delete.png' ></td>
    <td align=center>" . $rows['tedad'] . "</td>
    <td align=left>" . getproductPrice($rows['pid']) . "</td>
    <td align=right>" . getproductName($rows['pid']) . "</td>
    <td align=center>" . ++$i . "</td></tr>";
}
?>

This is my code; how do I correct it? My error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order where user='zahra20' and flag=0' at line 1

Funk Forty Niner
zahra
  • Please show your query, with SELECT BLA BLA; we can't answer anything from the code shown, we need the query ^^ – Jesper Feb 28 '15 at 22:19
  • $sql=mysql_query("select * from order where user='".$_SESSION['user']."' and flag=0") or die(mysql_error()); – zahra Feb 28 '15 at 22:20

2 Answers

1
$sql=mysql_query("select * from `order` where user='".$_SESSION['user']."' and flag=0") or die(mysql_error());

This should work. Since you have a table called 'order', you have to put '`' before and after the name, BECAUSE there's a SQL function called order, and since you can't SELECT * FROM ORDER (because ORDER is a function), you're getting an error.

You should also consider using PDO or MySQLi for queries, since the old mysql extension is not secure at all.

Jesper
0

Looking at your query:

"select * from order where user='".$_SESSION['user']."' and flag=0"

There are a couple of things wrong here.

First, order is a reserved word. In order to use it as an identifier you need to enclose it in back-ticks:

"select * from `order` where user='".$_SESSION['user']."' and flag=0"

Second, your query is wide open to SQL Injection Attacks. That session value could have anything in it. Since you're effectively executing that value as code then you don't control the syntax of the code you're executing. I recommend fixing that.

David
  • I do not understand your second solution; can you explain it once again? – zahra Feb 28 '15 at 22:33
  • @zahra: The solution is to enclose identifiers in back-ticks. This *must* be done for identifiers which are reserved words, but can be done for any identifier. (An identifier is a table name or a column name.) *In addition to this*, you should read the supplied link regarding SQL injection attacks. Your code is currently vulnerable to them. This means your users can execute code on your server without asking. You'll want to fix that. The linked article will help. – David Feb 28 '15 at 22:35
  • Sorry, my problem is not resolved – zahra Feb 28 '15 at 22:52
  • @zahra: Can you be more specific? What's changed? How have you updated the code and what is the new behavior? I can't see your screen, you have to describe the problem. – David Feb 28 '15 at 22:54
  • Why, when I delete the following code: `or die(mysql_error())`, does it give the error: Warning: mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in C:\Program Files (x86)\EasyPHP-5.3.5.0\www\shopping\sabad-u.php on line 47 – zahra Feb 28 '15 at 22:57
  • @zahra: That means the value of `$sql` is a boolean, most likely `false`. Which means the SQL query is failing. Use `mysql_error()` to get the error which explains why the SQL query is failing. Update your question to include the updated code and the updated error. Again, I can't advise you on an error that you're not showing. – David Feb 28 '15 at 23:03
  • I used mysql_error() and the error is: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''order' where user='zahra20' and flag=0' at line 1 – zahra Feb 28 '15 at 23:05
  • @zahra: Then you didn't apply the solution in this answer, which would explain why the problem isn't resolved. Did you change your code at all? If so, show the updated code in your question. I really don't know how to explain this any more clearly... *I can't tell you what's wrong with code you're not showing.* ***I can't see your screen.*** – David Feb 28 '15 at 23:08
  • this is my code : – zahra Feb 28 '15 at 23:13
  • @zahra: You used single-quotes instead of back-ticks. Single-quotes are used to wrap a string. Use back-ticks to wrap a database identifier. – David Feb 28 '15 at 23:18
  • I do not understand back-ticks means – zahra Feb 28 '15 at 23:23
  • @zahra: It's a character on the keyboard. On a US keyboard it's to the left of the "1". You can feel free to *copy* and *paste* the back-ticks used in my answer. I'm not sure what your browser is showing you, but on mine there is a *clear* difference between a single-quote and a back-tick. – David Feb 28 '15 at 23:26
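The following is an added example that ties both answers together; it is not code from the question or from either answerer. It rewrites the cart loop from the question with PDO prepared statements (the replacement both answers recommend for the old mysql_* functions): the table name `order` is quoted with back-ticks because it is a reserved word, and the session user name is passed as a bound parameter instead of being concatenated into the SQL string, so a value like `x' OR '1'='1` is compared literally and cannot alter the query. Assumptions: the `order` table and its columns (user, flag, pid, tedad) and the getproductPrice()/getproductName() helpers are as used in the question; the DSN, credentials and the connection variable $pdo are placeholders standing in for whatever include/db.php sets up.

```php
<?php
// Added example, not the original page's code. Connection details are
// placeholders; in the real page this would come from include/db.php.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shopping;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

session_start();

/**
 * Return the open (flag = 0) cart rows for one user.
 *
 * - `order` is a MySQL reserved word, so it is wrapped in back-ticks (`),
 *   not single quotes (') which would turn it into a string literal.
 * - :user is a bound parameter: the driver sends the value separately from
 *   the SQL text, so the user name can never change the query's structure.
 */
function fetchOpenOrders(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare(
        'SELECT pid, tedad FROM `order` WHERE user = :user AND flag = 0'
    );
    $stmt->execute([':user' => $user]);
    return $stmt->fetchAll();
}

if (!isset($_SESSION['user'])) {
    exit('not logged in');
}

$rows = fetchOpenOrders($pdo, $_SESSION['user']);

$i    = 0;
$sum  = 0;   // total price
$sum2 = 0;   // total quantity (tedad)

foreach ($rows as $row) {
    $price = getproductPrice($row['pid']);   // helper from the original page
    $sum2 += $row['tedad'];
    $sum  += $price;

    // Values are escaped before being placed into HTML.
    echo "<tr style=\"border:#00CCFF thin dotted\">"
       . "<td><img src='images/bullet_delete.png'></td>"
       . "<td align=center>" . (int) $row['tedad'] . "</td>"
       . "<td align=left>" . htmlspecialchars((string) $price) . "</td>"
       . "<td align=right>" . htmlspecialchars((string) getproductName($row['pid'])) . "</td>"
       . "<td align=center>" . ++$i . "</td></tr>";
}
```

With PDO::ERRMODE_EXCEPTION a failing query throws a PDOException instead of silently returning false, which is what caused the "expects parameter 1 to be resource, boolean given" warning in the comments above once `or die(mysql_error())` was removed.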