
I'm trying to use the following code however it is giving me errors.

Code:

```php
$id = $_GET['id'];
$action = '['command'=>'get','target'=>'location']';

$query = "UPDATE ZeusUsers SET action = '$action' WHERE notification_id = '$id'";
$result = mysqli_query($link,$query) or exit("Error in query: $query. " . mysqli_error());
```

Error:

Parse error: syntax error, unexpected 'command'

If I change the $action to a standard word the statement works fine, it just seems to have issues with the single quotes and square brackets.

I've also tried using \ in front of the single quotes and it still fails.

Any ideas?

Ben Clarke
  • What is that $action supposed to be? The syntax is completely broken as is. Should it be an array? – Erik Apr 02 '15 at 13:44
  • It's JSON that I need to call later on, so storing it in the DB until I need to call it. – Ben Clarke Apr 02 '15 at 13:46
  • If `$id` is an int cast it that way as the minimum to prevent injections. `$id = (int)$_GET['id'];`. Other ways to prevent injections, http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – chris85 Apr 02 '15 at 13:53

1 Answer


Let PHP build the JSON string for you:

```php
$action = json_encode(array('command'=>'get','target'=>'location'));
```

You are starting and stopping a string literal with the single quotes, so PHP is interpreting command as PHP code, but it doesn't know what that keyword is.

D-Rock
  • Produces the following error: `Warning: mysqli_error() expects exactly 1 parameter, 0 given in /assets/scripts/location.php on line 10 Error in query: UPDATE ZeusUsers SET action = '['command'=>'get','target'=>'location']' WHERE notification_id = '1111'. ` – Ben Clarke Apr 02 '15 at 13:52
  • Just used \ before all single quotes and seems to fix it! Thanks! – Ben Clarke Apr 02 '15 at 13:54
  • Just noticed how you are interpolating the $action variable in the query. You really should be using prepared statements there. That would have solved the problem and is more secure. – D-Rock Apr 02 '15 at 18:51
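
The prepared-statement approach suggested in the last comment, combined with `json_encode` from the answer, as an added example (not code from the question or the answer). The connection credentials are placeholders, and the digits-only check on `id` and the helper name `set_user_action` are assumptions.

```php
<?php
// Added example: table and column names come from the question; everything else is illustrative.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws on failure

/**
 * Store $action as a JSON string on one ZeusUsers row (hypothetical helper).
 * Returns the number of rows the UPDATE changed.
 */
function set_user_action(mysqli $link, string $notificationId, array $action): int
{
    // json_encode builds the string; JSON_THROW_ON_ERROR (PHP 7.3+) throws
    // a JsonException instead of silently returning false.
    $json = json_encode($action, JSON_THROW_ON_ERROR);

    // The ? placeholders keep the quotes inside $json and the request-supplied
    // id out of the SQL text, so no manual escaping is needed.
    $stmt = $link->prepare('UPDATE ZeusUsers SET action = ? WHERE notification_id = ?');
    $stmt->bind_param('ss', $json, $notificationId);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Assumption: notification_id is a string of digits. is_string() rejects ?id[]=...
$id = $_GET['id'] ?? '';
if (!is_string($id) || !ctype_digit($id)) {
    http_response_code(400);
    exit('Invalid id');
}

try {
    $link = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
    $link->set_charset('utf8mb4');
    $changed = set_user_action($link, $id, ['command' => 'get', 'target' => 'location']);
    echo "Rows updated: $changed";
} catch (mysqli_sql_exception | JsonException $e) {
    // Log the detail server-side; do not echo the query or the driver
    // error to the client as the original "Error in query" exit() does.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Update failed');
}
```

`affected_rows` is 0 when the row already holds the same JSON, so a zero result does not by itself mean the id was not found.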