-3
$epic=$_REQUEST['epic'];
$sql = "UPDATE std_id SET epic_no='$epic'' WHERE v_fname='$name' AND v_lname='$lname' AND gen='$gen' AND age= '$age' AND as_id='$as_id'";

In the second line of this code I'm getting this error:

check the manual that corresponds to your MariaDB server version for the right syntax to use near...

Your Common Sense
Shuja Patel

1 Answer

1

First of all, please indent your code.

$epic = $_REQUEST['epic'];
$sql = "UPDATE std_id SET epic_no='$epic'' WHERE v_fname='$name' AND v_lname='$lname' AND gen='$gen' AND age= '$age' AND as_id='$as_id'";

First problem: you are not escaping variables ($epic and the others). Use addslashes() at least.

Second problem: you have two single quotes near $epic, so correct your query like this:

UPDATE std_id SET epic_no='$epic' WHERE v_fname='$name' AND v_lname='$lname' AND gen='$gen' AND age= '$age' AND as_id='$as_id'

Third problem: please don't use $_REQUEST. It's so generic. Use $_GET or $_POST.

Fourth problem: table and column names. It's not really a problem, but they are so weird and confusing.

Theraloss
  • Not my downvote here but I have a pretty good guess as to who did. You didn't deserve that. – Funk Forty Niner Feb 14 '17 at 14:48
  • We are clairvoyant "to a certain extent" aren't we? ;-) *lol* – Funk Forty Niner Feb 14 '17 at 14:49
  • Sorry I will not repeat this mistake – Shuja Patel Feb 14 '17 at 14:52
  • Rather than `addslashes()`, a comment telling OP about [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) would be better – RiggsFolly Feb 14 '17 at 14:59
  • You might have an extra single quote after `epic_no='$epic''` as well – RiggsFolly Feb 14 '17 at 15:03
  • Riggs, you're right! It was a simple introduction to it. – Theraloss Feb 14 '17 at 15:03
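
The prepared, parameterized form of the question's UPDATE that the comments above recommend, as an added example that is not part of the original question, answer or comments. It assumes PDO with the pdo_sqlite extension (an in-memory SQLite database stands in for MariaDB so the script runs offline); the column types, the sample rows, the input values and the `update_epic()` helper are constructed for illustration.

```php
<?php
// Added example. An in-memory SQLite database (pdo_sqlite) stands in for the
// MariaDB server so this runs offline; with MariaDB only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table and column names come from the question; the column types are assumed.
$pdo->exec('CREATE TABLE std_id (as_id INTEGER, v_fname TEXT, v_lname TEXT,
                                 gen TEXT, age INTEGER, epic_no TEXT)');
$pdo->exec("INSERT INTO std_id VALUES (1, 'Sean', 'O''Brien', 'M', 30, NULL),
                                      (2, 'Asha', 'Rao',      'F', 41, NULL)");

// The SQL text is fixed. Values are sent as bound parameters, so a quote in
// the data can neither break the syntax nor change the meaning of the query.
function update_epic(PDO $pdo, array $in): int
{
    $stmt = $pdo->prepare(
        'UPDATE std_id SET epic_no = :epic
          WHERE v_fname = :name AND v_lname = :lname
            AND gen = :gen AND age = :age AND as_id = :as_id'
    );
    $stmt->execute([
        ':epic'  => $in['epic'],  ':name' => $in['name'],
        ':lname' => $in['lname'], ':gen'  => $in['gen'],
        ':age'   => (int) $in['age'], ':as_id' => (int) $in['as_id'],
    ]);
    return $stmt->rowCount();   // number of rows actually changed
}

// Constructed input standing in for $_POST. Spliced into the SQL string, the
// quotes in these values would cause the same kind of syntax error as the
// stray quote in the question.
$legit = ['epic' => "XYZ'1234567", 'name' => 'Sean', 'lname' => "O'Brien",
          'gen' => 'M', 'age' => '30', 'as_id' => '1'];
echo 'value containing quotes: ', update_epic($pdo, $legit), " row(s)\n";

// Constructed hostile value: compared as a literal string, it matches nothing.
$hostile = ['lname' => "x' OR '1'='1"] + $legit;
echo 'injection-style value:   ', update_epic($pdo, $hostile), " row(s)\n";

// Show the table afterwards.
foreach ($pdo->query('SELECT as_id, v_lname, epic_no FROM std_id') as $row) {
    printf("%d  %-8s %s\n", $row['as_id'], $row['v_lname'], $row['epic_no'] ?? 'NULL');
}
```

The `:name` placeholders and the `execute()` call are the same with the MySQL/MariaDB PDO driver; only the `new PDO(...)` connection string and credentials differ.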