0

Hi I get this error message:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id']; ?>'' at line 1

When running this code:

    $id = isset($_GET['id']) ? $_GET['id'] : '';
    $sql="SELECT * FROM $tbl_name WHERE id='$id'";
    $result=mysqli_query($con, $sql);
    if (!$check1_res) {
    printf("Error: %s\n", mysqli_error($con));
    exit();
    }

$rows=mysqli_fetch_array($result);
?>

<table width="400" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td><table width="100%" border="0" cellpadding="3" cellspacing="1" bordercolor="1" bgcolor="#FFFFFF">
<tr>
<td bgcolor="#F8F7F1"><strong><?php echo $rows['topic']; ?></strong></td>
</tr>

<tr>
<td bgcolor="#F8F7F1"><?php echo $rows['detail']; ?></td>
</tr>

<tr>
<td bgcolor="#F8F7F1"><strong>By :</strong> <?php echo $rows['name']; ?> <strong>Email : </strong><?php echo $rows['email'];?></td>
</tr>

<tr>
<td bgcolor="#F8F7F1"><strong>Date/time : </strong><?php echo $rows['datetime']; ?></td>
</tr>
</table></td>
</tr>
</table>
<BR>

<?php

$tbl_name2="forum_answer"; // Switch to table "forum_answer"
$sql2="SELECT * FROM $tbl_name2 WHERE question_id='$id'";
$result2=mysqli_query($con, $sql2)or die(mysql_error());
while($rows=mysqli_fetch_array($result2)){

?>

<table width="400" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td><table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td bgcolor="#F8F7F1"><strong>ID</strong></td>
<td bgcolor="#F8F7F1">:</td>
<td bgcolor="#F8F7F1"><?php echo $rows['a_id']; ?></td>
</tr>
<tr>
<td width="18%" bgcolor="#F8F7F1"><strong>Name</strong></td>
<td width="5%" bgcolor="#F8F7F1">:</td>
<td width="77%" bgcolor="#F8F7F1"><?php echo $rows['a_name']; ?></td>
</tr>
<tr>
<td bgcolor="#F8F7F1"><strong>Email</strong></td>
<td bgcolor="#F8F7F1">:</td>
<td bgcolor="#F8F7F1"><?php echo $rows['a_email']; ?></td>
</tr>
<tr>
<td bgcolor="#F8F7F1"><strong>Answer</strong></td>
<td bgcolor="#F8F7F1">:</td>
<td bgcolor="#F8F7F1"><?php echo $rows['a_answer']; ?></td>
</tr>
<tr>
<td bgcolor="#F8F7F1"><strong>Date/Time</strong></td>
<td bgcolor="#F8F7F1">:</td>
<td bgcolor="#F8F7F1"><?php echo $rows['a_datetime']; ?></td>
</tr>
</table></td>
</tr>
</table><br>

<?php
}

$sql3="SELECT view FROM $tbl_name WHERE id='$id'";
$result3=mysqli_query($con, $sql3);
$rows=mysql_fetch_array($result3);
$view=$rows['view'];

// if have no counter value set counter = 1
if(empty($view)){
$view=1;
$sql4="INSERT INTO $tbl_name(view) VALUES('$view') WHERE id='$id'";
$result4=mysqli_query($con, $sql4);
}

// count more value
$addview=$view+1;
$sql5="update $tbl_name set view='$addview' WHERE id='$id'";
$result5=mysqli_query($con, $sql5);
mysql_close();
?>

<BR>
<table width="400" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="add_answer.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td width="18%"><strong>Name</strong></td>
<td width="3%">:</td>
<td width="79%"><input name="a_name" type="text" id="a_name" size="45"></td>
</tr>
<tr>
<td><strong>Email</strong></td>
<td>:</td>
<td><input name="a_email" type="text" id="a_email" size="45"></td>
</tr>
<tr>
<td valign="top"><strong>Answer</strong></td>
<td valign="top">:</td>
<td><textarea name="a_answer" cols="45" rows="3" id="a_answer"></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><input name="id" type="hidden" value="<?php echo $id; ?>"></td>
<td><input type="submit" name="Submit" value="Submit"> <input type="reset" name="Submit2" value="Reset"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

I can not figure this problem out. Need help. Thanks!

RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Daniel Smith
  • 35
  • 1
  • 5

1 Answers1

0

Likely you were getting an error resulting in sql injection and or that you were using single quotes around an integer. To safeguard against sql injection the best way is to use prepared statements, however prepared statements only work for fields, so the best practice when dynamically changing table names in a query is use a white list where you are checking a value against a white list and setting the table with a static value to prevent injection. Also it's ideal to validate $_GET and $_POST values using filter_input.

$id=filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false) {
    //filter failed
    die('id not a number');
}
if ($id === null) {
    //variable was not set
    die('id not set');
}

//white list table 
$safe_tbl_name = '';
switch($tbl_name){
    case 'Table1': 
        $safe_tbl_name = 'MyTable1';
        break;
    case 'Table2':
        $safe_tbl_name = 'MyTable2';
        break;
    default:
        $safe_tbl_name = 'MyDataTable';
};

$sql="SELECT * FROM `$safe_tbl_name` WHERE id=?";
$stmt = $con->prepare($sql);
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($result);
if (!$check1_res) {
     printf("Error: %s\n", mysqli_error($con));
     exit();
}

$rows = $stmt->fetch_all(MYSQLI_ASSOC);

EDIT

Also worth noting, you're using mysqli however you've used the following mysql functions that should be changed to their mysqli counter parts.

mysql_close()
mysql_error()
mysql_fetch_array()

EDIT

As @Barmar noted you're creating invalid HTML, I would strongly recommend running your output page through the W3C HTML Validator and correcting issue.

Jpsh
  • 1,697
  • 12
  • 17