I am working on a MySQL & PHP project. It is based on a Music Database. I am getting the following error when I go to http://andrewb1.sgedu.site/editgenres.php:

Error: SQL Error: 
Errno: 1064
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

I'm a bit confused how I am getting an error on line 1, as the only thing there is the open PHP tag.

The code for the editgenres.php is:

<?php

include 'dbconnect.php';

$sql = "select * from Genres where GenreID = " . $_REQUEST['GenreID'];
if (!$result = $mysqli->query($sql)) {
    echo "Error: SQL Error: </br>";
    echo "Errno: " . $mysqli->errno . "</br>";
    echo "Error: " . $mysqli->error . "</br>";

    exit;
}

$row = $result->fetch_assoc();

?>

<form action="editgenressrv.php">
<input type="hidden" name="GenreID" value = "<?php echo $row["GenreID"]?>"/> 
GenreID:<input type="text" name="GenreID" value="<?php echo $row["GenreID"]?>"/></br>
GenreName:<input type="text" name="GenreName" value="<?php echo $row["GenreName"]?>"/></br>
<input type="submit"/>
</form>

Also, if needed here is the code for EditGenresSrv.php:

<?php

include 'dbconnect.php';

$sql = "update Genres set ";
$sql .= "GenreID = '" . $_REQUEST["firstname"] ."'," ;
$sql .= "GenreName = '" . $_REQUEST["lastname"] ."'," ;
$sql .= "where GenreID= " . $_REQUEST['GenreID']; 
if (!$result = $mysqli->query($sql)) {
    echo "Error: SQL Error: </br>";
    echo "Errno: " . $mysqli->errno . "</br>";
    echo "Error: " . $mysqli->error . "</br>";

    exit;
}
?>
<script>
window.location='genres.php';
</script>

If needed, here is dbconnect.php (although I've already tested it and its fine):

<?php

include 'dbconnect.php';

// closing parenthesis of the VALUES list added; it was missing in the pasted code
$sql = "insert into students (firstname,lastname,email) values (" . 
  "'" . $_REQUEST["GenreID"] ."','" .
  $_REQUEST["GenreName"] . "')";

if (!$result = $mysqli->query($sql)) {
    echo "Error: SQL Error: </br>";
    echo "Errno: " . $mysqli->errno . "</br>";
    echo "Error: " . $mysqli->error . "</br>";

    exit;
}
?>
<script>
window.location='genres.php';
</script>

Here is the HTM file:

<form action="addgenressrv.php">
GenreID:<input type="text" name="GenreID"/></br>
GenreName:<input type="text" name="GenreName"/></br>

<input type="submit"/>
</form>
DJPharaohCHS
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! The error is line 1 of your query. – Jay Blanchard Apr 17 '17 at 21:28
  • It means that your `$_REQUEST['GenreID']` is blank. Can you add the form you're using to your question? – Jay Blanchard Apr 17 '17 at 21:31
  • I just added the HTM file to the bottom of my post if that's what you meant? – DJPharaohCHS Apr 17 '17 at 21:34
  • Add `print_r($_REQUEST);` to the top of the script and see if it is populated. In your first form you have two items named `GenreID` – Jay Blanchard Apr 17 '17 at 21:37
  • When I put this at the top: – DJPharaohCHS Apr 17 '17 at 21:40
  • So the `$_REQUEST` array is empty which means you're not sending anything to the PHP for the SQL to process. – Jay Blanchard Apr 17 '17 at 21:41
  • Where is the form that sends info to editgenres.php ? – Jay Blanchard Apr 17 '17 at 21:44
  • One of the PHP files? You aren't referring to editgenresrv.php, are you? – DJPharaohCHS Apr 17 '17 at 21:57
  • I don't see any form where the action is editgenres.php – Jay Blanchard Apr 18 '17 at 11:35

2 Answers

Be careful with the comma before where.

$sql = "update Genres set ";
$sql .= "GenreID = '" . $_REQUEST["firstname"] ."'," ;
$sql .= "GenreName = '" . $_REQUEST["lastname"] ."' " ;
$sql .= "where GenreID= " . $_REQUEST['GenreID'];
  • That isn't where the error is being reported from, but it would be the next syntax issue. – Jay Blanchard Apr 17 '17 at 21:36
  • Why wouldn't there be a comma on that third line? – DJPharaohCHS Apr 17 '17 at 21:38
  • The error on line 1 is line 1 of the MySQL statement, not a PHP syntax error. You can use `"\n"` to break up the statement into multiple lines. – Will B. Apr 17 '17 at 22:06
  • @fyrye Are you referring to : $sql = "select * from Genres where GenreID = " . $_REQUEST['GenreID']; ? Why would that need multiple lines? Or are you referring to editgenressrv.php with $sql = "update Genres set "; $sql .= "GenreID = '" . $_REQUEST["GenreID"] ."'," ; $sql .= "GenreName = '" . $_REQUEST["GenreName"] ."' " ; $sql .= "where GenreID = " . $_REQUEST['GenreID']; ? – DJPharaohCHS Apr 17 '17 at 22:32
  • You referenced PHP code. The reported error in your question was the SQL error from `$mysqli->error`, not a PHP error. Effectively all of your queries will report on line 1, as they are only one line. The individual lines are concatenated to a single string value, supplied as the `$sql` argument to be executed by the mySQL service where the error is generated. See https://3v4l.org/ItvoE So since PHP doesn't raise an error, it doesn't account for the lines where the code is written. You could use `echo "Error: SQL Error on line " . __LINE__ . "";` to reference the PHP line the code is on. – Will B. Apr 18 '17 at 01:47

You need to pass GenreID to your page; check out the following link:

http://andrewb1.sgedu.site/editgenres.php?GenreID=1

and you will understand everything. If not, then I will explain it to you. There should be a value for $_REQUEST['GenreID'] from your previous page.

$sql = "select * from Genres where GenreID = " . $_REQUEST['GenreID'];

This line is giving you the error message because you are not passing your GenreID to the file editgenres.php, whether using the POST method or GET.

In your form put <form action="editgenres.php"> and then

GenreID:<input type="text" name="GenreID"/></br>
GenreName:<input type="text" name="GenreName"/></br>

Because, as you said, the error is with editgenres.php, you must call this page by a form as above. Check the action of your first page, which will call http://andrewb1.sgedu.site/editgenres.php

BetaDev
  • @JayBlanchard he is passing to other service file `editgenressrv.php` not to `editgenres.php` and error message is from `editgenres.php`. So the previous page which calls `editgenres.php` must send `GenreID`. – BetaDev Apr 17 '17 at 21:41
  • editgenres.php has . You are saying I should have a file editgenres.htm that has ? – DJPharaohCHS Apr 17 '17 at 22:52
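Pulling the threads together (the empty `GenreID` that yields the "near '' at line 1" error in the question, the prepared-statement advice in the comments, and the stray comma before `where` from the first answer), here is an added example that is not code from the asker or either answerer. It assumes `dbconnect.php` defines `$mysqli` as in the question and that `GenreID` is an integer column; handling both the lookup and the update in one file on the request method is a simplification of the two-file layout.

```php
<?php
// Added example (not the asker's code): the GenreID lookup and update from the
// question, rewritten so a missing id is rejected up front and both statements
// are prepared. Assumes dbconnect.php defines $mysqli as in the question.
include 'dbconnect.php';

// Returns GenreID as an int, or null when absent or not a non-negative integer.
// The original concatenates the raw value, so an absent id produces
// "where GenreID = " and MySQL's "near '' at line 1" error; here no query runs.
function readGenreId(array $request): ?int
{
    $id = $request['GenreID'] ?? '';
    return ctype_digit((string)$id) ? (int)$id : null;
}

// Fetches one genre row; the id is bound as an integer, not spliced into the SQL.
function fetchGenre(mysqli $db, int $genreId): ?array
{
    $stmt = $db->prepare('SELECT GenreID, GenreName FROM Genres WHERE GenreID = ?');
    $stmt->bind_param('i', $genreId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Renames a genre: no trailing comma before WHERE (the first answer's point),
// and the name is a bound parameter rather than a hand-quoted string.
function updateGenreName(mysqli $db, int $genreId, string $name): int
{
    $stmt = $db->prepare('UPDATE Genres SET GenreName = ? WHERE GenreID = ?');
    $stmt->bind_param('si', $name, $genreId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

$genreId = readGenreId($_REQUEST);
if ($genreId === null) {
    http_response_code(400);
    exit('GenreID missing or not numeric; call editgenres.php?GenreID=<number>');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {          // editgenressrv.php role
    $n = updateGenreName($mysqli, $genreId, (string)($_REQUEST['GenreName'] ?? ''));
    exit($n === 1 ? 'Updated' : 'Nothing changed');
}
$row = fetchGenre($mysqli, $genreId);                  // editgenres.php role
exit($row ? 'Editing genre: ' . htmlspecialchars($row['GenreName'], ENT_QUOTES) : 'No such genre');
```

With a prepared statement, `$mysqli->error` still reports on "line 1" of the SQL string, but because the id is validated first the only way to reach the query is with a well-formed one.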