-1

So guys, I got an error message :

Error : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' '')' at line 1


From this code, whenever I click the Add button
todo.php

<?php
include '../database/database.php';
session_start();

$user_id = $_SESSION['user_id'];

$querydisplay = "SELECT * FROM todo WHERE user_id=$user_id";
$result = mysqli_query($conn, $querydisplay);

?>

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>To Do List</title>

    <!-- Bootstrap core CSS -->
    <link href="../assets/css/bootstrap.css" rel="stylesheet">

    <!-- Custom styles for this template -->
    <link href="../assets/css/custom.css" rel="stylesheet">

  </head>

  <body>

    <div class="container">
      <div class="header clearfix">
        <nav>
          <ul class="nav nav-pills pull-right">
            <li role="presentation" class="active"><a href="#">Home</a></li>
            <li role="presentation"><a href="#">About</a></li>
            <li role="presentation"><a href="#">Contact</a></li>
          </ul>
        </nav>
        <h3 class="text-muted">To Do List <?php echo $_SESSION['name'];?></h3>
      </div>

      <div class="panel panel-default">
        <div class="panel-heading"></div>
        <div class="panel-body">
            <div class="row">
                <div class="col-md-2"></div>
                <div class="col-md-8">
                    <ul class="list-group text-left">
                        <?php while($data=mysqli_fetch_array($result)) :?>
                            <?php if($data['done'] == 0) : ?>
                                <li class="list-group-item"><span class="task_list"><?php echo $data['task'] ?></span><a href="../models/done_process.php?id=<?php echo $data['list_id']?>"><span class="label label-default">Mark As Done</span></a></li>
                            <?php else : ?>
                                <li class="list-group-item"><span class="task_list"><strike><?php echo $data['task'] ?></strike></span><a href="../models/delete_process.php?id=<?php echo $data['list_id']?>"><span class="label label-danger">Delete</span></a></li>
                            <?php endif; ?>
                        <?php endwhile; ?>
                    </ul>

                    <form class="form-horizontal" method="POST" action="../models/newtask_process.php">
                        <div class="form-group">
                            <div class="col-sm-12">
                                <input name="newtask" type="text" class="form-control" placeholder="Enter New Task">
                            </div>
                        </div>                       
                        <div class="form-group">
                            <div class="col-sm-offset-2 col-sm-10">
                                <button name="submit" type="submit" class="btn btn-sm btn-primary">Add</button>
                            </div>
                        </div>
                    </form>

                </div>
                <div class="col-md-2"></div>
            </div>
        </div>
        </div>

      <footer class="footer text-center">
        <p>&copy; Company 2017</p>
      </footer>

    </div> <!-- /container -->

  </body>
</html>

newtask_process.php

<?php
include '../database/database.php';
session_start();

if(isset($_POST['submit']))
    $user_id = $_SESSION['user_id'];
    $task = mysqli_real_escape_string($conn, $_POST['newtask']);

if(!isset($user_id) || $user_id = "" || !isset($task) || $task = "")
{
    echo '<script language="javascript">alert("You Write an Empty Task. Process Failed.");
              document.location="../views/todo.php";</script>';
}
else
{
    $queryinsert = "INSERT INTO todo (user_id, task) VALUES ($user_id, '$task')";

    if(mysqli_query($conn, $queryinsert))
    {
        header("Location: ../view/todo.php");
        exit();

    }
    else
    {
        die ('Error : ' .mysqli_error($conn));
    }

}


mysqli_close($conn);

?> 


Please help me debug this insert query or something like that.

I haven't even moved on to the update or delete query yet.

I already looked at similar questions like this, and I already tried them, but no success.

Maybe there is something I missed.

I know this is not a safe way to execute a query (I don't use PDO or something like that).

But I'm just trying to get the hang of it, maybe later I will move to PDO and the OOP concept.

phapha pha
  • 2
    Which query is the one that's failing? Your code is wide open to SQL injection, which means that you're not really controlling the syntax being used and the values could change that syntax at runtime. When the error occurs, what's the actual query being executed? That is, after replacing the variables, what's the resulting query that's sent to the database? – David May 01 '17 at 12:53
  • can you do `echo $queryinsert;` – Agam Banga May 01 '17 at 12:53
  • You are wide open for SQL injection. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). This will also fix the pesky quoting issue that you're running into. – aynber May 01 '17 at 13:00
  • I believe the $queryinsert is the one that's failing – phapha pha May 01 '17 at 13:11
  • Yes it is. You can echo out `$queryinsert` to see where the error lies. I'm guessing it's a quoting issue. Using prepared statements with bind_param will fix it where `mysqli_real_escape_string` will not. – aynber May 01 '17 at 13:13
  • @aynber, this is what happened when I echo $queryinsert. INSERT INTO todo (user_id, task) VALUES (, '') Error : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ' '')' at line 1 – phapha pha May 01 '17 at 13:16
  • Looks like user_id and task are empty. If you look at your `if` line, you're using single quotes, which is the assignment operator. Use `==` instead, use `empty` instead of the isset and empty string checks. – aynber May 01 '17 at 13:22

3 Answers

2

As mentioned in my comment, this line is rewriting your variables:

if(!isset($user_id) || $user_id = "" || !isset($task) || $task = "")

Change it to use the empty function instead:

if(empty($user_id) || empty($task))

Unless one of them will be 0 or null, then this will work and your variables will pass through.

aynber
  • This is actually the solution. How the hell is it about the checking condition? I thought the $queryinsert is the problem. – phapha pha May 01 '17 at 13:33
  • 1
    It looked that way until you echoed out the query and your variables were empty. The if statement passes through because both variables were set, and the blank string assignments worked. – aynber May 01 '17 at 13:35
  • should I include the isset checking condition too? Or is it just the same? – phapha pha May 01 '17 at 13:37
  • 1
    No, it's the same. [empty](http://php.net/manual/en/function.empty.php) checks to make sure that the variable is set and that it is not null or false and does not contain an empty string, or 0. – aynber May 01 '17 at 13:38
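
The fix from this answer combined with the prepared statement suggested in the comments, as an added example that is not part of the original thread: a version of newtask_process.php that compares instead of assigning and binds both values with bind_param. It assumes database.php provides `$conn` as a mysqli connection, as in the question; `clean_task()` is a hypothetical helper, and the redirect target `../views/todo.php` is an assumption, since the question uses two different spellings of that path.

```php
<?php
// Added example, not the asker's code. Assumes database.php sets $conn
// (a mysqli connection), as in the question.
include '../database/database.php';
session_start();

// Make mysqli throw on failure so errors cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: returns the trimmed task, or null if it must be
 * rejected. Only comparisons (===) are used; a single "=" in the check
 * overwrote $user_id and $task and produced "VALUES (, '')".
 */
function clean_task($raw): ?string
{
    if (!is_string($raw)) {
        return null;                       // field missing or sent as array
    }
    $task = trim($raw);
    return $task === '' ? null : $task;    // "0" stays a valid task
}

// filter_var() yields an int, or false for a missing/non-integer value.
$user_id = filter_var($_SESSION['user_id'] ?? null, FILTER_VALIDATE_INT);
$task    = clean_task($_POST['newtask'] ?? null);

if (!isset($_POST['submit']) || $user_id === false || $task === null) {
    header('Location: ../views/todo.php'); // assumed path
    exit();
}

try {
    // Placeholders keep the values out of the SQL text, so neither an
    // empty value nor a quote character can change the statement syntax.
    $stmt = mysqli_prepare($conn, 'INSERT INTO todo (user_id, task) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'is', $user_id, $task);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
} catch (mysqli_sql_exception $e) {
    // Log server-side instead of printing mysqli errors to the browser.
    error_log('insert into todo failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save the task.');
}

mysqli_close($conn);
header('Location: ../views/todo.php');     // assumed path
exit();
```

Because the task text is stored as typed, it should be passed through `htmlspecialchars()` when todo.php prints it.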
-2

this could work $querydisplay = "SELECT * FROM todo WHERE user_id='$user_id'";

Learnator
-2

possibly this:

$queryinsert = "INSERT INTO todo (user_id, task) VALUES ('" . $user_id . "', '" . $task . "')";
Arie B.
  • I got this error. Error : Cannot add or update a child row: a foreign key constraint fails (`todolist`.`todo`, CONSTRAINT `fk_user` FOREIGN KEY (`user_id`) REFERENCES `user` (`user_id`) ON DELETE NO ACTION ON UPDATE CASCADE) – phapha pha May 01 '17 at 13:18
  • That means we're one step closer to the answer :) See [here](http://stackoverflow.com/questions/12096790/why-to-use-foreign-keys-with-no-action-on-delete-or-update) for more info on this foreign key constraint business – Arie B. May 01 '17 at 13:24