
Hello, I am trying to build a forum, but when I click on a topic in my forum I can view the page. I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''7'' at line 1

Here is my code from the view_topic.php page that I am trying to build:

    <?php
    session_start();
    ?>
    <!DOCTYPE html>
    <html>
    <head>
        <title>View Category</title>
        <link rel="stylesheet" type="text/css" href="style.css">
    </head>
    <body>
    <div id="wrapper">
        <h2>Timkipptutorials</h2>

        <?php
        if(!isset($_SESSION['uid'])){
            // password field uses type='password' so it is not shown on screen; the form is closed
            echo "<form action='login_parse.php' method='post'>
                Username: <input type='text' name='username'>&nbsp;
                Password <input type='password' name='password'>&nbsp;
                <input type='submit' name='submit' value='Log In'>
                </form>";
        }else{
            echo "<p>You are logged in as ".$_SESSION['username']." &bull; <a href='logout_parse.php'>Logout</a></p>";
        }
        ?>

        <hr>
        <div id="content">
        <?php
            include_once("connect.php");

            // $cid and $tid come straight from the query string and are concatenated
            // into the SQL below (see the comments about SQL injection)
            $cid = $_GET['cid'];
            $tid = $_GET['tid'];
            $sql = "SELECT * FROM topics WHERE category_id='".$cid."' AND id='".$tid."' LIMIT 1";
            $res = mysql_query($sql) or die(mysql_error());
            if(mysql_num_rows($res) == 1){
                echo "<table width='100%'>";
                if(isset($_SESSION['uid'])){
                    // query-string parameters are separated by '&', not '$'
                    echo "<tr><td colspan='2'><input type='submit' value='Add Reply' onClick=\"window.location = 'post_reply.php?cid=".$cid."&tid=".$tid."'\"/><hr></td></tr>";
                }else{
                    echo "<tr><td colspan='2'><p>Please log in to add a reply</p><hr></td></tr>";
                }
                while($row = mysql_fetch_assoc($res)){
                    // the missing '=' after topic_id is the cause of the reported syntax error
                    $sql2 = "SELECT * FROM posts WHERE category_id = '".$cid."' AND topic_id '".$tid."'";
                    $res2 = mysql_query($sql2) or die(mysql_error());
                    while($row2 = mysql_fetch_assoc($res2)){
                        echo "<tr><td valign='top' style='border: 1px solid #000000;'><div style='min-height: 125px;'>".$row['topic_title']."<br> by ".$row2['post_creator']." - ".$row2['post_date']."<hr>".$row2['post_content']."</div></td><td width='200' valign='top' align='center' style='border: 1px solid #000000;'>User Info Here</td></tr><tr><td colspan='2'><hr></td></tr>";
                    }
                    // increment the topic's view counter
                    $old_views = $row['topic_views'];
                    $new_views = $old_views + 1;
                    $sql3 = "UPDATE topics SET topic_views='".$new_views."' WHERE category_id='".$cid."' AND id='".$tid."' LIMIT 1";
                    $res3 = mysql_query($sql3) or die(mysql_error());
                }

                echo "</table>";

            }else{
                echo "<p>This topic does not exist.</p>";
            }
        ?>

        </div>
    </div>
    </body>
    </html>

Please help me with that. Thanks

Kaloyan
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Jun 07 '17 at 15:49
  • Don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Jun 07 '17 at 15:49
  • Ok. But, is that the reason to my problem? What do you think? – Kaloyan Jun 07 '17 at 15:52
  • @Kaloyan in $sql2 you missed the "=" - AND topic_id '".$tid."' – Vlad Jun 07 '17 at 15:55
  • @Vlad Thank you. I really appreciate your help. I went through the code several times and did not find the mistake. Thank you so much. – Kaloyan Jun 07 '17 at 16:15
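The comments above recommend prepared statements with bound parameters. As an added example (not code from the question or from the answers), here are the three queries of view_topic.php rewritten with mysqli prepared statements; the table and column names are taken from the question, the connection credentials are placeholders, and `get_result()` assumes the mysqlnd driver:

```php
<?php
// Added example: the queries from view_topic.php with mysqli prepared statements.
// Connection details are placeholders, not values from the question.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Database connection failed');
}

// Original (vulnerable) form: $cid/$tid are concatenated into the SQL text, so a
// crafted value changes the query; it is also where the missing '=' lived:
//   $sql2 = "SELECT * FROM posts WHERE category_id = '".$cid."' AND topic_id '".$tid."'";

// Hardened form: ids are cast to int and bound as parameters. The SQL text never
// contains user input, so user input cannot alter its structure.
$cid = (int) ($_GET['cid'] ?? 0);
$tid = (int) ($_GET['tid'] ?? 0);

$stmt = $db->prepare('SELECT topic_title, topic_views FROM topics WHERE category_id = ? AND id = ? LIMIT 1');
$stmt->bind_param('ii', $cid, $tid);   // 'ii' = two integer parameters
$stmt->execute();
$topic = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($topic === null) {
    echo '<p>This topic does not exist.</p>';
    exit;
}

$stmt = $db->prepare('SELECT post_creator, post_date, post_content FROM posts WHERE category_id = ? AND topic_id = ?');
$stmt->bind_param('ii', $cid, $tid);
$stmt->execute();
$posts = $stmt->get_result();
while ($row2 = $posts->fetch_assoc()) {
    // htmlspecialchars() keeps stored post text from being rendered as HTML when echoed
    echo '<p>' . htmlspecialchars($topic['topic_title']) . ' by '
        . htmlspecialchars($row2['post_creator']) . ' - ' . htmlspecialchars($row2['post_date'])
        . '<hr>' . htmlspecialchars($row2['post_content']) . '</p>';
}
$stmt->close();

// Increment the view counter in one statement instead of read-add-write in PHP.
$stmt = $db->prepare('UPDATE topics SET topic_views = topic_views + 1 WHERE category_id = ? AND id = ? LIMIT 1');
$stmt->bind_param('ii', $cid, $tid);
$stmt->execute();
$stmt->close();
```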

2 Answers


    $sql2 = "SELECT * FROM posts WHERE category_id = '".$cid."' AND topic_id '".$tid."'";

is missing the = sign on the second compare... as in

    $sql2 = "SELECT * FROM posts WHERE category_id = '".$cid."' AND topic_id = '".$tid."'";

Dan

You have a typo in your code which is leading to an error. Your code is

    $sql2 = "SELECT * FROM posts WHERE category_id = '".$cid."' AND topic_id '".$tid."'";

At the very end you forgot to add an "=" to check the equality of topic_id to $tid. It should be

    $sql2 = "SELECT * FROM posts WHERE category_id = '".$cid."' AND topic_id = '".$tid."'";

JoshKopen