
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

That is the error I am getting right now. I searched the internet and I cannot seem to find it. Others said it's the '' in the variable ('$order_id'), but that didn't solve the error.

When I click the Accept button, which is submitAccept, a message "Order Accepted" should pop up, BUT instead it pops up the aforementioned error. How do I fix this?

Here is my SQL code:

<?php
if (isset($_POST['submitDelivered'])) {
    $order_id = trim(addslashes($_POST['t_order_id']));
    $query = "UPDATE order_tbl SET `order_status`='Delivered' WHERE `order_id` = $order_id";
    if (mysqli_query(connection2(), $query)) {
        mysqli_query(connection2(), "COMMIT");
        $_SESSION['message'] = "Order Delivered";
    } else {
        $_SESSION['message'] = mysqli_error(connection2());
        mysqli_query(connection2(), "ROLLBACK");
    }
}

if (isset($_POST['submitAccept'])) {
    $order_id = trim(addslashes($_POST['t_order_id']));
    $query = "UPDATE order_tbl SET `order_status`='Accepted' WHERE `order_id` = $order_id";
    if (mysqli_query(connection2(), $query)) {
        mysqli_query(connection2(), "COMMIT");
        $_SESSION['message'] = "Order Accepted";
    } else {
        $_SESSION['message'] = mysqli_error(connection2());
        mysqli_query(connection2(), "ROLLBACK");
    }
}

if (isset($_POST['submitCancel'])) {
    $order_id = trim(addslashes($_POST['t_order_id']));
    $query = "UPDATE order_tbl SET `order_status`='Cancelled' WHERE `order_id` = $order_id";
    if (mysqli_query(connection2(), $query)) {
        mysqli_query(connection2(), "COMMIT");
        $_SESSION['message'] = "Order Cancelled";
    } else {
        $_SESSION['message'] = mysqli_error(connection2());
        mysqli_query(connection2(), "ROLLBACK");
    }
}
?>
Dragon12
  • Every time someone runs a PHP query without prepared statements, a fuzzy kitten dies somewhere. Use prepared statements, which would likely already solve the problem you are having. – Tim Biegeleisen Oct 01 '17 at 15:10
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Oct 01 '17 at 15:13
  • @timbiegeleisen How can I do that bro? I'm not good at queries :( – Dragon12 Oct 01 '17 at 15:16
  • @johnconde Yeah bro, after I solve this problem that's what I'm gonna do. – Dragon12 Oct 01 '17 at 15:17
  • Just Google around for this, you will certainly find some good tutorials out there. – Tim Biegeleisen Oct 01 '17 at 15:17
  • At least do us the favor of narrowing down the problem to a single statement. – Gordon Linoff Oct 01 '17 at 15:17
  • Don't just dump here 40 lines of code if only 3 of them are necessary. E.g., what does your question have to do with $_SESSION? Nothing. Read about how to create a [mcve]. – Al.G. Oct 01 '17 at 15:18
  • @Timbiegeleisen I spent a couple of hrs searching for the answer bro. I wouldn't be here bro if I had found the answer. – Dragon12 Oct 01 '17 at 15:27
  • @GordonLinoff It didn't show the message "Accepted" bro. – Dragon12 Oct 01 '17 at 15:28
  • Are you trying to use transactions? http://php.net/manual/en/mysqli.begin-transaction.php You also can simplify this. Use a single query, and make the value being updated a variable. – chris85 Oct 01 '17 at 15:28
  • @Al.G. Sorry bro, I'm new here and I just wanted to show the whole code just to be sure and clear. – Dragon12 Oct 01 '17 at 15:29
  • Which query is even giving you a headache? Remove everything else apart from that query. – rndus2r Oct 01 '17 at 15:29
  • @rndus2r All 3 buttons bro, in the line $query ... etc. – Dragon12 Oct 01 '17 at 15:32
  • @Dragon12 Don't bro me if you don't know me :-) – Tim Biegeleisen Oct 01 '17 at 15:35
  • @TimBiegeleisen your stash of fuzzy kittens must be getting severely depleted – Strawberry Oct 01 '17 at 15:47
  • @TimBiegeleisen I didn't mean that. It's just I'm stressed and have so much to work with. Sorry :( – Dragon12 Oct 01 '17 at 16:04

1 Answer

Are you certain that MySQL error is derived from the PHP you display in the question? What was the value of $order_id when you got that error?

  $query = "UPDATE order_tbl SET `order_status`='Delivered' WHERE `order_id` = $order_id";
  $query = "UPDATE order_tbl SET `order_status`='Accepted' WHERE `order_id` = $order_id";
  $query = "UPDATE order_tbl SET `order_status`='Cancelled' WHERE `order_id` = $order_id";

There is no obvious SQL syntax error in any of the 3 queries shown UNLESS something bad has been put into $order_id.

Please note I am not commenting on your PHP as I'm not an expert in that, but I do know you should be using prepared statements (as many have advised already).

Paul Maxwell
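The answer above points at `$order_id` as the only place a syntax error can come from: if `t_order_id` is empty or missing, the interpolated query ends in `WHERE \`order_id\` = ` and MySQL reports an error "near ''". The following is an added example, not the asker's code or the answerer's; it assumes `connection2()` returns a `mysqli` object as in the question. It validates the id as an integer before any SQL is built, collapses the three near-identical blocks into one prepared `UPDATE` (as chris85 suggested in the comments), and keeps the status value out of user control by mapping it from the button name.

```php
<?php
// Added example (not the asker's code). Assumes connection2() returns a mysqli
// object, as in the question. Hypothetical file: order_status.php
session_start();

// Each submit button maps to the status it writes. Any other POST field is
// ignored, so the status text itself never comes from user input.
const BUTTON_STATUS = [
    'submitDelivered' => 'Delivered',
    'submitAccept'    => 'Accepted',
    'submitCancel'    => 'Cancelled',
];

// One prepared UPDATE for all three buttons, wrapped in a real transaction.
// The values travel separately from the SQL text, so there is nothing to
// escape and a missing id cannot produce a malformed statement.
function updateOrderStatus(mysqli $db, int $orderId, string $status): bool
{
    $db->begin_transaction();
    $stmt = $db->prepare(
        "UPDATE order_tbl SET `order_status` = ? WHERE `order_id` = ?"
    );
    if ($stmt === false) {
        $db->rollback();
        return false;
    }
    // 's' binds the status as a string, 'i' binds the id as an integer.
    $stmt->bind_param('si', $status, $orderId);
    $ok = $stmt->execute();
    $stmt->close();
    if ($ok) {
        $db->commit();
    } else {
        $db->rollback();
    }
    return $ok;
}

// Find which known button was pressed; exactly one is expected.
$pressed = array_intersect_key(BUTTON_STATUS, $_POST);
if (count($pressed) === 1) {
    $status = reset($pressed);

    // This is the check the original code lacks: an empty or non-numeric
    // t_order_id is rejected here instead of being interpolated into SQL.
    $orderId = filter_var($_POST['t_order_id'] ?? '', FILTER_VALIDATE_INT);
    if ($orderId === false) {
        $_SESSION['message'] = 'Invalid or missing order id';
    } else {
        $db = connection2();   // one connection reused for prepare/commit/rollback
        $_SESSION['message'] = updateOrderStatus($db, $orderId, $status)
            ? "Order $status"                    // e.g. "Order Accepted"
            : 'Update failed: ' . $db->error;
    }
}
```

The connection is fetched once and reused, so `begin_transaction`, the `UPDATE`, and the `commit`/`rollback` all happen on the same session; calling `connection2()` separately for each step, as the original does, only forms a transaction if that function returns the same connection every time.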