I have a little problem. I tried to update information in an HTML form, and when I write "I'm example" I receive this error:

A little help?

Error updating record: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'da', gender='2', locationUser='Here', userBirthday='26/05/1993' WHERE PlayerID='' at line 1

Code:

```php
$sql = "UPDATE users SET descriptionProfile='$prezentare', gender='$gender', locationUser='$localisation', userBirthday='$anniversaire' WHERE PlayerID='$pr'";
```
Dharman
  • Print `$pr` and make sure it has the correct value. – Ali Sheikhpour May 12 '19 at 08:19
  • `$pr` is the player ID; that is not the problem. – Kiuasgas May 12 '19 at 08:23
  • The problem is with UTF-8 characters, for example ', etc. – Kiuasgas May 12 '19 at 08:23
  • You have to escape special characters before insert and update. Please check this https://stackoverflow.com/questions/881194/how-do-i-escape-special-characters-in-mysql – Ali Sheikhpour May 12 '19 at 08:26
  • There can be a single or double quote which may be breaking your query. You can use binding or mysqli_real_escape_string function if this is the problem. – Rohit Mittal May 12 '19 at 08:41
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Progman May 12 '19 at 08:48
  • **Warning:** You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](http://php.net/manual/en/pdo.prepared-statements.php) or by [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). – Dharman May 12 '19 at 10:50

2 Answers

A single or double quote breaks your query. Use this query:

```php
$sql = "UPDATE users SET descriptionProfile='".$prezentare."', gender='".$gender."', locationUser='".$localisation."', userBirthday='".$anniversaire."' WHERE PlayerID='".$pr."'";
```
  • Error updating record: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '2', locationUser='România', userBirthday='26/05/1993' WHERE PlayerID='2'' at line 1 – Kiuasgas May 12 '19 at 10:16

Extending @Ariful's answer:

For lower versions of MySQL, you have to use the query below:

```php
$sql = "UPDATE `users` SET `descriptionProfile`='".$prezentare."', `gender`='".$gender."', `locationUser`='".$localisation."', `userBirthday`='".$anniversaire."' WHERE `PlayerID` ='".$pr."'";
```

Hope this will help.

Adarsh Sharma
  • Error updating record: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '2', `locationUser`='România', `userBirthday`='26/05/1993' WHERE `PlayerID` ='2'' at line 1 – Kiuasgas May 12 '19 at 10:15
  • Can you check the data type of all the fields you have given in your database table, and try to set the variables according to each field's data type? – Adarsh Sharma May 13 '19 at 07:47
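
The prepared-statement approach recommended in the comments on the question, shown as an added example that is not part of the original thread. It uses PDO with the table and column names from the question; the in-memory SQLite database, the column types, the `updateProfile` function and the sample form values are assumptions made so the script runs offline.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for MariaDB so this runs offline.
// For MariaDB use a DSN like 'mysql:host=HOST;dbname=DB;charset=utf8mb4'
// (placeholders) and set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and row; the column types are assumptions.
$pdo->exec('CREATE TABLE users (PlayerID INTEGER PRIMARY KEY,
    descriptionProfile TEXT, gender TEXT, locationUser TEXT, userBirthday TEXT)');
$pdo->exec('INSERT INTO users (PlayerID) VALUES (2)');

// Hypothetical helper: the int type rejects an empty PlayerID before any SQL runs.
function updateProfile(PDO $pdo, int $playerId, array $form): int
{
    // The SQL text is constant. Values are bound separately and never parsed
    // as SQL, so quotes or non-ASCII characters cannot break the statement.
    $stmt = $pdo->prepare(
        'UPDATE users
            SET descriptionProfile = :prezentare,
                gender             = :gender,
                locationUser       = :localisation,
                userBirthday       = :anniversaire
          WHERE PlayerID = :pr'
    );
    $stmt->execute([
        ':prezentare'   => $form['prezentare'],
        ':gender'       => $form['gender'],
        ':localisation' => $form['localisation'],
        ':anniversaire' => $form['anniversaire'],
        ':pr'           => $playerId,
    ]);
    return $stmt->rowCount(); // 0 means no row matched the given PlayerID
}

// Constructed form input containing the characters that broke the original query.
$form = ['prezentare' => "I'm example", 'gender' => '2',
         'localisation' => 'România', 'anniversaire' => '26/05/1993'];

$changed = updateProfile($pdo, 2, $form);
$row = $pdo->query('SELECT descriptionProfile, locationUser FROM users WHERE PlayerID = 2')
           ->fetch(PDO::FETCH_ASSOC);
printf("rows changed: %d\nstored: %s / %s\n",
       $changed, $row['descriptionProfile'], $row['locationUser']);
```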