1

i have a database and accessing trough PHP

I connected to database with required credentials

I have a form(html) from where i am getting the required values to enter into the database

i am doing something like this

Values from form
$value = $_POST['id'];
$value1 = $_POST['title'];

and using mysql syntax like this

$sql = "UPDATE table SET title='$value1' where id ='$value'";

Well is there any syntax error in "" or '' ??

And how to display errors in PHP??

Help appreciated

Dumb_Shock
  • 1,050
  • 1
  • 13
  • 23
  • Well is there any error reported or are you just checking to hear if the syntax you are using is correct? :) Everything is ok except the fact that you are not sanitizing form data before using it inside the query. –  Jul 27 '11 at 17:55
  • Related: http://stackoverflow.com/questions/6198104/reference-what-is-a-perfect-code-sample-using-the-mysql-extension – Pekka Jul 27 '11 at 17:56
  • http://php.net/manual/en/function.error-reporting.php <- link that will describe php error reporting – rlemon Jul 27 '11 at 17:59
  • @holodoc : what do u mean by sanitizing?? – Dumb_Shock Jul 27 '11 at 18:10
  • You need to sanitize data coming from your forms in order to prevent SQL injection - **http://php.net/manual/en/function.mysql-real-escape-string.php**. In case of prepared statements (MySQLi or PDO) you don't need to sanitize anything however since you didn't specifically said which extension you are using (MySQL, MySQLi, PDO) I presume you are using the basic MySQL which needs sanitation. –  Jul 27 '11 at 18:19

3 Answers3

2

Most likely you are inserting a single quote in $value1, which causes the string to terminate abbruptly.

An easy fix is to do this:

$value1 = mysql_real_escape_string($_POST['title']);

You should escape ALL values coming from an user input, as this is the first and foremost important step when securing an application. Without escaping the data, you application is very easily hackable.

raver
  • 149
  • 2
2

Your code looks fine, there is no problem with the syntax.

You should however look into escaping anything entered in a form (lookup: mysql_real_escape_string).

To display errors in PHP, either edit the PHP.INI file (search for 'error' and read the comments to determine how to set your level), or by code:

 error_reporting(E_ALL);
 ini_set("display_errors", 1);

Hope this helps, enjoy!

Codecraft
  • 8,291
  • 4
  • 28
  • 45
1

You possibly have a value in $value or $value1 that contains a '. This forces a syntax error, and also demonstrates that your code is vulnerable to SQL injection.

Escape both values with mysql_real_escape_string()

$value = mysql_real_escape_string($_POST['id']);
$value1 = mysql_real_escape_string($_POST['title']);

Suppose $value == "O'brien"

Your SQL becomes:

$sql = "UPDATE table SET title='$value1' where id ='O'brien'";

The MySQL engine sees the following, which contains an extra ' followed by invalid code.

UPDATE table SET title='something' where id ='O'brien';
Michael Berkowski
  • 267,341
  • 46
  • 444
  • 390