
Wonder if you can help me with this. Has there been a change in PHP 8 which will cause issues for updating or inserting into a MySQL table? I've looked through documentation and I can't find why code which previously worked on PHP 7 was working fine and now it doesn't work.

```php
$sql5 = "INSERT INTO player_awards (  award, season, rank, player_id ) 
  VALUES ('topplayer',  '$season' , '1' , '$playerid' )";

if ($con->query($sql5) === TRUE) {
    echo ("<div class=\"alert alert-success\" role=\"alert\"><span>Player($playerid) saved as top player for $season</span></div>");
} else {
    echo "Error: " . $sql5 . "<br>" . $con->error;
}
```

This was working perfectly previously, now I'm presented with "Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax"

Any pointers would really help, or if there is a way around it.

ADyson
Mrchuckles
  • Read the following: [How to include a PHP variable inside a MySQL statement](https://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-statement). Regardless of the php version, this is entirely the wrong way to build a sql query in php. The main difference in the upgrade is likely that mysqli error reporting is now on by default. The rest of the error message should give a clue about precisely where the syntax problem is, but I would strongly bet it would be cured by parameterising the query properly – ADyson Aug 14 '23 at 11:18
  • Well, the most obvious pointer you have already. Which is the error message that shows you the problem query part. Though it is highly unlikely that the problem is caused by the upgrade but rather by the data to be inserted. To fix that, refer to the linked answer – Your Common Sense Aug 14 '23 at 11:29
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Aug 14 '23 at 13:33
  • @ADyson thank you and your guidance towards prepared statements. This didn't ultimately resolve the problem. But it's a really helpful pointer, just a hobby for me this and although it's painful I'm going to update the whole site to fix this shoddy and insecure coding. – Mrchuckles Aug 15 '23 at 13:16
  • Incidentally, the issue was I had a column name called "Rank" which you cannot use in MySQL 8 onwards. – Mrchuckles Aug 15 '23 at 14:29
  • Ah OK. You didn't tell us you'd upgraded mysql as well. If we had seen the whole error message, it might have pointed us towards the Rank issue though. Are you totally sure you can't use it at _all_, even in backticks? – ADyson Aug 15 '23 at 16:03
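
The two points raised in the comments, combined in one added example that is not code from the original post or its commenters: the INSERT as a mysqli prepared statement, with the `rank` column quoted in backticks because RANK is a reserved word from MySQL 8.0.2. The connection details, the sample values, the `saveTopPlayer` helper and the integer types assumed for `rank` and `player_id` are assumptions.

```php
<?php
// Added example. Connection details below are placeholders, not values from the post.
// Exceptions on mysqli errors are the default from PHP 8.1; set explicitly for clarity.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts the award row using bound parameters only.
function saveTopPlayer(mysqli $con, string $season, int $playerId): void
{
    // `rank` is backtick-quoted because RANK is reserved from MySQL 8.0.2.
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $con->prepare(
        'INSERT INTO player_awards (award, season, `rank`, player_id)
         VALUES (?, ?, ?, ?)'
    );
    $award = 'topplayer';
    $rank  = 1;
    // Assumed column types: award/season are strings, rank/player_id are integers.
    $stmt->bind_param('ssii', $award, $season, $rank, $playerId);
    $stmt->execute();
    $stmt->close();
}

try {
    $con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
    $con->set_charset('utf8mb4');

    $season   = '2023'; // constructed sample values
    $playerId = 42;
    saveTopPlayer($con, $season, $playerId);

    // Escape on output: the season value may originate from user input.
    printf(
        '<div class="alert alert-success" role="alert"><span>Player(%d) saved as top player for %s</span></div>',
        $playerId,
        htmlspecialchars($season, ENT_QUOTES, 'UTF-8')
    );
} catch (mysqli_sql_exception $e) {
    // Log the full message server-side; do not echo SQL text or DB errors to the page.
    error_log($e->getMessage());
    http_response_code(500);
    echo '<div class="alert alert-danger" role="alert">Could not save the award.</div>';
}
```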
