views:

63

answers:

6
$sql = "UPDATE galleries SET name='$name', desc='$desc', mainthumb='$mt' 
        WHERE id='$id'";

This throws an error for some godforsaken reason. I must be way too tired because I don't see it.

I've confirmed that all the values are being posted. What's worse, it's an almost exact copy of a query that works fine.

Update:

This has been solved. It was the fact that desc didn't have backticks. I'm also going to use PDO instead as suggested.

+1  A: 

echo $sql and see what it actually becomes. It looks like an easy target for SQL injection, unless you took care of that.

Alex
+7  A: 

Is desc not a keyword that you cannot use as a column name?

Overbeeke
I just tried: `SELECT desc FROM Table1` fails, but quoted it succeeds.
Mark Byers
It is indeed. http://dev.mysql.com/doc/refman/5.0/en/reserved-words.html - note that with many (all?) of these reserved words, if you surround the column name in backticks (which you should be doing anyway imho) it will work just fine.
Steven Richards
Thank you, that was the very problem. It didn't even occur to me when I wrote it. As for the injection, this is the stripped-down version that I was at while trying to discover the problem.
RedElement
+7  A: 

You have a column called desc, which is a reserved word. You will need to quote it with backticks.

`desc`='$desc'
Ben James
A: 

Yes, make sure you first sanitize the data, using mysql_real_escape_string for instance.

Then echo your MySQL error (mysql_error()); it will give you more hints as to where the error is:

<?php
$link = mysql_connect("localhost", "mysql_user", "mysql_password");

mysql_select_db("nonexistentdb", $link);
echo mysql_errno($link) . ": " . mysql_error($link). "\n";

mysql_select_db("kossu", $link);
mysql_query("SELECT * FROM nonexistenttable", $link);
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
?>
pixeline
+4  A: 

Did you sanitize all the parameters before mixing them with the sql statement?
desc is a reserved word in MySQL, you have to explicitly mark it as an identifier:

An identifier may be quoted or unquoted. If an identifier contains special characters or is a reserved word, you must quote it whenever you refer to it. [...]
The identifier quote character is the backtick (“`”):
$mysql = mysql_connect(...

$sql = "
    UPDATE
        galleries
    SET
        name='" . mysql_real_escape_string($_POST['name'], $mysql) . "',
        `desc`='" . mysql_real_escape_string($_POST['desc'], $mysql) . "',
        mainthumb='" . mysql_real_escape_string($_POST['mt'], $mysql) . "'
    WHERE
        id='" . mysql_real_escape_string($_POST['id'], $mysql) . "'
";

or even better: use prepared statements

VolkerK
+1 for prepared statements and `mysqli`.
Alex
Actually I had PDO in mind ;-) link added
VolkerK
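
The fix the thread converges on (backtick-quoted `desc` plus a PDO prepared statement), as an added example that is not code from any of the posters. It assumes an in-memory SQLite database as a stand-in for MySQL so it runs without a server; the helper name updateGallery and the sample rows and input are constructed.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for MySQL
// (assumption) so this runs without a server; SQLite also accepts backtick quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly

// Constructed schema and rows mirroring the columns in the question.
$pdo->exec('CREATE TABLE galleries (id INTEGER PRIMARY KEY, name TEXT, `desc` TEXT, mainthumb TEXT)');
$pdo->exec("INSERT INTO galleries VALUES (1, 'old', 'old', 'a.jpg'), (2, 'other', 'untouched', 'b.jpg')");

// Hypothetical helper: returns the number of rows changed.
function updateGallery(PDO $pdo, array $input): int
{
    // The id must be an integer; reject anything else before touching the database.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // `desc` is backtick-quoted because it is a reserved word. Values travel as bound
    // parameters, so quotes inside them never become part of the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE galleries SET name = :name, `desc` = :desc, mainthumb = :mt WHERE id = :id'
    );
    $stmt->bindValue(':name', (string) ($input['name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':desc', (string) ($input['desc'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':mt', (string) ($input['mt'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed input standing in for $_POST; the values contain quote characters
// that would break or alter the concatenated query from the question.
$post = ['id' => '1', 'name' => "Bob's shots", 'desc' => "x' OR '1'='1", 'mt' => 'new.jpg'];

try {
    echo 'rows changed: ', updateGallery($pdo, $post), "\n";
    print_r($pdo->query('SELECT * FROM galleries ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
} catch (PDOException $e) {
    // PDO counterpart of checking mysql_error(): log the driver message server-side.
    error_log('gallery update failed: ' . $e->getMessage());
}
```

Only row 1 changes, and its desc column holds the submitted string verbatim, quotes included; row 2 is untouched.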
A: 
$sql = "UPDATE `galleries` SET 
           name='".$name."', 
           desc='".$desc."', 
           mainthumb='".$mt."' 
        WHERE id='".$id."'";

This could be one alternative way to handle it, although I would have gone with PDO as VolkerK suggested. I would also echo it to see what it would output as well. Also, as Ben suggested, desc may be a reserved word.

Anraiki