Question

I have some code written by someone else. This code is giving me a syntax error and I cannot figure out why.

if (!isset($_POST['new'])) {$query.= 'WHERE `name` ="'.mysqli_real_escape_string($origName).'"';}
$query .= ';';
query($query);
$output = "Changes saved";

The specific error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE name =""' at line 1

I am hoping someone here can point out the obvious to me.

Thanks for the suggestions, but I am still getting the same basic error. Here is the chunk of code that deals with adding a new person:

if (isset($_POST['name'])) {    // Save new/updated presenter
    $newName = mysqli_real_escape_string(htmlentities($_POST['name'],ENT_QUOTES));
    $origName = mysqli_real_escape_string(htmlentities($_POST['origName'],ENT_QUOTES));

    if (isset($_POST['new'])) {
        $query = "INSERT INTO `presenters` SET `name`='$newName'";
    } else {
        $query = "UPDATE `presenters` SET `name`='$newName'";
    }
    unset($_POST['new'], $_POST['name'], $_POST['origName']);
    foreach ($_POST as $key=>$value) {
        $key = mysql_real_escape_string($key);
        $value = mysql_real_escape_string($value);
        $query .= ", `$key`='$value'";
    }
    if (!isset($_POST['new'])) {
        $query.= "WHERE `name` ='" . mysqli_real_escape_string($db, $origName) . "'";
    }
    $query .= ';';
    query($query);
    $output = "Changes saved";
}

Solution

Clean formatting helps clean stuff like this up:

if (!isset($_POST['new'])) {
  $query.= "WHERE `name` = '" . mysqli_real_escape_string($origName) . "'";
}
$query .= ';';
query($query);
$output = "Changes saved";

First, the formatting of the WHERE in your example is off. I set that to double quotes for the whole query & single quotes for the value inside the query that comes from mysqli_real_escape_string($origName).

But that said, the mysqli_real_escape_string() format is incorrect. For the procedural style you need to have the actual DB connection (aka: link) set as the first parameter:

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

So the mysqli_real_escape_string() as shown in your example needs to be changed to something like this:

mysqli_real_escape_string($db, $origName)

With $db actually being the real MySQL database connection link in your larger code structure.

Other tips

You probably just need to add a space in front of the WHERE:

if (!isset($_POST['new'])) {$query.= ' WHERE `name` ="'.mysqli_real_escape_string($origName).'"';}

It could also be the double quotes; I believe MySQL uses single quotes around strings.

if (!isset($_POST['new'])) {$query.= " WHERE `name` ='".mysqli_real_escape_string($origName)."'";}

Though your first two mysqli_real_escape_string()s also need 2 parameters. The first one should be your db-link, the second one the string that needs to be escaped.

The use of htmlentities() can be removed inside mysqli_real_escape_string().
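Putting both answers together (the leading space before WHERE, the `$db` link as the first argument of mysqli_real_escape_string(), and no htmlentities() before storage), the code below is an added example and not code from the question or from either answer. It also goes further than the answers in two ways. First, column names are taken from a fixed allowlist rather than from the keys of $_POST: mysqli_real_escape_string() escapes NUL, \n, \r, \, ', " and Control-Z, but not backticks, so an escaped POST key spliced into `` `$key` `` can still break out of the identifier and inject SQL. Second, values are bound through a prepared statement instead of being escaped and concatenated, so quoting mistakes like the one in the question cannot occur. It also computes "is this a new row" once, up front, because the second chunk in the question unsets $_POST['new'] and then tests it again, which appends the WHERE clause to the INSERT as well. $db is assumed to be an open mysqli connection, and the column names in $allowedColumns are hypothetical.

```php
<?php
// Added example for this thread; not the questioner's or the answerers' code.
// Assumes: $db is an open mysqli connection; `presenters` has the columns named
// in $allowedColumns (hypothetical names); POST carries name, origName and
// optionally new, as in the question.
declare(strict_types=1);

// Make mysqli throw on prepare/execute failures instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Build a parameterised INSERT ... SET / UPDATE ... SET for `presenters`.
 *
 * Identifiers never come from the request: only columns listed in
 * $allowedColumns are used, because mysqli_real_escape_string() does not
 * escape backticks, so an escaped $_POST key is still not a safe identifier.
 * Values are returned separately for binding, so no quoting is needed in $sql.
 *
 * Returns [$sql, $params]; the builder can be checked without a database.
 */
function buildPresenterQuery(array $post, array $allowedColumns): array
{
    if (!isset($post['name']) || $post['name'] === '') {
        throw new InvalidArgumentException('name is required');
    }
    // Decide once, before anything is unset or overwritten.
    $isNew = isset($post['new']);

    // Store the raw value; HTML-escape on output, not before the INSERT.
    $assignments = ['`name` = ?'];
    $params      = [(string) $post['name']];

    foreach ($allowedColumns as $column) {
        if ($column === 'name' || !array_key_exists($column, $post)) {
            continue;   // unknown keys, hostile or not, are simply ignored
        }
        $assignments[] = "`$column` = ?";   // $column is ours, not the client's
        $params[]      = (string) $post[$column];
    }

    $sql = ($isNew ? 'INSERT INTO `presenters` SET ' : 'UPDATE `presenters` SET ')
         . implode(', ', $assignments);

    if (!$isNew) {
        // Leading space matters: "...'value'WHERE" was the original syntax error.
        $sql     .= ' WHERE `name` = ?';
        $params[] = (string) ($post['origName'] ?? '');
    }
    return [$sql, $params];
}

/**
 * Run the built query as a prepared statement and return the affected row count.
 */
function savePresenter(mysqli $db, array $post, array $allowedColumns): int
{
    [$sql, $params] = buildPresenterQuery($post, $allowedColumns);

    $stmt = $db->prepare($sql);
    // Every parameter is bound as a string; MySQL converts for non-text columns.
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage, mirroring the question's flow (column names are assumed):
// $allowedColumns = ['name', 'email', 'bio'];
// savePresenter($db, $_POST, $allowedColumns);
// $output = 'Changes saved';
```

Because buildPresenterQuery() has no database dependency, it can be unit-tested on its own: a POST array containing a key such as `` name` = 'x' -- `` produces the same SQL as one without it, since that key is not in the allowlist. On PHP 8.1 and later the bind_param() call can be replaced by `$stmt->execute($params)`, which binds the array directly.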

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow