/    Sign up×
Community /Pin to ProfileBookmark

MySQL – syntax to use near ” at line 1 [Unknown]

Copy linkTweet thisAlerts:
Jun 22.2021

Got the error from SQL when my wordings included ‘ Please help to fix it.

Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ” at line 1

“`
<?php
$host=”XXXXX”;
$user=”XXXXX”;
$pass=”XXXXX”;
$dbname=”XXXXX”;
$con=mysqli_connect($host,$user,$pass,$dbname);
if (mysqli_connect_errno($con))
{
echo “<h1>Failed to connect to MySQL: ” . mysqli_connect_error() .”</h1>”;
}
$guestID = $_GET[‘guestID’];
$guestSubject=$_POST[‘guestSubject’];
$guestSecSubject=$_POST[‘guestSecSubject’];
$guestContent=$_POST[‘guestContent’];
$sql=”UPDATE meiabbook SET guestSubject = ‘$guestSubject’, guestSecSubject` = ‘$guestSecSubject’, `guestContent` = ‘$guestContent’ WHERE `guestID` = $guestID”;
if (!mysqli_query($con,$sql))
{
die(‘Error: ‘ . mysqli_error($con));
}
else
echo “<script type=’text/javascript’>”;
echo “alert(‘Has been edited !’);”;
echo “window.location.href=’index.php’;”;
echo “</script>”;
mysqli_close($con);
?>
“`

to post a comment
PHP

12 Comments(s)

Copy linkTweet thisAlerts:
@SempervivumJun 22.2021 — The opening backtick is missing at guestSecSubject<span><code></CODE>
This should be correct:
<CODE>`<i>
</i>UPDATE meiabbook
SET guestSubject = '$guestSubject', guestSecSubject = '$guestSecSubject', guestContent = '$guestContent'
WHERE guestID = $guestID<i>
</i>`</CODE>

BTW: Single backticks (probably created by the button <C>&lt;/&gt;</C>) won't work reliably when posting code. You better use code tags: <C>your code here` or triple backticks.

I edited your posting accordingly.
Copy linkTweet thisAlerts:
@KLALMEauthorJun 22.2021 — @Sempervivum#1633235

Thank you for the help. However it is still error after revising those codes.
Copy linkTweet thisAlerts:
@SempervivumJun 22.2021 — Please output the resulting SQL and post the output:
``<i>
</i> $guestID = $_GET['guestID'];
$guestSubject=$_POST['guestSubject'];
$guestSecSubject=$_POST['guestSecSubject'];
$guestContent=$_POST['guestContent'];
$sql="UPDATE meiabbook SET guestSubject = '$guestSubject', guestSecSubject = '$guestSecSubject', guestContent = '$guestContent' WHERE guestID = $guestID";
var_dump($sql);
```
Copy linkTweet thisAlerts:
@KLALMEauthorJun 22.2021 — @Sempervivum#1633237

Please find the output.

string(133) "UPDATE meiabbook SET guestSubject = '20 June 2021', guestSecSubject<span><code> = 'Ngau Tau Kok', </code></span>guestContent<span><code> = 'tesing'd' WHERE </code></span>guestID<span><code> = &quot; Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '</code></span> = 'Ngau Tau Kok', <span><code>guestContent</code></span> = 'tesing'd' WHERE <span><code>guestID</code></span> =' at line 1
Copy linkTweet thisAlerts:
@SempervivumJun 22.2021 — Sorry, I posted the erroneous query, please use the corrected one and try again:
``<i>
</i> $guestID = $_GET['guestID'];
$guestSubject=$_POST['guestSubject'];
$guestSecSubject=$_POST['guestSecSubject'];
$guestContent=$_POST['guestContent'];
$sql="UPDATE meiabbook SET guestSubject = '$guestSubject', guestSecSubject = '$guestSecSubject', guestContent = '$guestContent' WHERE guestID = $guestID";
var_dump($sql);<i>
</i>``
Copy linkTweet thisAlerts:
@KLALMEauthorJun 22.2021 — @Sempervivum#1633239

string(134) "UPDATE meiabbook SET guestSubject = '20 June 2021', <span><code>guestSecSubject</code></span> = 'Ngau Tau Kok', <span><code>guestContent</code></span> = 'tesing'd' WHERE <span><code>guestID</code></span> = " Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'd' WHERE <span><code>guestID</code></span> =' at line 1

Even I don't type the ' in textrea

string(133) "UPDATE meiabbook SET guestSubject = '20 June 2021', <span><code>guestSecSubject</code></span> = 'Ngau Tau Kok', <span><code>guestContent</code></span> = 'tesingr' WHERE <span><code>guestID</code></span> = " Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
Copy linkTweet thisAlerts:
@SempervivumJun 22.2021 — 
  • 1. guestID is empty, obviously the corresponding GET parameter is missing.

  • 2. What type is guestID of? When you are using quotes it should be a string. However IDs tend to be numeric.
    • Copy linkTweet thisAlerts:
    @KLALMEauthorJun 22.2021 — @Sempervivum#1633241

    'GuestID' is using int(5) with AUTO_INCREMENT and PRIMARY KEY.

    For the edit page, actually I can call those data under specified 'GuestID'. Coding in edit page as below/

    <i>
    </i>&lt;a href="edit.php?guestID=&lt;?php echo $row['guestID']; ?&gt;"&gt;&lt;/a&gt; 


    <i>
    </i>&lt;?php
    $host="XXXXX";
    $user="XXXXX";
    $pass="XXXXX";
    $dbname="XXXXX";
    $con=mysqli_connect($host,$user,$pass,$dbname);
    if (mysqli_connect_errno($con))
    {
    echo "Disconnected with database under " . mysqli_connect_error();
    }
    session_start();
    $guestID = $_GET["guestID"];
    $result = mysqli_query($con,"SELECT * FROM meiabbook WHERE guestID = '$guestID'");
    ?&gt;


    <i>
    </i>&lt;?php
    while($row = mysqli_fetch_array($result)){
    ?&gt;
    &lt;article id="form" class="container box style3"&gt;
    &lt;center&gt;
    &lt;form name="guest" action="editsys.php" method="post"&gt;
    &lt;table width="80%"&gt;
    &lt;tr&gt;&lt;td&gt;Title&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;&lt;input type="text" name="guestSubject" value="&lt;?php echo $row['guestSubject']; ?&gt;" required /&gt;&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Subtitle&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;&lt;input type="text" name="guestSecSubject" value="&lt;?php echo $row['guestSecSubject']; ?&gt;" required /&gt;&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Content&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;&lt;textarea style="white-space: pre-wrap;" cols="50" rows="10" name="guestContent" required &gt;&lt;?php echo $row['guestContent']; ?&gt;&lt;/textarea&gt;&lt;/td&gt;&lt;/tr&gt;
    &lt;/table&gt;&lt;br&gt;
    &lt;input class="button style1" type="submit" name="submit" value="Edit"&gt;
    &lt;/form&gt;
    &lt;input class="button style2" type="button" value="Back" onclick="history.back()"&gt;
    &lt;/center&gt;
    &lt;/article&gt;
    &lt;?php
    }
    mysqli_close($con);
    ?&gt;


    I also checked the error log
    <i>
    </i>[22-Jun-2021 12:08:09 America/New_York] PHP Notice: A session had already been started - ignoring session_start() in edit.php on line 19
    22-Jun-2021 12:08:14 America/New_York] PHP Notice: Undefined index: guestID in /editsys.php on line 11
    Copy linkTweet thisAlerts:
    @SempervivumJun 22.2021 — >'GuestID' is using int(5) with AUTO_INCREMENT and PRIMARY KEY.

    Then you should omit the quotes around it in the query.

    However the main issue seems to be this:
    >PHP Notice: Undefined index: guestID

    Obviously there is no GET parameter 'guestID'. Is this a POST parameter in reality?

    Edit: Or is it a session variable?
    Copy linkTweet thisAlerts:
    @NogDogJun 22.2021 — Side note: you should be adding those submitted parameters to your query by using a prepared query with bound parameters (best), or at least escaping their values and/or casting them to appropriate numeric types (messier and more prone to error than prepared statements); otherwise risking the possibility of SQL injection (whether malicious or accidental). Something like:
    [code=php]
    $sql = "UPDATE meiabbook SET guestSubject = ?, guestSecSubject = ?, guestContent = ? WHERE guestID = ?";
    $stmt = mysqli_prepare($sql);
    mysqli_stmt_bind_param($stmt, "sssi", $guestSubject, $guestSecSubject, $guestContent, $guestID);
    if(mysqli_stmt_execute($stmt) == false) {
    die('Error: ' . mysqli_error($con)); // Yuck: better to log the error details and just let the user know it failed
    }
    [/code]

    SQL Injection XKCD![SQL Injection XKCD](https://imgs.xkcd.com/comics/exploits_of_a_mom.png)
    Copy linkTweet thisAlerts:
    @KLALMEauthorJun 23.2021 — @Sempervivum#1633243

    After I added the <?php echo $row['guestID']; ?> into edit page, it can now get parameter from 'guestID'. However, it is still error when typing wordings with '
    Copy linkTweet thisAlerts:
    @SempervivumJun 23.2021 — Check if this helps to fix it:

    https://stackoverflow.com/questions/881194/how-do-i-escape-special-characters-in-mysql
    ×

    Success!

    Help @KLALME spread the word by sharing this article on Twitter...

    Tweet This
    Sign in
    Forgot password?
    Sign in with TwitchSign in with GithubCreate Account
    about: ({
    version: 0.1.9 BETA 5.5,
    whats_new: community page,
    up_next: more Davinci•003 tasks,
    coming_soon: events calendar,
    social: @webDeveloperHQ
    });

    legal: ({
    terms: of use,
    privacy: policy
    });
    changelog: (
    version: 0.1.9,
    notes: added community page

    version: 0.1.8,
    notes: added Davinci•003

    version: 0.1.7,
    notes: upvote answers to bounties

    version: 0.1.6,
    notes: article editor refresh
    )...
    recent_tips: (
    tipper: @Yussuf4331,
    tipped: article
    amount: 1000 SATS,

    tipper: @darkwebsites540,
    tipped: article
    amount: 10 SATS,

    tipper: @Samric24,
    tipped: article
    amount: 1000 SATS,
    )...