You have an error in your SQL syntax; check the manual that

Posted: Wed Apr 17, 2013 7:58 pm
by dekon
Could someone help me solve this error in this code please? I get this error and don't know why :wink:

<?php
//create_cat.php
include 'mysql.php';
include 'header.php';

if($_SERVER['REQUEST_METHOD'] != 'POST')
{
	//someone is calling the file directly, which we don't want
	echo 'This file cannot be called directly.';
}
else
{
	//check for sign in status
	if(!$_SESSION['loggedIn'])
	{
		echo 'You must be signed in to post a reply.'. mysql_error();
	}
	else
	{
		//a real user posted a real reply
		 $topicid = mysql_insert_id(); 
		$sql = "INSERT INTO 
                            post(content, 
                                  date, 
                                  topic, 
                                  postby)
				  VALUES 
                            ('" . mysql_real_escape_string($_POST['content']) . "', 
                                 NOW(),
						" . mysql_real_escape_string($_GET['id']) . ",
						" . $_SESSION['user_id'] . ")";
		$result = mysql_query($sql);
						
		if(!$result)
		{
			echo 'Your reply has not been saved, please try again later.'. mysql_error();
		}
		else
		{
			echo 'Your reply has been saved, check out <a href="topic.php?id=' . htmlentities($_GET['id']) . '">the topic</a>.';
		}
	}
}
include 'footer.php';
?>

Re: You have an error in your SQL syntax; check the manual t

Posted: Wed Apr 17, 2013 8:04 pm
by dekon
This is the full error message:
Your reply has not been saved, please try again later.You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 4)' at line 9

Re: You have an error in your SQL syntax; check the manual t

Posted: Wed Apr 17, 2013 8:28 pm
by requinix
What is the value of $sql? Output it (or add it to the error message temporarily) to see.

Also,

" . mysql_real_escape_string($_GET['id']) . "
That is not secure. Yes, I know you're using mysql_real_escape_string(), but that's only supposed to be used for strings. Protecting against SQL injection isn't just as simple as "use mysql_real_escape_string() on everything". If $_GET['id'] is a number then make sure it's a number:

" . (int)$_GET['id'] . "
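As an added illustration of the point above (this is not the poster's code nor the thread's own fix), the snippet below shows what the escaped-but-unquoted query looks like when the id is empty or not numeric, and then the defensive version: validate the id as an integer first and bind it as a parameter. It assumes a PDO connection; an in-memory SQLite database stands in for MySQL so it runs offline, and addslashes() stands in for mysql_real_escape_string(), which no longer exists in current PHP.

```php
<?php
// Added example, not from the original post. Assumption: PDO with pdo_sqlite
// is available; the table layout mirrors the INSERT in the question.

// Returns the validated positive integer or null. Rejects '', '12abc', '4 x', ...
function validateId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The pattern from the question: string escaping applied to an unquoted number.
// addslashes() here stands in for mysql_real_escape_string(); neither one
// rejects an empty or non-numeric value, so the SQL is emitted broken or unchanged.
function interpolatedSql(string $rawId): string
{
    $escaped = addslashes($rawId);
    return "INSERT INTO post(content, date, topic, postby) VALUES ('hi', NOW(), "
        . $escaped . ", 4)";
}

// Defensive version: validate first, then bind a typed parameter.
function savePost(PDO $db, string $content, $rawTopic, int $userId): string
{
    $topic = validateId($rawTopic);
    if ($topic === null) {
        return 'Invalid topic id.';          // rejected before any SQL is built
    }
    $stmt = $db->prepare('INSERT INTO post(content, date, topic, postby) '
        . 'VALUES (:c, CURRENT_TIMESTAMP, :t, :u)');
    $stmt->bindValue(':c', $content, PDO::PARAM_STR);
    $stmt->bindValue(':t', $topic, PDO::PARAM_INT);
    $stmt->bindValue(':u', $userId, PDO::PARAM_INT);
    return $stmt->execute() ? 'Saved.' : 'Not saved.';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE post(id INTEGER PRIMARY KEY, content TEXT, date TEXT, '
    . 'topic INTEGER, postby INTEGER)');

// Empty id: the query ends in ", 4)", the syntax error reported in the thread.
echo interpolatedSql(''), "\n";
// Non-numeric id: escaping leaves it untouched, so whatever was sent reaches MySQL.
echo interpolatedSql('12abc'), "\n";

// Same inputs through validation plus a bound parameter.
echo savePost($db, 'first reply', '', 4), "\n";
echo savePost($db, 'first reply', '12abc', 4), "\n";
echo savePost($db, 'first reply', '12', 4), "\n";
```

Checking the value with FILTER_VALIDATE_INT is slightly stricter than a bare (int) cast, which would silently turn '12abc' into 12 and '' into 0 rather than refusing the request.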