if command

Posted: Sun Nov 20, 2005 9:27 pm
by joecrack
hei i have this if command and it's not working. the error is:
server version for the right syntax to use near 'WHERE projnr='8888' AND customernr='88.88.'' at line 1
But:
customernr='".$_POST['customernr']."
is right - isn't it???
The whole code is:

Code:

if($actdeldate>0){
    $sql = "UPDATE sam_date_val SET plannedmonth='0000-00-00' WHERE projnr='" .$_POST['projnr']."' AND customernr='".$_POST['customernr']."'";

    mysql_query ( $sql ) or die ( 'MySQL-Fehler: ' . mysql_error () );
}

Posted: Sun Nov 20, 2005 9:45 pm
by wyred
I usually echo the $sql statement variable together in die() function, makes troubleshooting a lot easier. Why don't you try that and copy and paste the executed SQL statement here?

Posted: Sun Nov 20, 2005 9:58 pm
by joecrack
hai
i found the problem ... i have another if/update command before this one in the script, and if i take that one out it is working. it also has this in it:

Code:

$sql = "UPDATE sam_date_val SET tovalue=$tovalue WHERE projnr='".$_POST['projnr']."' AND customernr='".$_POST['customernr']."'";
mysql_query ( $sql ) or die ( 'MySQL-Fehler: ' . mysql_error () );

So could that be the problem ????
I mean it has to be because when i delete it - it is working!!!

Posted: Sun Nov 20, 2005 9:59 pm
by Charles256
not necessarily.. since we don't have all the code it's kind of hard to speculate....

Posted: Sun Nov 20, 2005 10:02 pm
by joecrack
No Prob there u go =)

Code:

if($cortval3>0){
    $tovalue=$tovalue+$cortval1+$cortval2+$cortval3;
}
elseif($cortval2>0){
    $tovalue=$tovalue+$cortval1+$cortval2;
}
elseif($cortval1>0){
    $tovalue=$tovalue+$cortval1;
}
$sql = "UPDATE sam_date_val SET tovalue=$tovalue WHERE projnr='".$_POST['projnr']."' AND customernr='".$_POST['customernr']."'";

mysql_query ( $sql ) or die ( 'MySQL-Fehler: ' . mysql_error () );

if($actdeldate>0){
    $sql2 = "UPDATE sam_date_val SET plannedmonth=$plannedmonth WHERE projnr='" .$_POST['projnr']."' AND customernr='".$_POST['customernr']."'";

    mysql_query ( $sql2 ) or die ( 'MySQL-Fehler: ' . mysql_error () );
}

Posted: Sun Nov 20, 2005 10:24 pm
by Charles256
hum...try this....maybe...

Code:

if ($cortval3>0)
{
   $tovalue=$tovalue+$cortval1+$cortval2+$cortval3;    
}
else if($cortval2>0)
{
  $tovalue=$tovalue+$cortval1+$cortval2;
}
else if($cortval1>0)
{
  $tovalue=$tovalue+$cortval1;
}

$projnr=$_POST['projnr'];
$customernr=$_POST['customernr'];

$sql = "UPDATE sam_date_val SET tovalue='$tovalue' WHERE (projnr='$projnr' AND customernr='$customernr')";

mysql_query ( $sql ) or die ( 'MySQL-Fehler: ' . mysql_error () );


if($actdeldate>0)
{
  $sql2 = "UPDATE sam_date_val SET plannedmonth='$plannedmonth' WHERE (projnr='$projnr' AND customernr='$customernr')";

  mysql_query ( $sql2 ) or die ( 'MySQL-Fehler: ' . mysql_error () );
}

Posted: Sun Nov 20, 2005 11:17 pm
by joecrack
NO still same error:
server version for the right syntax to use near 'WHERE projnr='8888' AND customernr='88.88.'' at line 120
(line 120 is the second update command)
Why is it a problem to use it a second time ???
I mean it doesn't say anything about the first update!

Posted: Sun Nov 20, 2005 11:34 pm
by Charles256
echo the two SQL commands and compare them..

Posted: Sun Nov 20, 2005 11:46 pm
by joecrack
hmmm .. i write the same echo after both UPDATEs and it's not showing me the second one....
same: echo"$sql"
and nothing at the second UPDATE ????? 8O

Posted: Sun Nov 20, 2005 11:56 pm
by Charles256
because the second one is called sql2?:-d

Posted: Mon Nov 21, 2005 12:15 am
by joecrack
nope - renamed it !!!
both "sql " now !!!

Posted: Mon Nov 21, 2005 4:16 am
by Jenk
You'll need to see what the actual string of the SQL statement contains in order to suss the error, which you are on track to doing.

But another very vital point about your use of SQL and $_POST .. you are so, so open to SQL Injection attacks, please read up on PHP+MySQL security. (For example, take a look at the mysql_real_escape_string() function)

Posted: Mon Nov 21, 2005 7:48 pm
by joecrack
the script i have is only available on the intranet of my firm....
do i still have to change things because of sql injections???

Posted: Mon Nov 21, 2005 8:49 pm
by Jenk
Yes. As SQL injection can be accidental as well as deliberate. (if any of your $_POST values contain an apostrophe for example, your script will break)

Posted: Mon Nov 21, 2005 9:02 pm
by joecrack
so do you have any suggestions???
or do you have a good url or tutorial???
and the script is finally working ... but still one thing i need to know.
if i updated like this:

Code:

$sql = "UPDATE sam_date_val SET tovalue=tovalue+$tovalue WHERE (projnr='$projnr' AND customernr='$customernr' AND contrdate='$contrdate')";
mysql_query ( $sql ) or die ( 'MySQL-Fehler: ' . mysql_error () );

And now i want to save the value again (sam_date_val.tovalue).
How can i get this new Value so i can save it like
$newsamtoval=......;

thx
joe
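
Added example (not part of the thread and not any poster's code): Jenk's point that an apostrophe in a $_POST value breaks the concatenated UPDATE, shown next to a prepared statement that accepts the same input, followed by a second query that reads the updated tovalue back. It assumes PDO with an in-memory SQLite database standing in for the MySQL server so it runs offline; the table and column names are the ones quoted in the posts, while the $post array and the row values are constructed.

```php
<?php
// Added example. SQLite in memory stands in for MySQL (assumption) so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE sam_date_val (projnr TEXT, customernr TEXT, tovalue REAL)");
$db->exec("INSERT INTO sam_date_val VALUES ('8888', 'O''Brien 88.88.', 100)");

// Constructed form input: a legitimate customer number that contains an apostrophe.
$post = ['projnr' => '8888', 'customernr' => "O'Brien 88.88.", 'tovalue' => '25.5'];

// 1) String concatenation, as in the thread: the apostrophe closes the SQL string
//    literal early, so the statement no longer parses.
$sql = "UPDATE sam_date_val SET tovalue = tovalue + " . $post['tovalue'] .
       " WHERE projnr='" . $post['projnr'] . "' AND customernr='" . $post['customernr'] . "'";
try {
    $db->exec($sql);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    // Printing the final SQL string next to the error shows where it broke.
    echo "concatenated query failed: " . $e->getMessage() . "\n  SQL was: $sql\n";
}

// 2) Prepared statement: values are sent separately from the SQL text, so quotes
//    in the data cannot change the structure of the statement.
$upd = $db->prepare(
    "UPDATE sam_date_val SET tovalue = tovalue + :delta
     WHERE projnr = :projnr AND customernr = :customernr"
);
$upd->execute([
    ':delta'      => (float) $post['tovalue'],   // numeric input is cast explicitly
    ':projnr'     => $post['projnr'],
    ':customernr' => $post['customernr'],
]);
echo "rows updated: " . $upd->rowCount() . "\n";

// 3) Read the new value back with a second parameterised query.
$sel = $db->prepare(
    "SELECT tovalue FROM sam_date_val WHERE projnr = :projnr AND customernr = :customernr"
);
$sel->execute([':projnr' => $post['projnr'], ':customernr' => $post['customernr']]);
$newsamtoval = $sel->fetchColumn();
echo "new tovalue: $newsamtoval\n";
```

Against a MySQL server the same prepare/execute calls work with a `mysql:` PDO DSN in place of `sqlite::memory:`.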