Problem with PHP CMS System

slaterino
Forum Commoner
Posts: 46
Joined: Fri Jul 11, 2008 10:50 am

Problem with PHP CMS System

Post by slaterino »

Hi,
I have built a simple PHP CMS system based on a tutorial but am having some serious problems with it. The tutorial I used was for adding 2 fields to a database item and worked fine. However, I have amended the files so they now are capable of amending 3 fields (there will be more fields eventually but thought I should start off with just one extra). This works fine in the add field to database section but in the edit fields section keeps throwing up this line after I press the update button:

Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = '5'' at line 1


The script used on this page is:

<?php
include 'library/config.php';
include 'library/opendb.php';

if(isset($_GET['id']))
{
    $query = "SELECT id, name, description, add1 ".
             "FROM suppliers_uk ".
             "WHERE id = '{$_GET['id']}'";
    $result = mysql_query($query) or die('Error : ' . mysql_error());
    list($id, $name, $description, $add1) = mysql_fetch_array($result, MYSQL_NUM);

    $description = htmlspecialchars($description);
}
else if(isset($_POST['name']))
{
    $id = $_POST['id'];
    $name = $_POST['name'];
    $description = $_POST['description'];
    $add1 = $_POST['add1'];

    if(!get_magic_quotes_gpc())
    {
        $name = addslashes($name);
        $description = addslashes($description);
        $add1 = addslashes($add1);
    }

    // update the article in the database
    $query = "UPDATE suppliers_uk ".
             "SET name = '$name', description = '$description', add1 = '$add1', ".
             "WHERE id = '$id'";
    mysql_query($query) or die('Error : ' . mysql_error());

    // then remove the cached file
    $cacheDir = dirname(__FILE__) . '/cache/';
    $cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';

    @unlink($cacheFile);

    // and remove the index.html too because the file list
    // is changed
    @unlink($cacheDir . 'index.html');

    echo "<p align='center'>Supplier updated</p>";

    // now we will display $name & description
    // so strip out any slashes
    $name = stripslashes($name);
    $description = stripslashes($description);
    $add1 = stripslashes($add1);
}

include 'library/closedb.php';
?>
<form method="post" action="cms-edit.php">
<input type="hidden" name="id" value="<?=$id;?>">
<table width="700" border="0" cellpadding="2" cellspacing="1" class="box" align="center">
  <tr>
    <td width="100">name</td>
    <td><input name="name" type="text" class="box" id="name" value="<?=$name;?>"></td>
  </tr>
  <tr>
    <td width="100">description</td>
    <td><textarea name="description" cols="50" rows="10" class="box" id="description"><?=$description;?></textarea></td>
  </tr>
  <tr>
    <td width="100">add1</td>
    <td><textarea name="add1" cols="50" rows="10" class="box" id="add1"><?=$add1;?></textarea></td>
  </tr>
  <tr>
    <td width="100">&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <td colspan="2" align="center"><input name="update" type="submit" class="box" id="update" value="Update Article"></td>
  </tr>
</table>
<p align="center"><a href="cms-admin.php">Back to admin page</a></p>
</form>


When I changed from editing 2 fields to 3 fields I literally added an extra option for the $add1 field wherever I saw the other two fields. Was this the right thing to do? Can anyone please help me with this problem and let me know why this error is occurring?
Thanks
Reviresco
Forum Contributor
Posts: 172
Joined: Tue Feb 19, 2008 4:18 pm
Location: Milwaukee

Re: Problem with PHP CMS System

Post by Reviresco »

Looks like it might be the extra comma after "add1".

$query = "UPDATE suppliers_uk SET name = '$name', description = '$description', add1 = '$add1' WHERE id = '$id' ";
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Problem with PHP CMS System

Post by Benjamin »

$query = "UPDATE suppliers_uk ".
"SET name = '$name', description = '$description', add1 = '$add1', ".
"WHERE id = '$id'";

There is an extra comma after "add1 = '$add1',". You're also failing to escape your data, which makes it easy to hack into your database.

http://us2.php.net/manual/en/function.m ... string.php
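
Added example, not part of any post in this thread: the UPDATE from the question written with PDO bound parameters, a different technique from the string escaping suggested in the reply above, so quote characters in the form fields cannot change the SQL. It assumes PHP 7 or later with the pdo_sqlite driver and uses an in-memory SQLite table with constructed rows in place of the MySQL database; `updateSupplier` is a hypothetical helper name.

```php
<?php
// Constructed schema and rows; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE suppliers_uk (
    id INTEGER PRIMARY KEY, name TEXT, description TEXT, add1 TEXT)');
$pdo->exec("INSERT INTO suppliers_uk VALUES (5, 'Acme', 'Old text', 'Old address')");

// Hypothetical helper: update one supplier using bound parameters.
function updateSupplier(PDO $pdo, array $post): int
{
    // The id must be a positive integer; anything else is rejected.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid supplier id');
    }
    // Placeholders keep the values out of the SQL text, so quotes in
    // the input cannot alter the statement and no addslashes() is needed.
    $stmt = $pdo->prepare(
        'UPDATE suppliers_uk
            SET name = :name, description = :description, add1 = :add1
          WHERE id = :id');
    $stmt->execute([
        ':name'        => $post['name'] ?? '',
        ':description' => $post['description'] ?? '',
        ':add1'        => $post['add1'] ?? '',
        ':id'          => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed form input containing quote characters.
$post = ['id' => '5', 'name' => "O'Brien & Sons",
         'description' => 'Says "hello"', 'add1' => "1 King's Road"];
echo updateSupplier($pdo, $post), " row(s) updated\n";

// Escape when writing values back into the form, not before storing them.
$row = $pdo->query('SELECT name, add1 FROM suppliers_uk WHERE id = 5')
           ->fetch(PDO::FETCH_ASSOC);
echo '<input name="name" value="',
     htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\">\n";

// A non-numeric id never reaches the database.
try {
    updateSupplier($pdo, ['id' => '5 OR 1=1', 'name' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```
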
slaterino
Forum Commoner
Posts: 46
Joined: Fri Jul 11, 2008 10:50 am

Re: Problem with PHP CMS System

Post by slaterino »

Hey,
Thanks so much for your help. In the end I tried a different way of creating my CMS system and it works really well. But I will remember your suggestions for future problems and will definitely look at making my database more secure.
Thanks!!