
Problem with PHP CMS System

Posted: Fri Jul 11, 2008 10:55 am
by slaterino
Hi,
I have built a simple PHP CMS system based on a tutorial but am having some serious problems with it. The tutorial I used was for adding 2 fields to a database item and worked fine. However, I have amended the files so they now are capable of amending 3 fields (there will be more fields eventually but I thought I should start off with just one extra). This works fine in the add field to database section but in the edit fields section it keeps throwing up this line after I press the update button:

Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = '5'' at line 1


The script used on this page is:

<?php
include 'library/config.php';
include 'library/opendb.php';

if(isset($_GET['id']))
{
$query = "SELECT id, name, description, add1 ".
"FROM suppliers_uk ".
"WHERE id = '{$_GET['id']}'";
$result = mysql_query($query) or die('Error : ' . mysql_error());
list($id, $name, $description, $add1) = mysql_fetch_array($result, MYSQL_NUM);

$description = htmlspecialchars($description);
}
else if(isset($_POST['name']))
{
$id = $_POST['id'];
$name = $_POST['name'];
$description = $_POST['description'];
$add1 = $_POST['add1'];

if(!get_magic_quotes_gpc())
{
$name = addslashes($name);
$description = addslashes($description);
$add1 = addslashes($add1);
}

// update the article in the database
$query = "UPDATE suppliers_uk ".
"SET name = '$name', description = '$description', add1 = '$add1', ".
"WHERE id = '$id'";
mysql_query($query) or die('Error : ' . mysql_error());

// then remove the cached file
$cacheDir = dirname(__FILE__) . '/cache/';
$cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';

@unlink($cacheFile);

// and remove the index.html too because the file list
// is changed
@unlink($cacheDir . 'index.html');

echo "<p align='center'>Supplier updated</p>";

// now we will display $name & description
// so strip out any slashes
$name = stripslashes($name);
$description = stripslashes($description);
$add1 = stripslashes($add1);
}

include 'library/closedb.php';
?>
<form method="post" action="cms-edit.php">
<input type="hidden" name="id" value="<?=$id;?>">
<table width="700" border="0" cellpadding="2" cellspacing="1" class="box" align="center">
<tr>
<td width="100">name</td>
<td><input name="name" type="text" class="box" id="name" value="<?=$name;?>"></td>
</tr>
<tr>
<td width="100">description</td>
<td><textarea name="description" cols="50" rows="10" class="box" id="description"><?=$description;?></textarea></td>
</tr>
<tr>
<td width="100">add1</td>
<td><textarea name="add1" cols="50" rows="10" class="box" id="add1"><?=$add1;?></textarea></td>
</tr>
<tr>
<td width="100">&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center"><input name="update" type="submit" class="box" id="update" value="Update Article"></td>
</tr>
</table>
<p align="center"><a href="cms-admin.php">Back to admin page</a></p>
</form>


When I changed from editing 2 fields to 3 fields I literally added an extra option for the $add1 field wherever I saw the other two fields. Was this the right thing to do? Can anyone please help me with this problem and let me know why this error is occurring.
Thanks

Re: Problem with PHP CMS System

Posted: Fri Jul 11, 2008 11:02 am
by Reviresco
Looks like it might be the extra comma after "add1".

Code: Select all

$query = "UPDATE suppliers_uk SET name = '$name', description = '$description', add1 = '$add1' WHERE id = '$id' ";

Re: Problem with PHP CMS System

Posted: Fri Jul 11, 2008 6:11 pm
by Benjamin

Code: Select all

 
$query = "UPDATE suppliers_uk ".
"SET name = '$name', description = '$description', add1 = '$add1', ".
"WHERE id = '$id'";
 
There is an extra comma after "add1 = '$add1',". You're also failing to escape your data, which makes it easy to hack into your database.

http://us2.php.net/manual/en/function.m ... string.php
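
Added example, not written by anyone in this thread: the same UPDATE done with PDO bound parameters, so form values are never spliced into the SQL text and the stray-comma mistake has fewer places to hide. The table and column names come from the original post; the `updateSupplier` function name, the in-memory SQLite connection standing in for MySQL, and the sample values are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Update one supplier row with bound parameters; values never become SQL text.
// updateSupplier() is a hypothetical helper name, not part of the original script.
function updateSupplier(PDO $pdo, $rawId, string $name, string $description, string $add1): int
{
    // The id arrives from a hidden form field, so validate it as a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // No comma before WHERE, and no quoting or addslashes() on the values.
    $stmt = $pdo->prepare(
        'UPDATE suppliers_uk
            SET name = :name, description = :description, add1 = :add1
          WHERE id = :id'
    );
    $stmt->execute([
        ':name'        => $name,
        ':description' => $description,
        ':add1'        => $add1,
        ':id'          => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE suppliers_uk (id INTEGER PRIMARY KEY, name TEXT, description TEXT, add1 TEXT)');
$pdo->exec("INSERT INTO suppliers_uk (id, name, description, add1) VALUES (5, 'Old name', 'Old text', 'Old address')");

// Values containing quotes are stored literally instead of ending the SQL string.
$changed = updateSupplier($pdo, '5', "O'Brien & Sons", 'Says "hello"', "1 King's Road");
$row = $pdo->query('SELECT name, add1 FROM suppliers_uk WHERE id = 5')->fetch(PDO::FETCH_ASSOC);
printf("%d row updated: %s / %s\n", $changed, $row['name'], $row['add1']);

// A tampered, non-numeric id is rejected before any query runs.
try {
    updateSupplier($pdo, "5'", 'x', 'y', 'z');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

For MySQL, open the connection with a `mysql:` DSN and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server prepares the statement itself.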

Re: Problem with PHP CMS System

Posted: Sun Jul 13, 2008 6:48 am
by slaterino
Hey,
Thanks so much for your help. In the end I tried a different way of creating my CMS system and it works really well. But I will remember your suggestions for future problems and will definitely look at making my database more secure.
Thanks!!