never was an update query I liked

Questions about the MySQL, PostgreSQL, and most other databases, as well as using it with PHP can be asked here.

Moderator: General Moderators

jonah
Forum Commoner
Posts: 31
Joined: Fri Jun 20, 2003 12:23 am

Post by jonah »

I'm having a horrific day. Reminds me of the one I had a couple of
weeks ago. Then it was VBScript now it's php and I still can't quite
get the UPDATE query syntax correct.

What is wrong with this particular query?

mysql_query("UPDATE Table1 SET Username=$_POST["Username"] WHERE Ident='$str'",$db) or die(mysql_error());

________________________________________________
I keep getting the parse error (in Apache error_log):

unexpected '\"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /var/www/htdocs/updateaction.php on line 9

If I try Username='$_POST["Username"]' , same error

If I try Username=$_POST['Username'] I get: Undefined index
so Double quotes are definitely needed here.

The last entry also throws a web page mysql_error:

You have an error in your SQL syntax near '[Username] WHERE Ident='Easy Saber'' at line 1. **Note 'value' of variable displays
________________________________________________

However, if I try mysql_query('UPDATE Table1 SET Username=$_POST["Username"] WHERE Ident="$str"',$db) or die(mysql_error());

I don't get a parse error in the Apache error_log but I do get a mysql_error:

You have an error in your SQL syntax near '["Username"] WHERE Ident="$str"' at line 1



Will someone kindly rid me of my headache?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

mysql_query("UPDATE Table1 SET Username=$_POST["Username"] WHERE Ident='$str'",$db) or die(mysql_error());
1) "Username" is escaping out of the query.
2) You need to put the username in quotes
Try this:

$sql = "UPDATE Table1 SET Username = '".$_POST["Username"]."' WHERE Ident = '$str'";
mysql_query($sql,$db) or die(mysql_error());
Notice the single and double quotes.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
jonah
Forum Commoner
Posts: 31
Joined: Fri Jun 20, 2003 12:23 am

Post by jonah »

Very interesting. I have not seen that syntax and it appears
peculiar.

1. Are the concatenation characters (.) necessary? What purpose do they
serve?

2. The parsing seems odd since the first " at '". would seem to conflict
with the next " at ["Username. Perhaps the parsing reads from the
inside out. It's hard to keep this straight between scripting languages.

3. Can you provide any principles about parsing specific to php
(mysql) query syntax?


Thanks for your help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

principle 1: if a value you wish to pass is non-numeric, it MUST be quoted.
principle 2: sanitize ALL input outside of your control (anything that comes from the user, including forms)
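
Added example, not part of the thread or any poster's code: the UPDATE from this thread run with a value that contains an apostrophe, first concatenated as in the reply above, then validated and bound as a parameter, which covers both principles. It uses PDO (mysql_query() was removed in PHP 7.0) with an in-memory SQLite database so it runs offline. Assumptions made for the example: the pdo_sqlite extension, the sample row, the $post array standing in for $_POST, and the updateUsername() helper with its validation pattern.

```php
<?php
// Added example, not code from the thread. All data below is constructed.
// Assumes pdo_sqlite; prepare()/execute() are used the same way with the MySQL PDO driver.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Table1 (Ident TEXT PRIMARY KEY, Username TEXT)");
$db->exec("INSERT INTO Table1 VALUES ('Easy Saber', 'old name')");

// Stand-ins for $_POST["Username"] and $str from the thread.
$post = ['Username' => "O'Brien"];   // legitimate value that contains a quote
$str  = 'Easy Saber';

// 1) Concatenated form: the apostrophe inside the value ends the SQL string
//    literal early, so the statement no longer parses.
$sql = "UPDATE Table1 SET Username = '" . $post['Username'] . "' WHERE Ident = '$str'";
try {
    $db->exec($sql);
    echo "concatenated: ok\n";
} catch (PDOException $e) {
    echo "concatenated: failed (", $e->getMessage(), ")\n";
}

// 2) Validate, then bind. The placeholders carry no quotes in the SQL text;
//    the driver passes the values separately from the statement.
function updateUsername(PDO $db, $username, $ident)
{
    // Hypothetical policy for this example: 1-32 chars from letters, digits, space, ' . _ -
    if (!is_string($username) || !preg_match("/^[A-Za-z0-9 '._-]{1,32}\z/", $username)) {
        throw new InvalidArgumentException('Username rejected by validation');
    }
    $stmt = $db->prepare('UPDATE Table1 SET Username = :username WHERE Ident = :ident');
    $stmt->execute([':username' => $username, ':ident' => $ident]);
    return $stmt->rowCount();        // number of rows changed
}

$changed = updateUsername($db, $post['Username'], $str);
$stored  = $db->query("SELECT Username FROM Table1 WHERE Ident = 'Easy Saber'")->fetchColumn();
echo "bound: $changed row(s) updated, stored value = $stored\n";
```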