Page 1 of 1

never was an update query I liked

Posted: Fri Aug 27, 2004 4:49 pm
by jonah
I'm having a horrific day. Reminds me of the one I had a couple of
weeks ago. Then it was VBScript now it's php and I still can't quite
get the UPDATE query syntax correct.

What is wrong with this particular query?

mysql_query("UPDATE Table1 SET Username=$_POST["Username"] WHERE Ident='$str'",$db) or die(mysql_error());

________________________________________________
I keep getting the parse error (in Apache error_log):

unexpected '\"', expecting T_STRING or T_VARIABLE or T_NUM_STRING in /var/www/htdocs/updateaction.php on line 9

If I try Username='$_POST["Username"]' , same error

If I try Username=$_POST['Username'] I get: Undefined index
so Double quotes are definitely needed here.

The last entry also throws a web page mysql_error:

You have an error in your SQL syntax near '[Username] WHERE Ident='Easy Saber'' at line 1. **Note 'value' of variable displays
________________________________________________

However, if I try mysql_query('UPDATE Table1 SET Username=$_POST["Username"] WHERE Ident="$str"',$db) or die(mysql_error());

I don't get a parse error in the Apache error_log but I do get a mysql_error:

You have an error in your SQL syntax near '["Username"] WHERE Ident="$str"' at line 1



Will someone kindly rid me of my headache?

Posted: Fri Aug 27, 2004 5:14 pm
by pickle

Code: Select all

mysql_query("UPDATE Table1 SET Username=$_POSTї"Username"] WHERE Ident='$str'",$db) or die(mysql_error());
1) "Username" is escaping out of the query.
2) You need to put the username in quotes
Try this:

Code: Select all

$sql = "UPDATE Table1 SET Username = '".$_POST["Username"]."' WHERE Ident = '$str'";
$mysql_query($query,$db) or die(mysql_error());
Notice the single and double quotes.

Posted: Fri Aug 27, 2004 6:02 pm
by jonah
Very interesting. I have not seen that syntax and it appears
peculiar.

1. Are the concatenation characters (.) necessary? What purpose to they
serve?

2. The parsing seems odd since the first " at '". would seem to conflict
with the next " at ["Username. Perhaps the parsing reads from the
inside out. It's hard to keep this straight between scripting languages.

3. Can you provide any principles about parsing specific to php
(mysql) query syntax?


Thanks for your help.

Posted: Fri Aug 27, 2004 6:31 pm
by feyd
principle 1: if a value you wish to pass is non-numeric, it MUST be quoted.
principle 2: sanitize ALL input outside of your control (anything that comes from the user, including forms)