Reputation: 3
Getting:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Creed III', description='The plot is set in a fictional history of real ' at line 2
when trying to edit posts on a database.
Here's my display and edit PHP:
$result = mysql_query("SELECT * FROM gallery");
while ($row = mysql_fetch_array( $result )){
// while looping thru each record…
// output each field anyway you like
$title = $row['title'] ;
$description = $row['description'];
$year = $row['year'];
$rating = $row['rating'];
$genre = $row['genre'];
$filename = $row['filename'];
$imageid = $row['imageid'];
include '../modules/edit_display.html';
}
// STEP 2: IF Update button is pressed , THEN UPDATE DB with the changes posted
if(isset($_POST['submit'])){
$thisTitle = $_POST['title'];
$thisDescription = $_POST['description'];
$thisYear = $POST['year'];
$thisRating = $POST['rating'];
$thisGenre = $POST['genre'];
$thisNewFilename = basename($_FILES['file']['name']);
$thisOneToEdit = $_POST['imageid'];
$thisfilename = $_POST['filename'];
if ($thisNewFilename == ""){
$thisNewFilename = $thisfilename ;
} else {
uploadImage();
createThumb($thisNewFilename , 120, "../uploads/thumbs120/");
}
$sql = "UPDATE gallery SET
title='$thisTitle',
description='$thisDescription',
year='$thisYear',
rating='$thisRating',
genre='$thisGenre',
filename='$thisNewFilename'
WHERE
imageid= $thisOneToEdit";
$result = mysql_query($sql) or die (mysql_error());
}
Upvotes: 0
Views: 106
Reputation: 6736
You have a syntax error here. Use $_POST instead of $POST.
Replace
$thisYear = $POST['year'];
$thisRating = $POST['rating'];
$thisGenre = $POST['genre'];
With
$thisYear = $_POST['year'];
$thisRating = $_POST['rating'];
$thisGenre = $_POST['genre'];
Upvotes: 2
Reputation: 9351
You have a lot of issues in your script.
You're trying to add a ' character to the database; you need to escape it properly with addslashes.
You're vulnerable to SQL injection. Escape it properly with mysql_real_escape_string, or even better, use PDO.
Third, it is $_POST, not $POST. You're using it wrong in some areas.
Add quotes to $thisOneToEdit in the query.
The error is caused because you're trying to add the Assassin's Creed III string to the database. The single quote breaks your query and creates a syntax error.
Upvotes: 1
Reputation: 23503
You're suffering from an imminent dose of SQL Injection due to using a dangerous user input model.
When you type "Assassin's Creed III" in the title field, that gets placed in single quotes in the UPDATE statement in your code (via the $_POST['title'] variable):
'Assassin's Creed III'
The problem there is that MySQL sees it as 'Assassin', followed by s Creed III'. It doesn't know what to do with the latter.
Of course, this becomes a HUGE problem if someone types in valid SQL at that point, but not what you expected. Have a look at How can I prevent SQL injection in PHP? or any of several other pieces of advice on avoiding SQL Injection.
Upvotes: 3
Reputation: 1761
Do an addslashes() on the values that might contain single or double quotes, like below, before using them in the query:
$thisTitle = addslashes($_POST['title']);
Upvotes: 0
Reputation: 27364
I have seen you are adding ' into the database, so you need to escape it using addslashes():
addslashes($thisTitle)
Upvotes: 2
Reputation: 1115
You need to escape your input like
$thisDescription = mysql_real_escape_string($_POST['description']);
Do this for all input that contains quotation marks etc.
NOTE: mysql will soon be gone, so it's advised to write new code using mysqli instead.
Upvotes: 1
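The point the answers above make (the apostrophe in "Assassin's Creed III" breaks the interpolated UPDATE, and the real fix is to bind values with PDO rather than paste them into the SQL text), as an added example that is not part of the question or of any answer. It rebuilds the question's UPDATE against an in-memory SQLite database (pdo_sqlite ships with PHP, so it runs offline with php on the command line); the gallery table, its two rows, the form input and the hostile imageid value are all constructed here for the demonstration, and the column layout is taken from the question's query.

```php
<?php
// Added example: the question's UPDATE built by string interpolation next to
// a PDO prepared statement. Runs offline against in-memory SQLite; the table,
// rows and form input below are constructed for the demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gallery (
    imageid INTEGER PRIMARY KEY, title TEXT, description TEXT,
    year TEXT, rating TEXT, genre TEXT, filename TEXT)');
$pdo->exec("INSERT INTO gallery VALUES
    (1, 'Old title', '', '2012', 'M', 'Action', 'a.jpg'),
    (2, 'Untouched', '', '2011', 'T', 'RPG',    'b.jpg')");

// What $_POST would hold after submitting the edit form (constructed input).
$post = [
    'title'       => "Assassin's Creed III",
    'description' => 'The plot is set in a fictional history of real events',
    'year'        => '2012',
    'rating'      => 'M',
    'genre'       => 'Action',
    'filename'    => 'ac3.jpg',
    'imageid'     => '1',
];

// 1. The question's approach: user input pasted straight into the SQL text.
function updateUnsafe(PDO $pdo, array $p): int
{
    $sql = "UPDATE gallery SET
        title='{$p['title']}',
        description='{$p['description']}',
        year='{$p['year']}',
        rating='{$p['rating']}',
        genre='{$p['genre']}',
        filename='{$p['filename']}'
        WHERE imageid= {$p['imageid']}";
    return $pdo->exec($sql);   // number of rows changed
}

try {
    updateUnsafe($pdo, $post);
} catch (PDOException $e) {
    // The apostrophe in "Assassin's" closes the literal early: the same
    // syntax error the question shows, in SQLite's wording.
    echo "unsafe: " . $e->getMessage() . "\n";
}

// The unquoted, unchecked imageid lets the WHERE clause be rewritten, so one
// form submission edits every row (hypothetical hostile input).
$hostile = $post;
$hostile['title']   = 'pwned';
$hostile['imageid'] = '1 OR 1=1';
echo "unsafe with hostile imageid changed " . updateUnsafe($pdo, $hostile) . " rows\n";

// 2. Prepared statement: SQL text and values travel separately, so a quote
//    in the data cannot alter the statement, and imageid is validated and
//    bound as an integer instead of being spliced into the WHERE clause.
function updateSafe(PDO $pdo, array $p): int
{
    $id = filter_var($p['imageid'], FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('imageid must be an integer');
    }
    $stmt = $pdo->prepare('UPDATE gallery SET
        title = :title, description = :description, year = :year,
        rating = :rating, genre = :genre, filename = :filename
        WHERE imageid = :imageid');
    foreach (['title', 'description', 'year', 'rating', 'genre', 'filename'] as $col) {
        $stmt->bindValue(":$col", $p[$col]);
    }
    $stmt->bindValue(':imageid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

echo "safe changed " . updateSafe($pdo, $post) . " row(s)\n";
echo "row 1 title: " . $pdo->query('SELECT title FROM gallery WHERE imageid = 1')->fetchColumn() . "\n";
echo "row 2 title: " . $pdo->query('SELECT title FROM gallery WHERE imageid = 2')->fetchColumn() . "\n";
try {
    updateSafe($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo "safe rejected hostile imageid: " . $e->getMessage() . "\n";
}
```

Two things the run makes visible. First, the interpolated version fails on the apostrophe exactly as the question describes, and because imageid is unquoted and unchecked, a value such as 1 OR 1=1 turns a one-row edit into an edit of every row; addslashes() or mysql_real_escape_string() would quote the apostrophe but does nothing for that unquoted integer, which is why the answers recommending PDO are the ones to follow. Second, the prepared statement stores the title with its apostrophe intact and touches only the requested row, and the integer check rejects the hostile id before any SQL runs. When the same code talks to MySQL rather than SQLite, also set PDO::ATTR_EMULATE_PREPARES to false so the binding is done by the server rather than by the client driver.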