MySQL syntax:You have an error in your SQL syntax

Question

I have written a very simple function:

function editCategory() {
    $ID         = urlencode($_GET['id']);
    $cname   = mysql_fix_string($_POST['cname']);
    $kabst   = mysql_fix_string($_POST['kabst']);
    $kselect    = $_POST['kselect'];
    $subsl      = $_POST['subsl'];
    $kradio     = $_POST['kradio'];
    $ksubmit    = $_POST['ksubmit'];

    if (isset($ksubmit)) {
        $query = "UPDATE category SET name = '$cname', description = '$kabst', published = '$kselect',  home = '$kradio', subcat = '$subsl'  WHERE id = $ID ";

        $result = mysql_query($query);
        if (mysql_affected_rows () == 1) {
            echo "ok";
        }
        else{
            echo mysql_error();
        }
    }
}

function mysql_fix_string($string)
{
    if (get_magic_quotes_gpc())
        $string = stripslashes(($string));
    return mysql_real_escape_string($string);
}

Error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

What is wrong?

Answer 1

Here is an example of a very simple CRUD application, just to show how to pass an id:

<?
mysql_connect();
mysql_select_db("new");
$table="test";
if($_SERVER['REQUEST_METHOD']=='POST') { //form handler part:
  $name = mysql_real_escape_string($_POST['name']);
  if ($id=intval($_POST['id'])) {
    $query="UPDATE $table SET name='$name' WHERE id=$id";
  } else {
    $query="INSERT INTO $table SET name='$name'";
  }
  mysql_query($query) or trigger_error(mysql_error()." in ".$query);
  header("Location: http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
  exit;
}
if (!isset($_GET['id'])) { //listing part:
  $LIST=array();
  $query="SELECT * FROM $table";
  $res=mysql_query($query);
  while($row=mysql_fetch_assoc($res)) $LIST[]=$row;
  include 'list.php';
} else { // form displaying part:

  if ($id=intval($_GET['id'])) {
    $query="SELECT * FROM $table WHERE id=$id";
    $res=mysql_query($query);
    $row=mysql_fetch_assoc($res);
    foreach ($row as $k => $v) $row[$k]=htmlspecialchars($v);
  } else {
    $row['name']='';
    $row['id']=0;
  }
  include 'form.php';
}
?>

File form.php:

<form method="POST">
<input type="text" name="name" value="<?=$row['name']?>"><br>
<input type="hidden" name="id" value="<?=$row['id']?>">
<input type="submit"><br>
<a href="?">Return to the list</a>
</form>

File list.php:

<a href="?id=0">Add item</a>
<? foreach ($LIST as $row): ?>
<li><a href="?id=<?=$row['id']?>"><?=$row['name']?></a>
<? endforeach ?>

Answer 2

$ID         = intval($_GET['id']); //using urlencode here is weird
$cname      =  mysql_real_escape_string($_POST['cname']); 
//and the same for the rest ALL.
$kradio     = mysql_real_escape_string($_POST['kradio']); 

Also,

$ksubmit    = $_POST['ksubmit']; 
if (isset($ksubmit)) { 

is senseless. $ksubmit would be always set it should be

if (isset($_POST['ksubmit'])) { 

To be sure you have all variables, please add these lines at the top of the script:

ini_set('display_errors',1);
error_reporting(E_ALL);

Answer 3

You have to make sure that :

• For fields that are strings (varchar/char) in the DB :
  • the values you're passing are properly enclosed with quotes
  • the content of the values you're passing must be escaped : if there is a quote in what the user POSTed, it must be escaped -- see mysql_real_escape_string
• For fields that are integers in the DB :
  • You must pass integer values
  • which can be ensured by calling intval on the values POSTed by the user

Here, you should probably :

• Use intval() on $_GET['id']
• Use mysql_real_escape_string on some other fields.
  • JUdging from the query, in which all fields, except id are enclosed with single-quotes, I'd say you have to use mysql_real_escape_string on all fields -- except id, of course.

As a sidenote :

• You are using $_GET for id
• And $_POST for everything else.

Is that on purpose ?

Answer 4

Sounds like an empty variable.

And do something against SQL injection, everybody can hack your database. With a little luck, you're the one killing your database... Use mysql_real_escape_string() for all user input into your queries.