Reputation: 469
I am running the following and it appears to be extracting the data from the array, as the error contains all the data I have queried, so I'm not sure why I am getting an error:
<?php
$user = $_POST['cf_id'];
$form = $_POST['uid'];
$date = date("d-m-Y");
$query = mysql_query("UPDATE hqfjt_chronoforms_data_addupdatelead SET '".$form."' = '".$date."' WHERE cf_id = '".$user."' ")
or die(mysql_error());
?>
The error I am getting is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''185cfb5654aacf3038e3f26491f227356b5d768f' = '30-12-2011' WHERE cf_id = '32'' at line 1
As you can see, the data is being pulled in, so not sure if I have a syntax error somewhere?
Upvotes: 0
Views: 104
Reputation: 1388
The issue here is that what you're calling $form is being used as a column name. Since you are populating it from a post parameter named UID, I'm assuming this is not correct. What you likely want is something more along the lines of:
"UPDATE hqfjt_chronoforms_data_addupdatelead SET `date` = '".$date."' WHERE cf_id = '".$user."' and `uid` = " . $form;
I'm sure that's not exact, but it just doesn't make any sense to use a UID as a column name.
Upvotes: 0
Reputation: 384
try this: mysql_real_escape_string
<?php
$user = mysql_real_escape_string($_POST['cf_id']);
$form = mysql_real_escape_string($_POST['uid']);
$date = mysql_real_escape_string(date("d-m-Y"));
$query = mysql_query("UPDATE hqfjt_chronoforms_data_addupdatelead SET '".$form."' = '".$date."' WHERE cf_id = '".$user."' ")
or die(mysql_error());
?>
Upvotes: 0
Reputation:
If `$form` is a column, don't use quotes (') but rather accents (`). (so make it `$form`)
Upvotes: 3
Reputation: 324620
$10 says you have an apostrophe in your string and didn't bother escaping it, leaving yourself open to SQL injection attacks.
Upvotes: 0
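The two points raised in the answers above (backticks for a column name, and the injection risk of concatenating POST data) can be handled together. The following is an added example, not code from any poster in this thread: it assumes PDO with an in-memory SQLite database so it runs offline, and the helper name `markFormDate` and the allowlist are hypothetical.

```php
<?php
// Added example, not from the thread. In-memory SQLite through PDO keeps it
// self-contained; the same pattern applies to a PDO MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: the table name and the hash-named column are taken from
// the question's error message; the row is made up for the demo.
$pdo->exec('CREATE TABLE hqfjt_chronoforms_data_addupdatelead (
    cf_id INTEGER PRIMARY KEY,
    `185cfb5654aacf3038e3f26491f227356b5d768f` TEXT
)');
$pdo->exec('INSERT INTO hqfjt_chronoforms_data_addupdatelead (cf_id) VALUES (32)');

// Hypothetical helper: write today's date into a request-chosen column.
function markFormDate(PDO $pdo, array $allowedColumns, string $column, string $cfId): int
{
    // Identifiers cannot be bound as parameters, so the column name is only
    // accepted when it exactly matches a known column.
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown column');
    }
    // Backticks quote an identifier; single quotes would turn it into a
    // string literal, which is the syntax error in the question.
    $sql = 'UPDATE hqfjt_chronoforms_data_addupdatelead SET `' . $column
         . '` = :date WHERE cf_id = :cf_id';
    $stmt = $pdo->prepare($sql);
    // Values travel as bound parameters, so an apostrophe in them cannot
    // change the structure of the statement.
    $stmt->execute([':date' => date('d-m-Y'), ':cf_id' => $cfId]);
    return $stmt->rowCount();
}

$allowed = ['185cfb5654aacf3038e3f26491f227356b5d768f'];

// Constructed inputs standing in for $_POST['uid'] and $_POST['cf_id'].
$rows = markFormDate($pdo, $allowed, '185cfb5654aacf3038e3f26491f227356b5d768f', '32');
echo "rows updated: ", $rows, "\n";

try {
    // A column name that is not on the allowlist never reaches the SQL string.
    markFormDate($pdo, $allowed, "not_a_column'", '32');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```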