I have a problem

I have done my project, but there is a problem in it, like:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'blink = 'asd' WHERE bid='1'' at line 6 in the file for editing my book content

    <?php
    include("../includes/config.php");
    $cuser = mysql_query("SELECT * FROM books");
    $id = intval($_GET['id']);
    $bname = strip_tags($_POST['bname']);
    $bpic = strip_tags($_POST['bpic']);
    $bdesc = strip_tags($_POST['bdesc']);
    $bauthor = strip_tags($_POST['bauthor']);
    $blink = strip_tags($_POST['blink']);
    if(isset($_GET['edit'])){
        $cuuser = mysql_fetch_object($cuser);
        echo "<form action='editbook.php?edit=yes&id=".$cuuser->bid."' method='POST'>
        <table>
        <tr>
        <td>bname : </td>
        <td><input name='bname' type='text' value='".$cuuser->bname."' /></td>
        </tr>
        <tr>
        <td>bpic : </td>
        <td><input name='bpic' type='text' value='".$cuuser->bpic."' /></td>
        </tr>
        <tr>
        <td>bdesc : </td>
        <td><input name='bdesc' type='text' value='".$cuuser->bdesc."' /></td>
        </tr>
        <tr>
        <td>blink : </td>
        <td><input name='blink' type='text' value='".$cuuser->blink."' /></td>
        </tr>
        <tr>
        <td>bauthor : </td>
        <td><input name='bauthor' type='text' value='".$cuuser->bauthor."' /></td>
        </tr>
        <td><input name='do' type='submit' value='GO' /></td>
        </table>
        </form>";
    }
    if($_REQUEST['edit'] == 'yes'){
        // As posted: the query MySQL rejects (see the error message above).
        $uuser = mysql_query("UPDATE books SET 
        bname = '$bname',
        bpic = '$bpic',
        bdesc = '$bdesc',
        bauthor = '$bauthor'
        blink = '$blink'
        WHERE bid='$id' ") or die(mysql_error()) ;
        if(isset($uuser)){
            echo "done";
        }
    }
    ?>

When I delete (blink = '$blink') from the query it will save and edit, but I need it in my project. Note: I changed blink a lot of times and tried other names (same problem).

And if there is another way to edit MySQL content via PHP I will be so happy :) Anything that makes my project work correctly.

Thanks :)

Comments:

  • bauthor = '$bauthor',, note the comma. Commented Jan 7, 2017 at 13:49
  • This isn't a live site, I hope. Commented Jan 7, 2017 at 14:02
  • It's a TYPO, close accordingly. Commented Jan 7, 2017 at 14:49
  • @Mr.Kmar Btw, what Ray C wrote in his answer is not entirely true/correct. Consult the comments I left under the answer. Don't kid yourself and don't play with security when it comes to the Internet; you will not be happy if/when you do make a live site, believe me. Commented Jan 8, 2017 at 0:38

1 Answer

First, you omitted a comma in your update statement after the bauthor and blink lines.

Second, I see you did not do any processing of the input data. It is very vulnerable to SQL injection. Also, if someone types a quote mark ' inside the input data, your save query will fail too. So you should make a fix for this purpose too. Simply applying the mysql_real_escape_string function to each input will save you from save failures on string data containing commas.

So try the following code for a fast fix:

    if($_REQUEST['edit'] == 'yes'){
        $uuser = mysql_query("UPDATE books SET 
        bname = '" . mysql_real_escape_string($bname) . "',
        bpic = '" . mysql_real_escape_string($bpic) . "',
        bdesc = '" . mysql_real_escape_string($bdesc) . "',
        bauthor = '" . mysql_real_escape_string($bauthor) . "',
        blink = '" . mysql_real_escape_string($blink) . "' 
        WHERE bid='$id' ") or die(mysql_error()) ;
        if(isset($uuser)){
            echo "done";
        }
    }

For a better security option, you can try PDO with prepared statements.

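Added example, not code from the question or the answer: the same edit flow written with PDO prepared statements, which is what the answer's last line points to. It assumes the `books` columns shown in the question; the in-memory SQLite database and the sample row are constructed so the script runs offline.

```php
<?php
// Added example, not the answer's own code: the edit flow from the question
// rewritten with PDO prepared statements. Values travel separately from the
// SQL text, so a quote inside a field can neither break the statement nor
// alter what it does. An in-memory SQLite database is used only so this runs
// offline; for MySQL the DSN would be "mysql:host=...;dbname=...;charset=utf8mb4".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed schema and row mirroring the columns in the question.
$pdo->exec("CREATE TABLE books (bid INTEGER PRIMARY KEY, bname TEXT, bpic TEXT,
            bdesc TEXT, bauthor TEXT, blink TEXT)");
$pdo->exec("INSERT INTO books VALUES (1, 'old', 'old.png', 'old', 'old', 'old')");

// Columns the form may change; fixed here, never taken from the request.
const BOOK_FIELDS = ['bname', 'bpic', 'bdesc', 'bauthor', 'blink'];

// Load one book for the edit form (the question's SELECT had no WHERE clause).
function loadBook(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare("SELECT * FROM books WHERE bid = :bid");
    $stmt->execute([':bid' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Save the submitted fields; returns the number of rows changed.
function updateBook(PDO $pdo, int $id, array $in): int {
    $stmt = $pdo->prepare("UPDATE books SET bname = :bname, bpic = :bpic,
        bdesc = :bdesc, bauthor = :bauthor, blink = :blink WHERE bid = :bid");
    $stmt->bindValue(':bid', $id, PDO::PARAM_INT);
    foreach (BOOK_FIELDS as $col) {
        $stmt->bindValue(":$col", (string)($in[$col] ?? ''), PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed form input containing a quote; concatenated into the SQL string
// this would have produced the kind of syntax error the question shows.
$input = ['bname' => "O'Reilly Media", 'bpic' => 'cover.png', 'bdesc' => 'desc',
          'bauthor' => 'Tim', 'blink' => "http://example.com/?q='quoted'"];
$changed = updateBook($pdo, 1, $input);
$book = loadBook($pdo, 1);
printf("rows changed: %d, bname=%s, blink=%s\n", $changed, $book['bname'], $book['blink']);
```

When the loaded values are echoed back into the form's value='...' attributes, pass them through htmlspecialchars() so a quote in the data cannot break out of the attribute either.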

4 Comments

+1 Thanks bro for telling me about it. As I said, I'm not in securing mode now, I'm just programming and taking a lot of time searching for bugs in the script :) Thanks a lot
I wouldn't use mysql_real_escape_string(), let alone mysql_* functions. They're old and deprecated, and mysql_real_escape_string() can still be open to an SQL injection. "Simply apply mysql_real_escape_string function for each input will save you." - No it won't. See the following Q&A on Stack: stackoverflow.com/questions/5741187/…
"For better security option, you can try PDO." - Without a prepared statement, PDO alone is still prone to injection.
@Fred-ii- Thank you for your feedback. I updated the content to avoid misunderstanding, as it said something different from what I meant.
