SQL error in database?

[simbu]

Hello everyone,

I am doing a sample project.In that when i am edititng the records i am getting this error . Can anyony resolve me?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'australia,companyname='asdf' WHERE id='4'' at line 1




thanks in advance,
simbu.

[Weedpacket]

It looks like there is an error in your SQL syntax near australia,companyname='asdf' WHERE id='4'. Probably because of the missing quote.

[simbu]

It looks like there is an error in your SQL syntax near australia,companyname='asdf' WHERE id='4'. Probably because of the missing quote.

Here is my code...

<?php

function renderForm($id,$fname,$name,$currentdesignation,$currentemployer,$email,$telephone,$comments,$education,$experience,$currentlocation,$companyname)
{
?>

<html>
<head>
<title>Edit record</title>
</head>
<body>
<?php

?>

<form method="post" action="" >
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>id:</strong><?php echo $id; ?></p>
<strong>Full name * </strong><input type="text" name="fname" value="<?php echo $fname; ?>"/><br/>
<strong>Name * </strong><input type="text" name="name" value="<?php echo $name; ?>"/><br/>
<strong>currentdesignation: * </strong><input type="text" name="currentdesignation" value="<?php echo $currentdesignation; ?>"/><br/>
<strong>currentemployer: * </strong><input type="text" name="currentemployer" value="<?php echo $currentemployer; ?>"/><br/>
<strong>E-mail: * </strong><input type="text" name="email" value="<?php echo $email; ?>"/><br/>
<strong>telephone: * </strong><input type="text" name="telephone" value="<?php echo $telephone; ?>"/><br/>
<strong>comments: * </strong><input type="text" name="comments" value="<?php echo $comments; ?>"/><br/>
<strong>Education: * </strong><input type="text" name="education" value="<?php echo $education; ?>"/><br/>
<strong>Experience: * </strong><input type="text" name="experience" value="<?php echo $experience; ?>"/><br/>
<strong>Current location: * </strong><input type="text" name="currentlocation" value="<?php echo $currentlocation; ?>"/><br/>
<strong>Company name: * </strong><input type="text" name="companyname" value="<?php echo $companyname; ?>"/><br/>
<p>* required</p>
<input type="submit" name="submit" value="submit" >
</div>
</form>
</body>
</html>
<?php
}

//connect to the database
include("db.php");

//check if the form has been submitted.If it has,process the form and save it into teh database
if(isset($_POST['submit']))
{
//confirm that the 'id' value is a valid integer before getting the form data
if(is_numeric($_POST['id']))
{
//get form data,making sure it is valid
$id=$_POST['id'];
$fname=mysql_real_escape_string(htmlspecialchars($_POST['fname']));
$name=mysql_real_escape_string(htmlspecialchars($_POST['name']));
$currentdesignation=mysql_real_escape_string(htmlspecialchars($_POST['currentdesignation']));
$currentemployer=mysql_real_escape_string(htmlspecialchars($_POST['currentemployer']));
$telephone=mysql_real_escape_string(htmlspecialchars($_POST['telephone']));
$email=mysql_real_escape_string(htmlspecialchars($_POST['email']));
$comments=mysql_real_escape_string(htmlspecialchars($_POST['comments']));
$education=mysql_real_escape_string(htmlspecialchars($_POST['education']));
$experience=mysql_real_escape_string(htmlspecialchars($_POST['experience']));
$currentlocation=mysql_real_escape_string(htmlspecialchars($_POST['currentlocation']));
$companyname=mysql_real_escape_string(htmlspecialchars($_POST['companyname']));


//check that fields are filled in
if($fname==""||$name==""||$currentdesignation==""||$currentemployer==""||$email==""||$telephone==""||$comments==""||$education==""||$experience==""||$currentlocation==""||$companyname=="")
{
//generate error message
$error='ERROR:Please fill in all required fields!';

//error display form
renderForm($id,$fname,$name,$currentdesignation,$currentemployer,$email,$telephone,$comments,$education,$experience,$currentlocation,$companyname);
}
else
{
//save the data to the database
$result=mysql_query("UPDATE han.form SET fname='$fname',name='$name',currentdesignation='$currentdesignation',currentemployer='$currentemployer',email='$email',telephone='$telephone',comments='$comments',education='$education',experience='$experience,currentlocation='$currentlocation,companyname='$companyname' WHERE id='$id'") or die(mysql_error());

//once saved,redirect back to the view page
header("Location:view.php");
}
}
else
{
//if the 'id' isnt valid,display an error
echo 'Error!';
}
}
else

{

if(isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id']>0)
{

$id=$_GET['id'];
$result=mysql_query("SELECT * FROM han.form WHERE id='$id'") or die(mysql_error());
$row=mysql_fetch_array($result);

//check that the 'id' matches up with a row in the database
if($row)
{

//get data from db
$fname=$row['fname'];
$name=$row['name'];
$currentdesignation=$row['currentdesignation'];
$currentemployer=$row['currentemployer'];
$email=$row['email'];
$telephone=$row['telephone'];
$comments=$row['comments'];
$education=$row['education'];
$experience=$row['experience'];
$currentlocation=$row['currentlocation'];
$companyname=$row['companyname'];

//show form
renderForm($id,$fname,$name,$currentdesignation,$currentemployer,$email,$telephone,$comments,$education,$experience,$currentlocation,$companyname);
}
else
//if no match,display result
{
echo 'No result!';
}
}
else
// if the 'id' in the URL isnt valid,or if there is no 'id' value,display an error
{
echo 'Error!';
}
}
?>

check it out and let em know please.



thanks,
simbu.

[Derokorian]

'$education',experience='$experience,currentlocation='$currentlocation,companyname='$companyname'

You're missing a closing quote after $experience AND after $currentlocation.

[bradgrafelman]

You're also using the mysql extension which is severely outdated and has been deprecated in favor of MySQLi, PDO, etc.

In addition, you're using unsanitized user-supplied data directly in your SQL query.

[simbu]

Thanks a lot...