Simple SQL Syntax Error

verbazon

I have an sql syntax error for some database code i'm trying to query for a login system. I'm assuming it has something to do with the way i'm using quotations (double/single) in my query statement which I'm not getting right. If someone could reply back with the correct use of quotations in my sql statement i would appreciate it.

Here is the part of the code:

if(isset($_POST['submit']))
{
	//get user input
	$firstname = secure($_POST["firstname"]);
	$lastname = secure($_POST["lastname"]);
	$email = secure($_POST["email"]);

//check if fields are empty
if(empty($firstname) || empty($lastname) || empty($email))
{
	die('You must fill all form fields in.');
}

$sql = 'UPDATE register SET 
			firstname="' .$firstname. '",
			lastname="' .$lastname. '", 
			email="' .$email. '", 
			WHERE id="' . $_SESSION['id'] . '"';

Thanks for any help in advance

Piranha

I just assume that the secure method handles database security, such as SQL injection.

Normally you use single quotes in the database query, I don't know for sure if it works with double quotes. But I don't think that is the problem. I see however that you have a comma before WHERE in the query, and that would ruin the query.

A few other points about this piece of code:
1. You can't be sure that the value from the submit button are sent when submitted. Instead use a hidden insert value and check against that.
2. You never secure the id in this code. And you use the id (that I assume is a int) within quotes, you should not do that with numeric values.

zcollvee

$firstname = mysql_real_escape_string($_POST['firstname']);

you could make it like that but i cant see anything else wrong with this.