SQL Error

Marine50x

Why am I getting this error and where is it?

Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

<?php 
session_start(); 

if (isset($_POST['title'])){

 $username = $_POST['title'];
 $firstname = $_POST['postbody'];

}


// Connect to database
include_once "scripts/connect_to_mysql.php";

if (isset($_SESSION['id'])) {

 $id = $_SESSION['id'];

} else {

  print "You are not logged in!!";
}
// Get Username
$sql= mysqli_query($myConnection, "SELECT * FROM members WHERE id = '$id'");
while($row = mysqli_fetch_array($sql))
{
	$username= $row['username'];
	}

//Check if allowed
$sqlcheck= mysqli_query($myConnection, "SELECT * FROM members WHERE id= '$id' ");
	while($row = mysqli_fetch_array($sqlcheck)){
	$acc_type= $row["account_type"];
}
 if ($acc_type == 'b'){

$sqlinsert= mysqli_query ($myConnection, "INSERT INTO blogpost ( title, dateposted, pagebody) 
VALUES('$title',now(),'$postbody'")
or die (mysqli_error($myConnection));
}else {
	  print "Your not allowed to post!!";
}

?>

NogDog

Try echoing the actual query with the error message:

$sql = "INSERT INTO blogpost ( title, dateposted, pagebody)
VALUES('$title',now(),'$postbody'";
$sqlinsert= mysqli_query ($myConnection, $sql) 
   or die (mysqli_error($myConnection) . "<br />\n$sql");

(For the production version I would change the or die() to an if condition and error_log() so that you do not output DB details to the user if there is a problem.)

My guess is that the text being entered needs to be escaped due to single quote/apostrophe characters or something similar (see [man]mysqli_real_escape_string/man), but we should show more when we see the actual query being submitted.

bradgrafelman

Your logic needs to be reworked a bit. Look at this snippet:

if (isset($_SESSION['id'])) { 

 $id = $_SESSION['id']; 

} else { 

  print "You are not logged in!!"; 
} 
// Get Username 
$sql= mysqli_query($myConnection, "SELECT * FROM members WHERE id = '$id'");

If they aren't logged in, that's fine - they'll get the "You are not logged in!!" message. But then the very next statement uses $id as if you never checked for it in the first place.

You should move those SQL queries so that they only process if the 'id' was set in the first place.

You should also find some basic tutorials on how to retrieve data from a SQL server. For example, this code:

// Get Username 
$sql= mysqli_query($myConnection, "SELECT * FROM members WHERE id = '$id'"); 
while($row = mysqli_fetch_array($sql)) 
{ 
    $username= $row['username']; 
    } 

//Check if allowed 
$sqlcheck= mysqli_query($myConnection, "SELECT * FROM members WHERE id= '$id' "); 
    while($row = mysqli_fetch_array($sqlcheck)){ 
    $acc_type= $row["account_type"]; 
}

should really be written as:

// $id is assumed to be numeric *and* sanitized!
$sql= mysqli_query($myConnection, "SELECT id, username FROM members WHERE id = $id LIMIT 1"); 

if(mysqli_num_rows($sql))
    list($acc_type, $username) = mysqli_fetch_assoc($sql);
else {
    // error: no user found with corresponding id
}