Incorrect syntax near ''. (That means NOTHING)

Apixen

<form method=post>
<input type=text name=query>
<input type=submit name=send value="Send" length="100">
</form>
<?php
require './includes/config.inc.php';
$getquery = $_REQUEST['query'];
$query = mssql_query($getquery);
$result = mssql_num_rows($query);
$words = explode(' ',$getquery);
$first_word = $words[0];
echo $first_word;
echo $result;
  ?>

...K, The purpose of this script is to execute a query via web-server in the mssql service. When I execute
UPDATE [ACCOUNT_DBF].dbo.[ACCOUNT_TBL_DETAIL] set m_chLoginAuthority='Z' where account='slash'
it'll say
Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near ''. (severity 15) in ************************************************ on line 8
therefore, causing 2 more errors saying query failed, and such.

Any help?

-Apixen

Crowly

Dont use $REQUEST, you have no idea where the data is coming from, since it can come from either $GET, $POST or $COOKIE, in this case use $_POST.

Nothing wrong with this script, when ignoring security. Echo out $getquery, ex echo nl2br($getquery); , to see how it looks, cause the problem is with the sql.

sneakyimp

You should never ever take user input and cram it into a query without checking it. Someone might enter "DROP DATABASE your_db"

And the error does tell you something. Your SQL syntax is wrong.

If this is a server facing the world, you might want to send these errors to a log file rather than echoing them to the screen. Also, you should check for errors. INstead of this:

$query = mssql_query($getquery);

Do this:

$query = mssql_query($getquery);
if (!$query) {
  // write some code here to send error msg and query to a log file
  die("There was a problem with the query");
}