Second set of eyes on this Parse error: please!

Osyrys14

I'm not new at programming, but I've looked at this code for so long my eyes are burning! LOL Any ideas why I'm getting this error....

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/woodove/public_html/updatedb.php on line 74

on this line...

$sql= (UPDATE 'woodove_grill2010'.'wheretobuy` SET 'name'='$_POST[name]', 'address'='$_POST[address]', 

'city'='$_POST[city]', 'province'='$_POST[province]', 'zip'='$_POST[zip]','phone'='$_POST[phone]', 

'fax=$_POST[fax]','email'='$_POST[email]', 'website'='$_POST[website]', 'temp'='$_POST[website]' WHERE 

'ID' = '$_POST[ID]');

Thanks in advance!!

Osyrys:eek:

bradgrafelman

Your problem is that you've got a SQL query string in the middle of some PHP code.

A SQL query string is just that - a [man]string[/man]. No different than the string "Hello World" actually. As such, your SQL query string must be delimited (e.g. by quotes).

EDIT: Also note that user-supplied data should never be placed directly into a SQL query string else your code will be vulnerable to SQL injection attacks and/or just plain SQL errors. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man.

laserlight

Unfortunately, both your PHP and SQL syntax is wrong, especially pertaining to delimiting strings (and not delimiting, or correctly delimiting, database, table and column names). If you are using the PDO extension, I would expect something like this:

$statement = $connection->prepare('UPDATE woodove_grill2010.wheretobuy
    SET name=:name, address=:address, city=:city, province=:province, zip=:zip,
    phone=:phone,  fax=:fax, email=:email, website=:website, temp=:temp WHERE ID=:ID');
$placeholders = array('name', 'address', 'city', 'province', 'zip', 'phone', 'fax', 'email', 'website', 'ID');
foreach ($placeholders as $placeholder) {
    if (isset($_POST[$placeholder])) {
        $statement->bindValue(':' . $placeholder, $_POST[$placeholder], PDO::PARAM_STR);
    } else {
        // Handle the input error.
    }
}

Osyrys14

It is an update form, only an administrator of the site can access it. The same query as an insert into statement in the same location of the script (saved as a different file, the only differences are ones an update (this one) and one is the insert statement.) seems to work fine, its just this one to update that is not functioning... I've taken it down to simply

$sql= (UPDATE wheretobuy SET name=$_POST[name] WHERE ID = $post[name]);

With and without the ' enclosing things, and several combinations, still no luck.

bradgrafelman

Again, strings must be delimited - you're missing the delimiters in your code above.

In addition, note that $_POST[name] is not the same as $post[name].

laserlight

Osyrys14 wrote:
It is an update form, only an administrator of the site can access it.

[
That does not matter. If you do not properly escape your input (or use prepared statements, as in my example), even legitimate input could cause problems.

knowj

As laserlight said with escaping the data.

IMO at minimum you should be using prepared statements with mysqli (http://php.net/manual/en/mysqli.prepare.php) or prepared PDO statements (via laserlight) if you are developing for cross system compatibility.

I have never been a fan of individually escaping each piece of data all it takes is one mistake or another developer to add in another variable and miss out the escape and you can end up in a whole world of harm and potentially legal issues.

In an ideal world stored procedures are the best way to execute SQL queries but they aren't always feasible on small scale development.

cretaceous

$sql= "UPDATE woodove_grill2010.wheretobuy SET name='$_POST[name]', address='$_POST[address]', city='$_POST[city]', province='$_POST[province]', zip='$_POST[zip]',phone='$_POST[phone]',
fax='$_POST[fax]',email='$_POST[email]', website='$_POST[website]', temp='$_POST[website]' WHERE ID= '$_POST[ID]'";

that might do it .. if you don't use an abstraction class (as suggested by others)
- however as stated you really should use mysql_real_escape_string().

you also had a pair of missing single quotes in your fax=$_POST[fax]
- but you don't need quotes around column names anyway
- basically it is a bit of a mess !

knowj

Personally I don't think anyone should be using mysql functions any more. mysqli has been around for long enough to be the new standard. If anything the mysql functions should be adapted to use mysqli or mysqli completely ported to use the mysql namespace.

PDO is great, but it's an abstraction layer so slightly slower than mysqli. But if you are developing for portability it's the way forward.

For entry level work with PHP, mysqli allows an nice easy transition from procedural to object oriented (you can use both). And on the face of it, it's no different to mysql until you dig deeper and want more from it.

Try using mysqli_prepare (http://php.net/manual/en/mysqli.prepare.php) either procedural or object oriented and if you get stuck post your progress/questions here.

Osyrys14

Ok, I'm a bit confused by these replies. As I mentioned, I'm not a newbie, but brain friend right now... What's in the simple statement that needs to be delimited?? If I've taken it down to just try and update ONE field so I can get it functional, there's nothing to separate... Also, excaping comments I totally understand, but there's not a comment to be escaped in the query string. Unless I'm totally missing it...

Lastly, I'd be happy to use mysli, but that's learning a new thing for me right now, and this is just a simple update database entries with a form page, wasn't even supposed to take this long. LOL Thanks everyone for your replies, honest I'm just fried on this and missing something SUPER simple, I know it will be...

HalfaBee

To simplify some of the previous replies.

You have the SQL encapsulated in () and it should be "" and you have the column names ecapsulated in ' where it should be ` ( back tick )

so the first line should look like this

$sql= "UPDATE woodove_grill2010.wheretobuy SET `name`='{$_POST['name']}', `address`='{$_POST['address']}', ...