SQL error in database?

simbu

Hello everyone,

I am doing a sample project.In that when i am edititng the records i am getting this error . Can anyony resolve me?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'australia,companyname='asdf' WHERE id='4'' at line 1

thanks in advance,
simbu.

Weedpacket

It looks like there is an error in your SQL syntax near [font=monospace]australia,companyname='asdf' WHERE id='4'[/font]. Probably because of the missing quote.

simbu

Weedpacket;11016289 wrote:
It looks like there is an error in your SQL syntax near [font=monospace]australia,companyname='asdf' WHERE id='4'[/font]. Probably because of the missing quote.

Here is my code...

<?php

function renderForm($id,$fname,$name,$currentdesignation,$currentemployer,$email,$telephone,$comments,$education,$experience,$currentlocation,$companyname)
{
?>

<html>
<head>
<title>Edit record</title>
</head>
<body>
<?php

<form method="post" action="" >
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>id:</strong><?php echo $id; ?></p>
<strong>Full name </strong><input type="text" name="fname" value="<?php echo $fname; ?>"/><br/>
<strong>Name </strong><input type="text" name="name" value="<?php echo $name; ?>"/><br/>
<strong>currentdesignation: </strong><input type="text" name="currentdesignation" value="<?php echo $currentdesignation; ?>"/><br/>
<strong>currentemployer: </strong><input type="text" name="currentemployer" value="<?php echo $currentemployer; ?>"/><br/>
<strong>E-mail: </strong><input type="text" name="email" value="<?php echo $email; ?>"/><br/>
<strong>telephone: </strong><input type="text" name="telephone" value="<?php echo $telephone; ?>"/><br/>
<strong>comments: </strong><input type="text" name="comments" value="<?php echo $comments; ?>"/><br/>
<strong>Education: </strong><input type="text" name="education" value="<?php echo $education; ?>"/><br/>
<strong>Experience: </strong><input type="text" name="experience" value="<?php echo $experience; ?>"/><br/>
<strong>Current location: </strong><input type="text" name="currentlocation" value="<?php echo $currentlocation; ?>"/><br/>
<strong>Company name: </strong><input type="text" name="companyname" value="<?php echo $companyname; ?>"/><br/>
<p> required</p>
<input type="submit" name="submit" value="submit" >
</div>
</form>
</body>
</html>
<?php
}

//connect to the database
include("db.php");

//check if the form has been submitted.If it has,process the form and save it into teh database
if(isset($POST['submit']))
{
//confirm that the 'id' value is a valid integer before getting the form data
if(is_numeric($POST['id']))
{
//get form data,making sure it is valid
$id=$POST['id'];
$fname=mysql_real_escape_string(htmlspecialchars($POST['fname']));
$name=mysql_real_escape_string(htmlspecialchars($POST['name']));
$currentdesignation=mysql_real_escape_string(htmlspecialchars($POST['currentdesignation']));
$currentemployer=mysql_real_escape_string(htmlspecialchars($POST['currentemployer']));
$telephone=mysql_real_escape_string(htmlspecialchars($POST['telephone']));
$email=mysql_real_escape_string(htmlspecialchars($POST['email']));
$comments=mysql_real_escape_string(htmlspecialchars($POST['comments']));
$education=mysql_real_escape_string(htmlspecialchars($POST['education']));
$experience=mysql_real_escape_string(htmlspecialchars($POST['experience']));
$currentlocation=mysql_real_escape_string(htmlspecialchars($POST['currentlocation']));
$companyname=mysql_real_escape_string(htmlspecialchars($POST['companyname']));

//check that fields are filled in
if($fname==""||$name==""||$currentdesignation==""||$currentemployer==""||$email==""||$telephone==""||$comments==""||$education==""||$experience==""||$currentlocation==""||$companyname=="")
{
//generate error message
$error='ERROR😛lease fill in all required fields!';

//error display form
renderForm($id,$fname,$name,$currentdesignation,$currentemployer,$email,$telephone,$comments,$education,$experience,$currentlocation,$companyname);
}
else
{
//save the data to the database
$result=mysql_query("UPDATE han.form SET fname='$fname',name='$name',currentdesignation='$currentdesignation',currentemployer='$currentemployer',email='$email',telephone='$telephone',comments='$comments',education='$education',experience='$experience,currentlocation='$currentlocation,companyname='$companyname' WHERE id='$id'") or die(mysql_error());

//once saved,redirect back to the view page
header("Location:view.php");
}
}
else
{
//if the 'id' isnt valid,display an error
echo 'Error!';
}
}
else

{

if(isset($GET['id']) && is_numeric($GET['id']) && $_GET['id']>0)
{

$id=$_GET['id'];
$result=mysql_query("SELECT * FROM han.form WHERE id='$id'") or die(mysql_error());
$row=mysql_fetch_array($result);

//check that the 'id' matches up with a row in the database
if($row)
{

//get data from db
$fname=$row['fname'];
$name=$row['name'];
$currentdesignation=$row['currentdesignation'];
$currentemployer=$row['currentemployer'];
$email=$row['email'];
$telephone=$row['telephone'];
$comments=$row['comments'];
$education=$row['education'];
$experience=$row['experience'];
$currentlocation=$row['currentlocation'];
$companyname=$row['companyname'];

//show form
renderForm($id,$fname,$name,$currentdesignation,$currentemployer,$email,$telephone,$comments,$education,$experience,$currentlocation,$companyname);
}
else
//if no match,display result
{
echo 'No result!';
}
}
else
// if the 'id' in the URL isnt valid,or if there is no 'id' value,display an error
{
echo 'Error!';
}
}
?>

check it out and let em know please.

thanks,
simbu.

Derokorian

'$education',experience='$experience,currentlocation='$currentlocation,companyname='$companyname'

You're missing a closing quote after $experience AND after $currentlocation.

bradgrafelman

You're also using the [man]mysql[/man] extension which is severely outdated and has been deprecated in favor of [man]MySQLi[/man], [man]PDO[/man], etc.

In addition, you're using unsanitized user-supplied data directly in your SQL query.

simbu

Thanks a lot...