I have made a simple blog system, in procedural PHP, where the user can make new post's, see existing posts, so it's a CRUD system.
So this is my code here:
if(isset($_POST['submit'])) {
$titel = $_POST['titel'];
$kortbeskrivelse = $_POST['kortbeskrivelse'];
$skrib = $_POST['skrib'];
$post = $_POST['post'];
$update = "UPDATE posts SET ";
$update .= "title = '{$titel}', ";
$update .= "kortbe = '{$korbeskrivelse}', ";
$update .= "author = '{$skrib}', ";
$update .= "beskrivelse = '{$post}', ";
$update .= "WHERE id=$pid LIMIT 1";
$updateresult = mysqli_query($conn, $update);
if (mysqli_query($conn, $updateresult)) {
echo "New record created successfully";
} else {
echo "Error: " . $updateresult . "<br>" . mysqli_error($conn);
}
}
So to explain the query, i'm updating posts, with the variables passed from a POST form.
The $pid variable, is for ensure that it's updating the correct post (I have declared it before the sql query)
I'm not getting any PHP errors, and the connection works great. This is the SQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id= LIMIT 1' at line 1
So it's a little bit confusing, and i am afraid it's an error 40(Human error :D )
I know it's very insecure, it's also for demonstrating injections etc.
I hope someone can help me out!
Thank's in advance!
There is a comma in this line $update .= "beskrivelse = '{$post}', ";. Try removing it:
$update .= "beskrivelse = '{$post}' ";
$update = "UPDATE posts SET ";
$update .= "title = '$titel', ";
$update .= "kortbe = '$korbeskrivelse', ";
$update .= "author = '$skrib', ";
$update .= "beskrivelse = '$_POST[beskrivelse]' ";
$update .= "WHERE id=$pid LIMIT 1";
change your code like this don't use {} brackets in query and remove ',' from last $update and put some value in '$pid'
Try this:
$update .= "WHERE id={$pid} LIMIT 1";
The text format with $ pid does not return the "PID" value but the text '$pid'.
your MySQL server version for the right syntax to use near 'WHERE id= LIMIT 1' at line 1
Look closer and you'll notice id=. There is no rvalue for the = operation. For some reason your $pid is empty. The code snippet doesn't show where $pid comes from.
Apart from that you also have a comma after the last column.
$update = "UPDATE posts SET ";
$update .= "title = '{$titel}', ";
$update .= "kortbe = '{$korbeskrivelse}', ";
$update .= "author = '{$skrib}', ";
$update .= "beskrivelse = '{$post}' "; // removed comma
$update .= "WHERE id=$pid LIMIT 1";
Also, the way you're building the query, your application is vulnerable. Read about "SQL Injection" and fix your code to use parametrized queries instead of string concatenation.