I have a PHP based custom CMS. When trying to edit and then save any page, I am getting this error:
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax
to use near 'second hand PDF list' in the file named Events,
viewable from the 'view file' bu' at line 5
I've checked almost everything but can't figure it out.
Below is the code of the page on which I am getting this error.
session_start();
include "../config.php";
include("fckeditor.php");
//$_SESSION['admin_user'] = $admin_username;
$admin_user=$_SESSION['admin_user'];
if (empty($admin_user))
{
header("Location: index.php?action=not_sign");
}
if (isset($_POST["mode"]))
{
if ($_POST["mode"] == "edit_cmspage")
{
$page_id = $_POST['page_id'];
$page_title = $_POST['page_title'];
$keywords = $_POST['keywords'];
$page_desc = $_POST['page_desc'];
$details = $_POST['details'];
$sql = "SELECT * FROM page_info where page_id='$page_id'";
$res = dbquery($sql) or die(mysql_error());
$no = mysql_num_rows($res);
if ($no > 0 )
{
$add = "UPDATE `page_info` set
`page_title` = '$page_title' ,
`page_keywords` = '$keywords',
`page_desc` = '$page_desc' ,
`page_content` = '$details'
where page_id='$page_id'";
$add_res = dbquery($add) or die(mysql_error());
header("Location: cms_page.php?pg=$pg&action=update");
}
else
{
$add = "INSERT INTO `page_info` ( `page_id` , `page_title`, `page_keywords`, `page_desc`, `page_content` ) VALUES ('$page_id', '$page_title', '$keywords', '$page_desc', '$details')";
$add_res = dbquery($add) or die(mysql_error());
header("Location: cms_page.php?pg=$pg&action=update");
}
}
}
if (isset($_GET['pg']))
{
if ($_GET['pg'] == 'home')
{
$pageid = 1;
$cms_page = 'Home Page';
}
if ($_GET['pg'] == 'railways')
{
$pageid = 2;
$cms_page = 'Railways Page';
}
if ($_GET['pg'] == 'history')
{
$pageid = 3;
$cms_page = 'History Page';
}
if ($_GET['pg'] == 'childrens')
{
$pageid = 4;
$cms_page = 'Childrens Page';
}
if ($_GET['pg'] == 'contactus')
{
$pageid = 5;
$cms_page = 'Contact Us Page';
}
if ($_GET['pg'] == 'others')
{
$pageid = 6;
$cms_page = 'Others Page';
}
if ($_GET['pg'] == 'seconds')
{
$pageid = 7;
$cms_page = 'Seconds Page';
}
if ($_GET['pg'] == 'arts')
{
$pageid = 8;
$cms_page = 'Arts Page';
}
if ($_GET['pg'] == 'crafts')
{
$pageid = 9;
$cms_page = 'Crafts Page';
}
if ($_GET['pg'] == 'terms')
{
$pageid = 10;
$cms_page = 'Terms Page';
}
if ($_GET['pg'] == 'local')
{
$pageid = 11;
$cms_page = 'Local History Page';
}
if ($_GET['pg'] == 'miscellaneous')
{
$pageid = 12;
$cms_page = 'Miscellaneous Page';
}
if ($_GET['pg'] == 'list')
{
$pageid = 16;
$cms_page = 'Second Hand PDF Book list';
}
$sql = "SELECT * FROM page_info where page_id='$pageid'";
$res = dbquery($sql);
$data = dbfetch($res);
$page_title = $data['page_title'];
$keywords = $data['page_keywords'];
$page_desc = $data['page_desc'];
$details = $data['page_content'];
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Edit</title>
<link href="../css/main.css" rel="stylesheet" type="text/css">
<script language="JavaScript">
function Trim(s)
{
// Remove leading spaces and carriage returns
while ((s.substring(0,1) == ' ') || (s.substring(0,1) == '
') || (s.substring(0,1) == ''))
{ s = s.substring(1,s.length); }
// Remove trailing spaces and carriage returns
while ((s.substring(s.length-1,s.length) == ' ') || (s.substring(s.length-1,s.length) == '
') || (s.substring(s.length-1,s.length) == ''))
{ s = s.substring(0,s.length-1); }
return s;
}
function check(fm)
{
details = Trim(fm.details.value)
if(fm.details.value=="")
{
alert("You can't left blank Description.");
return false;
}
return true;
}
</script>
</head>
<body>
<table align="center" border="0" cellpadding="0" cellspacing="0" width="900">
<tr bgcolor="#FFFFFF">
<td align="center"><? include('header.php'); ?>
</td>
</tr>
<tr>
<td align="center" bgcolor="#FFFFFF">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td align="left" bgcolor="#DD6100" valign="top" width="20%"><? include('menu_bar.php'); ?>
</td>
<td align="center" valign="top" width="80%">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td width="5%"> </td>
<td width="90%"> </td>
<td width="5%"> </td>
</tr>
<tr>
<td> </td>
<td class="subheader">Edit Home Page</td>
<td> </td>
</tr>
<tr>
<td> </td>
<td align="center" class="contents"><strong><font color="#0000FF"></font></strong></td>
<td> </td>
</tr>
<tr>
<td> </td>
<td align="right" class="bold_back"> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td align="center" class="bold_back">
<table bgcolor="#388A01" border="0" cellpadding="1" cellspacing="0" width="100%">
<tr>
<td height="">
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr>
<td align="center" bgcolor="#FFFFFF" valign="top">
<table border="0" cellpadding="2" cellspacing="0" width="100%">
<tbody>
<tr>
<td>
<form action="edit_cmspage.php" method="post" onsubmit="return check(this)">
<input name="mode" type="hidden" value="edit_cmspage"> <input name="page_id" type="hidden" value="<? echo $pageid; ?>"> <input name="pg" type="hidden" value="<? echo $_GET['pg']; ?>">
<table border="0" cellpadding="0" cellspacing="3" width="100%">
<tr>
<td class="contents" width="13%"><strong>Title</strong></td>
<td width="87%"><span class="admin_in"><input class="INPUT" name="page_title" size="70" type="text" value="<?php echo $page_title;?>"></span></td>
</tr>
<tr>
<td class="contents"><strong>Keywords</strong></td>
<td><span class="admin_in"><input class="INPUT" name="keywords" size="70" type="text" value="<?php echo $keywords; ?>"></span></td>
</tr>
<tr>
<td class="contents"><strong>Description</strong></td>
<td><span class="admin_in"><input class="INPUT" name="page_desc" size="70" type="text" value="<?php echo $page_desc; ?>"></span></td>
</tr>
<tr>
<td> </td>
<td height="25"><?php
$oFCKeditor = new FCKeditor('details') ;
$oFCKeditor->BasePath = "";
//$oFCKeditor->BasePath = "../../../";
$oFCKeditor->Value = $details;
$oFCKeditor->Width = '100%' ;
$oFCKeditor->Height = '450' ;
$oFCKeditor->Create() ;
?></td>
</tr>
<tr>
<td> </td>
<td height="25"> </td>
</tr>
<tr>
<td> </td>
<td>
<input name="imageField" src="images/btn_save.jpg" type="image"> <a href="cms_page.php?pg=%3C?=%20$_GET['pg'];%20?%3E"><img alt="Cancel" border="0" height="25" src="images/btn_cancel.jpg" width="80"></a>
</td>
</tr>
</table>
</form>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td> </td>
</tr>
<tr>
<td height="20"> </td>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center"><? include('footer.php'); ?>
</td>
</tr>
</table>
</body>
</html>
Let's see the SQL with the error; I'll bet you put $cms_page in it without any quotes or escaping.