I was having a look around but I did not seem to find the right answer to this problem I am having. Whenever I run this UPDATE MySQL script, it calls the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Email='contact@example.com', Phone='123456780', Address='16 Remote Street',' at line 1
Here is the code I am using to get this error.
<?php
include ('cfg_prop.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$secondemail = $_POST['secondary'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$country = $_POST['country'];
$postcode = $_POST['postcode'];
$company = $_POST['company'];
$city = $_POST['city'];
$sql = "UPDATE users SET Firstname='$firstname', Lastname='$lastname', Email='$email', Secondary Email='$secondemail', Phone='$phone', Address='$address', Country='$country', Postcode='$postcode', Company='$company', City='$city' WHERE Username='$userss'";
mysql_query($sql) or die(mysql_error());
?>
If anyone could help me, I would be really happy and grateful as I just can't seem to get over this. Thanks in advance for the help.
First of all - you have to escape data from $_POST superglobal because of easy SQL Injection attack.
$email = mysql_real_escape_string($_POST['email']);
Next thing: you cannot use Secondary Email because there is whitespace that causes an error. You have to change the column's name to Secondary_Email.
Or just use `Secondary Email` instead (but do not do this - columns should not have whitespaces in their names).
The Secondary Email column has a space in its name; you should use the backtick symbol: `
So:
$sql = "UPDATE users SET Firstname='$firstname', Lastname='$lastname', Email='$email', `Secondary Email`='$secondemail', Phone='$phone', Address='$address', Country='$country', Postcode='$postcode', Company='$company', City='$city' WHERE Username='$userss'";
Try this:
UPDATE users SET
Firstname='$firstname',
Lastname='$lastname',
Email='$email',
`Secondary Email`='$secondemail',
Phone='$phone',
Address='$address',
Country='$country',
Postcode='$postcode',
Company='$company',
City='$city'
WHERE Username='$userss'
Secondary Email must be enclosed in backticks because it contains a whitespace.
Remember to sanitize user input to avoid SQL Injection.
Escape the field Secondary Email
$sql = "UPDATE users SET Firstname='$firstname', Lastname='$lastname', Email='$email', `Secondary Email`='$secondemail', Phone='$phone', Address='$address', Country='$country', Postcode='$postcode', Company='$company', City='$city' WHERE Username='$userss'";
Try this:
$sql = "UPDATE `users` SET `Firstname`='$firstname', `Lastname`='$lastname', `Email`='$email', `Secondary Email`='$secondemail', `Phone`='$phone', `Address`='$address', `Country`='$country', `Postcode`='$postcode', `Company`='$company', `City`='$city' WHERE `Username`='$userss'";
But this method of writing a query is highly recommended by SQL injection!
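The answers above raise two points: the backtick-quoted `Secondary Email` column and the SQL injection risk of concatenating $_POST values. The following is an added example, not code from any of the posts, that handles both with a PDO prepared statement. It assumes an in-memory SQLite table as a stand-in for the MySQL `users` table (only some of the question's columns are included), a hypothetical `updateUser` helper and `FIELD_TO_COLUMN` map, and a username `alice` that would normally come from the session.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// against MySQL only the DSN changes (and set PDO::ATTR_EMULATE_PREPARES to false).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Firstname TEXT,
    Lastname TEXT, Email TEXT, `Secondary Email` TEXT, Phone TEXT, Address TEXT)');
$pdo->exec("INSERT INTO users (Username) VALUES ('alice')"); // constructed row

// Form field => column. Identifiers come only from this fixed map, never from
// the request, and each one is backtick-quoted, so the space is harmless.
const FIELD_TO_COLUMN = [
    'firstname' => 'Firstname',
    'lastname'  => 'Lastname',
    'email'     => 'Email',
    'secondary' => 'Secondary Email',
    'phone'     => 'Phone',
    'address'   => 'Address',
];

function updateUser(PDO $pdo, string $username, array $form): int
{
    $set = [];
    $params = [':username' => $username];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        if (!isset($form[$field]) || !is_string($form[$field])) {
            continue; // skip missing fields and array-valued input
        }
        $set[] = "`$column` = :$field";
        $params[":$field"] = $form[$field];
    }
    if ($set === []) {
        return 0;
    }
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE Username = :username';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // values travel as bound data, not as SQL text
    return $stmt->rowCount();
}

// Constructed input standing in for $_POST; the apostrophe in O'Brien would
// break the concatenated query from the question.
$form = ['firstname' => 'Conor', 'lastname' => "O'Brien",
         'email' => 'contact@example.com', 'secondary' => 'alt@example.com',
         'phone' => '123456780', 'address' => '16 Remote Street'];
echo updateUser($pdo, 'alice', $form), " row(s) updated\n";
print_r($pdo->query('SELECT * FROM users')->fetch(PDO::FETCH_ASSOC));
```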