{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 趁早两清 的问题《You have an error in your SQL syntax; check the ma》','https://www.manongdao.com/q-581045.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am getting an Error in MySQL:
You have an error in your SQL syntax; check the manual that corresponds
to your MySQL server version for the right syntax to use near '''')' at line 2'.
HTML Code:
<form action="read_message.php" method="post">
<table class="form_table">
<tr>
<td style="font-weight:bold;">Subject:</td>
<td><input style=" width:300px" name="form_subject"/></td>
<td></td>
</tr>
<tr>
<td style="font-weight:bold;">Message:</td>
<td id="myWordCount"> (300 words left)</td>
<td></td>
</tr>
<tr>
<td><input type="hidden" name="sender_id" value="<?php echo $sender_id?>"></td>
<td><textarea cols="50" rows="4" name="form_message"></textarea></td>
<td valign="bottom"><input type="submit" name="submit_message" value="send"></td>
</tr>
</table>
</form>
Code to insert into a mysql table:
<?php
include_once"connect_to_mysql.php";
//submit new message
if($_POST['submit_message']){
if($_POST['form_subject']==""){
$submit_subject="(no subject)";
}else{
$submit_subject=$_POST['form_subject'];
}
$submit_message=$_POST['form_message'];
$sender_id = $_POST['sender_id'];
if($shortMessagesLeft<1){
$form_error_message='You have left with '.$shortMessagesLeft.' Short Message. Please purchase it from the <a href="membership.php?id='.$id.'">shop</a>.';
}
else if($submit_message==""){
$form_error_message = 'Please fill in the message before sending.';
}
else{
$message_left = $shortMessagesLeft-1;
$update_short_message = mysql_query("UPDATE message_count SET short_message = '$message_left' WHERE user_id = '$id'");
$sql = mysql_query("INSERT INTO private_messages (to_id, from_id, time_sent, subject, message)
VALUES('$sender_id', '$id', now(),'$submit_subject','$submit_message')") or die (mysql_error());
}
}
?>
What does the error mean and what am I doing wrong?
That's called SQL INJECTION. The
'tries to open/close a string in your mysql query. You should always escape any string that gets into your queries.for example,
instead of this:
do this:
(or equivalent, of course)
However, it's better to automate this, using PDO, named parameters, prepared statements or many other ways. Research about this and SQL Injection (here you have some techniques).
Hope it helps. Cheers
I had this problem before, and the reason is very simple: Check your variables, if there were strings, so put it in quotes '$your_string_variable_here' ,, if it were numerical keep it without any quotes. for example, if I had these data: $name ( It will be string ) $phone_number ( It will be numerical ) So, it will be like that:
$query = "INSERT INTO
users(name,phone) VALUES ('$name', $phone)"; Just like that and it will be fixed ^_^Please make sure you have downloaded the sqldump fully, this problem is very common when we try to import half/incomplete downloaded sqldump. Please check size of your sqldump file.
I was getting the same error when I used this code to update the record:
After removing
or die, it started working properly.There is a single quote in
$submitsubjector$submit_messageWhy is this a problem?
The single quote char terminates the string in MySQL and everything past that is treated as a sql command. You REALLY don't want to write your sql like that. At best, your application will break intermittently (as you're observing) and at worst, you have just introduced a huge security vulnerability.
Imagine if someone submitted
'); DROP TABLE private_messages;in submit message.Your SQL Command would be:
Instead you need to properly sanitize your values.
AT A MINIMUM you must run each value through
mysql_real_escape_string()but you should really be using prepared statements.If you were using
mysql_real_escape_string()your code would look like this:Here is a great article on prepared statements and PDO.