error in your SQL syntax; check the manual that corresponds to your
Posted by: micbaah (---.4u.com.gh)
Date: February 12, 2007 11:06AM

I am having some problems here. I did this with Dreamweaver and I get the following when I load it in my browser:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Index = 1 ORDER BY Lastname ASC' at line 1"

I can't make out where the error is. Any help is appreciated.

This is the code:

<?php require_once('Connections/learning.php'); ?><?php
mysql_select_db($database_learning, $learning);
$recordID = $_GET['recordID'];
$query_DetailRS1 = "SELECT * FROM persons WHERE Index = $recordID ORDER BY Lastname ASC";
$DetailRS1 = mysql_query($query_DetailRS1, $learning) or die(mysql_error());
$row_DetailRS1 = mysql_fetch_assoc($DetailRS1);
$totalRows_DetailRS1 = mysql_num_rows($DetailRS1);
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>

<table border="1" align="center">

<tr>
<td>Lastname</td>
<td><?php echo $row_DetailRS1['Lastname']; ?> </td>
</tr>
<tr>
<td>Firstname</td>
<td><?php echo $row_DetailRS1['Firstname']; ?> </td>
</tr>
<tr>
<td>Age</td>
<td><?php echo $row_DetailRS1['Age']; ?> </td>
</tr>


</table>

</body>
</html><?php
mysql_free_result($DetailRS1);
?>


Re: error in your SQL syntax; check the manual that corresponds to your
Posted by: CyberSpatium (71.237.217.---)
Date: February 12, 2007 04:26PM

change:
$query_DetailRS1 = "SELECT * FROM persons WHERE Index = $recordID ORDER BY Lastname ASC";

to:
$query_DetailRS1 = "SELECT * FROM persons WHERE Index = {$_GET['recordID']} ORDER BY Lastname ASC";

NOTE:
It is a huge security risk to not filter user input before using it in your MySQL queries. For example:
SELECT * FROM persons WHERE Index = $_GET['recordID'] ORDER BY Lastname ASC

Since you do not do any kind of checking of what a user may submit for recordID, this means that a malicious user could input anything in the field. This could allow them total access to all your data in your database. This could be very serious if your site is a shopping cart and you store customers' personal info in your database. To learn more about this huge security issue, search Google for SQL injection attacks.



CyberSpatium
WAMP English Forum Admin
--------------------------------------

Like my free support? Help support me by checking out my new Newbie Webmaster Development Forum dedicated to the newbie webmaster here:
www.WebDevNewbie.com
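A hardened version of the lookup, added here as an example and not code from the thread. It replaces the old mysql_* calls with a PDO prepared statement so the record id is sent as a bound parameter instead of being spliced into the query text, rejects any recordID that is not a non-negative integer before touching the database, and backtick-quotes the column `Index`, which is a reserved word in MySQL and is what the quoted syntax error is complaining about. The DSN, credentials and the exact columns of the persons table are assumptions.

```php
<?php
// Added example, not from the thread. Connection details are placeholders: adjust to your setup.
$dsn  = 'mysql:host=localhost;dbname=learning;charset=utf8mb4';
$user = 'learning_user';   // placeholder
$pass = 'CHANGE_ME';       // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepared statements
]);

// Validate the id first: only a non-negative integer is accepted.
// filter_input returns null when the parameter is absent and false when it fails validation.
$recordID = filter_input(INPUT_GET, 'recordID', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0],
]);
if ($recordID === null || $recordID === false) {
    http_response_code(400);
    exit('Invalid record id.');
}

// `Index` is a reserved word in MySQL, so the column name must be backtick-quoted.
// The value is bound as a parameter and never concatenated into the SQL string.
$stmt = $pdo->prepare(
    'SELECT Lastname, Firstname, Age FROM persons WHERE `Index` = :id ORDER BY Lastname ASC'
);
$stmt->bindValue(':id', $recordID, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    exit('No such record.');
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Person</title></head>
<body>
<table border="1" align="center">
<!-- Escape on output as well, so stored values cannot inject HTML into the page. -->
<tr><td>Lastname</td><td><?php echo htmlspecialchars($row['Lastname'], ENT_QUOTES, 'UTF-8'); ?></td></tr>
<tr><td>Firstname</td><td><?php echo htmlspecialchars($row['Firstname'], ENT_QUOTES, 'UTF-8'); ?></td></tr>
<tr><td>Age</td><td><?php echo htmlspecialchars((string) $row['Age'], ENT_QUOTES, 'UTF-8'); ?></td></tr>
</table>
</body>
</html>
```

With the bound parameter the database only ever sees an integer for `:id`, so whatever a visitor types into recordID cannot change the shape of the query.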

Re: error in your SQL syntax; check the manual that corresponds to your
Posted by: micbaah (---.4u.com.gh)
Date: February 12, 2007 06:11PM

Thanks a lot. Appreciate it.
