Posted by Rik on 10/24/06 17:00

davek wrote:
> (posted to: php.general, comp.lang.php, alt.php, alt.php.sql)
>
> I have a form where registered users on my site can edit their login
> details. For some reason, the script is inserting an extraneous quote
> mark in the mysql update query that is preventing it from running
> successfully, but I am at a complete loss to understand why.
>
> This is my code:
> $sql = "UPDATE users SET
> username = '{$usr}',
> password = '{$pwd}',
> fullname = '{$_POST['fullname']},
> email = '{$_POST['email']}'
> WHERE userid = '{$usrid}'";
>
> if (@mysql_query($sql)) {
>
> //send email to user confirming changes
>
> } else {
>
> echo "<p>Error updating details: " . mysql_error() . "</p>";
>
> }
>
> This is the error message:
> Error updating details: You have an error in your SQL syntax near
> 'xxxx@xxxx.com' WHERE userid = '15'' at line 4
>
> I have checked that the $usrid variable does not contain the quote
> mark.

As indicated earlier, you miss a quotation mark after fullname, but also:
- Try to always use backticks around fieldnames, it will save you a lot of
headache.
- In error messages like this, the error is 99% of the time on the left,
NOT the right.
- The extra quote is indeed not in your code, but the errormessage quotes a
part of your query, hence:
userid = '15'
becomes:
'userid = '15''
--
Grtz,

Rik Wasmus

[Back to original message]