Solved

Error in sql syntax

Posted on 2007-03-26
18
177 Views
Last Modified: 2007-03-26
What seems to be wrong with this sql statement?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

$strSQL_Delete = mysql_query("DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' and reviewID =" . $_POST['reviewID']) or die(mysql_error());
0
Comment
Question by:pingeyeg
  • 8
  • 5
  • 5
18 Comments
 
LVL 24

Expert Comment

by:glcummins
ID: 18793922
When you encounter errors like this, it helps to see the entire SQL statement as it is submitted, rather than with the variables in place. Try this modification to your code:

$query = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' AND reviewID =" . $_POST['reviewID'];
$strSQL_Delete = mysql_query($query) or die ("The following query failed: $query. <br /> The MySQL error was: " . mysql_error());

This seperates the query string from the mysql_query statement so that we can see exactly what is being submitted. There is a possibility that one of the $_POST variables you are submitting has an errant quote in it.
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18793941
"
DELETE FROM tblReviews WHERE strCompanyname =
'
"
 . $_POST['strCompanyname'] .
"
'
and
reviewID =
"
 . $_POST['reviewID']

I've separated out where you have single and double quotes mixed together.  As you can see, the structure doesn't make sense.  What you probably mean to do is

"DELETE FROM tblReviews WHERE strCompanyname = " . $_POST['strCompanyname'] . " and reviewID =" . $_POST['reviewID']

It would be much easier for you if you would use the syntax

$sqlquery = "DELETE FROM tblReviews WHERE strCompanyname = " . $_POST['strCompanyname'] . " and reviewID =" . $_POST['reviewID'];

$strSQL_Delete = mysql_query($sqlquery) or die(mysql_error());


0
 
LVL 27

Expert Comment

by:yodercm
ID: 18793967
Oops, you do need the single quotes also:

$sqlquery = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname']' " . " and reviewID =" . $_POST['reviewID'];
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 1

Author Comment

by:pingeyeg
ID: 18793983
Either way I code it, I still get the same error message.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18793991
I know that.  I kept them in.  Thanks though.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18793999
@yodercm:

 strCompanyname = ' " . $_POST['strCompanyname']' "

This will result in mis-matched singe quotes. You have the first single quote inside the double-quoted string, but the second occurs outside of it. pingeyeg had it correct the first time, as far as I can tell.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794004
This is what I have right now, but like I said I get the same error message:

$strSQL_Delete = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' and reviewID =" . $_POST['reviewID'];
$SQL = mysql_query($strSQL_Delete) or die(mysql_error());
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18794019
Change:

$SQL = mysql_query($strSQL_Delete) or die(mysql_error());

to:

$strSQL_Delete = mysql_query($query) or die ("The following query failed: $query. <br /> The MySQL error was: " . mysql_error());

so that we can see the entire SQL query as it is submitted to the server. We don't currently know what is contained in '$_POST['strCompanyname']' and '$_POST['reviewID']', so we cannot accurately troubleshoot the statement.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18794036
Or rather:

$SQL = mysql_query($strSQL_Delete) or die ("The following query failed: $strSQL_Delete. <br /> The MySQL error was: " . mysql_error());

(Sorry, I had the variable names wrong the first time).
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794055
Not sure why I am not getting the values from the variables, but this is my result:

The following query failed: DELETE FROM tblReviews WHERE strCompanyname = '' and reviewID =.
The MySQL error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18794095
Do you want us to take a look at that part of the code, or will you troubleshoot that?

Make sure that the form that posts the data is using 'method="POST"', and that the field names are correct.
0
 
LVL 27

Accepted Solution

by:
yodercm earned 500 total points
ID: 18794193
Ok, the best solution is to clean up the messy query!

First of all, you should NEVER use a $_POST directly in a query.  It leaves you WIDE OPEN to SQL Injection hacking.  So do this:

$inputcompanyname = htmlentities($_POST['strCompanyname'],ENT_QUOTES);
$inputreviewID = htmlentities($_POST['reviewID'],ENT_QUOTES);

$strSQL_Delete = "DELETE FROM tblReviews WHERE strCompanyname = '$inputcompanyname' and reviewID = '$inputreviewID' ";

$SQL = mysql_query($strSQL_Delete) or die(mysql_error());
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794261
Ok, I'm no longer getting an error, but the requested review isn't being deleted either.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794314
Ok, right now I got the company to show, but the reviewID is showing as reviewID instead of a number when displaying the sql statement.

DELETE FROM tblReviews WHERE strCompanyname = 'Plumbing When You Need It' and reviewID = 'reviewID'
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18794321
$inputcompanyname = htmlentities($_POST['strCompanyname'],ENT_QUOTES);
$inputreviewID = htmlentities($_POST['reviewID'],ENT_QUOTES);

echo "input company name = $inputcompanyname <br>";
echo "input review ID = $inputreviewID <br>";

See if the values are correct.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794348
Nope:

input company name = Plumbing When You Need It
input review ID = reviewID
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18794384
So, you are getting the string "reviewID" instead of the correct ID number.  Fix that in your form input.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794389
Nevermind, I got it.  Thanks!
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question