Solved

Error in sql syntax

Posted on 2007-03-26
18
176 Views
Last Modified: 2007-03-26
What seems to be wrong with this sql statement?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

$strSQL_Delete = mysql_query("DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' and reviewID =" . $_POST['reviewID']) or die(mysql_error());
0
Comment
Question by:pingeyeg
  • 8
  • 5
  • 5
18 Comments
 
LVL 24

Expert Comment

by:glcummins
ID: 18793922
When you encounter errors like this, it helps to see the entire SQL statement as it is submitted, rather than with the variables in place. Try this modification to your code:

$query = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' AND reviewID =" . $_POST['reviewID'];
$strSQL_Delete = mysql_query($query) or die ("The following query failed: $query. <br /> The MySQL error was: " . mysql_error());

This seperates the query string from the mysql_query statement so that we can see exactly what is being submitted. There is a possibility that one of the $_POST variables you are submitting has an errant quote in it.
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18793941
"
DELETE FROM tblReviews WHERE strCompanyname =
'
"
 . $_POST['strCompanyname'] .
"
'
and
reviewID =
"
 . $_POST['reviewID']

I've separated out where you have single and double quotes mixed together.  As you can see, the structure doesn't make sense.  What you probably mean to do is

"DELETE FROM tblReviews WHERE strCompanyname = " . $_POST['strCompanyname'] . " and reviewID =" . $_POST['reviewID']

It would be much easier for you if you would use the syntax

$sqlquery = "DELETE FROM tblReviews WHERE strCompanyname = " . $_POST['strCompanyname'] . " and reviewID =" . $_POST['reviewID'];

$strSQL_Delete = mysql_query($sqlquery) or die(mysql_error());


0
 
LVL 27

Expert Comment

by:yodercm
ID: 18793967
Oops, you do need the single quotes also:

$sqlquery = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname']' " . " and reviewID =" . $_POST['reviewID'];
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 1

Author Comment

by:pingeyeg
ID: 18793983
Either way I code it, I still get the same error message.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18793991
I know that.  I kept them in.  Thanks though.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18793999
@yodercm:

 strCompanyname = ' " . $_POST['strCompanyname']' "

This will result in mis-matched singe quotes. You have the first single quote inside the double-quoted string, but the second occurs outside of it. pingeyeg had it correct the first time, as far as I can tell.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794004
This is what I have right now, but like I said I get the same error message:

$strSQL_Delete = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' and reviewID =" . $_POST['reviewID'];
$SQL = mysql_query($strSQL_Delete) or die(mysql_error());
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18794019
Change:

$SQL = mysql_query($strSQL_Delete) or die(mysql_error());

to:

$strSQL_Delete = mysql_query($query) or die ("The following query failed: $query. <br /> The MySQL error was: " . mysql_error());

so that we can see the entire SQL query as it is submitted to the server. We don't currently know what is contained in '$_POST['strCompanyname']' and '$_POST['reviewID']', so we cannot accurately troubleshoot the statement.
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18794036
Or rather:

$SQL = mysql_query($strSQL_Delete) or die ("The following query failed: $strSQL_Delete. <br /> The MySQL error was: " . mysql_error());

(Sorry, I had the variable names wrong the first time).
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794055
Not sure why I am not getting the values from the variables, but this is my result:

The following query failed: DELETE FROM tblReviews WHERE strCompanyname = '' and reviewID =.
The MySQL error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
0
 
LVL 24

Expert Comment

by:glcummins
ID: 18794095
Do you want us to take a look at that part of the code, or will you troubleshoot that?

Make sure that the form that posts the data is using 'method="POST"', and that the field names are correct.
0
 
LVL 27

Accepted Solution

by:
yodercm earned 500 total points
ID: 18794193
Ok, the best solution is to clean up the messy query!

First of all, you should NEVER use a $_POST directly in a query.  It leaves you WIDE OPEN to SQL Injection hacking.  So do this:

$inputcompanyname = htmlentities($_POST['strCompanyname'],ENT_QUOTES);
$inputreviewID = htmlentities($_POST['reviewID'],ENT_QUOTES);

$strSQL_Delete = "DELETE FROM tblReviews WHERE strCompanyname = '$inputcompanyname' and reviewID = '$inputreviewID' ";

$SQL = mysql_query($strSQL_Delete) or die(mysql_error());
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794261
Ok, I'm no longer getting an error, but the requested review isn't being deleted either.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794314
Ok, right now I got the company to show, but the reviewID is showing as reviewID instead of a number when displaying the sql statement.

DELETE FROM tblReviews WHERE strCompanyname = 'Plumbing When You Need It' and reviewID = 'reviewID'
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18794321
$inputcompanyname = htmlentities($_POST['strCompanyname'],ENT_QUOTES);
$inputreviewID = htmlentities($_POST['reviewID'],ENT_QUOTES);

echo "input company name = $inputcompanyname <br>";
echo "input review ID = $inputreviewID <br>";

See if the values are correct.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794348
Nope:

input company name = Plumbing When You Need It
input review ID = reviewID
0
 
LVL 27

Expert Comment

by:yodercm
ID: 18794384
So, you are getting the string "reviewID" instead of the correct ID number.  Fix that in your form input.
0
 
LVL 1

Author Comment

by:pingeyeg
ID: 18794389
Nevermind, I got it.  Thanks!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Deprecated and Headed for the Dustbin By now, you have probably heard that some PHP features, while convenient, can also cause PHP security problems.  This article discusses one of those, called register_globals.  It is a thing you do not want.  …
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question