Solved

Error in sql syntax

Posted on 2007-03-26
18
174 Views
Last Modified: 2007-03-26
What seems to be wrong with this sql statement?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

$strSQL_Delete = mysql_query("DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' and reviewID =" . $_POST['reviewID']) or die(mysql_error());
0
Comment
Question by:pingeyeg
  • 8
  • 5
  • 5
18 Comments
 
LVL 24

Expert Comment

by:glcummins
Comment Utility
When you encounter errors like this, it helps to see the entire SQL statement as it is submitted, rather than with the variables in place. Try this modification to your code:

$query = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' AND reviewID =" . $_POST['reviewID'];
$strSQL_Delete = mysql_query($query) or die ("The following query failed: $query. <br /> The MySQL error was: " . mysql_error());

This seperates the query string from the mysql_query statement so that we can see exactly what is being submitted. There is a possibility that one of the $_POST variables you are submitting has an errant quote in it.
0
 
LVL 27

Expert Comment

by:yodercm
Comment Utility
"
DELETE FROM tblReviews WHERE strCompanyname =
'
"
 . $_POST['strCompanyname'] .
"
'
and
reviewID =
"
 . $_POST['reviewID']

I've separated out where you have single and double quotes mixed together.  As you can see, the structure doesn't make sense.  What you probably mean to do is

"DELETE FROM tblReviews WHERE strCompanyname = " . $_POST['strCompanyname'] . " and reviewID =" . $_POST['reviewID']

It would be much easier for you if you would use the syntax

$sqlquery = "DELETE FROM tblReviews WHERE strCompanyname = " . $_POST['strCompanyname'] . " and reviewID =" . $_POST['reviewID'];

$strSQL_Delete = mysql_query($sqlquery) or die(mysql_error());


0
 
LVL 27

Expert Comment

by:yodercm
Comment Utility
Oops, you do need the single quotes also:

$sqlquery = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname']' " . " and reviewID =" . $_POST['reviewID'];
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
Either way I code it, I still get the same error message.
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
I know that.  I kept them in.  Thanks though.
0
 
LVL 24

Expert Comment

by:glcummins
Comment Utility
@yodercm:

 strCompanyname = ' " . $_POST['strCompanyname']' "

This will result in mis-matched singe quotes. You have the first single quote inside the double-quoted string, but the second occurs outside of it. pingeyeg had it correct the first time, as far as I can tell.
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
This is what I have right now, but like I said I get the same error message:

$strSQL_Delete = "DELETE FROM tblReviews WHERE strCompanyname = '" . $_POST['strCompanyname'] . "' and reviewID =" . $_POST['reviewID'];
$SQL = mysql_query($strSQL_Delete) or die(mysql_error());
0
 
LVL 24

Expert Comment

by:glcummins
Comment Utility
Change:

$SQL = mysql_query($strSQL_Delete) or die(mysql_error());

to:

$strSQL_Delete = mysql_query($query) or die ("The following query failed: $query. <br /> The MySQL error was: " . mysql_error());

so that we can see the entire SQL query as it is submitted to the server. We don't currently know what is contained in '$_POST['strCompanyname']' and '$_POST['reviewID']', so we cannot accurately troubleshoot the statement.
0
 
LVL 24

Expert Comment

by:glcummins
Comment Utility
Or rather:

$SQL = mysql_query($strSQL_Delete) or die ("The following query failed: $strSQL_Delete. <br /> The MySQL error was: " . mysql_error());

(Sorry, I had the variable names wrong the first time).
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
Not sure why I am not getting the values from the variables, but this is my result:

The following query failed: DELETE FROM tblReviews WHERE strCompanyname = '' and reviewID =.
The MySQL error was: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
0
 
LVL 24

Expert Comment

by:glcummins
Comment Utility
Do you want us to take a look at that part of the code, or will you troubleshoot that?

Make sure that the form that posts the data is using 'method="POST"', and that the field names are correct.
0
 
LVL 27

Accepted Solution

by:
yodercm earned 500 total points
Comment Utility
Ok, the best solution is to clean up the messy query!

First of all, you should NEVER use a $_POST directly in a query.  It leaves you WIDE OPEN to SQL Injection hacking.  So do this:

$inputcompanyname = htmlentities($_POST['strCompanyname'],ENT_QUOTES);
$inputreviewID = htmlentities($_POST['reviewID'],ENT_QUOTES);

$strSQL_Delete = "DELETE FROM tblReviews WHERE strCompanyname = '$inputcompanyname' and reviewID = '$inputreviewID' ";

$SQL = mysql_query($strSQL_Delete) or die(mysql_error());
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
Ok, I'm no longer getting an error, but the requested review isn't being deleted either.
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
Ok, right now I got the company to show, but the reviewID is showing as reviewID instead of a number when displaying the sql statement.

DELETE FROM tblReviews WHERE strCompanyname = 'Plumbing When You Need It' and reviewID = 'reviewID'
0
 
LVL 27

Expert Comment

by:yodercm
Comment Utility
$inputcompanyname = htmlentities($_POST['strCompanyname'],ENT_QUOTES);
$inputreviewID = htmlentities($_POST['reviewID'],ENT_QUOTES);

echo "input company name = $inputcompanyname <br>";
echo "input review ID = $inputreviewID <br>";

See if the values are correct.
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
Nope:

input company name = Plumbing When You Need It
input review ID = reviewID
0
 
LVL 27

Expert Comment

by:yodercm
Comment Utility
So, you are getting the string "reviewID" instead of the correct ID number.  Fix that in your form input.
0
 
LVL 1

Author Comment

by:pingeyeg
Comment Utility
Nevermind, I got it.  Thanks!
0

Featured Post

Easy Project Management (No User Manual Required)

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now