0

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 7

When I try to edit a record, I get this error. Please can anybody tell me why this happened?

```php
<?php
$db = mysql_connect('localhost','root','') or die('unable to connect');
mysql_select_db('demo',$db) or die(mysql_error($db));
?>
<html>
<head>
<title>Commit</title>
</head>
<body>
<?php
switch($_GET['action']){
    case 'add';
        switch($_GET['type']){
            case 'student';
                $query = 'insert into student 
                (student_name,streamid,book1,book2)
                values
                ("'. $_POST['student_name'] . ' ",
                 ' . $_POST['stream'] . ' ,
                 ' . $_POST['book1'] . ' ,
                 ' . $_POST['book2'] . ' )'; 
                break;
        }
        break;
    case 'edit';
        switch ($_GET['type']){
            case 'student';
                $query = 'UPDATE student SET 
                student_name = " ' . $_POST['student_name'] . ' " ,
                streamid =  ' .  $_POST['stream'] . ' ,
                book1 =  ' . $_POST['book1'] . ' ,
                book2 =  ' . $_POST['book2'] . '
                WHERE
                st_id =' . $_POST['st_id'];
                break;
        }
        break;
}
if(isset($query)){
    $result = mysql_query($query,$db) or die(mysql_error($db));
}
echo 'done';
?>
</body>
</html>
```

Samir Paruthi
  • [`var_export()`](http://www.php.net/manual/en/function.var-export.php) the query and if you do not see the error, add the query to your question. – Oswald Jun 08 '13 at 08:46
  • BEWARE SQL INJECTION, before it hits you around the ears with a wet haddock – Mark Baker Jun 08 '13 at 08:47
  • Your unsanitized `$_POST` parameters may be interfering with the SQL query. – Blender Jun 08 '13 at 08:48
  • Looks like your form isn't posting `st_id` – Mark Baker Jun 08 '13 at 08:48
  • Do this: echo $query; then look closely at the output. Paste it into your db and see where the error is. – Cups Jun 08 '13 at 08:48
  • Teach somebody to debug their problems and they'll be able to fix any problem they ever encounter; Fix a problem for somebody, and they'll be back to ask for you to fix every problem they ever encounter – Mark Baker Jun 08 '13 at 08:58

2 Answers

0

The problem is that you assumed the page request you received was using both GET and POST methods, which is impossible by the definition of the HTTP protocol. You used in your code something like "switch($_GET[...])" and immediately after that, you tried to get the values from the $_POST array, which will obviously be empty, since the request was using GET method.

The workaround would be to replace all your "$_POST" occurrences with "$_GET", but the real problem is that your assumptions were wrong. Either work with $_POST or with $_GET. If you want to make your page able to handle both POST and GET methods equally, you could replace all occurrences of $_POST and $_GET with $_REQUEST.

Also, you have a lot of SQL injections in your code, which makes your code VERY insecure and ill-written. Always check and sanitize the values provided by the user from $_GET, $_POST, $_REQUEST, etc. Not to mention you have errors in your PHP code, like "case 'add';" which should be "case 'add':" (note the colon character instead of a semicolon).

Mladen B.
  • 1
    Just a note here, but it's absolutely not impossible to receive GET and POST data consider sending this form `
    ` You would receive both `$_GET['getparam']` AND `$_POST['postparam']`
    – Dale Jun 08 '13 at 08:57
  • I believe that would be a "feature" of the php itself. The proper behavior would be to populate $_POST array, since the method used to submit the page was POST. $_GET array should be empty, and the 'getparam' should still be accessible using $_SERVER['QUERY_STRING']. – Mladen B. Jun 08 '13 at 09:05
  • But if I insert data by using the GET case and take the values from POST, it works, dear. – Samir Paruthi Jun 08 '13 at 09:12
  • Well, OK, in that case, just use `var_dump($query)` and see what the actual $query looks like. I believe you'll see that some parts of the query are missing, probably due to this GET/POST mixture. – Mladen B. Jun 08 '13 at 09:23
  • Can you send me simple PHP code for editing records in a database, to my mail ID? – Samir Paruthi Jun 08 '13 at 09:28
  • You can read this tutorial: http://www.freewebmasterhelp.com/tutorials/phpmysql Just a note: never use values provided by the user to write them directly in the database, because you risk suffering from SQL injection. Always use some form of sanitization of user-provided values, like this: `$ud_id=mysql_escape_string($_POST['ud_id']);` – Mladen B. Jun 08 '13 at 09:30
0
Try like

```php
$query = 'UPDATE student SET 
                        student_name = " ' . $_POST['student_name'] . ' " ,
                        streamid =  ' . $_POST['stream'] . ' ,
                        book1 =  ' . $_POST['book1'] . ' ,
                        book2 =  ' . $_POST['book2'] . '
                        WHERE
                        st_id =' . $_POST['st_id'].'';
```

  • Remove "" from `student_name = " ' . $_POST['student_name'] . ' " ,` then check. – user2380429 Jun 08 '13 at 09:11
  • This query executes in the database. Put your data in the query fields and check whether the query executes or not: `UPDATE student SET student_name = ' demo' , streamid = '12345' , book1 = 'the nagas' , book2 = 'the meluha ' WHERE st_id ='2'` – user2380429 Jun 08 '13 at 09:24
  • It's clear now: the problem was that it is not getting the student id. Now it's clear. – Samir Paruthi Jun 08 '13 at 09:51
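
The two points the thread converges on (the edit form not posting `st_id`, and user input concatenated into the SQL), shown as an added example that is not code from any poster: the request is rejected when `st_id` is absent or non-numeric, and every value is bound through a prepared statement. The helper name `updateStudent`, the in-memory SQLite database, the column types and the sample POST arrays are assumptions made so the block runs offline.

```php
<?php
// Added example, not code from the thread. Uses PDO with in-memory SQLite so it
// runs offline; for MySQL use a DSN like 'mysql:host=localhost;dbname=demo'.

// Hypothetical helper: validate the posted ids, then UPDATE with bound values.
function updateStudent(PDO $pdo, array $post): int
{
    // A missing st_id is what made the concatenated query end at
    // "WHERE st_id =" and fail with "near ''"; reject it before any SQL runs.
    $ints = [];
    foreach (['st_id', 'stream'] as $field) {
        $value = filter_var($post[$field] ?? null, FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("$field is missing or not an integer");
        }
        $ints[$field] = $value;
    }
    // Placeholders keep user input, quotes included, out of the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE student
            SET student_name = :name, streamid = :stream, book1 = :book1, book2 = :book2
          WHERE st_id = :id'
    );
    $stmt->execute([
        ':name'   => trim($post['student_name'] ?? ''),
        ':stream' => $ints['stream'],
        ':book1'  => $post['book1'] ?? '',
        ':book2'  => $post['book2'] ?? '',
        ':id'     => $ints['st_id'],
    ]);
    return $stmt->rowCount();
}

// Constructed table and row standing in for the thread's `student` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE student (st_id INTEGER PRIMARY KEY, student_name TEXT,
            streamid INTEGER, book1 TEXT, book2 TEXT)');
$pdo->exec("INSERT INTO student VALUES (2, 'demo', 1, 'a', 'b')");

// Constructed POST bodies: a complete one, and one without st_id as in the question.
$ok = ['st_id' => '2', 'student_name' => "D'Souza", 'stream' => '12345',
       'book1' => 'the nagas', 'book2' => 'the meluha'];
echo updateStudent($pdo, $ok), " row(s) updated\n";
try {
    updateStudent($pdo, array_diff_key($ok, ['st_id' => true]));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```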