0

I was having a look around but I did not seem to find the right answer to this problem I am having. Whenever I run this UPDATE MySQL script, it calls the error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Email='[email protected]', Phone='123456780', Address='16 Remote Street',' at line 1

Here is the code I am using to get this error.

<?php 
include ('cfg_prop.php');
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$secondemail = $_POST['secondary'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$country = $_POST['country'];
$postcode = $_POST['postcode'];
$company = $_POST['company'];
$city = $_POST['city'];

$sql = "UPDATE users SET Firstname='$firstname', Lastname='$lastname', Email='$email', Secondary Email='$secondemail', Phone='$phone', Address='$address', Country='$country', Postcode='$postcode', Company='$company', City='$city' WHERE Username='$userss'";
mysql_query($sql) or die(mysql_error());
?>

If anyone could help me, I would be really happy and grateful as I just can't seem to get over this. Thanks in advance for the help.

  • Alter Arch
3
  • Thanks everyone for your help. It worked. I really appreciate it guys! Commented Nov 8, 2011 at 11:59
  • When you have decided which answer is the most helpful to you, mark it as the accepted answer by clicking on the check box outline to the left of the answer. stackoverflow.com/faq#howtoask Commented Nov 8, 2011 at 12:10
  • @hsz Ok. I will do that. Commented Nov 8, 2011 at 12:20

5 Answers

6

First of all - you have to escape data from the $_POST superglobal because of the easy SQL injection attack.

$email = mysql_real_escape_string($_POST['email']);

Next thing: you cannot use Secondary Email because there is whitespace that causes an error.

You have to change the column's name to Secondary_Email.

Or just use

`Secondary Email`

instead (but do not do this - columns should not have whitespaces in their names).


1 Comment

Thanks for the security tip!
1
Secondary Email

Column has a space in its name; you should use the backtick symbol:

`

So:

$sql = "UPDATE users SET Firstname='$firstname', Lastname='$lastname', Email='$email', `Secondary Email`='$secondemail', Phone='$phone', Address='$address', Country='$country', Postcode='$postcode', Company='$company', City='$city' WHERE Username='$userss'";

1 Comment

Thank you so much. That was the fastest reply so I am voting yours up. It worked!
1

Try this:

UPDATE users SET 
    Firstname='$firstname', 
    Lastname='$lastname', 
    Email='$email', 
    `Secondary Email`='$secondemail', 
    Phone='$phone', 
    Address='$address', 
    Country='$country', 
    Postcode='$postcode', 
    Company='$company', 
    City='$city' 
WHERE Username='$userss'

Secondary Email must be enclosed in backticks because it contains whitespace.
Remember to sanitize user input to avoid SQL Injection.

2 Comments

Thanks, I wanted to keep it all in one line though just so it is compact.
@DarayusNanavati: you can keep it in one line. My solution is just more readable, but you can strip newlines away!!
0

Escape the field Secondary Email

$sql = "UPDATE users SET Firstname='$firstname', Lastname='$lastname', Email='$email', `Secondary Email`='$secondemail', Phone='$phone', Address='$address', Country='$country', Postcode='$postcode', Company='$company', City='$city' WHERE Username='$userss'";


0

Try this:

$sql = "UPDATE `users` SET `Firstname`='$firstname', `Lastname`='$lastname', `Email`='$email', `Secondary Email`='$secondemail', `Phone`='$phone', `Address`='$address', `Country`='$country', `Postcode`='$postcode', `Company`='$company', `City`='$city' WHERE `Username`='$userss'";

but this method of writing a query is highly recommended by SQL injection!

2 Comments

Wasn't entirely sure if you were being sarcastic on the SQL injection bit but I am looking into mysql_real_escape_string now
good! Always use the function mysql_real_escape_string() when you take data via post!
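
The escaping advice in the answers above can also be met with bound parameters. The following is an added example, not code from the question or any answer: it uses PDO prepared statements instead of the mysql_* functions (which were removed in PHP 7), keeps the `Secondary Email` column in backticks, and takes column names from a fixed list. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the $post array and $username value are constructed sample input.

```php
<?php
// Added example, not code from the question or any answer.
// Assumption: in-memory SQLite stands in for MySQL so this runs offline;
// SQLite also accepts MySQL-style backticks around identifiers.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also turn off emulation so the server prepares the statement:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (Username TEXT PRIMARY KEY, Lastname TEXT,
            Email TEXT, `Secondary Email` TEXT)');
$pdo->exec("INSERT INTO users (Username) VALUES ('alice'), ('bob')");

// Constructed sample input standing in for $_POST.
$post = [
    'lastname'  => "O'Brien",            // legitimate apostrophe
    'email'     => 'alice@example.com',
    'secondary' => "x' -- ",             // stray quote and comment marker
];
$username = 'alice'; // constructed; the question's code uses $userss here

// Map form fields to column names. Identifiers cannot be bound as
// parameters, so they come from this fixed list, never from the request.
$columns = [
    'lastname'  => 'Lastname',
    'email'     => 'Email',
    'secondary' => 'Secondary Email',
];

$set = [];
$params = [':username' => $username];
foreach ($columns as $field => $column) {
    if (!array_key_exists($field, $post)) {
        continue;                        // field not submitted: leave column alone
    }
    $set[] = "`$column` = :$field";      // backticks handle the space in the name
    $params[":$field"] = $post[$field];  // value travels separately from the SQL
}

$stmt = $pdo->prepare('UPDATE users SET ' . implode(', ', $set) .
                      ' WHERE Username = :username');
$stmt->execute($params);

echo 'rows updated: ', $stmt->rowCount(), "\n";
foreach ($pdo->query('SELECT * FROM users', PDO::FETCH_ASSOC) as $row) {
    echo json_encode($row), "\n";        // values are stored exactly as submitted
}
```

Because the values are bound rather than spliced into the string, the apostrophe in the last name and the quote in the secondary address reach the table as plain data and the statement text never changes.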
