MySQL help

January 16th, 2013, 03:54 PM
Hi all
I am sort of new to MySQL
I have installed a script on my website and need help with the following if ok
My wife created an account and used a few capital letters and a space in her username and logged in all OK, and the page is where to write status updates and where a share button is. I am getting the following error; it only happens when capital letters and spaces are used
How would I go about fixing it please
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's' ORDER BY messages_id DESC' at line 1
Thank you in advance, I can paste any coding or give the website address if need be to look at
Thanks in advance
Ian

January 16th, 2013, 05:08 PM
Lost in code
It sounds like a problem with the script you installed. If the script is throwing that sort of error it usually means there is a SQL injection vulnerability in it and you would be advised to not use it.

January 16th, 2013, 06:13 PM
SQL Consultant
Join Date: Feb 2003
Location: Toronto Canada
Quote: Originally Posted by ianhaney: "I can paste any coding"
paste the query that's throwing the error

January 17th, 2013, 03:22 AM
Hi r937
Thank you for the reply
I think this is the query that is relating to the error
$query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".$_SESSION['SESS_FIRST_NAME'] ."' ORDER BY messages_id DESC";
$result = mysql_query($query);

January 17th, 2013, 04:49 AM
SQL Consultant
Quote: Originally Posted by ianhaney: "I think this is the query that is relating to the error"
that's the php code that generates the query
put an echo just before you execute the query, so that we can see what was actually passed to mysql that created the error

January 17th, 2013, 05:12 AM
Hi
Hope I have done it right
echo $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".$_SESSION['SESS_FIRST_NAME'] ."' ORDER BY messages_id DESC";
$result = mysql_query($query);
Thank you for your help so far
Ian

January 17th, 2013, 05:52 AM
SQL Consultant
Quote: Originally Posted by ianhaney: "Hope I have done it right"
that's still just php code (and i don't think it's the right call to the echo function)
what i want to see is what the echo produces, the query without the php variable stuck in it, but rather, the value of that php variable at the time of execution

January 17th, 2013, 06:45 AM
Ok might need bit of help with that as not 100% sure on what you need, is it ok to email you the file to look at, sorry for being a pain

January 17th, 2013, 11:24 AM
SQL Consultant
Quote: Originally Posted by ianhaney: "Ok might need bit of help with that as not 100% sure on what you need, is it ok to email you the file to look at, sorry for being a pain"
no, it's not okay, sorry
read the php manual for the correct syntax for echo
then execute the echo instead of (or just prior to) executing mysql_query
echo will produce some output -- copy/paste that output here

January 17th, 2013, 05:04 PM
Lost in code
PHP Code:
echo $query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".$_SESSION['SESS_FIRST_NAME'] ."' ORDER BY messages_id DESC";
Should execute fine; when it does (ie: when you save the code / upload it / visit it in your browser), it will output the actual SQL query that is being run. That output is what he needs to see.

January 17th, 2013, 05:57 PM
SQL Consultant
Quote: Originally Posted by E-Oreo: "Should execute fine"
huge disclaimer: i don't do php
doesn't echo take a string argument? this seems to be passing an assignment, not a string
but if you say it works, great
i just wanna see the final query string, because, going back to post #1, the problem is the value passed as "session first name" -- i'm guessing it contains a single quote

January 17th, 2013, 06:19 PM
Lost in code
Quote: "doesn't echo take a string argument? this seems to be passing an assignment, not a string"
Yep that's true; but in PHP an assignment is an expression that evaluates to whatever value was assigned, and due to order of operations the assignment happens before the echo, so echo actually does end up getting a string argument in this case. Normally you wouldn't write code like that though because it's confusing to read...
Quote: "i just wanna see the final query string, because, going back to post #1, the problem is the value passed as "session first name" -- i'm guessing it contains a single quote"
That's my feeling as well... actually the fix probably just involves changing the PHP for the query to:
PHP Code:
$query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='" . mysql_real_escape_string($_SESSION['SESS_FIRST_NAME']) ."' ORDER BY messages_id DESC";
Although if the problem exists here it almost certainly exists elsewhere in the code too.
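
An added example, not part of the original thread: it reproduces the failure with a constructed username containing an apostrophe, then runs the same lookup as a PDO prepared statement, the replacement for the `mysql_*` functions, which were removed in PHP 7. An in-memory SQLite database stands in for MySQL so it runs offline; the table layout and sample values are assumptions.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; the table layout and the sample name are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE message (
    messages_id  INTEGER PRIMARY KEY,
    poster       TEXT,
    body         TEXT,
    date_created INTEGER
)");

// Constructed value standing in for $_SESSION['SESS_FIRST_NAME'].
$name = "Ian's Wife";

// Bound parameters store the apostrophe as plain data.
$ins = $db->prepare(
    "INSERT INTO message (poster, body, date_created) VALUES (?, ?, ?)"
);
$ins->execute([$name, 'first status update', time() - 60]);

// 1) The thread's original pattern: the value is pasted into the SQL text.
//    The apostrophe ends the string literal early, so the parser fails on
//    the leftover text, as in the error quoted in the first post.
$concat = "SELECT * FROM message WHERE poster='" . $name
        . "' ORDER BY messages_id DESC";
echo "Query sent: $concat\n";
try {
    $db->query($concat);
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}

// 2) Prepared statement: the SQL text is fixed and the value travels
//    separately, so no escaping call is needed and none can be forgotten.
//    On MySQL, keep UNIX_TIMESTAMP() in place of the strftime() expression.
$stmt = $db->prepare(
    "SELECT *, CAST(strftime('%s', 'now') AS INTEGER) - date_created AS TimeSpent
       FROM message
      WHERE poster = :poster
      ORDER BY messages_id DESC"
);
$stmt->execute([':poster' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "Prepared query returned " . count($rows) . " row(s) for "
   . $rows[0]['poster'] . "\n";
```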

January 18th, 2013, 02:07 AM
I changed the coding to the following but still got the error so it must be elsewhere as well in another file or something
$query = "SELECT *, UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='".mysql_real_escape_string($_SESSION['SESS_FIRST_NAME']) . "' ORDER BY messages_id DESC";

January 18th, 2013, 02:14 AM
It's fixed, I had the following in the coding still
echo $query; exit();
so took that out and works perfect now so if I get the error elsewhere on another page etc, I just change the coding to the following
$query = "SELECT *,UNIX_TIMESTAMP() - date_created AS TimeSpent FROM message WHERE poster='" . mysql_real_escape_string($_SESSION['SESS_FIRST_NAME']) ."' ORDER BY messages_id DESC";
$result = mysql_query($query);
Is that right?
Thank you so much
Ian

January 18th, 2013, 02:21 AM
Please don't post in multiple forums, at least not without mentioning in one or other of them that that's what you've done.
And believe it or not most people here are looking for help with MySQL so next time try to provide a more informative thread title.