Page 1 of 2 12 Last
  • Jump to page:
    #1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0

    Error in sql syntax check manual


    <?php
    //connect to mysql
    $db=mysql_connect("localhost","root","") or die("Unable to connect.Pls check your connection parameters");
    mysql_select_db('moviesite',$db) or die("Unable to connect.Pls check your connection parameters");
    $query= "SELECT movie_id,movie_name,movie_type,movie_year,movie_leadactor,movie_director,movie_running_time,movie_co st,movie_takings FROM movie WHERE movie_id=".$_GET['movie_id'];


    $result=mysql_query($query,$db) or die(mysql_error($db));

    $row=mysql_fetch_assoc($result);


    function get_director($director_id)
    {
    global $db;
    $query="SELECT people_fullname FROM people WHERE people_id=".$director_id;
    $result=mysql_query($query,$db) or die(mysql_error($db));
    $row=mysql_fetch_assoc($result);
    extract($row);
    return $people_fullname;

    }



    $movie_name=$row['movie_name'];
    $movie_director=get_director($row['movie_director']);























    ?>
    <html>
    <head>
    <title>Details and Reviews for: $movie_name</title>
    </head>
    <body>
    <div style="text-align:center; ">
    <h2>$movie_name</h2>
    <h3><em>Details</em></h3>
    <table border="1" cellpadding="2" cellspacing="2" style=" width:70%; margin-left:auto; margin-right:auto; ">
    <tr>
    <td><strong>Title</strong></td>
    <td>$movie_name</td>
    <td><strong>Release Year</strong></td>
    <td>$movie_year</td>
    </tr>
    <tr>
    <td><strong>Movie Director</strong></td>
    <td>$movie_director</td>
    <td><strong>Cost</strong></td>
    <td>$movie_cost</td>
    </tr>
    <tr>
    <td><strong>Lead Actor</strong></td>
    <td>$movie_leadactor</td>
    <td><strong>Taking</strong></td>
    <td>$movie_takings</td>
    </tr>
    <tr>
    <td><strong>Running Time</strong></td>
    <td>$movie_running_time</td>
    <td><strong>Health</strong></td>
    <td>$movie_health</td>
    </tr>
    </table>
    </div>
    </body>
    </html>




    the error is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'title' at line 1...............this file is linked to another file via $_get method in above file and href in below file













    <a href="movie_details.php?movie_id=$movie_id title" title="click here to know more about $movie_name"><?php echo $movie_name ; ?></a>
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    119
    Rep Power
    32
    You are missing closing " on your queries
    PHP Code:
    $query"SELECT movie_id,movie_name,movie_type,movie_year,movie_leadactor,movie_director,movie_running_time,movie_co st,movie_takings FROM movie WHERE movie_id=' " .$_GET['movie_id'], " ' "
    PHP Code:
    $query="SELECT people_fullname FROM people WHERE people_id=' " $director_id " ' "
    But also double check that you are getting the id by using

    PHP Code:
    if (isset($_GET['movie_id'])) {
    .
    .
    // Rest of your code here
    .
    .

  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    your query code is wrong and extremely dangerous, because you allow anybody to manipulate the query through the URL parameter (this also applies to simplypixie's reply).

    For example, I could most probably fetch your admin password or any data I want by simply putting "... UNION SELECT ..." into the movie_id parameter, which will then change your query. See SQL injection for more details.

    So never put raw data into a query. You should actually dump the obsolete mysql_ functions completely and switch to a modern extension which allows prepared statements.

    A prepared statement is a kind of query template that allows you to safely pass values to a query. With PDO, it works like this:
    PHP Code:
    <?php

    // connect to database
    $db = new PDO('mysql:host=localhost;dbname=your_db''your_user''your_password');

    // create prepared statement
    $statement $db->prepare('
        SELECT
            `movie_id`
            , `movie_name`
            , `movie_type`
        FROM
            `movie`
        WHERE
            `movie_id` = :movie_id
    '
    );
    // pass value to the query and execute it
    $statement->execute(array(                    
        
    ':movie_id' => $_GET['movie_id']
    ));    
    // get next row of result set    
    $row $statement->fetch();
    If, for some reason, you must stick to the mysql_ functions, then you have to escape every value "by hand" by wrapping it in quotes and applying mysql_real_escape_string() to it.

    The same problem also applies to your HTML, so you really should up on security before you put that page online. Otherwise it won't take long until somebody trashes it, steal your data and whatnot.

    By the way, is that strange URL
    Code:
    href="movie_details.php?movie_id=$movie_id title"
    really meant to be like that? What's the " title" doing there?
  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0

    problem not solved


    by that way its giving various errors........
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0

    problem not solved


    by this way its giving various errors........
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Have you replaced "your_db" etc.?

    Please take some time to get the code running. I doubt you've actually checked everything in just 4 minutes. If you can't get it working in, say, 30 minutes, come back and give us the concrete error message.
  12. #7
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0

    sir pls solve my this query


    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'title' at line 1










    this error is coming again and again
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    For god's sake, would you stop complaining for a minute and try to actually fix the error with the advice you get?

    If you're waiting for us to do the work, that won't happen. We can help you, but you have to do the programming. So please, give yourself 30 minutes to fix the broken URL and implement the database code.
  16. #9
  17. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    119
    Rep Power
    32
    Jacques1 - I completely agree with your post about security issues etc, but I could not entirely work out what the OP was trying to do so just pointed out the obvious errors in the queries that I could see.
  18. #10
  19. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by simplypixie
    Jacques1 - I completely agree with your post about security issues etc, but I could not entirely work out what the OP was trying to do so just pointed out the obvious errors in the queries that I could see.
    Sure, but I doubt that will fix the problem. I think the URL parameter with the appended " title" is simply broken (a typo, probably).
  20. #11
  21. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0
    now the error is different



    Unknown column '$movie_id' in 'where clause'
  22. #12
  23. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    119
    Rep Power
    32
    Originally Posted by chinkoo
    now the error is different
    Unknown column '$movie_id' in 'where clause'
    What is your code now?????
  24. #13
  25. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0

    code now


    <?php
    //connect to mysql
    $db=mysql_connect("localhost","root","") or die("Unable to connect.Pls check your connection parameters");
    mysql_select_db('moviesite',$db) or die("Unable to connect.Pls check your connection parameters");
    $query= "SELECT 'movie_id','movie_name','movie_type','movie_year','movie_leadactor','movie_director','movie_running_ time','movie_cost','movie_takings' FROM movie WHERE movie_id=".$_GET['movie_id'] ;


    $result=mysql_query($query,$db) or die(mysql_error($db));

    $row=mysql_fetch_assoc($result);


    function get_director($director_id)
    {
    global $db;
    $query="SELECT people_fullname FROM people WHERE people_id=".$director_id;
    $result=mysql_query($query,$db) or die(mysql_error($db));
    $row=mysql_fetch_assoc($result);
    extract($row);
    return $people_fullname;

    }



    $movie_name=$row['movie_name'];
    $movie_director=get_director($row['movie_director']);























    ?>
    <html>
    <head>
    <title>Details and Reviews for: $movie_name</title>
    </head>
    <body>
    <div style="text-align:center; ">
    <h2>$movie_name</h2>
    <h3><em>Details</em></h3>
    <table border="1" cellpadding="2" cellspacing="2" style=" width:70%; margin-left:auto; margin-right:auto; ">
    <tr>
    <td><strong>Title</strong></td>
    <td>$movie_name</td>
    <td><strong>Release Year</strong></td>
    <td>$movie_year</td>
    </tr>
    <tr>
    <td><strong>Movie Director</strong></td>
    <td>$movie_director</td>
    <td><strong>Cost</strong></td>
    <td>$movie_cost</td>
    </tr>
    <tr>
    <td><strong>Lead Actor</strong></td>
    <td>$movie_leadactor</td>
    <td><strong>Taking</strong></td>
    <td>$movie_takings</td>
    </tr>
    <tr>
    <td><strong>Running Time</strong></td>
    <td>$movie_running_time</td>
    <td><strong>Health</strong></td>
    <td>$movie_health</td>
    </tr>
    </table>
    </div>
    </body>
    </html>





    and another one is




    <?php
    ob_start();





    //connect to mysql
    $db=mysql_connect('localhost','root','') or die('Unable to connect.Pls check your connection parameters.');
    //make sure using the right database
    mysql_select_db('moviesite',$db) or die(mysql_error($db));
    //retrieve information

    //take in the id of a director and return his/her full name
    function get_director($director_id)
    {
    global $db;
    $query='SELECT people_fullname FROM people WHERE people_id='.$director_id or die(mysql_error($db));
    $result=mysql_query($query,$db) or die(mysql_error($db));
    $row=mysql_fetch_assoc($result) or die(mysql_error($db));
    extract($row);
    return $people_fullname;
    }




    //take in the id of a lead actor and return his/her full name
    function get_leadactor($leadactor)
    {
    global $db;
    $query='SELECT people_fullname FROM people WHERE people_id='.$leadactor;
    $result=mysql_query($query,$db);
    $row=mysql_fetch_assoc($result);
    extract($row);
    return $people_fullname;
    }


    //take in the id of a movie type and give a meaningful name
    function get_movietype($movietype_id)
    {
    global $db;
    $query="SELECT movietype_label FROM movietype WHERE movietype_id=".$movietype_id;
    $result=mysql_query($query,$db) or die(mysql_error($db));
    $row=mysql_fetch_assoc($result);
    extract($row);
    return $movietype_label;
    }


    $query="SELECT movie_name,movie_year,movie_director,movie_leadactor,movie_type FROM movie ORDER BY movie_name ASC,movie_year DESC";
    $result=mysql_query($query,$db) or die(mysql_error($db));
    ?>
    <div style="text-align:center;">
    <table border=1 cellpadding=2 cellspacing="2" style="width:70%; margin-left:auto; margin-right:auto; ">
    <tr>
    <td>Movie Title</td>
    <td>Year of Release</td>
    <td>Movie Director</td>
    <td>Movie Lead Actor</td>
    <td>Movie Type</td>
    </tr>

    <?php
    while($row=mysql_fetch_assoc($result))
    {
    extract($row);
    $director=get_director($movie_director);
    $leadactor=get_leadactor($movie_leadactor);
    $query='SELECT movie_name FROM movie' ;
    $query='SELECT movie_year FROM movie' ;
    $movietype=get_movietype($movie_type); ?>
    <tr>
    <td><a href="movie_details.php?movie_id=$movie_id"><?php echo $movie_name ; ?></a></td>
    <td><?php echo $movie_year ; ?></td>
    <td><?php echo $director ;?></td>
    <td><?php echo $leadactor; ?></td>
    <td><?php echo $movietype ; ?></td>
    </tr>
    <?php } ?>



    </table>
    </div>
  26. #14
  27. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2012
    Posts
    119
    Rep Power
    32
    Well it doesn't look like you have changed anything at all based on the advice given, for example I pointed out that your query formation was incorrect and provided examples of how it should be but you still have the same queries as before

    PHP Code:
    WHERE movie_id=".$_GET['movie_id'] ; 
    I told you to change this to

    PHP Code:
    WHERE movie_id=' " . $_GET['movie_id'] . " ' "; 
    And you haven't (in both queries I commented on before)

    Also don't forget to follow earlier advice about escaping the data before inserting into your queries to prevent injection by using mysql_real_escape_string()
  28. #15
  29. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    13
    Rep Power
    0
    dont you think that the parser will be confused by this kind of placement of codes like double codes and single codes
Page 1 of 2 12 Last
  • Jump to page:

IMN logo majestic logo threadwatch logo seochat tools logo