MYSQL / PHP Syntax Wrong - Using POST value

Question

I get the following error about my syntax

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'replace='NOCOLOGY1' WHERE search='COMPANYNAME'' at line 1

$comp = "UPDATE msp_rereplacer SET replace='".addslashes($_POST[companyname])."' WHERE search='COMPANYNAME' ";

Can anyone pinpoint what I am missing?

addslashes() is not sufficient to prevent SQL Injection. Use a prepared/parameterised query. — MrCode
– MrCode, Commented Dec 10, 2012 at 12:15
It is a one time use script, so security issues will not matter as I delete after one use! — Jbevan
– Jbevan, Commented Dec 10, 2012 at 12:17

Mayank K. Swami · Accepted Answer · 2012-12-10 12:26:58Z

2

replace is Reserved Words try backticksreplacebackticks

and

 .addslashes($_POST[companyname]).

should be

.addslashes($_POST['companyname']).

$comp = "UPDATE msp_rereplacer SET `replace`='".addslashes($_POST['companyname'])."' WHERE search='COMPANYNAME' ";

rather

$comp = "UPDATE msp_rereplacer SET `replace`='".mysql_real_escape_string($_POST['companyname'])."' WHERE search='COMPANYNAME' ";

Note

Use of this extension(mysql_*) is discouraged. Instead, the MySQLi or PDO

Good Read

addslashes() Versus mysql_real_escape_string()

edited Dec 10, 2012 at 12:26

answered Dec 10, 2012 at 12:09

Mayank K. Swami

57.3k23 gold badges130 silver badges148 bronze badges

Sign up to request clarification or add additional context in comments.

7 Comments

Jbevan Over a year ago

Tried switching this, did not help

Mayank K. Swami Over a year ago

@JustinBevan try above query

Rohit Choudhary Over a year ago

WHy dont use mysql_real_escape_string()

Jbevan Over a year ago

It is working now using backticks, but this isn't for an actual program, merely a one time use script. Thanks though!

Mayank K. Swami Over a year ago

@RohitKumarChoudhary yup .... addslashes is more worse ,,, rather i want to use prepared statements

|

Mark Baker · Accepted Answer · 2012-12-10 12:09:48Z

0

replace is a MySQL reserved word.... quote it in backticks (`)

answered Dec 10, 2012 at 12:09

Mark Baker

213k34 gold badges354 silver badges390 bronze badges

2 Comments

Jbevan Over a year ago

Tried $comp = "UPDATE msp_rereplacer SET 'replace'='".addslashes($_POST['companyname'])."' WHERE search='COMPANYNAME' "; with no luck

Mark Baker Over a year ago

backticks (`), not single quotes (')

Collectives™ on Stack Overflow

MYSQL / PHP Syntax Wrong - Using POST value

2 Answers 2

7 Comments

2 Comments

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

7 Comments

2 Comments

Your Answer

Sign up or log in

Post as a guest

Related