Please can someone help me with this problem

I have this CMS project; on the edit_subject page I get an error that says: "The subject update failed. You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '} WHERE id = 1' at line 4". This is the page:

```php
<?php
// [the post starts mid-statement; the preceding lines are cut off]  ... 30);
foreach ($fields_with_lengths as $fieldname => $maxlength) {
    if (strlen(trim(mysql_prep($_POST[$fieldname]))) > $maxlength) {
        $errors[] = $fieldname;
    }
}
if (empty($errors)) {
    // Perform Update
    $id        = mysql_prep($_GET['subj']);
    $menu_name = mysql_prep($_POST['menu_name']);
    $position  = mysql_prep($_POST['position']);
    $visible   = mysql_prep($_POST['visible']);
    $query = "UPDATE subjects SET menu_name = '{$menu_name}', position = {$position}, visible = {visible} WHERE id = {$id}";
    $result = mysql_query($query, $connection);
    if (mysql_affected_rows() == 1) {
        // Success
        $message = "The subject was successfully updated.";
    } else {
        // Failed
        $message  = "The subject update failed. ";
        // [the markup inside this string was stripped when the post was pasted]
        $message .= "" . mysql_error();
    }
} else {
    // Errors occurred
    $message = "There were " . count($errors) . " errors in the form. ";
}
} // end: if (isset($_POST['submit']))
?>
Edit Subject:
<?php
// [the opening of this block and its HTML tags were stripped in the post]
    echo "" . $message . "";
} ?>
<?php
// [the opening of this block and its HTML tags were stripped in the post]
    echo "";
    echo "Please review the following fields;";
    foreach ($errors as $error) { // was foreach($errors as $errors), which overwrites the array being iterated
        echo " - " . $error . "";
    }
    echo "";
} ?>
Subject name:
```
Your post is quite poorly formatted, but it looks like you are missing a $ symbol where {visible} should be {$visible}.
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query. PHP: SQL Injection - Manual
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
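The parameterized form of the question's UPDATE, written here as an added example (it is not the asker's code or part of any answer above). It uses PDO prepared statements; the table and column names (subjects, menu_name, position, visible, id) and the 30-character limit come from the question, while the DSN, credentials, the `['menu_name' => 30]` field list and the split into validate/update helpers are assumptions for illustration. Because the SQL text contains only placeholders, the values submitted through the form can never change the structure of the statement, which is the point of the answer above.

```php
<?php
// Added example, not the page's own code: the question's UPDATE rewritten as
// a parameterized query with PDO. Connection details are assumed.
declare(strict_types=1);

function connect(): PDO
{
    // Assumed DSN and credentials. ERRMODE_EXCEPTION turns driver errors into
    // exceptions instead of silent failures; disabling emulated prepares makes
    // MariaDB itself bind the parameters server-side.
    return new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * Validate the form input before anything touches the database.
 * Returns the names of the fields that failed (empty array = all good).
 */
function validate_subject(array $post, array $fields_with_lengths): array
{
    $errors = [];
    foreach ($fields_with_lengths as $fieldname => $maxlength) {
        $value = trim((string)($post[$fieldname] ?? ''));
        if ($value === '' || strlen($value) > $maxlength) {
            $errors[] = $fieldname;
        }
    }
    // position and visible are numeric columns: reject anything that is not
    // an integer (or 0/1 for visible) rather than letting it reach the query.
    if (filter_var($post['position'] ?? '', FILTER_VALIDATE_INT) === false) {
        $errors[] = 'position';
    }
    if (!in_array($post['visible'] ?? '', ['0', '1'], true)) {
        $errors[] = 'visible';
    }
    return array_values(array_unique($errors));
}

/**
 * Run the UPDATE with bound parameters and return the number of rows changed.
 * A menu_name such as  x'; DROP TABLE subjects; --  is stored as a plain
 * string because it is sent as data, not as part of the SQL text.
 */
function update_subject(PDO $pdo, int $id, string $menu_name, int $position, int $visible): int
{
    $sql = 'UPDATE subjects SET menu_name = :menu_name, position = :position, visible = :visible WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':menu_name', $menu_name, PDO::PARAM_STR);
    $stmt->bindValue(':position',  $position,  PDO::PARAM_INT);
    $stmt->bindValue(':visible',   $visible,   PDO::PARAM_INT);
    $stmt->bindValue(':id',        $id,        PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling, equivalent to the question's isset($_POST['submit']) branch.
if (isset($_POST['submit'])) {
    $fields_with_lengths = ['menu_name' => 30]; // assumed field list; 30 is the limit shown in the question
    $errors = validate_subject($_POST, $fields_with_lengths);
    $id = filter_input(INPUT_GET, 'subj', FILTER_VALIDATE_INT);

    if ($id === false || $id === null) {
        $message = 'No valid subject id supplied.';
    } elseif (empty($errors)) {
        try {
            $rows = update_subject(
                connect(),
                $id,
                trim((string)$_POST['menu_name']),
                (int)$_POST['position'],
                (int)$_POST['visible']
            );
            // As with mysql_affected_rows(), 0 rows also results from submitting unchanged values.
            $message = $rows === 1
                ? 'The subject was successfully updated.'
                : 'The subject update failed (no row was changed).';
        } catch (PDOException $e) {
            // Keep the driver message in the server log; do not echo it to the browser.
            error_log('subject update failed: ' . $e->getMessage());
            $message = 'The subject update failed.';
        }
    } else {
        $message = 'There were ' . count($errors) . ' errors in the form.';
    }
    // Escape on output so the message cannot inject HTML either.
    echo '<p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Two things differ from the original besides the placeholders: the numeric fields are validated as integers before the query is built, so the `{visible}` typo from the question could not have produced a runnable-but-wrong statement here (the placeholder either binds or `prepare()` throws), and the raw `mysql_error()` text goes to the server log instead of the page, which is what leaked the broken SQL fragment in the first place.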