-1

Hello, I have run a query using PHP and it gives an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'update,note,stream_a) values ('https://upload.wikimedia.org/wikipedia/ar/thu' at line 2

PHP code:

```php
$logo      = $_POST['logo'];
$name      = $_POST['name'];
$content   = $_POST['content'];
$country   = $_POST['country'];
$satellite = $_POST['satellite'];
$position  = $_POST['position'];
$frequency = $_POST['frequency'];
$system    = $_POST['system'];
$fec       = $_POST['fec'];
$quality   = $_POST['quality'];
$lang      = $_POST['lang'];
$url_ch    = $_POST['url_ch'];
$stream    = $_POST['stream'];
$update    = $_POST['update'];
$note      = $_POST['note'];
$stream_a  = $_POST['stream_a'];
$id        = $_POST['id'];
$gpageid = intval($_GET['id']);


#######################

if(isset($_POST['add']) and $_POST['add'] == 'newch') {
    $addnewpage = mysql_query("insert into channels
    (logo,name,content,country,satellite,position,frequency,system,fec,quality,lang,url_ch,stream,update,note,stream_a)
    values
    ('$logo','$name','$content','$country','$satellite','$position','$frequency','$system','$fec','$quality','$lang','$url_ch','$stream','$update','$note','$stream_a')
    ") or die(mysql_error());
    if(isset($addnewpage )){
        die("
            <center>Done</center>
            <meta http-equiv='refresh' content='2; url=?cpages=channels' />
        ");
    }
}
```
Sean Lange
Bin Salem
  • 3
    update is a reserved keyword in SQL, you need to put back ticks around it like `, 'update' but with back ticks, not '. Also, you should be writing this in mysqli since mysql is deprecated, unless your current environment isn't set up for PHP5+ you need to be learning mysqli – clearshot66 Jun 20 '17 at 15:55
  • 1
    Don't waste your time trying to learn the legacy mysql extension. It was deprecated several years ago and it's no longer part of the language since PHP/7. – Álvaro González Jun 20 '17 at 15:55
  • 1
    Output the query to the screen and see what it looks like. Also, NEVER put post values into a query. What would happen if I submitted `';DELETE FROM channels;` as the name? – Quasipickle Jun 20 '17 at 15:56
  • Making a database request without processing $_POST data may result in security issues. – Pierre HUBERT Jun 20 '17 at 15:57
  • @Pickle it will be a syntax error. The correct name should be `Robert');DELETE FROM channels;` – Alex Blex Jun 20 '17 at 15:59
  • 1
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jun 20 '17 at 16:07
  • **WARNING**: If you're just learning PHP, please, do not use the [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface. It’s so awful and dangerous that it was removed in PHP 7. A replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. Your user data is **not** [properly escaped](http://bobby-tables.com/php.html) and there are [SQL injection bugs](http://bobby-tables.com/) and can be exploited. – tadman Jun 20 '17 at 16:44
  • @clearshot66 Do PHP 4 instances still exist in the wild? PHP 5 launched in 2004 and it's extremely rare to see < PHP 5.2 servers out there. – tadman Jun 20 '17 at 16:47
  • @tadman they do, I've seen one. For a veryyyyy old system. But they were phasing it out. – clearshot66 Jun 20 '17 at 17:05

1 Answer

0

update is a reserved keyword in SQL, you need to put back ticks around it

...,stream,`update`,note,...

Also, you should be writing this in mysqli since mysql is deprecated. So unless your current environment isn't set up for PHP5+ you need to be learning mysqli functions.

clearshot66
  • @BinSalem There's a number of other severe problems you need to address before this is fixed. This is just one of them. – tadman Jun 20 '17 at 16:44
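
One way to apply both points raised in this thread (backtick-quoting the reserved `update` column and binding the POST values through a prepared statement), as an added example that is not code from the original posts. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; `quoteIdent`, `addChannel` and the sample `$post` array are hypothetical names constructed for illustration.

```php
<?php
// Added example. SQLite in-memory stands in for MySQL so this runs offline
// (assumption: pdo_sqlite is installed); for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Fixed allow-list of columns, same as the question. Identifiers cannot be
// bound as parameters, so they must come from code, never from the request.
const COLUMNS = ['logo', 'name', 'content', 'country', 'satellite', 'position',
                 'frequency', 'system', 'fec', 'quality', 'lang', 'url_ch',
                 'stream', 'update', 'note', 'stream_a'];

function quoteIdent(string $c): string
{
    return '`' . $c . '`';   // backticks let reserved words like `update` be column names
}

$pdo->exec('CREATE TABLE channels (id INTEGER PRIMARY KEY, '
    . implode(' TEXT, ', array_map('quoteIdent', COLUMNS)) . ' TEXT)');

function addChannel(PDO $pdo, array $post): int
{
    $sql = 'INSERT INTO channels (' . implode(',', array_map('quoteIdent', COLUMNS))
         . ') VALUES (' . implode(',', array_fill(0, count(COLUMNS), '?')) . ')';
    $stmt = $pdo->prepare($sql);
    // Bind values in column order; absent fields become NULL.
    $values = [];
    foreach (COLUMNS as $c) {
        $values[] = $post[$c] ?? null;
    }
    $stmt->execute($values);
    return (int) $pdo->lastInsertId();
}

// Constructed stand-in for $_POST; the name is the string quoted in the comments above.
$post = [
    'logo'   => 'https://example.org/logo.png',
    'name'   => "Robert');DELETE FROM channels;",
    'update' => '2017-06-20',
];
$id = addChannel($pdo, $post);

$check = $pdo->prepare('SELECT `name`, `update` FROM channels WHERE id = ?');
$check->execute([$id]);
var_dump($check->fetch(PDO::FETCH_ASSOC));                             // stored row
var_dump($pdo->query('SELECT COUNT(*) FROM channels')->fetchColumn()); // row count
```

Because the values travel as bound parameters, the quote characters in the name are stored as data and never become part of the SQL text.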