Syntax error in query

Question

Syntax error in query

Asked 10 years, 8 months ago

Viewed 151 times

2

I am running the following php code:

require_once "config.php";
$pagina = $_POST['pagina'];
$conteudo = $_POST['edit'];
//mysql_query("DELETE FROM $pagina WHERE 1") or die("alguma coisa deu errado".mysql_error());
//mysql_query("INSERT INTO $pagina (`conteudo`) VALUES ('$conteudo')");
mysql_query("UPDATE '$pagina' SET 'conteudo'='$conteudo' WHERE 1") or die("erro: ".mysql_error());

He says the syntax is wrong but I don’t see why, error print:
http://prntscr.com/2xx499
Or:

error: You have an error in your SQL syntax; check the manual that Corresponds to your Mysql server version for the right syntax to use near '''home' SET 'conteudo'='asx' WHERE 1' at line 1

1

Now that I noticed: the query passes the table name into a variable $pagina, received by POST. This is not possible to parameterize in an appropriate way (see kaminari’s answer), indicates a strange structure, where each page is a table. If so, I recommend rethinking the structure of your bank.

– bfavaretto

2014/09/04 at 13:12

2 answers

11

The error is in using single quotes around table and column names. The correct query would be:

"UPDATE $pagina SET conteudo='$conteudo' WHERE 1"

However, never, never, never, never use a POST variable in the query like you did, or your database will be EXTREMELY vulnerable to intrusions.

As I have already commented on another recent question of yours, it is also highly recommended to stop using the functions mysql_*, that have been discontinued. Use the mysqli, or the PDO. More details on How to prevent SQL code injection into my PHP code.

Can you tell me any post or reference about variável vinda do POST na query to speak in more detail on this subject

– user60252

2018/12/21 at 19:52
I would indicate the linked question itself at the end of my answer. The point is SQL Injection. If you concatenate user-provided values directly into a query, it is subject to injection. The simplest solution is to use Prepared statements.

– bfavaretto

2018/12/22 at 01:23
Yes, I wanted an example to understand how using POST in the query becomes vulnerable.

– user60252

2018/12/22 at 01:29
Example: https://answall.com/a/63453. And it’s not just POST, every user entry has potential for SQL injection.

– bfavaretto

2018/12/22 at 02:33

Browser other questions tagged php mysql

You are not signed in. Login or sign up in order to post.

by jlHertel • **4,733** points · Answer 1 · 2014-09-04T13:09:11+00:00

Your code would be next to this example below with PDO:

try {
  $conn = new PDO('dns', 'user', 'pass', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
  $stm = $conn->prepare('UPDATE nomeTabela SET conteudo = :conte');
  $stm->bindValue(':conte', $_POST['edit'], PDO::PARAM_STR);
  $stm->execute();
} catch (Exception $e) {
  die($e->getMessage());
}

With this code you avoid several problems of SQL Injection as already pointed out by bfavaretto.