
PHP Error
Danny159 08-25-2007, 12:58 PM Hey
I am in the process of making a new script for my company and I have got to the bit where clients can edit their details, and when I click the edit button I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = 'test'' at line 13
Is this the script or the server?
If it's the script I will post it, and it would be great if you could edit this to work for me.
Thanks
Danny
dollar 08-25-2007, 01:03 PM That looks like the script, specifically the portion where it is making a MySQL call. The syntax on your mysql call is improper in one way or another for the version of MySQL that your host is using.
Feel free to post the script around line 13.
Danny159 08-25-2007, 01:08 PM Line 13 is <center>
So here's the script:
<?php require('check.php');?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PhP My-Admin</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="css/style.css" rel="stylesheet" type="text/css">
</head>
<body bgcolor="#CCCCCC">
<center>
<table width="600" border="1">
<tr>
<td bgcolor="#FFFFFF">
<?php include('connect.php');?><p><font size="2">
<!-- Start Main Content -->
<center>
<u>Edit Your Details</u><p>
<?php
$edusername = $_POST[edusername];
$edpasswrd = $_POST[edpasswrd];
$edemail = $_POST[edemail];
$edcompany = $_POST[edcompany];
$edwebsite = $_POST[edwebsite];
$edfname = $_POST[edfname];
$edlname = $_POST[edlname];
$edaddress = $_POST[edaddress];
$edtown = $_POST[edtown];
$edcounty = $_POST[edcounty];
$edpost = $_POST[edpost];
$edphone = $_POST[edphone];
if ($_POST['submit']) {
$result = mysql_query("UPDATE users SET
passwrd = '$edpasswrd',
email = '$edemail',
company = '$edcompany',
website = '$edwebsite',
fname = '$edfname',
lname = '$edlname',
address = '$edaddress',
city = '$edtown',
county = '$edcounty',
postcode = '$edpost',
phone = '$edphone',
WHERE username = '$edusername'") or die(mysql_error());
echo "<center><b>Your details have been successfully updated.<br>
*You Must Logout For Changes To Take Effect*</b></center><p>";
}
?>
<?php
session_start();
$query = mysql_query("SELECT username,passwrd,rank,email,company,website,fname,lname,address,city,county,postcode,phone FROM users WHERE username = '$_SESSION[username]'") or die(mysql_error());
$row = mysql_fetch_array($query);
$_SESSION["eusername"] = $row['username'];
$_SESSION["epasswrd"] = $row['passwrd'];
$_SESSION["eemail"] = $row['email'];
$_SESSION["ecompany"] = $row['company'];
$_SESSION["ewebsite"] = $row['website'];
$_SESSION["efname"] = $row['fname'];
$_SESSION["elname"] = $row['lname'];
$_SESSION["eaddress"] = $row['address'];
$_SESSION["etown"] = $row['city'];
$_SESSION["ecounty"] = $row['county'];
$_SESSION["epost"] = $row['postcode'];
$_SESSION["ephone"] = $row['phone'];
$_SESSION["econtry"] = $row['contry'];
?>
<?php
echo "
<form method='POST' action='editdetails.php'>
<input type='hidden' name='edusername' value='$_SESSION[eusername]'>
Password:<br>
<input type='text' name='edpasswrd' value='$_SESSION[epasswrd]'><p>
Email:<br>
<input type='text' name='edemail' value='$_SESSION[eemail]'><p>
Company:<br>
<input type='text' name='edcompany' value='$_SESSION[ecompany]'><p>
Website:<br>
<input type='text' name='edwebsite' value='$_SESSION[ewebsite]'><p>
First Name:<br>
<input type='text' name='edfname' value='$_SESSION[efname]'><p>
Last Name:<br>
<input type='text' name='edlname' value='$_SESSION[elname]'><p>
Address:<br>
<input type='text' name='edaddress' value='$_SESSION[eaddress]'><p>
City/Town:<br>
<input type='text' name='edtown' value='$_SESSION[etown]'><p>
County:<br>
<input type='text' name='edcounty' value='$_SESSION[ecounty]'><p>
Post/Zip Code:<br>
<input type='text' name='edpost' value='$_SESSION[epost]'><p>
Phone Number:<br>
<input type='text' name='edphone' value='$_SESSION[ephone]'><p>
<input type='submit' name='submit' value='Edit'>
</form>
";?>
<!-- End Main Content -->
</font><p>
</td>
</tr>
</table>
</center>
</body>
</html>
dollar 08-25-2007, 01:11 PM As far as PHP is concerned, line 13 is the 13th line of PHP code (not the HTML in between).
With a quick glance the problem most likely is here:
phone = '$edphone',
WHERE username = '$edusername'") or die(mysql_error());
If you notice the comma after $edphone shouldn't be there. It would be much like me writing this to you:
I need an apple, a pear, an orange, and a grapefruit, from the store. <- Notice how the last comma makes you read it as if there should be another item on the list? MySQL is thinking the same thing.
Steve_Arm 08-25-2007, 01:22 PM A nice hackable form.
Danny159 08-25-2007, 01:52 PM ... how do I make it unhackable... because you need to get through the check.php file to access this bit...
Danny159 08-25-2007, 01:53 PM By the way, thanks for your help, I'll have a go.
Steve_Arm 08-25-2007, 01:55 PM You have to validate your input. Are the POST strings what they are supposed to be?
Danny159 08-25-2007, 02:03 PM Yes, because it finds what's in the database and puts it into the text fields, then when you have edited it and press 'edit' it overwrites the current data in the database, so yes it needs to POST to get the new info.
Steve_Arm 08-25-2007, 02:09 PM I didn't mean that. I meant that someone can type whatever they want in there,
$edusername = $_POST[edusername]; is not enough.
I can type some code there and have it entered in the database or inject the SQL easily.
Danny159 08-25-2007, 02:16 PM But that just gets it from the hidden field, so they can't edit their username anyway.
Danny159 08-25-2007, 02:31 PM Ohhhhhhhhhh, I just got what you mean!
I need to take out the , !!!
Am I right?
ThatScriptGuy 08-25-2007, 04:00 PM Yes, that last comma is causing your problem.
But you need to validate your user input in that form. If you are expecting a user to enter only alpha-numeric characters, then you need to check to make sure they've ONLY entered alpha-numeric characters before you process the data... Otherwise you're just asking to be hacked.
Danny159 08-25-2007, 04:06 PM That's what the check.php is for... so only the user logged in can edit them...
Content of check.php
<?php
// Both checks share one session; calling session_start() twice raises a notice.
session_start();
if(!$_SESSION['username']){
echo "<center><b>You are not authorized to view this page.<br><a href='index.php'>Login</a></b></center>";
exit;
}
if($_SESSION['rank'] == 'Suspended'){
echo "<center><b>Your account is currently suspended, please contact the admin immediately.<br><a href='javascript:history.back(1)'>Back</a></b></center>";
exit;
}
?>
ThatScriptGuy 08-25-2007, 04:14 PM You're not getting it. Without checking the user input, the user could enter something like
' or 1=1-- into the input box. This is a very basic sql injection technique and your form is vulnerable unless you fix it.
Xenatino 08-25-2007, 04:18 PM With your code, if I was to enter username'; DELETE FROM users WHERE username!='username into the username field, then your query:
$result = mysql_query("UPDATE users SET
passwrd = '$edpasswrd',
email = '$edemail',
company = '$edcompany',
website = '$edwebsite',
fname = '$edfname',
lname = '$edlname',
address = '$edaddress',
city = '$edtown',
county = '$edcounty',
postcode = '$edpost',
phone = '$edphone',
WHERE username = '$edusername'") or die(mysql_error());would become:
$result = mysql_query("UPDATE users SET
passwrd = '$edpasswrd',
email = '$edemail',
company = '$edcompany',
website = '$edwebsite',
fname = '$edfname',
lname = '$edlname',
address = '$edaddress',
city = '$edtown',
county = '$edcounty',
postcode = '$edpost',
phone = '$edphone',
WHERE username = 'username'; DELETE FROM users WHERE username!='username'") or die(mysql_error());
Is that what you really want?
(The above is purely an example, that will probably not work, however illustrates the point)
Take a look into http://www.php.net/mysql_real_escape_string
Steve_Arm 08-25-2007, 04:20 PM Back
The minimum:
$edusername = strip_tags(trim($_POST[edusername]));
+
you don't authorize access just by checking the session variable, in reverse you use the session variable to check.
Query the db - WHERE username = $_SESSION['username'] AND ....
and if there is an entry in the database you let him in. Again minimal example.
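To show what the advice in this thread (drop the trailing comma, validate input, keep user values out of the SQL text, and pick the row from the session rather than a hidden field) looks like in one place, here is an added example that is not code from the thread. It uses PDO prepared statements in place of mysql_query() (the mysql_* extension no longer exists in PHP 7+), assumes an open PDO connection in $pdo and the thread's 'users' table, and stores the password as a hash with password_hash(), which means the login code would have to compare with password_verify().

```php
<?php
// Added example (not the thread's code): the same UPDATE with the trailing comma removed,
// every user value bound as a parameter through PDO (the old mysql_* extension is gone
// from PHP 7+), and the target row chosen by the logged-in session, not a hidden field.
// Assumes an existing PDO connection in $pdo and the thread's 'users' table/columns.
session_start();
if (empty($_SESSION['username'])) {
    exit('You are not authorized to view this page.');
}

// Whitelist of editable columns and the POST field each comes from. Column names
// come from this list only, so the SQL text is never built from user input.
$fields = [
    'email' => 'edemail', 'company' => 'edcompany', 'website' => 'edwebsite',
    'fname' => 'edfname', 'lname' => 'edlname',     'address' => 'edaddress',
    'city'  => 'edtown',  'county' => 'edcounty',   'postcode' => 'edpost',
    'phone' => 'edphone',
];

if (isset($_POST['submit'])) {
    $set = [];
    $params = [':username' => $_SESSION['username']];
    foreach ($fields as $column => $postKey) {
        $value = trim((string)($_POST[$postKey] ?? ''));
        // Input validation: reject what the column cannot sensibly hold.
        if (strlen($value) > 255) {
            exit("Value for $column is too long.");
        }
        if ($column === 'email' && !filter_var($value, FILTER_VALIDATE_EMAIL)) {
            exit('Invalid email address.');
        }
        $set[] = "$column = :$column";
        $params[":$column"] = $value;
    }
    // Only change the password when one was typed; store a hash, not the plain text
    // (login then has to compare with password_verify()).
    $newPassword = (string)($_POST['edpasswrd'] ?? '');
    if ($newPassword !== '') {
        $set[] = 'passwrd = :passwrd';
        $params[':passwrd'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }
    // implode() joins the assignments with ", ", so no comma is left before WHERE.
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE username = :username';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // values travel separately from the SQL; "' or 1=1--" is just a string

    echo '<p>Your details have been updated.</p>';
}
```

When the stored values are echoed back into the form's value='...' attributes, pass each one through htmlspecialchars() so a value containing quotes or tags cannot break out of the input.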
Danny159 08-25-2007, 04:28 PM Ohhhhhh ok, sorry guys, I'm very tired and a bit dense today lol
Thanks for all your help
Danny