Syntax error in query

1

I'm running the following PHP code:

<?php
require_once "config.php";
$pagina = $_POST['pagina'];   // table name taken straight from the form
$conteudo = $_POST['edit'];   // new content taken straight from the form
//mysql_query("DELETE FROM $pagina WHERE 1") or die("alguma coisa deu errado".mysql_error());
//mysql_query("INSERT INTO $pagina ('conteudo') VALUES ('$conteudo')");
// the query that fails: table and column names are wrapped in single quotes
mysql_query("UPDATE '$pagina' SET 'conteudo'='$conteudo' WHERE 1") or die("erro: ".mysql_error());

It says the syntax is wrong, but I do not see why. The printed error is:
error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''home' SET 'conteudo'='asx' WHERE 1' at line 1

asked by anonymous 04.03.2014 / 22:59

2 answers

11

The error is in the use of single quotation marks around the table and column names. The correct query would be:

"UPDATE $pagina SET conteudo='$conteudo' WHERE 1"

However, never, ever, ever use a POST variable in the query as you did, or your database will be EXTREMELY vulnerable to hacking.

As I already commented on another recent question of yours, it is also strongly recommended to stop using the mysql_* functions, which have been discontinued. Use mysqli or PDO. More details in How to prevent SQL injection in my PHP code.

04.03.2014 / 23:02
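The following is an added example, not code from the question or from either answer. It shows the two fixes this answer recommends together: identifiers quoted with backticks rather than single quotes, and user input kept out of the SQL text by using a mysqli prepared statement. Because a table name cannot be bound as a parameter, the `pagina` value is checked against a fixed allow-list before it is used. The table names in `$allowedPages`, the `tableFromInput` and `updatePage` helpers, and the connection credentials are assumptions for the example.

```php
<?php
// Added example (not part of the original question or answers).
// Assumes a MySQL database whose tables are listed in $allowedPages,
// each with a `conteudo` column; HOST/USER/PASSWORD/DATABASE are placeholders.

// Table names cannot be bound as query parameters, so the only safe way to
// take one from user input is to compare it against a fixed allow-list.
$allowedPages = ['home', 'sobre', 'contato']; // assumed table names

function tableFromInput(string $input, array $allowed): string
{
    if (!in_array($input, $allowed, true)) {
        throw new InvalidArgumentException('Unknown page');
    }
    return $input;
}

function updatePage(mysqli $conn, string $table, string $content): int
{
    // Identifiers are quoted with backticks. Single quotes, as in the question,
    // turn the identifier into a string literal and produce the syntax error.
    // The value is bound as a parameter, so it is never spliced into the SQL.
    $sql = sprintf('UPDATE `%s` SET `conteudo` = ? WHERE 1', $table);
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $content);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Make mysqli throw exceptions instead of returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('HOST', 'USER', 'PASSWORD', 'DATABASE'); // placeholders

try {
    $table = tableFromInput($_POST['pagina'] ?? '', $allowedPages);
    $rows = updatePage($conn, $table, $_POST['edit'] ?? '');
    echo "rows updated: $rows";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'invalid page';
}
```

Note that the allow-list is what makes the `sprintf` safe: only one of the literal table names in `$allowedPages` can ever reach the query, regardless of what was posted. The `WHERE 1` is kept from the original query, so the statement still updates every row of the chosen table.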
1

Your code would be close to this example below with PDO:

<?php
try {
  // DSN, user and password are placeholders; ERRMODE_EXCEPTION makes PDO throw on errors
  $conn = new PDO('mysql:host=HOST;dbname=DATABASE', 'user', 'pass', array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
  // the value is sent separately from the SQL text, so it cannot alter the query
  $stm = $conn->prepare('UPDATE nomeTabela SET conteudo = :conte');
  $stm->bindValue(':conte', $_POST['edit'], PDO::PARAM_STR);
  $stm->execute();
} catch (Exception $e) {
  die($e->getMessage());
}

With this code you avoid several SQL Injection problems as already pointed out by bfavaretto.

04.09.2014 / 15:09