some error with editing mysql content via php

Question

i have some problem

i done my project, but there is problem in it like

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'blink = 'asd' WHERE bid='1'' at line 6 in editing file for edit my book content

    <?php
include("../includes/config.php");
$cuser = mysql_query("SELECT * FROM books");
$id = intval($_GET['id']);
$bname = strip_tags($_POST['bname']);
$bpic = strip_tags($_POST['bpic']);
$bdesc = strip_tags($_POST['bdesc']);
$bauthor = strip_tags($_POST['bauthor']);
$blink = strip_tags($_POST['blink']);
if(isset($_GET['edit'])){
    $cuuser = mysql_fetch_object($cuser);
    echo "<form action='editbook.php?edit=yes&id=".$cuuser->bid."' method='POST'>
    <table>
    <tr>
    <td>bname : </td>
    <td><input name='bname' type='text' value='".$cuuser->bname."' /></td>
    </tr>
    <tr>
    <td>bpic : </td>
    <td><input name='bpic' type='text' value='".$cuuser->bpic."' /></td>
    </tr>
    <tr>
    <td>bdesc : </td>
    <td><input name='bdesc' type='text' value='".$cuuser->bdesc."' /></td>
    </tr>
    <tr>
    <td>blink : </td>
    <td><input name='blink' type='text' value='".$cuuser->blink."' /></td>
    </tr>
    <tr>
    <td>bauthor : </td>
    <td><input name='bauthor' type='text' value='".$cuuser->bauthor."' /></td>
    </tr>
    <td><input name='do' type='submit' value='GO' /></td>
    </table>
    </form>";
}
        if($_REQUEST['edit'] == 'yes'){
            $uuser = mysql_query("UPDATE books SET 
            bname = '$bname',
            bpic = '$bpic',
            bdesc = '$bdesc',
            bauthor = '$bauthor'
            blink = '$blink'
            WHERE bid='$id' ") or die(mysql_error()) ;
            if(isset($uuser)){
                echo "done";
            }
        }

?>

when i delete (blink = '$blink') from query its will save and edit but i need it in my project note: i change blink for a lot of times and try another names (same problem)

and if there is another way to edit mysql content via php i will be so happy :) anything let my project worked correctly

Thanks :)

Answer 1

First, you omitted comma in your update statement after bauthor and blink line.

Second, I see you did not do any processing for input data. It s very vulnerable for SQL injection. Also if someone types quote mark ' inside of input data, your save query will fail, too. So you should make a fix for this purpose, too. Simply apply mysql_real_escape_string function for each input will save you for saving failure of comma contained string data.

So try following code for fast fix:

if($_REQUEST['edit'] == 'yes'){
            $uuser = mysql_query("UPDATE books SET 
            bname = '" . mysql_real_escape_string($bname) . "',
            bpic = '" . mysql_real_escape_string($bpic) . "',
            bdesc = '" . mysql_real_escape_string($bdesc) . "',
            bauthor = '" . mysql_real_escape_string($bauthor) . "',
            blink = '" . mysql_real_escape_string($blink) . "' 
            WHERE bid='$id' ") or die(mysql_error()) ;
            if(isset($uuser)){
                echo "done";
            }
        }

For better security option, you can try PDO with prepared statement.