
Don't know why I'm getting this SQL syntax error


Gez
05-14-2008, 09:22 PM
The error I'm getting is "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE DestinationAirport ='' AND DepartureDate ='' AND DepartureAirp' at line 2" and to me it looks right, but I suppose it isn't. Thanks in advance!

The code:

function ShowRetFlights() {
    // Read the search parameters from the request
    $DestinationName = $_REQUEST['destination'];
    $FlyingFrom      = $_REQUEST['flyfrom'];
    $RetDate         = $_REQUEST['retdate'];

    // Define the query
    // (note: $table_flight and $DepDate are never assigned inside this function)
    $queryret = "SELECT * FROM $table_flight
        WHERE DestinationAirport ='" . $DestinationName . "'
        AND DepartureDate ='" . $DepDate . "'
        AND DepartureAirport ='" . $FlyingFrom . "'";

    // Do the query
    $resultret = mysql_query($queryret) or die(mysql_error());

    echo "<b> INBOUND flights </b> <br/><br/>
        <table align='center' width='300' border='1'>
        <tr>
        <td align='center'><b>Destination: </b></td>
        <td align='center'><b>Airline:</b></td>
        <td align='center'><b>Departure Airport:</b></td>
        <td align='center'><b>Departure Date:</b></td>
        <td align='center'><b>Departure Time:</b></td>
        <td align='center'><b>Cost:</b></td>
        <td align='center'></td>
        </tr>";

    // Display the results (one table row per matching flight)
    while ($row = mysql_fetch_array($resultret)) {
        echo "<tr>";
        echo " <td align='center'>" . $row['DestinationAirport'] . "</td>";
        echo " <td align='center'>" . $row['Airline'] . "</td>";
        echo " <td align='center'>" . $row['DepartureAirport'] . "</td>";
        echo " <td align='center'>" . $row['DepartureDate'] . "</td>";
        echo " <td align='center'>" . $row['DepartureTime'] . "</td>";
        echo " <td align='center'>" . $row['Fare'] . "</td>";
        echo " <td align='center'><input type='radio' name='retflight" . $row['Id'] . "' value='retflight'></td>";
        echo " </tr>";
    }
    echo "<input type='submit' value='Resorts'></form></table><br/><hr><br/>";
}

PappaJohn
05-14-2008, 09:29 PM
I don't see where $table_flight is being defined.

Immediately after you define the query, echo it out to see what it actually contains.


// Define the query
$queryret="SELECT * FROM $table_flight
WHERE DestinationAirport ='".$DestinationName."'
AND DepartureDate ='".$DepDate."'
AND DepartureAirport ='".$FlyingFrom."'";

echo $queryret;

bdl
05-15-2008, 06:25 AM
I agree, the variable storing your table name is not included in the function scope, i.e. it doesn't exist. You'll want to either declare it global or pass it to the function.

It's also dangerous to blindly allow REQUEST data to interact with your db without first evaluating, filtering and properly escaping it.

BTW, you should make use of the "double quotes" as long as you're using them to delimit the string.

$string= "SELECT * FROM $table WHERE column = '$inputVariable'";

PappaJohn
05-15-2008, 06:38 AM
Passing the variable to the function is a better option than declaring it global.

chaosprime
05-15-2008, 04:16 PM
$FlyingFrom = mysql_real_escape_string($_REQUEST['flyfrom']);
$RetDate = mysql_real_escape_string($_REQUEST['retdate']);


Seriously. It's not that hard. Unless you really enjoy people easily being able to make your Web site do whatever they like (http://shiflett.org/articles/sql-injection).
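Pulling the replies together, here is an added example that is not code from the thread: the OP's query rebuilt as a function that receives the table name and a database handle as parameters (bdl's and PappaJohn's point about scope) and that passes user input to the database separately from the SQL text (chaosprime's point about escaping). It uses PDO with an in-memory SQLite database so it runs stand-alone; the mysql_* functions the thread uses were removed in PHP 7, and a prepared statement does what mysql_real_escape_string was meant to do without the risk of forgetting a field. The table, its rows, the request arrays and the function names `vulnerableQuery`, `showRetFlights` and `quoteIdentifier` are all constructed for this demo.

```php
<?php
// Added example, not from the original thread. Shows the OP's concatenated
// query beside a prepared-statement version, run against the same data.
declare(strict_types=1);

// Table names cannot be bound as parameters, so the only safe way to let a
// caller choose the table is to check it against a fixed list (assumed here).
const ALLOWED_TABLES = ['flight'];

function quoteIdentifier(string $table): string {
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    return '"' . $table . '"';   // double quotes delimit identifiers in SQLite/ANSI SQL
}

// What the original ShowRetFlights does: request values spliced into the SQL text.
function vulnerableQuery(PDO $db, string $table, array $req): array {
    $sql = "SELECT * FROM " . quoteIdentifier($table) . "
            WHERE DestinationAirport = '" . $req['destination'] . "'
              AND DepartureDate = '" . $req['retdate'] . "'
              AND DepartureAirport = '" . $req['flyfrom'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed version: placeholders in the SQL, values handed to the driver separately,
// so a quote inside a value can never terminate the string literal.
function showRetFlights(PDO $db, string $table, array $req): array {
    $sql = "SELECT * FROM " . quoteIdentifier($table) . "
            WHERE DestinationAirport = :dest
              AND DepartureDate = :date
              AND DepartureAirport = :from";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':dest' => $req['destination'] ?? '',
        ':date' => $req['retdate'] ?? '',
        ':from' => $req['flyfrom'] ?? '',
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE flight (Id INTEGER PRIMARY KEY, DestinationAirport TEXT,
           Airline TEXT, DepartureAirport TEXT, DepartureDate TEXT,
           DepartureTime TEXT, Fare REAL)');
$db->exec("INSERT INTO flight VALUES
           (1, 'LHR', 'BA', 'JFK', '2008-06-01', '09:00', 420.0),
           (2, 'LHR', 'VS', 'JFK', '2008-06-02', '18:30', 399.0),
           (3, 'CDG', 'AF', 'JFK', '2008-06-01', '11:15', 380.0)");

// A legitimate search: both versions return the same single flight.
$honest = ['destination' => 'LHR', 'retdate' => '2008-06-01', 'flyfrom' => 'JFK'];
printf("honest, concatenated: %d row(s)\n", count(vulnerableQuery($db, 'flight', $honest)));
printf("honest, prepared:     %d row(s)\n", count(showRetFlights($db, 'flight', $honest)));

// Attacker-controlled flyfrom: the leading quote closes the literal and the
// rest is parsed as SQL, turning the WHERE clause into "... OR '1'='1'".
$hostile = $honest;
$hostile['flyfrom'] = "' OR '1'='1";
printf("hostile, concatenated: %d row(s)\n", count(vulnerableQuery($db, 'flight', $hostile)));
printf("hostile, prepared:     %d row(s)\n", count(showRetFlights($db, 'flight', $hostile)));

// The thread's error came from an undefined $table_flight producing
// "SELECT * FROM  WHERE ...". With the table passed in and checked, a bad
// name fails loudly before any SQL reaches the server.
try {
    showRetFlights($db, 'flights', $honest);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With the concatenated version the hostile request matches every row in the table, because the condition `DepartureAirport = '' OR '1'='1'` is true for all of them; the prepared version treats the whole payload as an airport code and matches nothing. Echoing `$sql` before executing it, as PappaJohn suggests, is still the quickest way to see the difference between the two.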