I'm trying to submit a page onto itself by using php echo $_SERVER['PHP_SELF']; but keep receiving the following error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1....
There are different forms on the page and I am having the same problem with all of them.
What could be the source of the problem?
<?php
require_once('Connections/speedycms.php');
$client_id = mysql_real_escape_string($_GET['id']);
if (!isset($_SESSION)) {
session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Ses开发者_运维问答sion variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && true) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
mysql_select_db($database_speedycms, $speedycms);
$query_caseStatus = "SELECT progress FROM tbl_accident WHERE id=$client_id";
$caseStatus = mysql_query($query_caseStatus, $speedycms) or die(mysql_error());
$row_caseStatus = mysql_fetch_assoc($caseStatus);
$totalRows_caseStatus = mysql_num_rows($caseStatus);
mysql_select_db($database_speedycms, $speedycms);
$query_retrieveSolicitor = "SELECT * FROM tbl_solicitors";
$retrieveSolicitor = mysql_query($query_retrieveSolicitor, $speedycms) or die(mysql_error());
$row_retrieveSolicitor = mysql_fetch_assoc($retrieveSolicitor);
$totalRows_retrieveSolicitor = mysql_num_rows($retrieveSolicitor);
mysql_select_db($database_speedycms, $speedycms);
$query_currentSolicitor = "SELECT currentSolicitor FROM tbl_accident WHERE id=$client_id";
$currentSolicitor = mysql_query($query_currentSolicitor, $speedycms) or die(mysql_error());
$row_currentSolicitor = mysql_fetch_assoc($currentSolicitor);
$totalRows_currentSolicitor = mysql_num_rows($currentSolicitor);
?>
If you are using the client_id
taken from the outside, you should enclose it into the single quotes, even if it's escaped and supposed to be an integer:
SELECT progress FROM tbl_accident WHERE id='$client_id'
For instance, if the script passes the empty client_id
, this query turns into:
SELECT progress FROM tbl_accident WHERE id=
, which is an invalid SQL
and results in the same error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
, which you can easily reproduce with any query tool.
Your problem isn't the PHP_SELF
. You're getting the error you get because one of teh SQL statments you're creating isn't valid SQL, so the MySQL server rejects it.
Look for each of your lines
mysql_query($query_someQuery, $speedycms)
Before each of these lines, add a statment something like
echo $query_someQuery, "<br />","\n";
mysql_query($query_someQuery, $speedycms)
where $query_someQuery
is the actual variable you used. Then run your script/load your page and examine the SQL. It will have a syntax error in it (be sure to view source if a browser to see what's actually being returned).
Once you determine the syntax error, trace your code and figure out why it's generating incorrect SQL.
Are you sure that the problem is when u are using "php echo $_SERVER['PHP_SELF']" ? The error thrown is an SQL Syntax error, and nothing to do with calling php echo $_SERVER['PHP_SELF'].
The fact the error says "at line 1" is pretty useless as it means on line one of the SQL Syntax, not a particular page, so doesnt really point you at where the query is called.
Try echoing $client_id after this part:
$client_id = mysql_real_escape_string($_GET['id']);
You're using it in your queries later, and it might be generating the SQL error if its blank or invalid.
精彩评论