I'm working on developing a blogging system. I have the blog part done, and I'm now creating the scripts that allow users to post comments on each blog. My PHP select code is getting an error along the lines of:

> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc where blogid = 6' at line 1.

The full SQL statement is:

```php
'select commentid, blogid from blog_comments order by commentid limit 1 desc where blogid = '.$row['postid'];
```

I'm aware the current statement is susceptible to SQL injection, and I have tried using tokens to ensure it is protected against that.

The `$row['postid']` comes from a previous SQL statement I ran to display the actual blog post. This is intended to go on the main page, so I don't need to display the actual comment text, rather the number of comments on a particular blog. I can post the full code if needed.
Okay, I updated the SQL statement and that fixed the issue. However, the page is not displaying the commentid number, `$e` is not getting executed, and there are no errors in the apache2 log.

```php
$query = "select commentid, blogid from blog_comments where blogid = ':postid' order by commentid desc limit 1";
$query_params = array(':postid' => $row['postid']);
try {
    $stmt = $db->prepare($query);
    $result = $stmt->execute($query_params);
} catch (PDOException $e) {
    // don't echo $e on a production site
    die($e->getMessage());
}
$rows = $stmt->fetchAll();
?>
<?php foreach ($rows as $row): ?>
    <?php echo $row['commentid']; ?>
<?php endforeach; ?> comments
```
Move the WHERE clause after the SELECT part:

```php
'select commentid, blogid from blog_comments where blogid = '.$row['postid'].' order by commentid desc limit 1'
```

To prevent SQL injection, use PDO and prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
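As an added example (not code from the question or the answer), here is the query the question is really after, the number of comments on one post, written as a PDO prepared statement with the clauses in the order MySQL accepts (SELECT, FROM, WHERE, ORDER BY, LIMIT). It runs against an in-memory SQLite database filled with constructed rows so it can be executed offline; `blog_comments`, `commentid` and `blogid` come from the question, while the helper names, the sample rows and the SQLite connection are assumptions. It also turns on `PDO::ERRMODE_EXCEPTION`: before PHP 8.0 the default error mode is silent, so a failing `execute()` just returns `false` without reaching a `catch` block or the error log, which matches the symptom in the question.

```php
<?php
// Added example, not the question's or the answer's code.
// Uses an in-memory SQLite database (assumed) so it runs offline;
// the table and rows below are constructed sample data.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on every error. Before PHP 8.0 the default is ERRMODE_SILENT,
    // in which case a bad query fails quietly and no exception is caught.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blog_comments (commentid INTEGER PRIMARY KEY, blogid INTEGER NOT NULL)');
    // Constructed sample data: three comments on blog 6, one on blog 7.
    $ins = $db->prepare('INSERT INTO blog_comments (blogid) VALUES (:blogid)');
    foreach ([6, 6, 7, 6] as $blogid) {
        $ins->execute([':blogid' => $blogid]);
    }
    return $db;
}

/** Number of comments on one blog post, with the post id bound as data. */
function commentCount(PDO $db, int $postid): int
{
    // :postid is NOT quoted inside the SQL; quoting it would make it a
    // string literal instead of a placeholder.
    $stmt = $db->prepare('SELECT COUNT(*) FROM blog_comments WHERE blogid = :postid');
    $stmt->execute([':postid' => $postid]);
    return (int) $stmt->fetchColumn();
}

/** Highest commentid on a post (the question's original query), or null if none. */
function latestCommentId(PDO $db, int $postid): ?int
{
    $stmt = $db->prepare(
        'SELECT commentid FROM blog_comments WHERE blogid = :postid ORDER BY commentid DESC LIMIT 1'
    );
    $stmt->execute([':postid' => $postid]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

/**
 * Entry point for an id that arrived as a string (query string, form field).
 * Validates it as an integer first; anything else is rejected before any SQL runs.
 */
function commentCountFromRequest(PDO $db, string $raw): ?int
{
    $postid = filter_var($raw, FILTER_VALIDATE_INT);
    if ($postid === false) {
        return null;
    }
    return commentCount($db, $postid);
}

$db = connect();
// Stands in for the value obtained from the previous query that loaded the post.
$postid = 6;
printf("%d comments (latest commentid %s)\n",
    commentCount($db, $postid),
    latestCommentId($db, $postid) ?? 'none');

// Non-numeric input is refused by the validator and never reaches the database.
var_dump(commentCountFromRequest($db, '6'));
var_dump(commentCountFromRequest($db, '6 OR 1=1'));
```

Run it with `php` on the command line; it needs only the `pdo_sqlite` extension. The two habits worth copying into the real code are the unquoted placeholder in the SQL text and the explicit error mode: with exceptions enabled, a wrong clause order or a placeholder that does not match the parameter array surfaces immediately in the `catch` block instead of silently producing no rows.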