error to replace db custom profile field on custom page

Started by Pipke, October 23, 2014, 11:55:20 AM

Pipke

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE
`smf_themes` = 1,
`id_member` = 1,
`variable` = 'cust_test'' at line 4


$change123 = 'want this text into the field';
$smcFunc['db_query']('', "
   UPDATE `{db_prefix}themes`
      SET
         `value` = $change123,       
     WHERE
    `smf_themes` = 1,
     `id_member` = 1,
     `variable` = 'cust_test'");


Who can help me out on this? I'm not a db guru  :o
"If something is wrong, fix it if you can. But train yourself not to worry: Worry never fixes anything."

Click here to view my mods for SMF

Hey 👋 Did i helped... you like what i do. You can now buy me a coffee! ☕

Arantor

Question: why are you attempting to do this manually?

Bonus points: not only is the syntax error it is complaining about quite rightly a syntax error, there are several others, and then even if you fix it, SMF will refuse to run the query anyway because it will proceed to trigger the anti-hacking routine for insecure queries.

Pipke

Quote from: Arantor on October 23, 2014, 11:58:54 AM
Question: why are you attempting to do this manually?

We have a form, which all logged in users can do, and if they fill it in then the user automatically makes a topic/post in a certain board. What I want is that the link of the post that the user just made in the form is added to a custom profile field, which I created (only admins can edit/view that profile field), then I want to add the link from the cust_test field (string) on the profile field (display.template). That's why I need it. So I don't have to manually change it in the user's profile field every time a form is done; if they did it themselves it would get messy.

PS: I don't need any bonus points lol.

Arantor

Well... I have to say there is pretty much nothing correct about that code. It's not even the correct function that should be used in this case. But before I gave you the correct code, I wanted to be sure it wasn't for some stupid reason that could be better served by doing it properly (like not mashing up custom fields code)


$smcFunc['db_insert']('replace',
  '{db_prefix}themes',
  array('id_member' => 'int', 'id_theme' => 'int', 'variable' => 'string', 'value' => 'string'),
  array($member, 1, 'cust_test', $change123),
  array('id_theme', 'id_member', 'variable')
);


$member is the member whose variable you are updating, $change123 its new content. You are responsible for sanitising this value yourself against XSS and other malicious content. This will simply prevent SQL injection on this score.
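
The XSS caveat in the answer above, as an added example that is not part of the original thread or SMF's own code: because the stored value is meant to be a link to the member's post, it can be built from integer IDs, checked against the forum's topic-URL shape before use, and escaped on output. All function names, the forum.example address and the sample values are constructed for illustration, and the topic URL shape (index.php?topic=N.msgM#msgM) is an assumption.

```php
<?php
// Added example, not SMF code. Function names are hypothetical; needs PHP 7+.

// Build the link server-side from integer IDs instead of trusting a URL from the form.
function build_post_link(string $scripturl, int $topic, int $msg): string
{
    return $scripturl . '?topic=' . $topic . '.msg' . $msg . '#msg' . $msg;
}

// Accept a stored value only if it is a topic link on this forum.
// preg_quote() keeps the base URL literal; the D modifier stops "$" matching before a trailing newline.
function is_safe_post_link(string $value, string $scripturl): bool
{
    $pattern = '~^' . preg_quote($scripturl, '~') . '\?topic=\d+\.msg\d+#msg\d+$~D';
    return preg_match($pattern, $value) === 1;
}

// Escape at output time; anything that fails validation renders as nothing.
function render_post_link(string $value, string $scripturl): string
{
    if (!is_safe_post_link($value, $scripturl))
        return '';

    return '<li class="blurb"><a href="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '">Link to post...</a></li>';
}

// Constructed sample values: one good link and three that must be rejected.
$scripturl = 'https://forum.example/index.php';
$samples = array(
    build_post_link($scripturl, 42, 1337),                     // valid
    'javascript:alert(1)',                                     // wrong scheme
    $scripturl . '?topic=42.msg1337#msg1337"><script>x</script>', // trailing markup
    'https://other.example/index.php?topic=42.msg1337#msg1337',   // foreign host
);

foreach ($samples as $value)
{
    // Only a validated value would be handed to the db_insert call as $change123.
    echo var_export(is_safe_post_link($value, $scripturl), true), "\t",
        render_post_link($value, $scripturl), "\n";
}
```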

Pipke

Thx, I'll try it out.

PS: I already got it working with some other code, but it's bad, real bad cos the query gets loaded on each post on the display.template


require_once("/home/****/domains/****/public_html/smf/SSI.php");
$wichboard = 3;

// Check if user already submitted this form before!
$list_of = ssi_boardNews($board = $wichboard, $limit = null, $start = null, $length = null, $output_method = 'array');
$checkname = ''; // to be safe for errors 'Undefined' ;)

foreach ($list_of as $checkname)
{
    if ($message['member']['name'] === $checkname['poster']['name'])
    {
        echo '<li class="blurb"><a href="', $checkname['href'], '">Link to post...</a></li>';
    }
}
//end start

Arantor

Quote: real bad cos the query gets loaded on each post on the display.template

There should never be queries in the display template. Nor should SSI ever be called from inside SMF.
