php - MySQL Error on Edit Post Submit

Question

I managed to fix the error in my earlier post wrt edit form not showing. Now edit form shows, but when i try to update (submit), i get the error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

FF is the code snippet i used:

if (isset($_POST['submit'])) {

    $query = "UPDATE $tbl SET message = mysql_real_escape_string(".$row['message'].") WHERE id = ".$row['id']." ";

    $result = mysql_query($query) or die (mysql_error());

    while ($row = mysql_fetch_array($result)) {

        echo "Your post has been edited to:", "<br>";
        echo $row['message'];
    }

    mysql_free_result($result);
    mysql_close();

}

Kindly Help. Thanks!

As Per @Fred-ii and @jeroen 's request, here is the full code:

<?php ob_start(); ?>
<?php error_reporting(E_ALL); ini_set('display_errors', 1); ?>
<html>
  <head>
    <title>BQuotes</title>
    <!-- <meta name="viewport" content="width=device-width, initial-scale=1"> -->
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
    <link href="votingfiles/voting.css" rel="stylesheet" type="text/css" />
    <script src="votingfiles/voting.js" type="text/javascript"></script>
    <link rel="stylesheet" href="http://code.jquery.com/mobile/1.4.2/jquery.mobile-1.4.2.min.css" />
    <link rel="stylesheet" type="text/css" href="http://bquotes.me/mystyle-a.css">
    <script src="http://code.jquery.com/jquery-1.10.0.min.js"></script>
    <script src="http://code.jquery.com/mobile/1.4.2/jquery.mobile-1.4.2.min.js"></script>
    <style>
      .head_text {
        color: #ffffff;
      }
      a {
        text-decoration: none;
      }
    </style>

    <script type="text/javascript">
      $('#g-login').bind('click', function (event) {
        // event.preventDefault();
        // $('#form-id').attr('action', 'google-login.php').trigger('submit');
        alert("Clicked");
      });
    </script>
  </head>
  <body style="color:#d4ffaa">


    <!-- BQ Edit Post Start -->
    <div data-role="page" id="edit-post">
      <div data-role="header" style="background-color:#5FBF00">
        <h1 class="head_text">BQuotes</h1>
      </div>
      <div data-role="main" class="ui-content">




      </div>



         <?php




         session_start();

              if($_SESSION['myusername'] != null &&  isset($_SESSION['myusername'])){
              echo "<form action='logout.php' method='post' id ='form-logout' data-ajax='false'>
                    <br/><input type='submit' value='Logout'/>";
              echo "</form>";
              echo "<div style='margin-left:1px;'>Logged In As:  ".$_SESSION['myusername']."</div>";



          define ('HOSTNAME', 'xxxx');
          define ('USERNAME', 'xxxx');
          define ('PASSWORD', 'xxxx');
          define ('DATABASE_NAME', 'xxxx');

          $db = mysql_connect(HOSTNAME, USERNAME, PASSWORD) or die ('I cannot connect to MySQL.');

          mysql_select_db(DATABASE_NAME);

          $tbl='xxxx';
          $id=$_GET['pid'];


          $query="SELECT * from $tbl WHERE id = ".$_GET['pid']." ";


          $result = mysql_query($query) or die (mysql_error());

          while ($row = mysql_fetch_array($result)){
          /*$id=$row['id'];
          $username=$row['username'];
          $message=$row['message'];
          $tag=$row['tag'];*/



             echo "<form name='edit-post' action='' method='post'>";
             echo "<input type='hidden' name='id' value=".$row['id'].">";
             echo "<input type='hidden' name='username' value=".$row['username'].">";
             echo "Status: <textarea name='message'>".$row['message']."</textarea>";
             //echo "Tag: <textarea rows='1' name='tag'>".$row['tag']."</textarea>";
             echo "<input type='submit' name='submit' value='Submit'>";
             echo "</form>";


          if (isset($_POST['submit'])) {         

          echo $row['id'];
          $tbl = 'xxxx';           
          $query = "UPDATE $tbl SET message = ".mysql_real_escape_string($row['message'])." WHERE id =".$row['id']." ";

          $result = mysql_query($query) or die (mysql_error());


          while ($row = mysql_fetch_array($result)) {

          echo "Your post has been edited to:", "<br>";
          echo $row['message'];
          //echo $row['tag'];
          }

          mysql_free_result($result);
          mysql_close();

          }

              }
              }
            else if($_SESSION['myusername'] == null){
              echo "<form action='google-login.php?login=true' method='post' id ='form-id' data-ajax='false'>";    
                 echo "<span class='loginreq'>Login to Edit</span>";           
                echo "<br/><input type='submit' value='Login with Google'/>";
                echo "</form>";
            }




          /*
          <?php
          $id2=$_POST['id'];
          $username2=$_POST['username'];
          $message2=$_POST['message'];
          $tag2=$_POST['tag'];
          */



        ?>



        <a href='mybq-index.php'>Home</a>


      </div>


  </body>
</html>
<?php ob_flush(); ?>

Answer 1

mysql_real_escape_string is a php function, not a mysql function.

So the syntax would be:

$query = "UPDATE $tbl SET message = '" . mysql_real_escape_string($row['message']) . "' WHERE id = ".$row['id']." ";    

But you should really switch to PDO with prepared statements or mysqli_* with prepared statements, as the mysql_* functions are deprecated.