Reputation: 75
Here is my PHP code, which is not working properly.
It is not taking the query in the if condition, and every time it executes the else part.
<?php
include('admin/class.php');
**Here is my DB connection**
$hostname="localhost";
$username="root";
$password="";
$dbhandle = mysql_connect($hostname, $username, $password)
    or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
$se = mysql_select_db("timesheet1234",$dbhandle)
    or die("Could not select timesheet1234");
echo "connected to db";
if(isset($_POST['save']))
{
    echo "post if";
    $sel=@$_POST['selpro'];
    $mon=@$_POST['mon'];
    $tue=@$_POST['tue'];
    $wed=@$_POST['wed'];
    $thu=@$_POST['thu'];
    $fri=@$_POST['fri'];
    $sat=@$_POST['sat'];
    $sun=@$_POST['sun'];
Here is my code where the problem starts and it's not working properly
    if(isset($_SESSION['user']))
    {
        echo "session user";
        $sql="UPDATE empdaytimesheet SET `project code`='$sel',`mon`='$mon',`tue`='$tue',`wed`='$wed',`thu`='$thu',`fri`='$fri',`sat`='$sat',`sun`='$sun' where `username`='".$_SESSION['user']."'";
        $res=mysql_query($sql,$dbhandle);
        if($res){
            echo "<script type='text/javascript'>";
            echo "alert('TimeSheet Saved..!')";
            echo "</script>";
            echo "<script type='text/javascript'>";
            echo "window.location='my_timesheet.php'";
            echo "</script>";
        }
        else
        {
            echo "<script type='text/javascript'>";
            echo "alert('Some Error Occured ! Retry..!')";
            echo "</script>";
            echo "<script type='text/javascript'>";
            echo "window.location='my_timesheet.php'";
            echo "</script>";
        }
    }
}
?>
Upvotes: 1
Views: 127
Reputation: 181077
UPDATE table empdaytimesheet SET...
is not valid SQL. What you mean to do is probably;
UPDATE empdaytimesheet SET...
Also, column names with spaces need to be quoted with - in MySQL's case - backticks, that is;
UPDATE empdaytimesheet SET `project code`=...
What you need to be aware of though is that you're open to SQL injection. If anyone posts a value for sel that contains a single quote, they can rewrite your SQL. For example, using Fiddler to post a value of sel as
',username='
would make your sql update the username column of the table too;
UPDATE empdaytimesheet SET `project code`='',username='',mon=...
In general just putting unchecked post variables into an SQL string is a bad thing. That's one big reason the mysql_* APIs are obsoleted by PDO and mysqli, they have methods for dealing with this.
Upvotes: 2
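The effect described in the answer above, and the prepared-statement alternative it points to, as an added example that is not part of the original question or answers. It assumes PHP with the pdo_sqlite extension; the in-memory SQLite table, the sample row and the helper names `resetRow` and `readRow` are constructed for the demonstration.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL database so it runs offline;
// against MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE empdaytimesheet (`username` TEXT, `project code` TEXT, `mon` TEXT)');

// Hypothetical helpers for the demo: restore one known row, then read it back.
function resetRow(PDO $pdo): void
{
    $pdo->exec('DELETE FROM empdaytimesheet');
    $pdo->exec("INSERT INTO empdaytimesheet VALUES ('alice', 'P1', '8')");
}

function readRow(PDO $pdo): array
{
    return $pdo->query('SELECT * FROM empdaytimesheet')->fetch(PDO::FETCH_ASSOC);
}

// Constructed inputs: the value from the answer as it would arrive in $_POST['selpro'].
$sel  = "',username='";
$mon  = '8';
$user = 'alice'; // stands in for $_SESSION['user']

// 1. Concatenation, as in the question: the quote inside $sel closes the string
//    literal, so the rest of the value is parsed as SQL and adds a second assignment.
resetRow($pdo);
$pdo->exec("UPDATE empdaytimesheet SET `project code`='$sel',`mon`='$mon' WHERE `username`='$user'");
echo "concatenated:\n";
var_export(readRow($pdo));

// 2. Prepared statement: the SQL text is fixed and the values travel separately,
//    so $sel is stored as plain data and cannot change which columns are updated.
resetRow($pdo);
$stmt = $pdo->prepare(
    'UPDATE empdaytimesheet SET `project code` = :sel, `mon` = :mon WHERE `username` = :user'
);
$stmt->execute([':sel' => $sel, ':mon' => $mon, ':user' => $user]);
echo "\nprepared:\n";
var_export(readRow($pdo));
echo "\n";
```

Comparing the two dumps shows the `username` column changing only in the concatenated case.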
Reputation: 92845
Change
$sql="UPDATE table empdaytimesheet SET project code='$sel',...
to
$sql="UPDATE empdaytimesheet SET `project code`='$sel', ...
            ^ no table here      ^            ^ backticks
Upvotes: 2