PHP SQL Update Query not working

Question

I have been trying to create a simple form to update details on a database, the PHP code is below:

// UPDATE THE DATABASE RECORDS //
$update = $_GET['update'];
if($update == "true"){
    $setDetails="UPDATE users SET email='{$_POST['email']}', api_key='{$_POST['api_key']}', api_secret='{$_POST['api_secret']}' WHERE username='{$_POST['username']}'";
    if(mysql_query($setDetails)){
        $updatemsg = '<div class="alert alert-success"><a href="#" class="close" data-dismiss="alert">×</a><strong>Success!</strong> Your details have been updated in our database.</div>';
    }else{
        $updatemsg = '<div class="alert alert-error"><a href="#" class="close" data-dismiss="alert">×</a><strong>Failure!</strong> Your details could not be updated in our database. Please try again later or contact us if this keeps happening.</div>';
    }
}else if($update == "false"){
    $updatemsg = '<div class="alert alert-success"><a href="#" class="close" data-dismiss="alert">×</a><strong>Success!</strong> Your changed were discarded.</div>';
}
// UPDATE THE DATABASE RECORDS //

// GET THE DATABASE RECORDS //
$getDetails="SELECT * FROM users WHERE username='$username'";
$details=mysql_query($getDetails);
$num=mysql_numrows($details);
if($num != 0){
    $new_user = false;
    $username=mysql_result($details,0,"username");
    $email=mysql_result($details,0,"email");
    $subscription_type=mysql_result($details,0,"subscription_type");
    $subscription_date=mysql_result($details,0,"subscription_date");
    $api_key=mysql_result($details,0,"api_key");
    $api_secret=mysql_result($details,0,"api_secret");
    setcookie("api_key", $api_key, time()+50000);
    setcookie("api_secret", $api_secret, time()+50000);
}else{
    $new_user = true;
}
// GET THE DATABASE RECORDS //

The variables defined when the database records are fetched are then used to populate a HTML form:

<form action="?update=true" method="POST">
<h2>Your Details</h2>
<input id="username" name="username" type="text" placeholder="" disabled="true" class="input-xlarge" value="<?=$username?>">
<input id="email" name="email" type="text" placeholder="" class="input-xlarge" value="<?=$email?>">
<input id="subscription_type" name="subscription_type" type="text" placeholder="" disabled="true" class="input-xlarge" value="<?=$subscription_type?>">
<input id="subscription_date" name="subscription_date" type="text" placeholder="" disabled="true" class="input-xlarge" value="<?=$subscription_date?>">
<input id="api_key" name="api_key" type="text" placeholder="" class="input-xlarge" value="<?=$api_key?>">
<input id="api_secret" name="api_secret" type="text" placeholder="" class="input-xlarge" value="<?=$api_secret?>">
<button type="submit" class="btn btn-success" id="saveChanges"><i class="icon-ok icon-white"></i> Save Changes</button> <a href="?update=false" class="btn btn-danger" id="discardChanges"><i class="icon-remove icon-white"></i> Discard Changes</a>
</form>

When the page is loaded first time, the form is populated with no problems, but when it is edited and submitted $updatemsg is the 2nd one (Success) but there are no changes to the data in the database. Any ideas?

Answer 1

Firstly I would declare the api secrets in a constant file instead of through a http post on a page. Try the following to get the update to work assuming the post values are present

$setDetails="UPDATE users SET email='".$_POST['email']."', api_key='".$_POST['api_key']."', api_secret='".$_POST['api_secret']."' WHERE username='".$_POST['username']."'";

Answer 2

It looks like it's failing because the quotes and brackets are incorrectly used. But what you need to do is something like:

$email = mysql_real_escape_string($_POST['email']);

....

"UPDATE users SET email='$email'.....

And so forth, and so on. If not that, in the else part call mysql_error() and it will tell you if the query is failing.