SQL UPDATE statment does nothing, but returns no error.

Question

<?php
require ("db/db.php"); 
$c_id = ($_POST['c_id']);
$c_title = ($_POST['c_title']);
$c_content = ($_POST['c_content']);

// echo place

$sql = mysql_query("UPDATE content 
SET c_id = $c_id, c_title = $c_title, c_content = $c_content 
WHERE c_id = $c_id");

header("location: index.php");
?>

This is my code. when the header goes to the index, nothig has changed in the fields that are presented here. i tried to echo the variables at the "echo place" and they all returned correct, so i know that they are POSTed to the page. i guess the error are in the SQL UPDATE statement, but PHP does not return any error to me, it just goes directly to the index.php. when i try to run the SQL in phpmyadmin, whith value 1 instead of the variable, it changes all the fields to 1, so there it works.

Answer 1

1. You should use mysql_real_escape_string()

2. why your are updating the id of a table? you also need to change your query

3. use quotes in your php variable

Try like this:

require ("db/db.php"); 
$c_id = mysql_real_escape_string($_POST['c_id']);
$c_title = mysql_real_escape_string($_POST['c_title']);
$c_content = mysql_real_escape_string($_POST['c_content']);

// echo place

$sql = mysql_query("UPDATE content 
SET  c_title = '$c_title', c_content = '$c_content' 
WHERE c_id = $c_id limit 1") or die(mysql_error());

header("location: index.php");

You should switch to mysqli or PDO since mysql_* are outdated and will be removed.

Answer 2

Just to be sure, try this code (As I don't know the variables content, I put all of those with "'"

$sql = <<<SQL
   UPDATE content 
       SET c_id='{$c_id}', c_title='{$c_title'}, c_content='{$c_content}' 
       WHERE c_id='{$c_id}'
SQL;

$query = mysql_query($sql);
var_dump($query);

And if the $query returns true, put the header('Location: index.php"); again