Reputation: 15
I've been trying to display data from the database as the value in a form field, but the system keeps saying there's an error at "while($row = mysql_fetch_array($result))", so I'm a bit confused here. How can I fix this error? Below is my code.
<?php
if (isset($_GET['serialno'])){
    echo '<form action="update.php" method="post">';
    echo '<br>';
    echo '<input type="hidden" name="serialno" value="'. $_GET['serialno'] .'">';
    $con = mysql_connect("localhost","root","");
    if (!$con){
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("sys", $con);
    $id=$_GET['serialno'];
    $result = mysql_query("SELECT * FROM main WHERE serialno = $id");
    while($row = mysql_fetch_array($result)){
        echo'Date: '.'<input type="text" name="date" value="'. $row['date'] .'">';
        echo '<br>';
        echo'Work Description: '.'<input type="text" name="desc" value="'. $row['desc'].'">';
        echo '<br>';
        echo'Company Name: '.'<input type="text" name="comp" value="'. $row['comp'] .'">';
        echo '<br>';
        echo '<input name="save" type="submit" value="Save" />';
    }
    echo '</form>';
}
?>
Can anyone help me? Really appreciate it.
Upvotes: 1
Views: 2705
Reputation: 2536
You forgot the single quotes around $id in your query; if you add them it will work.
$result = mysql_query("SELECT * FROM main WHERE serialno = '$id'");
It's smart to add or die(mysql_error()) behind mysql_query(), so you can see where the error is.
Also, if someone typed in ' OR 1='1 as serialno, your script will select all the rows in the database and then display them all. You can prevent this by changing $id= $_GET['serialno']; to $id=mysql_real_escape_string($_GET['serialno']);
Upvotes: 3
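The same lookup with a bound parameter and HTML-encoded output, as an added example that is not part of the original question or answer. It uses PDO because the mysql_* functions were removed in PHP 7, and an in-memory SQLite database with constructed rows stands in for the question's MySQL database so it runs without a server; the helper names h, findBySerial and renderForm are made up for illustration.

```php
<?php
// Added example: constructed rows in an in-memory SQLite database stand in
// for the question's MySQL database "sys"; with MySQL only the DSN changes,
// e.g. new PDO('mysql:host=localhost;dbname=sys;charset=utf8mb4', $user, $pass).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on SQL errors
$db->exec('CREATE TABLE main (serialno TEXT, date TEXT, "desc" TEXT, comp TEXT)');
$db->exec("INSERT INTO main VALUES
    ('A100', '2014-01-05', 'Pump repair', 'Acme \"Pumps\" <Ltd>'),
    ('A101', '2014-01-06', 'Wiring', 'Volt & Co')");

// Escape a value for use inside a quoted HTML attribute (hypothetical helper).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Look up rows by serial number with a bound parameter: the value travels
// separately from the SQL text, so quotes in it cannot change the query.
function findBySerial(PDO $db, string $serialno): array {
    $stmt = $db->prepare('SELECT * FROM main WHERE serialno = :serialno');
    $stmt->execute([':serialno' => $serialno]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Build the question's edit form, encoding every value on output.
function renderForm(string $serialno, array $rows): string {
    $html = '<form action="update.php" method="post">';
    $html .= '<input type="hidden" name="serialno" value="' . h($serialno) . '">';
    foreach ($rows as $row) {
        $html .= 'Date: <input type="text" name="date" value="' . h($row['date']) . '"><br>';
        $html .= 'Work Description: <input type="text" name="desc" value="' . h($row['desc']) . '"><br>';
        $html .= 'Company Name: <input type="text" name="comp" value="' . h($row['comp']) . '"><br>';
        $html .= '<input name="save" type="submit" value="Save">';
    }
    return $html . '</form>';
}

// In the real page the value comes from $_GET['serialno']; the second input
// is the string quoted in the answer, which here is matched as plain data.
foreach (['A100', "' OR 1='1"] as $input) {
    $rows = findBySerial($db, $input);
    echo count($rows), ' row(s) for ', var_export($input, true), "\n";
    echo renderForm($input, $rows), "\n\n";
}
```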