Aiden Ryan

Reputation: 845

sql UPDATE error?

I've followed all the MySQL tutorials correctly but it still won't update the values in my table. Can someone please help me? These are my values below:

$editid = $_GET['id'];
$newtitle = $_POST['title'];
$newsneak = $_POST['sneak'];
$newbody = $_POST['body'];

$connect = mysql_connect("localhost","username","password") or die("Couldn't Connect. ");
mysql_select_db("dr") or die ("Couldn't Find DB.");

$query = mysql_query("SELECT * FROM news WHERE id=$editid");

$numrows = mysql_num_rows($query);

if($numrows=!0)
{
$querytitle = mysql_query("UPDATE news SET title=$newtitle WHERE id=$editid");
$querysneak = mysql_query("UPDATE news SET summary=$newsneak WHERE id=$editid");
$querybody  = mysql_query("UPDATE news SET body=$newbody WHERE id=$editid");
header("Location: ../index.php");
}

Upvotes: 0

Views: 278

Answers (3)

KJYe.Name

Reputation: 17169

On your select (add mysql_error to check for errors):

   $result = mysql_query("SELECT * FROM news WHERE id='$editid'");
   if (!$result) {
       die('Invalid query: ' . mysql_error());
   }

On your update:

$querytitle = mysql_query("UPDATE news SET title='$newtitle' WHERE id='$editid'");
$querysneak = mysql_query("UPDATE news SET summary='$newsneak' WHERE id='$editid'");
$querybody  = mysql_query("UPDATE news SET body='$newbody' WHERE id='$editid'");

Use single quotes around input data, and also use mysql_real_escape_string() to avoid SQL injection.

PHP mysql_real_escape_string


As per @Tchalvak's suggestion to include a mention of binding, these are more up-to-date tools against SQL injection, plus better optimization, but keep in mind PDO and MySQLi are supported if you have PHP 5+:

PHP PDO

and

PHP MySQLi

Upvotes: 3

Luca Fagioli

Reputation: 13359

You want to use the mysql_error function to see what error your query returns.

As an addition pointed out by Jeremy Conley, take care not to let the mysql_error function output get published in your production HTML.

Upvotes: 1

Jeremy Conley

Reputation: 934

Can I add as well: once you finish debugging, please remove any mysql_error() output. This is awesome info for attackers since it reveals database details. Either log it or don't show errors... adds a little extra security.

Upvotes: 1
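
The binding approach mentioned in the first answer and the advice in the later answers to log database errors instead of displaying them, combined in one added example (not code from any of the posters). It assumes the question's `news` table and columns; the function name `updateNews` is hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example: the question's three UPDATEs as one PDO statement with bound parameters.
// Assumption: SQLite in memory replaces MySQL here; for the question's database use
// new PDO('mysql:host=localhost;dbname=dr;charset=utf8mb4', $user, $pass) instead.

function updateNews(PDO $pdo, $id, $title, $summary, $body): bool
{
    // Validate the id as an integer instead of trusting $_GET['id'].
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;
    }
    try {
        // Values travel as bound parameters, so quotes in the input
        // cannot change the structure of the SQL statement.
        $stmt = $pdo->prepare(
            'UPDATE news SET title = :title, summary = :summary, body = :body WHERE id = :id'
        );
        $stmt->execute([
            ':title' => $title, ':summary' => $summary, ':body' => $body, ':id' => $id,
        ]);
        // Note: MySQL reports 0 affected rows when the new values equal the old ones.
        return $stmt->rowCount() > 0;
    } catch (PDOException $e) {
        // Log the driver error server-side; never echo it into the HTML.
        error_log('news update failed: ' . $e->getMessage());
        return false;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, summary TEXT, body TEXT)');
$pdo->exec("INSERT INTO news (id, title, summary, body) VALUES (1, 'old', 'old', 'old')");

// Constructed sample input: a title containing a quote, then a non-numeric id.
var_dump(updateNews($pdo, '1', "It's updated", 'New summary', 'New body'));
var_dump(updateNews($pdo, 'not-a-number', 'x', 'y', 'z'));
var_dump($pdo->query('SELECT title FROM news WHERE id = 1')->fetchColumn());
```

In a page handler, a `false` return would map to a generic error message for the visitor while the detail stays in the server log.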
