php mysql update

Question

<?php
$host = "localhost";
$user = "root";
$pass = "pass";
$db = "table";
$connect=mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($db, $connect) or die(mysql_error());
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
  $username = trim($_POST["username"]);
   $res = mysql_query("SELECT id, username, email, ip FROM users WHERE username='". mysql_real_escape_string($username) . "'");

  $arr = mysql_fetch_assoc($res);
  $user_id = $arr['id'];
  $user_name = $arr['username'];
  $user_email = $arr['email'];
  $user_ip = $arr['ip'];
  $res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();
}
?>
<form method="post" action="">
<input type="text" size="40" name="username">
<tr><td colspan="2"><input type="submit" class="btn" value='send'></td></tr>
</form>

This script doesn't execute: $res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();

What's wrong ?

Answer 1

you need to debug.

at the end of this line

 $res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();

write this line

"UPDATE users SET enabled=no WHERE id=$user_id"

you will see what command will be execute. probably $user_id variable coming wrong.

if you seen wrong sql command go head and try to investigate why user_id coming wrong

Answer 2

Try wrapping the enabled=no and the id=$user_id in quotes

$res = mysql_query("UPDATE users SET enabled='no' WHERE id='$user_id'") or mysql_error();

You should also make sure you escape your variables as your code is vulnerable to SQL Injection

$username = mysql_real_escape_string(trim($_POST["username"]));

Answer 3

Use:

$res = mysql_query("UPDATE users SET enabled='no' WHERE id=$user_id") or die(mysql_error());