user794477

Reputation: 15

PHP and MySQL form, what am I doing wrong?

I have a table that has the user ID already in it, but some of the information is missing, and that is where I need the user to input it themselves. In the URL of the form I have their ID... winnerpage.php?ID=123

I am having trouble getting the code to work. Any help would be great!

This is the code on that winnerpage.php

<form enctype="multipart/form-data" action="winnerpage.php" method="POST">
ID: <input name="ID" type="text" value="<?=$ID?>" /><br/>
First Name: <input type="text" name="FN"><br />
Last Name: <input type="text" name="LN"><br />
Email: <input type="text" name="EM"><br />
Phone: <input type="text" name="PH"><br />
<input type="submit" name="edit" value="edit"></form> <br>

<?
require_once('mysql_serv_inc.php');

$conn = mysql_connect("$mysql_server","$mysql_user","$mysql_pass"); 
if (!$conn) die ("ERROR"); 
mysql_select_db($mysql_database,$conn) or die ("ERROR"); 

if(isset($_POST['edit']))
{
$sID        =    addslashes($_POST['ID']);
$sFN        =    addslashes($_POST['FN']);
$sLN        =    addslashes($_POST['LN']);
$sEM        =    addslashes($_POST['EM']);
$sPH        =    addslashes($_POST['PH']);


mysql_query('UPDATE winner SET FN=$sFN, LN=$sLN, EM=$sEM, PH=$sPH 
             WHERE ID=$sID') or die (mysql_error());

echo 'Updated!';
}

$query = "select * from winner order by ID";
$result = mysql_query($query);
?>

<?
   while ($link=mysql_fetch_array($result))
   {
     echo 'Unique ID - Completion Time - First Name - Last Name - Email - Phone<br/>'.$link[ID].' -' .$link[FN].' - '.$link[LN].' - '.$link[EM].' - '.$link[PH].'<br>';
     }
?>

Upvotes: 0

Views: 105

Answers (4)

Damien Pirsy

Reputation: 25445

1) ID: <input name="ID" type="text" value="<?=$ID?>" /><br/>
Where do you get that $ID?
Are you doing something like $_GET['ID'], or are you relying on safe_mode being ON? (It's not clear from the code you provided.)
(Better yet: if (isset($_GET['ID'])) { $ID = (int)$_GET['ID']; })

2) Please don't do that. Don't use addslashes(). Use mysql_real_escape_string() or, even better, prepared statements. addslashes() is not utterly reliable for escaping data for queries.

$sID   =    (int)$_POST['ID'];
$sFN   =    mysql_real_escape_string($_POST['FN']);
$sLN   =    mysql_real_escape_string($_POST['LN']);
$sEM   =    mysql_real_escape_string($_POST['EM']);
$sPH   =    mysql_real_escape_string($_POST['PH']);

Also, add 'value=""' to each input field (not mandatory)

3) encapsulate values in query:

mysql_query("UPDATE winner SET FN='".$sFN."', LN='".$sLN."', EM='".$sEM."', PH='".$sPH."' WHERE ID='".$sID."'") or die (mysql_error());

Upvotes: 1
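The "even better, prepared statements" option from the answer above, as an added example (not the original poster's code and not any answerer's): the same winnerpage.php rewritten on PDO, so the user-supplied values never become part of the SQL text and no escaping function is needed at all. It assumes PHP 7 or later with the pdo_mysql and mbstring extensions, the same winner table and columns (ID, FN, LN, EM, PH) as in the question, and that mysql_serv_inc.php defines $mysql_server, $mysql_user, $mysql_pass and $mysql_database. The helper names field() and h() are my own.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: PHP 7+, pdo_mysql + mbstring, a `winner` table with columns
// ID, FN, LN, EM, PH, and mysql_serv_inc.php defining the four $mysql_* vars.
require_once 'mysql_serv_inc.php';

$pdo = new PDO(
    "mysql:host=$mysql_server;dbname=$mysql_database;charset=utf8mb4",
    $mysql_user,
    $mysql_pass,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares: values never enter the SQL text
        PDO::MYSQL_ATTR_FOUND_ROWS => true,                   // rowCount() = rows matched, not rows changed
    ]
);

// The ID arrives in the query string on the first visit and in the POST body
// after submit (the form's action drops the ?ID= from the URL). Cast to int in
// both cases; a raw request value is never echoed or interpolated anywhere.
$ID = (int)($_POST['ID'] ?? $_GET['ID'] ?? 0);

// Text fields: trim and cap the length so an oversized value is not stored.
function field(string $name, int $max = 100): string
{
    $value = trim((string)($_POST[$name] ?? ''));
    return mb_substr($value, 0, $max);
}

// HTML-escape before echoing so a stored value cannot inject markup into the page.
function h($value): string
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['edit']) && $ID > 0) {
    // Named placeholders; PDO sends the values separately from the statement,
    // so quotes, backslashes or multibyte tricks in the input cannot change it.
    $stmt = $pdo->prepare(
        'UPDATE winner SET FN = :fn, LN = :ln, EM = :em, PH = :ph WHERE ID = :id'
    );
    $stmt->execute([
        ':fn' => field('FN'),
        ':ln' => field('LN'),
        ':em' => field('EM', 254),
        ':ph' => field('PH', 32),
        ':id' => $ID,
    ]);
    // With MYSQL_ATTR_FOUND_ROWS this is 0 only when no row has that ID,
    // not when the user resubmitted unchanged values.
    echo $stmt->rowCount() === 1 ? 'Updated!' : 'No winner with that ID';
}
?>
<form action="winnerpage.php" method="post">
ID: <input name="ID" type="text" value="<?= h($ID) ?>" /><br/>
First Name: <input type="text" name="FN" value=""><br />
Last Name: <input type="text" name="LN" value=""><br />
Email: <input type="text" name="EM" value=""><br />
Phone: <input type="text" name="PH" value=""><br />
<input type="submit" name="edit" value="edit"></form> <br>

<?php
// Listing: name the columns instead of SELECT *, and quote the array keys.
echo 'Unique ID - First Name - Last Name - Email - Phone<br/>';
foreach ($pdo->query('SELECT ID, FN, LN, EM, PH FROM winner ORDER BY ID') as $row) {
    echo h($row['ID']), ' - ', h($row['FN']), ' - ', h($row['LN']), ' - ',
         h($row['EM']), ' - ', h($row['PH']), '<br>';
}
```

Two things this does not fix, because the page's design leaves them open: anyone who knows (or guesses) an ID can overwrite that winner's row, since the ID is just a form field, so the real page still needs some check that the submitter is entitled to edit that row; and the mysql_* functions the question uses were removed in PHP 7, so the PDO rewrite is also what keeps the page running on a current interpreter.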

James Allardice

Reputation: 166071

At first glance I would say that you need:

1) Quote marks around some of the values you are inserting into the table (any strings for example)

2) Quote marks around the names of the fields when you try to echo them out at the end ($link['ID'] for example)

Upvotes: 0

Shef

Reputation: 45599

Maybe try:

mysql_query("UPDATE winner SET FN='$sFN', LN='$sLN', EM='$sEM', PH='$sPH' WHERE ID=$sID") or die (mysql_error());

Upvotes: 1

Dr.Molle

Reputation: 117364

mysql_query('UPDATE winner SET FN=$sFN, LN=$sLN, EM=$sEM, PH=$sPH WHERE ID=$sID')

The query is enclosed in single quotes, so the variables inside it will not be parsed.

Upvotes: 0
