[SOLVED] query help

cordoprod · July 19, 2008

Hi...

This query is reeaally annoying.. i just cant figure it out..

Query:

$edit_sql = "UPDATE travek_video SET link='".$_POST['link']."' title='".$_POST['title']."' description='".$_POST['desc']."' folder='".$_POST['folder']."' WHERE id='".$_GET['video']."' AND uploader='".$_SESSION['username']."'";

DB structure:

id - link - title - description - folder - uploader - views

Error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'title='Nunchaku tutorial......' description='Nunchaku tutorials for n00bs.' fold' at line 1

john-formby · July 19, 2008

$edit_sql = "UPDATE travek_video SET link='".$_POST['link']."', title='".$_POST['title']."', description='".$_POST['desc']."', folder='".$_POST['folder']."', WHERE id='".$_GET['video']."' AND uploader='".$_SESSION['username']."'";
$result = mysql_query($edit_sql);

kenrbnsn · July 19, 2008

It's a very bad practice to use unvalidated data in mysql statements. At least apply mysql_real_escape_string().

<?php
$flds = array('link' => 'link', 'title' => 'title', 'description' => 'desc', 'folder' => 'folder');
$qtmp = array();
foreach ($flds as $dfld => $pfld)
   $qtmp[] = $dfld . " = '" . mysql_real_escape_string(stripslashes($_POST[$pfld])) . "'";
$q = "update travek_video set " . implode(', ',$qtmp) . " where id = '" . mysql_real_escape_string($_GET['video']) . "' and uploader = '" . mysql_real_escape_string($_SESSION['username']) . "'";
$rs = mysql_query($q) or die("Problem with the query: $q on line " . __LINE__ . '<br>' . mysql_error());
?>

It looks like a lot of typing, but you'll thank yourself later when some hacker tries to compromise your site and can't.

Ken

Sign In

[SOLVED] query help

Recommended Posts

cordoprod

Link to comment

Share on other sites

john-formby

Link to comment

Share on other sites

kenrbnsn

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information