update form

[yddib]

<?php

//start the session
session_start();

$id = $_SESSION['id'];

mysql_connect("", "", "") or die(mysql_error());
//connects to the  server
mysql_select_db("");
//selects the database 

echo "Connection Open<br>";

$result = mysql_query("UPDATE gradinfo SET f_name='$f_name', l_name='$l_name', gender='$gender', birthd='$birthd', birthm='$birthm', birthy='$birthy', email='$email', pass='$pass', address1='$address1', county='$county', country='$country', telephone='$telephone', relationship='$relationship', location='$location', about_me='$about' WHERE u_id='$id'") or die (mysql_error());

if (!$result) {
exit('<p>Error performing query: ' . mysql_error() . '</p>');
}

echo "Record Updated<br>";

?>

 

Hi i'm have a bit of a problem updating my form. I am grabbing varaibles from another form at the top of this form but i can't get it to update the database. I was wondering if anyone could see if there is a problem?

Thanks

[Minase]

it give any error?

did you check if the variables have the correct content?

[yddib]

This is the error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm 23 years old. I'm finishing my Masters which is very difficult but it has been' at line 1

[Minase]

maybe your inputs have " ' " in them?

[revraz]

Yep, your $about has a single quote at I'm

 

Use addslashes and stripslashes.

[yddib]

That worked perfect thanks. It was the " ' " in I'm! How do I stop people putting " ' " in or how do they go in successfully? ???

[Minase]

or you can use

str_replace("'"," ",$string)

[JasonLewis]

mysql_real_escape_string() should be used on any user inserted data into MySQL. Google "MySQL Injection" for more.

[revraz]

I just told you above this post.

 

That worked perfect thanks. It was the " ' " in I'm! How do I stop people putting " ' " in or how do they go in successfully? ???