updating data in mysql problems in php

[edrew04]

i see an error when running my code here:Unknown column 'column name(your input on the textbox:pname1)' in 'field list'

 

 

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">

<div id="insidebox1">

<form name="form1" method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<tr><td><p>*Physician_ID<td> <input type="text" name="p_id" id="p_id" size="15" maxlength="60" value=""/></p></tr>

<tr><td><p>First Name: <td> <input type="text" name="pname1" id="pname1" size="15" maxlength="30" value=""/></p></td></tr>

<tr><td><p>Surname: <td> <input type="text" name="psur1" id="psur1" size="15" maxlength="60" value=""/></p></tr>

<tr><td><p>Specialty: <td> <input type="text" name="psp1" id="psp1" size="15" maxlength="100" value=""/></p></td></tr>

 

<tr><td><p><input type="submit" name="btn8" id="btn8" value="Update Physician"/></p></td></tr>

</table>

 

<?php

if(isset($_POST['btn8'])){//edit

echo "<center/><a href='physicians.php'>Check the update results

</a></p>";

mysql_query("UPDATE physicians SET firstName={$_POST['pname1']}, surname={$_POST['psur1']}, Specialty={$_POST['psp1']} WHERE

 

Physician_ID={$_POST['p_id']}") or die (mysql_error());

 

}

 

?>

[Bricktop]

Hi edrew04,

 

You need to concatenate your input data, change your MySQL query to read:

 

mysql_query("UPDATE physicians SET firstName='".$_POST['pname1']."', surname='".$_POST['psur1']."', Specialty='".$_POST['psp1']."' WHERE Physician_ID='".$_POST['p_id']."'") or die (mysql_error());

 

Additionally, you are not sanitising or validating your data, the POSTed data is being entered directly into a MySQL query which is a very bad thing for numerous security reasons.  At the very least use the mysql_real_escape_string() on your POSTed data before entering it into your query.

 

Have a look at Daniel's excellent security tutorial for more information on this.

 

Hope this helps.