Updating records from html form

[joshgarrod]

Hi, I am having problems updating records from a form. The data is displaying in the form, however, upon submitting the form, it appears to have updated but it actually hasn't. Please help:

 

<?php

$ref = (!empty($_GET['ref']))?trim($_GET['ref']):"";
$table = (!empty($_GET['table']))?trim($_GET['table']):"";

if (isset($_POST['submit'])){
$ref=$_POST["ref"];
$title=$_POST["title"];
$descr=$_POST["descr"];
$partno=$_POST["stocknu"];
$price=$_POST["price"];
$category=$_POST["category"];

# setup SQL statement
$query = sprintf("UPDATE `$table` SET `title` = '%s',`descr` = '%s',`stocknu` = '%s',`price` = '%s' WHERE `$table`.`ref` ='%s' LIMIT 1",	mysql_real_escape_string($title),mysql_real_escape_string($descr),mysql_real_escape_string($partno),mysql_real_escape_string($price),mysql_real_escape_string($avail),mysql_real_escape_string($category),mysql_real_escape_string($ref));

#execute SQL statement
$result = mysql_db_query($db,$query,$cid) or die($query."<br>".mysql_error());

# check for error
if (!$result){
	echo("ERROR: " . mysql_error() . "\n$SQL\n");
}
echo "<P>Part updated</P><br />";
}
   
?>
?>

[PFMaBiSmAd]

it appears to have updated

What exactly do you get as output that tells you this?

 

Is that all the code on the page? Because, without a connection to your database, the code cannot work. Where is $cid being set?

 

Have any mysql_ functions successfully worked on your server in the past or is this the first time you have attempted to run any code using mysql_ functions?

 

There are also a couple of issues with the code -

 

1) You should not supply the table name from external data as that will allow a hacker to UPDATE any table he wants. It is also not possible to prevent sql injection where $table is being used in the query by using mysql_real_escape_string() so you must validate that $table only contains specific values that are allowed.

 

2) mysql_db_query() was depreciated long ago, throws a depreciated error in php5.3, and has been completely removed in php6. You should use mysql_select_db and mysql_query

[joshgarrod]

Hi, thanks for your prompt reply. What i mean by "appears" is that there are no error messages and it prints "part updated". I have loads of MySQL functions working with my server.

 

This code is in a password protected area for administrative purposes so hackers will not be able to access. Could you explain in my simpleton language what you mean by this please lol

It is also not possible to prevent sql injection where $table is being used in the query by using mysql_real_escape_string() so you must validate that $table only contains specific values that are allowed.

Is it absolutely necessary to change all of my mysql_db_query() to mysql_select_db and mysql_query as I have many other scripts working with this.

 

 

Thanks for your time