iJoseph Posted August 3, 2010

Hey, I have this code, and it's meant to change the name / content of a page that is being put onto a page. Both of the include files are fine as it works for other actions, but this one just returns the error.

<?php
include "../includes/mysql_connect.php";
include "../includes/info_files.php";

if(isset($_POST['submitted'])) {
    mysql_query("UPDATE `pages` SET name='$_POST[name]' AND SET content='$_POST[content]' AND SET catt='$_POST[catt]' AND SET page='$_POST ' WHERE id='$_POST[id]'") or die('Edit failed');
    echo "Page made.<br /><br />";
}else{
    $result = mysql_query("SELECT * FROM pages WHERE id='$_GET '");
    while($row = mysql_fetch_array($result)) {
        echo '<form action="" method="post">';
        echo '<input type="hidden" name="id" value="' . $row['id'] . '" /><br />';
        echo '<strong>Edit: ' . $row['name'] . '</strong><br />';
        echo 'Name: <input type="text" name="name" value="' . $row['name'] . '" /><br />';
        echo 'Category: <input type="text" name="catt" value="' . $row['catt'] . '" /><br />';
        echo 'Page: <input type="text" name="page" value="' . $row['page'] . '" /><br />';
        echo '<textarea rows="25" cols="60" name="content">' . $row['content'] . '</textarea><br />';
        echo '<input type="submit" name="submitted" value="Edit" />';
        echo '</form>';
    }
}
?>

Any help would be great.

freelance84 Posted August 3, 2010

http://www.w3schools.com/php/php_mysql_update.asp

DWilliams Posted August 3, 2010

Your update syntax is wrong. "AND" is used to chain together conditional statements in the WHERE clause. Proper format would be something like:

UPDATE mytable SET field1='hello', field2='world', field3=42 WHERE id=20 AND age >= 50

EDIT: Also worth mentioning is that your code is left wide open to SQL injection attacks. Never insert user data directly into a query (the POST variables in your example). What if instead of their name they put in "'; DROP TABLE users" or something destructive like that? Your code would happily follow along and destroy the database. Do something like this instead:

$name = mysql_real_escape_string($_POST['name']);

Then use $name in your query instead of $_POST['name']
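
The two points from DWilliams's reply above, written out as an added example that is not code from the thread: the comma-separated SET list, with every value passed as a bound parameter through PDO rather than escaped with mysql_real_escape_string, because the mysql_* functions were removed in PHP 7.0. The in-memory SQLite database, the column types and the update_page helper are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// poster's MySQL server (assumption); with MySQL only the PDO DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the `pages` table from the question.
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT,
            content TEXT, catt TEXT, page TEXT)');
$pdo->exec("INSERT INTO pages VALUES (1, 'Home', 'Welcome', 'main', 'index'),
            (2, 'About', 'About us', 'main', 'about')");

// Hypothetical helper: updates one page and returns the number of rows changed.
function update_page(PDO $pdo, array $input): int
{
    // A missing or non-numeric id is rejected before any SQL runs.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // SET columns are separated by commas; AND belongs only in WHERE.
    $stmt = $pdo->prepare('UPDATE pages SET name = :name, content = :content,
                           catt = :catt, page = :page WHERE id = :id');
    // Values are bound, not interpolated, so they are never parsed as SQL.
    foreach (['name', 'content', 'catt', 'page'] as $col) {
        $stmt->bindValue(":$col", (string) ($input[$col] ?? ''), PDO::PARAM_STR);
    }
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request body; the name is the hostile string quoted in the reply.
$post = ['id' => '1', 'name' => "'; DROP TABLE users", 'content' => 'Edited',
         'catt' => 'main', 'page' => 'index'];
echo 'rows changed: ', update_page($pdo, $post), "\n";

// The string was stored as data and the other row is untouched.
foreach ($pdo->query('SELECT id, name FROM pages ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['name'], "\n";
}

// Constructed bad id: rejected by validation.
try {
    update_page($pdo, ['id' => 'abc']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```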