Jump to content


Photo

Question about using "POST" and MySQL in PHP


  • Please log in to reply
4 replies to this topic

#1 bluez34me

bluez34me
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 24 October 2006 - 05:50 PM

Hey all,

I'm certain that one of the PHP masters here on PHP freaks will quickly find and point out my mistake... I have a site where some of the links are stored in MySQL and am trying to update a table that contains the link "names" (display text) and "links" (URLs). The code snippet below is called from my link update page. I know that the variables are being correctly passed, because the "print" statement prints out the updated values. However, the table isn't being updated.

I can make this work if I put actual values in place of the variables (i.e. SET 'name'=\'Some link\', 'link=\'url.com\' WHERE 'key'=2 LIMIT 1), and I'm not getting any errors.

Much fruitless googling and searches of forums (like this one) has not produced any insight. Any assistance in troubleshooting this would be grately appreciated.


//Set the values from the POST

$key = $_POST['ud_key'];
$name = $_POST['ud_name'];
$link = $_POST['ud_link'];

//Check that the values were passed and variables set correctly by printing them

print "Key: $key \n Name: $name \n Link: $link \n";

// Create the query string using the variables

$query='UPDATE `links` SET `name`=$name, `link`=$link WHERE `key`=$key LIMIT 1;';

// Connect to the DB and run query

@mysql_select_db($database) or die( "Unable to select database");
mysql_query($query);



#2 marcus

marcus
  • Members
  • PipPipPip
  • Advanced Member
  • 1,842 posts
  • LocationRochester, NY

Posted 24 October 2006 - 05:55 PM

UPDATE `links` SET `name` = '$name', `link`= '$link'
 WHERE `key` =$key LIMIT 1 ;

also, try connecting to the database before you do queries.

#3 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 24 October 2006 - 05:57 PM

The problem is you're using single quotes. Variabled do not get parsed by PHP if they are in single quotes. You'll want to use double quotes instead. So you use this for the quiery variable:
$query="UPDATE `links` SET `name`=$name, `link`=$link WHERE `key`=$key LIMIT 1";


Also note I suggest you read up on prevent sql injection attacks. As currently your query is prone to SQL Injection attacks which can cause havoc over your database/others databases too!! Never use raw user input always validate/verify user input!

#4 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 24 October 2006 - 05:58 PM

A few things. Varibles are only proceseed when contained with double quioted strings. String values need to be surrounded by quotes within an sql statement.

$query = "'UPDATE `links` SET `name`= '$name', `link`= '$link' WHERE `key`= '$key';"';

You might also want to look into using the die() function to help with debugging. eg;

mysql_query($query) or die(mysql_error());

PS: I hope your validating your $_POST variables before letting them near your database!

#5 bluez34me

bluez34me
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 24 October 2006 - 06:10 PM

It was the double quotes (which I foolishly overlooked) The help is greatly appreciated.

I will also take your advice and read up on SQL injection. I do have a function that's supposed to validate/escape the variables before submitting, but it never hurts to be double sure.

Thanks again--you all rock! :-)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users