
This topic is now archived and is closed to further replies.

bluez34me

Question about using "POST" and MySQL in PHP


Hey all,

I'm certain that one of the PHP masters here on PHP freaks will quickly find and point out my mistake... I have a site where some of the links are stored in MySQL and am trying to update a table that contains the link "names" (display text) and "links" (URLs). The code snippet below is called from my link update page. I know that the variables are being correctly passed, because the "print" statement prints out the updated values. However, the table isn't being updated.

I can make this work if I put actual values in place of the variables (i.e. [color=green]SET 'name'=\'Some link\', 'link=\'url.com\' WHERE 'key'=2 LIMIT 1[/color]), and I'm not getting any errors.

Much fruitless googling and searches of forums (like this one) have not produced any insight. Any assistance in troubleshooting this would be greatly appreciated.
[color=green]

//Set the values from the POST

$key = $_POST['ud_key'];
$name = $_POST['ud_name'];
$link = $_POST['ud_link'];

//Check that the values were passed and variables set correctly by printing them

print "Key: $key \n Name: $name \n Link: $link \n";

// Create the query string using the variables

$query='UPDATE `links` SET `name`=$name, `link`=$link WHERE `key`=$key LIMIT 1;';

// Connect to the DB and run query

@mysql_select_db($database) or die( "Unable to select database");
mysql_query($query);

[/color]

[code]
UPDATE `links` SET `name` = '$name', `link`= '$link'
WHERE `key` =$key LIMIT 1 ;
[/code]

Also, try connecting to the database before you do queries.

The problem is you're using single quotes. Variables do not get parsed by PHP if they are in single quotes. You'll want to use double quotes instead. So you use this for the query variable:
[code=php:0]$query="UPDATE `links` SET `name`=$name, `link`=$link WHERE `key`=$key LIMIT 1";[/code]


Also note I suggest you read up on preventing SQL injection attacks. Currently your query is prone to SQL injection attacks, which can cause havoc over your database/others' databases too!! Never use raw user input; always validate/verify user input!

A few things. Variables are only processed when contained within double-quoted strings. String values need to be surrounded by quotes within an SQL statement.

[code=php:0]
$query = "UPDATE `links` SET `name`= '$name', `link`= '$link' WHERE `key`= '$key';";
[/code]

You might also want to look into using the die() function to help with debugging, e.g.:

[code=php:0]
mysql_query($query) or die(mysql_error());
[/code]

PS: I hope you're validating your $_POST variables before letting them near your database!

It was the double quotes (which I foolishly overlooked). The help is greatly appreciated.

I will also take your advice and read up on SQL injection. I do have a function that's supposed to validate/escape the variables before submitting, but it never hurts to be double sure.

Thanks again--you all rock! :-)

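An added example, not part of the original thread or written by any of its posters: the same UPDATE done with input validation and a PDO prepared statement, which is where the replies' SQL injection warnings lead. `updateLink()` is a hypothetical helper, the sample inputs are constructed, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. updateLink() is a hypothetical helper.
// Assumption: SQLite in memory stands in for MySQL so this runs offline; with
// MySQL only the DSN given to new PDO() changes (and LIMIT 1 may be kept).
function updateLink(PDO $pdo, array $post): int
{
    // Validate each field against what it is supposed to be.
    $key = filter_var($post['ud_key'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $name = is_string($post['ud_name'] ?? null) ? trim($post['ud_name']) : '';
    $link = filter_var($post['ud_link'] ?? null, FILTER_VALIDATE_URL);
    $scheme = is_string($link) ? strtolower((string) parse_url($link, PHP_URL_SCHEME)) : '';
    if ($key === false || $name === '' || strlen($name) > 255
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('rejected link update');
    }
    // Placeholders keep the SQL text fixed; the values are sent as data, so
    // quotes or SQL keywords inside them are never parsed as SQL.
    $stmt = $pdo->prepare('UPDATE `links` SET `name` = :name, `link` = :link WHERE `key` = :key');
    $stmt->execute([':name' => $name, ':link' => $link, ':key' => $key]);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly on SQL errors
$pdo->exec('CREATE TABLE `links` (`key` INTEGER PRIMARY KEY, `name` TEXT, `link` TEXT)');
$pdo->exec("INSERT INTO `links` VALUES (1, 'Home', 'http://example.com/'), (2, 'Old', 'http://example.org/')");

// Constructed sample inputs standing in for $_POST.
$samples = [
    ['ud_key' => '2', 'ud_name' => "Bob's \"best\" links", 'ud_link' => 'https://example.net/a?b=1'],
    ['ud_key' => '2 OR 1=1', 'ud_name' => 'x', 'ud_link' => 'https://example.net/'],
    ['ud_key' => '1', 'ud_name' => 'x', 'ud_link' => 'ftp://example.net/file'],
];
foreach ($samples as $post) {
    try {
        echo 'rows updated: ', updateLink($pdo, $post), "\n";
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), ' for key ', json_encode($post['ud_key']), "\n";
    }
}
// Show the table so the effect of each sample is visible.
print_r($pdo->query('SELECT * FROM `links`')->fetchAll(PDO::FETCH_ASSOC));
```

The first sample contains both quote characters, which would break either interpolated query from the thread, yet it is stored verbatim; the other two are rejected before any SQL runs.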
