
Question about using "POST" and MySQL in PHP


bluez34me


Hey all,

I'm certain that one of the PHP masters here on PHP freaks will quickly find and point out my mistake... I have a site where some of the links are stored in MySQL and am trying to update a table that contains the link "names" (display text) and "links" (URLs). The code snippet below is called from my link update page. I know that the variables are being correctly passed, because the "print" statement prints out the updated values. However, the table isn't being updated.

I can make this work if I put actual values in place of the variables (i.e. [color=green]SET 'name'=\'Some link\', 'link=\'url.com\' WHERE 'key'=2 LIMIT 1[/color]), and I'm not getting any errors.

Much fruitless googling and searching of forums (like this one) have not produced any insight. Any assistance in troubleshooting this would be greatly appreciated.
[color=green]

//Set the values from the POST

$key = $_POST['ud_key'];
$name = $_POST['ud_name'];
$link = $_POST['ud_link'];

//Check that the values were passed and variables set correctly by printing them

print "Key: $key \n Name: $name \n Link: $link \n";

// Create the query string using the variables

$query='UPDATE `links` SET `name`=$name, `link`=$link WHERE `key`=$key LIMIT 1;';

// Connect to the DB and run query

@mysql_select_db($database) or die( "Unable to select database");
mysql_query($query);

[/color]

The problem is you're using single quotes. Variables do not get parsed by PHP if they are in single quotes. You'll want to use double quotes instead. So you use this for the query variable:
[code=php:0]$query="UPDATE `links` SET `name`=$name, `link`=$link WHERE `key`=$key LIMIT 1";[/code]


Also, I suggest you read up on preventing SQL injection attacks, as your query is currently prone to SQL injection attacks, which can cause havoc on your database and others' databases too! Never use raw user input; always validate/verify user input!

A few things. Variables are only processed when contained within double-quoted strings. String values need to be surrounded by quotes within an SQL statement.

[code=php:0]
$query = "UPDATE `links` SET `name`= '$name', `link`= '$link' WHERE `key`= '$key';";
[/code]

You might also want to look into using the die() function to help with debugging, e.g.:

[code=php:0]
mysql_query($query) or die(mysql_error());
[/code]

PS: I hope you're validating your $_POST variables before letting them near your database!

It was the double quotes (which I foolishly overlooked). The help is greatly appreciated.

I will also take your advice and read up on SQL injection. I do have a function that's supposed to validate/escape the variables before submitting, but it never hurts to be double sure.

Thanks again--you all rock! :-)
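
The replies above warn that the interpolated UPDATE is open to SQL injection. The following is an added example, not code from any poster in this thread, showing the same update done with a PDO prepared statement and an integer check on the key. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the `updateLink` function name and the sample rows and inputs are constructed for illustration.

```php
<?php
// Added example, not from the thread. SQLite in-memory stands in for MySQL
// (assumption); with MySQL only the PDO DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `links` (`key` INTEGER PRIMARY KEY, `name` TEXT, `link` TEXT)');
$pdo->exec("INSERT INTO `links` VALUES (1, 'Home', 'example.com'), (2, 'Docs', 'example.org')");

// Hypothetical helper: updates one link row from POST-style input.
function updateLink(PDO $pdo, array $post): int
{
    // The key must be an integer; anything else is rejected before any SQL runs.
    $key = filter_var($post['ud_key'] ?? null, FILTER_VALIDATE_INT);
    if ($key === false) {
        throw new InvalidArgumentException('ud_key must be an integer');
    }
    $name = trim((string) ($post['ud_name'] ?? ''));
    $link = trim((string) ($post['ud_link'] ?? ''));
    if ($name === '' || $link === '') {
        throw new InvalidArgumentException('ud_name and ud_link are required');
    }
    // Placeholders keep the values out of the SQL text, so a quote inside
    // $name or $link is stored as data and cannot change the statement.
    // (LIMIT 1 is omitted: `key` is the primary key, so at most one row matches.)
    $stmt = $pdo->prepare(
        'UPDATE `links` SET `name` = :name, `link` = :link WHERE `key` = :key'
    );
    $stmt->execute([':name' => $name, ':link' => $link, ':key' => $key]);
    return $stmt->rowCount();
}

// Constructed sample inputs: one legitimate value containing a quote, and one
// key that would alter the WHERE clause if it were interpolated into the query.
$samples = [
    ['ud_key' => '2', 'ud_name' => "Bob's links", 'ud_link' => 'example.net'],
    ['ud_key' => '2 OR 1=1', 'ud_name' => 'x', 'ud_link' => 'y'],
];
foreach ($samples as $post) {
    try {
        printf("updated %d row(s)\n", updateLink($pdo, $post));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
// Show the final table contents so the effect of each input is visible.
foreach ($pdo->query('SELECT `key`, `name`, `link` FROM `links`') as $row) {
    printf("%d | %s | %s\n", $row['key'], $row['name'], $row['link']);
}
```

The `mysql_*` functions used in the thread were removed in PHP 7, so on current PHP the same pattern applies through PDO or mysqli.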