Update Statement Error

[Boxerman]

Hi guys,

 

sorry if this is the wrong section but its a mixture of sql and php.. however i believe it may be sql... sorry if i am wrong.

I'm having an issue with a script...

 

the SQL in this is the following:

 

<?php
if(isset($_GET['flag']))
{
$con = mysql_connect("localhost","*******","****************");
if (!$con)
 {
 die('Could not connect: ' . mysql_error());
 }
mysql_select_db("movies", $con);
$sql="UPDATE movies WHERE id = '$_GET['id']' set flag
VALUES
('1')";
if (!mysql_query($sql,$con))
 {
 die('Error: ' . mysql_error());
 }
echo "<font color='green'>Thanks for reporting!</font><br><br>";
mysql_close($con);
}
?>

 

What the aim of it is... to update a coloum in movies database called flag and just put 1 in there.

 

Again sorry if i am wrong!

 

Thanks,

B

[Pikachu2000]

Your SQL syntax is off. See the examples here: http://dev.mysql.com/doc/refman/5.0/en/update.html

[Boxerman]

Ok thanks so it is SQL.

 

Would this be correct?

UPDATE movies SET flag=1
WHERE id='$_GET['id']'

?

[Pikachu2000]

Assuming $_GET['id'] is an integer, you should validate it and cast it as int, and leave it unquoted in the query string. The code below doesn't address the validation part . . .

 

$id = (int) $_GET['id'];
$sql = "UPDATE movies SET flag = 1 WHERE id = $id";

[Boxerman]

Thank you for your help.