gmaster_PT Posted September 20, 2013

Hi all,

```php
<?php
if (substr($_POST['tag'], 0, 15) == 'chave|commando|') {
    include 'db_con.php';
    session_start();
    // Everything after the 15-character prefix is run as the SQL statement.
    $sql = substr($_POST['tag'], 15, 2000);
    $result = mysql_query($sql);
    mysql_close($con);
    echo $result;
} else {
    echo "<script>window.location = 'http://www.google.com'</script>";
}
?>
```

The tag receives "Update config_hal SET pgtobtn = 5 ". If I send the tag like that, this works fine ... If I try to send it like this, "Update config_hal SET pgtobtn = N ", this doesn't work ... I know that I should write something like this, "Update config_hal SET pgtobtn = 'N' ", but that also doesn't work. Can anybody tell me what's wrong with my code?

jcbones Posted September 20, 2013

Your database column is set to an integer type, so it will not store strings or alpha characters.

gmaster_PT (Author) Posted September 20, 2013

No, my database is set to varchar. If I put it in manually it keeps it; only when I try to update via PHP it doesn't do anything...

Barand Posted September 20, 2013

Try

```php
$result = mysql_query($sql) or die(mysql_error());
```

gmaster_PT (Author, Solution) Posted September 20, 2013

OK, now I get a syntax error because PHP puts the query like this: "\'pgtobtn=\'n'. Why is this \ added to the query? Thanks all.

gmaster_PT (Author) Posted September 21, 2013

OK, with

```php
$sql = stripslashes(substr($_POST['tag'], 15, 2000));
```

stripslashes is what I need. Thanks all for the help.

mac_gyver Posted September 21, 2013

I hope you are not going to use this method, of getting the whole SQL query statement via user-submitted data, on an actual live web site? Your current code will allow anyone who finds the site to run any query they want. They will either delete your data or set any of your data to anything they want.
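
The alternative to the design the last reply warns about, as an added example that is not part of the original thread: the client sends a setting name and a value, and the server builds the only statement it is willing to run. The POST field names `setting` and `value`, the validation pattern, the use of PDO, and the in-memory SQLite table standing in for the MySQL database are all assumptions made for the example.

```php
<?php
// Added example: the request carries a setting name and a value, never SQL text.
// Field names 'setting' and 'value' and the pattern below are assumptions.

// Allow-list: column name => pattern the new value must match.
const ALLOWED_SETTINGS = [
    'pgtobtn' => '/^[A-Za-z0-9]{1,8}$/',
];

function update_setting(PDO $db, array $post): bool
{
    $setting = $post['setting'] ?? '';
    $value   = $post['value'] ?? '';

    // Reject anything that is not a known column with a well-formed value.
    if (!is_string($setting) || !is_string($value)
        || !array_key_exists($setting, ALLOWED_SETTINGS)
        || preg_match(ALLOWED_SETTINGS[$setting], $value) !== 1) {
        return false;
    }

    // The column name comes from the allow-list key, not from the request text;
    // the value is bound as a parameter, so neither addslashes nor stripslashes
    // is involved in getting a quoted string into the query.
    $stmt = $db->prepare("UPDATE config_hal SET $setting = :value");
    return $stmt->execute([':value' => $value]);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE config_hal (pgtobtn VARCHAR(8))");
$db->exec("INSERT INTO config_hal (pgtobtn) VALUES ('5')");

// A well-formed value, a value carrying a quote, and a column not on the list.
var_dump(update_setting($db, ['setting' => 'pgtobtn', 'value' => 'N']));
var_dump(update_setting($db, ['setting' => 'pgtobtn', 'value' => "N'; --"]));
var_dump(update_setting($db, ['setting' => 'password', 'value' => 'x']));
echo $db->query("SELECT pgtobtn FROM config_hal")->fetchColumn(), "\n";
```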