Why won't this update my table? :-S

[adamjones]

I'm getting this error;

Error:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'check=no' at line 1

For this code;

<?php
$server   = "server";
$username = "user";
$password = "pass";
$db_name  = "db";
$connect = mysql_connect($server, $username, $password) or die(mysql_error());
mysql_select_db($db_name, $connect) or die(mysql_error());

$id = $_GET['toggle'];
if (empty($id)) {
    echo '<meta http-equiv="refresh" content="0; url=maintenance.php">';
}

$sql = mysql_query("UPDATE maintenance SET check=$id") OR die("Error:".mysql_error());
$result=mysql_query($sql);

header('location:maintenance.php');

?>

Any ideas?

[trq]

"no" is a string, strings need to be surrounded by quotes in sql.

 

You also need to sanitise your input or you are leaving your code vulnerable to attack.

[adamjones]

"no" is a string, strings need to be surrounded by quotes in sql.

 

You also need to sanitise your input or you are leaving your code vulnerable to attack.

 

Ok, so I've changed it from being a 'yes/no' to '0/1'. I've sanitised the input and now it's not giving an error, but it's not updating the database? :-(

<?php
*connection stuff*

function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
$id = clean($_GET['toggle']);

if (empty($id)) {
    echo '<meta http-equiv="refresh" content="0; url=maintenance.php">';
}

$sql = mysql_query("UPDATE maintenance SET check='$id'") OR die("Error:".mysql_error());
$result=mysql_query($sql);

header('location:maintenance.php');

?>

[trq]

Why are you executing mysql_query once, then passing the results of that query back to mysql_query and executing that?

 

Have you got error reporting enabled? That second call to mysql_query should error because mysql_query expects a string.