update mysql using simple form

[elkidogz]

all i want this silly page todo is take info from a form, then do an update to the SQL record that it matches provided from the form

so, form is this.

[code=html] <form id="Customerinfo" action="CustomerFormUpdate.php" method="post">
<table border="0" cellpadding="0" cellspacing="0" align="center">
<tr>
<td>
<h3>Customer Account creation Information:</h3>
</td>
</table>
<table border="0" cellpadding="0" cellspacing="0" align="center">
</tr>
<tr>
<td>
User ID:
</td>
<td>
<input type="text" name="CustLOGON" value="" size="45"/>
</td>
</tr>
<tr>
<td>
User Pass:
</td>
<td>
<input type="password" name="CustPASS" value="" size="45"/>
</td>
</tr>
<tr>
<td>
Company Name:
</td>
<td>
<input type="text" name="CustCOMPANY" value="" size="45"/>
</td>
</tr>
<tr>
<td>
Company Contact First Name:
</td>
<td>
<input type="text" name="CustFN" value="" size="45"/>
</td>
</tr>
<tr>
<td>
<input type="Submit" value="Submit"/>
<input type="Reset" value="Reset"/>
</td>
</tr>
</table> 
</form>[/code]

and the php is this

[code=php]
<?php
$con = mysql_connect("localhost", "username", "pass");
if (!$con)
  {
  die('Could not connect to the database Contact Site admin ' . mysql_error());
  }
mysql_select_db("mysqldb", $con);

// TAKE RECORDS AND UPDATE BASED ON $_POST[CustLOGON] or user longon ID

$sql='UPDATE `mysqldb` SET `CustCompany`="$_POST[CustCOMPANY]", `CustFn`="$_POST[CustFN]"
WHERE `CustLogon`= "$_POST[CustLOGON]"';


if (!mysql_query($sql,$con))
  {
  die('Error Not able to update Values to table Check your syntax: ' . mysql_error());
  }

// DISPLAY UPDATED RECORDS

$result = mysql_query("SELECT * FROM mysqldb");
echo "showing all records: <br/>";
while($row = mysql_fetch_array($result))
  {
  echo $row['CustLogon'] . " " . $row['CustCompany'] . " " . $row['CustFn'];
  echo "<br />";
  }


mysql_close($con)
?>
[/code]

Now, when i run this i don't receive any errors and it displays the database records as if they were not touched. so i know it's in the where statement but why isn't it picking up the value? ??? ??? ??? what am i doing wrong here?

[genericnumber1]

change

[code=php:0]
$sql='UPDATE `mysqldb` SET `CustCompany`="$_POST[CustCOMPANY]", `CustFn`="$_POST[CustFN]"
WHERE `CustLogon`= "$_POST[CustLOGON]"';
[/code]

to

[code=php:0]
$sql="UPDATE `mysqldb` SET `CustCompany`='{$_POST[CustCOMPANY]}', `CustFn`='{$_POST[CustFN]}'
WHERE `CustLogon`= '{$_POST[CustLOGON]}'";
[/code]

php only parses things between double quotes looking for variables.

You also would really want to filter those items before they are inputted into the database as well, what you're doing now is vulnerable to sql injection. See http://www.php.net/mysql_real_escape_string

[elkidogz]

OH the " ' thing... thanks

BTW do i need to include any classes for that sql injection?

[Jessica]

Did you check the actual database to see if the changes were made?
With arrays, you need to do $_POST['CustCOMPANY'], surrounding the key in single quotes.

[genericnumber1]

Time for some debugging tricks :P

after

[code=php:0]
$sql="UPDATE `mysqldb` SET `CustCompany`='{$_POST[CustCOMPANY]}', `CustFn`='{$_POST[CustFN]}'
WHERE `CustLogon`= '{$_POST[CustLOGON]}'";
[/code]

put

[code=php:0]
echo $sql;
die();
[/code]

and ensure the query is correct

@jesirose:
you dont HAVE to encase them in quotes, but you're right, it's great practice.

[elkidogz]

yeah what it was is that i didn't have the {} around and the " ' order was messed up.

I apologize for my lack of php skillz

[elkidogz]

[quote author=jesirose link=topic=121311.msg498513#msg498513 date=1168128811]
Did you check the actual database to see if the changes were made?
With arrays, you need to do $_POST['CustCOMPANY'], surrounding the key in single quotes.
[/quote]

yeah i do have it dumping the data base array look down in my initial code :)

[genericnumber1]

good to hear you got it working!

and you can check out that magic quotes function on the page I linked to you, I use a modified version myself to avoid sql injection, gl!