elkidogz Posted January 6, 2007

all i want this silly page to do is take info from a form, then do an update to the SQL record that it matches provided from the form.

so, form is this.

[code=html]
<form id="Customerinfo" action="CustomerFormUpdate.php" method="post">
  <table border="0" cellpadding="0" cellspacing="0" align="center">
    <tr>
      <td> <h3>Customer Account creation Information:</h3> </td>
    </tr>
  </table>
  <table border="0" cellpadding="0" cellspacing="0" align="center">
    <tr>
      <td> User ID: </td>
      <td> <input type="text" name="CustLOGON" value="" size="45"/> </td>
    </tr>
    <tr>
      <td> User Pass: </td>
      <td> <input type="password" name="CustPASS" value="" size="45"/> </td>
    </tr>
    <tr>
      <td> Company Name: </td>
      <td> <input type="text" name="CustCOMPANY" value="" size="45"/> </td>
    </tr>
    <tr>
      <td> Company Contact First Name: </td>
      <td> <input type="text" name="CustFN" value="" size="45"/> </td>
    </tr>
    <tr>
      <td> <input type="Submit" value="Submit"/> <input type="Reset" value="Reset"/> </td>
    </tr>
  </table>
</form>
[/code]

and the php is this

[code=php]
<?php
$con = mysql_connect("localhost", "username", "pass");
if (!$con) {
    die('Could not connect to the database Contact Site admin ' . mysql_error());
}
mysql_select_db("mysqldb", $con);

// TAKE RECORDS AND UPDATE BASED ON $_POST[CustLOGON] or user logon ID
$sql='UPDATE `mysqldb` SET `CustCompany`="$_POST[CustCOMPANY]", `CustFn`="$_POST[CustFN]"
WHERE `CustLogon`= "$_POST[CustLOGON]"';
if (!mysql_query($sql,$con)) {
    die('Error Not able to update Values to table Check your syntax: ' . mysql_error());
}

// DISPLAY UPDATED RECORDS
$result = mysql_query("SELECT * FROM mysqldb");
echo "showing all records: <br/>";
while($row = mysql_fetch_array($result)) {
    echo $row['CustLogon'] . " " . $row['CustCompany'] . " " . $row['CustFn'];
    echo "<br />";
}
mysql_close($con);
?>
[/code]

Now, when i run this i don't receive any errors and it displays the database records as if they were not touched. so i know it's in the where statement but why isn't it picking up the value? what am i doing wrong here?

genericnumber1 Posted January 6, 2007

change

[code=php:0]
$sql='UPDATE `mysqldb` SET `CustCompany`="$_POST[CustCOMPANY]", `CustFn`="$_POST[CustFN]"
WHERE `CustLogon`= "$_POST[CustLOGON]"';
[/code]

to

[code=php:0]
$sql="UPDATE `mysqldb` SET `CustCompany`='{$_POST[CustCOMPANY]}', `CustFn`='{$_POST[CustFN]}'
WHERE `CustLogon`= '{$_POST[CustLOGON]}'";
[/code]

php only parses things between double quotes looking for variables.

You also would really want to filter those items before they are inputted into the database as well, what you're doing now is vulnerable to sql injection. See http://www.php.net/mysql_real_escape_string
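
Added example (not part of the thread and not any poster's code): the corrected query above still pastes form values into the SQL text, so this sketch puts that form beside a prepared statement to show the difference in rows changed. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL one; the table name `customers`, the function names and all row and form values are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database.
// Table name "customers" and every value below are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Recreate the two-row sample table so each run starts from the same state.
function resetTable(PDO $db): void
{
    $db->exec('DROP TABLE IF EXISTS customers');
    $db->exec('CREATE TABLE customers (CustLogon TEXT PRIMARY KEY, CustCompany TEXT, CustFn TEXT)');
    $db->exec("INSERT INTO customers VALUES ('alice', 'Acme', 'Alice'), ('bob', 'Bolt', 'Bob')");
}

// Same shape as the thread's corrected query: form values become part of the SQL text.
function updateInterpolated(PDO $db, array $post): int
{
    $sql = "UPDATE customers SET CustCompany='{$post['CustCOMPANY']}', CustFn='{$post['CustFN']}' "
         . "WHERE CustLogon='{$post['CustLOGON']}'";
    return $db->exec($sql); // number of rows changed
}

// Hardened form: placeholders keep the values out of the SQL text entirely.
function updatePrepared(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'UPDATE customers SET CustCompany = :company, CustFn = :fn WHERE CustLogon = :logon'
    );
    $stmt->execute([
        ':company' => $post['CustCOMPANY'],
        ':fn'      => $post['CustFN'],
        ':logon'   => $post['CustLOGON'],
    ]);
    return $stmt->rowCount(); // number of rows changed
}

// Constructed form input: the logon field contains a quote that alters the WHERE clause.
$post = ['CustCOMPANY' => 'X Corp', 'CustFN' => 'X', 'CustLOGON' => "nobody' OR '1'='1"];

resetTable($db);
printf("interpolated: %d row(s) changed\n", updateInterpolated($db, $post));
resetTable($db);
printf("prepared:     %d row(s) changed\n", updatePrepared($db, $post));
```

With the prepared statement the logon value is only ever compared as data, so a value that matches no account changes nothing.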

elkidogz (Author) Posted January 7, 2007

OH the " ' thing... thanks

BTW do i need to include any classes for that sql injection?

Jessica Posted January 7, 2007

Did you check the actual database to see if the changes were made?

With arrays, you need to do $_POST['CustCOMPANY'], surrounding the key in single quotes.

genericnumber1 Posted January 7, 2007

Time for some debugging tricks :P

after

[code=php:0]
$sql="UPDATE `mysqldb` SET `CustCompany`='{$_POST[CustCOMPANY]}', `CustFn`='{$_POST[CustFN]}'
WHERE `CustLogon`= '{$_POST[CustLOGON]}'";
[/code]

put

[code=php:0]
echo $sql;
die();
[/code]

and ensure the query is correct

@jesirose: you don't HAVE to encase them in quotes, but you're right, it's great practice.

elkidogz (Author) Posted January 7, 2007

yeah what it was is that i didn't have the {} around and the " ' order was messed up. I apologize for my lack of php skillz

elkidogz (Author) Posted January 7, 2007

[quote author=jesirose link=topic=121311.msg498513#msg498513 date=1168128811]
Did you check the actual database to see if the changes were made?

With arrays, you need to do $_POST['CustCOMPANY'], surrounding the key in single quotes.
[/quote]

yeah i do have it dumping the data base array look down in my initial code :)

genericnumber1 Posted January 7, 2007

good to hear you got it working!

and you can check out that magic quotes function on the page I linked to you, I use a modified version myself to avoid sql injection, gl!