
I've followed all the MySQL tutorials correctly but it still won't update the values in my table. Can someone please help me? These are my values below:

$editid = $_GET['id'];
$newtitle = $_POST['title'];
$newsneak = $_POST['sneak'];
$newbody = $_POST['body'];

$connect = mysql_connect("localhost","username","password") or die("Couldn't Connect. ");
mysql_select_db("dr") or die ("Couldn't Find DB.");

$query = mysql_query("SELECT * FROM news WHERE id=$editid");

$numrows = mysql_num_rows($query);

if($numrows=!0)
{
    $querytitle = mysql_query("UPDATE news SET title=$newtitle WHERE id=$editid");
    $querysneak = mysql_query("UPDATE news SET summary=$newsneak WHERE id=$editid");
    $querybody  = mysql_query("UPDATE news SET body=$newbody WHERE id=$editid");
    header("Location: ../index.php");
}
  • You should also merge the three update queries into one. Commented Mar 11, 2011 at 0:57

3 Answers

On your select (add mysql_error to check the error):

$result = mysql_query("SELECT * FROM news WHERE id='$editid'");
if (!$result) {
    die('Invalid query: ' . mysql_error());
}

On your update:

$querytitle = mysql_query("UPDATE news SET title='$newtitle' WHERE id='$editid'");
$querysneak = mysql_query("UPDATE news SET summary='$newsneak' WHERE id='$editid'");
$querybody  = mysql_query("UPDATE news SET body='$newbody' WHERE id='$editid'");

Use single quotes around input data; also use mysql_real_escape_string() to avoid SQL injection.

PHP mysql_real_escape_string


As per @Tchalvak's suggestion to include a mention of binding, these are more up-to-date tools against SQL injection, plus better optimization, but keep in mind PDO and MySQLi are supported if you have PHP 5+:

PHP PDO

and

PHP MySQLi


As far as I know, I don't think PHP's mysql extension supports binding params (is this what you were referring to?). It would be either MySQLi or PDO, which requires the poster to have PHP 5+. The poster uses mysql. Please correct me if I'm wrong. Thanks.
I was indeed referring to using PDO binding, which at least merits mention; mysql_real_escape_string is indeed better than nothing, but not a lot better.

Can I add as well: once you finish debugging, please remove any mysql_error() output? This is awesome info for attackers since it reveals database details. Either log it or don't show errors; it adds a little extra security.


You want to use the mysql_error function to see what error your query returns.

As an addition to what Jeremy Conley pointed out, be careful not to let the mysql_error function output get published in your production HTML.
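Pulling the three answers and the "merge the updates into one" comment together, here is an added example (not code from the question or from any of the answerers) of the same edit operation written with PDO prepared statements: one UPDATE, values bound rather than spliced into the SQL text, the id validated before use, and driver errors logged server-side instead of echoed to the browser. The table and column names come from the question; the DSN, credentials and the `updateNews` function name are assumptions for the example.

```php
<?php
// Added example (not the question's or any answer's code): the news edit
// rewritten with PDO prepared statements. Table "news" with columns
// id, title, summary, body is taken from the question; the DSN and
// credentials below are placeholders.

declare(strict_types=1);

function updateNews(PDO $pdo, int $id, string $title, string $summary, string $body): int
{
    // One UPDATE instead of three. The values never become part of the SQL
    // string, so quoting and escaping are handled by the driver, not by us.
    $sql = 'UPDATE news SET title = :title, summary = :summary, body = :body WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':title'   => $title,
        ':summary' => $summary,
        ':body'    => $body,
        ':id'      => $id,
    ]);
    // rowCount() replaces the separate SELECT + mysql_num_rows existence check.
    // With PDO::MYSQL_ATTR_FOUND_ROWS set (below) it counts matched rows, so an
    // unchanged resubmit does not look like a missing row.
    return $stmt->rowCount();
}

// Validate the id before it goes anywhere near the database:
// null means the parameter is absent, false means it is not a positive integer.
$id      = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$title   = $_POST['title'] ?? null;
$summary = $_POST['sneak'] ?? null;
$body    = $_POST['body']  ?? null;

if ($id === null || $id === false || $title === null || $summary === null || $body === null) {
    http_response_code(400);
    exit('Missing or invalid parameters.');
}

try {
    // Placeholder DSN and credentials.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=dr;charset=utf8mb4',
        'username',
        'password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                 // real server-side prepared statements
            PDO::MYSQL_ATTR_FOUND_ROWS => true,                  // rowCount() = rows matched, not rows changed
        ]
    );

    $matched = updateNews($pdo, $id, $title, $summary, $body);
    if ($matched === 0) {
        http_response_code(404);
        exit('No news item with that id.');
    }

    header('Location: ../index.php');
    exit;
} catch (PDOException $e) {
    // Keep the driver's message in the server log; the browser gets a generic error,
    // so database details are never exposed in production HTML.
    error_log('news update failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not update the item.');
}
```

The `exit` after `header('Location: ...')` matters: without it the script keeps running after issuing the redirect, which is a common source of "the page redirected but the rest of my code still executed" surprises.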
