
I've created a form to update the banner info on my website. Everything seems to update except the input that is typed into the "textarea" called "desc". The code looks right and it is driving me insane.

Thanks in advance.

<html>
<body>



<form action="aupdate.php" method="POST" enctype="multipart/form-data">

    Your or your company's name:<br>
    <input type="text" name="com" size="60"><br>


    URL:<br>
    <input type="text" name="url" size="80"><br>


    Please enter the username that you will use to update your advertisement info:<br>
    <input type="text" name="user" size="80"><br>

    Please enter the password that you will use to update your advertisement info:<br>
    <input type="text" name="pass" size="80"><br>

   <br>
   <br>


<br>
    File:<br>
    <input type="file" name="image">

          advertisement description:<br>

 <textarea name="desc" id="desc" cols="35" rows="5" ></textarea>

      <input type="submit" value="update your ad!">


    </form>

<?php

//connect to database
require("connect.php");

//get user made username
$user = $_POST['user'];

//get user made password
$pass = $_POST['pass'];

//encrypt user made password
$encpass = hash('sha256', $pass);

//file properties
$file = $_FILES['image']['tmp_name'];

//initialize company name and description
$com = $_POST['com'];
$desc = $_POST['desc'];
$url = $_POST['url'];




//check to see if coupon code and other essential info entered
if (!$user || !$pass )
{
    echo "Please enter updated info with username and password.";
}
else
{

//retrieve data from password table
$query = mysql_query ("SELECT * FROM apartment WHERE pass = '$encpass' ");

//get number of rows in table
$numrows = mysql_num_rows ($query);

//check if code is right or exists
if ($numrows !=0)
{

    // code to login
    while ($row = mysql_fetch_assoc ($query))
    {
        //retrieve code from database to match with the code that was put into field
        $dbuser = $row['user'];
        $dbpass = $row['pass'];
    }

    //check to see if they match
    if ($user == $dbuser && $encpass == $dbpass )
    {


    //check to see if a file has even been submitted
    if (!$file)
    {

        echo "please upload image";
    }
    else
    {
        //get image file attributes
    $image = addslashes(file_get_contents ($_FILES['image']['tmp_name']));
    $image_name = addslashes($_FILES['image']['name']);
    $image_size = addslashes(getimagesize($_FILES['image']['tmp_name']));

    //check if image file size is right
    if ($image_size==FALSE)
        echo "that's not an image.";
    else
    {


mysql_query ("UPDATE apartment SET desc = '$desc' WHERE user ='$user'"); 
mysql_query ("UPDATE apartment SET name = '$image_name' WHERE user ='$user'"); 
mysql_query ("UPDATE apartment SET com = '$com' WHERE user ='$user'"); 
mysql_query ("UPDATE apartment SET url = '$url' WHERE user ='$user'"); 
mysql_query ("UPDATE apartment SET image = '$image' WHERE user ='$user'"); 


            echo "advertisement successfully updated!";



    }
  }


}
else


    echo "Incorrect username or password.";
}
else 



    echo "Incorrect username or password.";

}

?>
</body>
</html>
  • die($desc) before query to check. Commented Apr 20, 2011 at 6:48
  • Or die(mysql_error()); after the desc query to check the database. Please, please at least check your variables for injection before inserting into your database, it's very dangerous otherwise Commented Apr 20, 2011 at 6:52
  • On a slightly unrelated point: you could combine your five queries into a single one by using: mysql_query ("UPDATE apartment SET desc = '$desc', name = '$image_name', com = '$com', url = '$url', image = '$image' WHERE user ='$user'");. Commented Apr 20, 2011 at 6:52

1 Answer

desc is a MySQL reserved word; enclose it in backticks

and escape user input with mysql_real_escape_string

    $desc=mysql_real_escape_string($desc);
    mysql_query ("UPDATE apartment SET `desc` = '$desc' WHERE user ='$user'"); 

You could also improve your update queries to update everything at once, using commas to separate the fields in the update query

    mysql_query ("UPDATE apartment SET `desc` = '$desc',url='$url' WHERE user ='$user'"); 

4 Comments

Why is this the case for "desc" but not the other variables that are being updated?
@user: because "desc" is a MySQL reserved word. If you use a reserved word as a column name, MySQL throws an error message. If you put that reserved word in backticks, everything is fine. That is not only the case with "desc": if you use any reserved word from this list, dev.mysql.com/doc/refman/5.1/en/reserved-words.html, it will throw an error.
@user: you should also escape user input using mysql_real_escape_string, otherwise you will run into another problem. If you put the text That's it in your textarea, you will understand what I am talking about.
renaming "desc" to "des" solved my problem. Thanks for informing me about reserved words.
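
A parameterized version of the combined UPDATE discussed above, as an added example that is not from the original post or its answers. It uses PDO prepared statements; the `updateAd` function name, the sample row and the in-memory SQLite stand-in database (which accepts MySQL-style backticks) are assumptions made so the script runs offline, while the table and column names come from the question.

```php
<?php
// Added example, not code from the original post.
// Table and column names follow the question; everything else is illustrative.

function updateAd(PDO $pdo, string $user, string $desc, string $com, string $url, string $imageName): int
{
    // `desc` is a reserved word, so it is quoted as an identifier.
    // Values travel as bound parameters and are never spliced into the SQL text,
    // so a quote character in the input cannot change the statement.
    $stmt = $pdo->prepare(
        'UPDATE apartment
            SET `desc` = :desc, com = :com, url = :url, name = :name
          WHERE user = :user'
    );
    $stmt->execute([
        ':desc' => $desc,
        ':com'  => $com,
        ':url'  => $url,
        ':name' => $imageName,
        ':user' => $user,
    ]);
    return $stmt->rowCount(); // number of rows the UPDATE affected
}

// Stand-in database (assumption): for MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
// Raise an exception on any SQL error instead of returning false unnoticed.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and row.
$pdo->exec('CREATE TABLE apartment (user TEXT PRIMARY KEY, `desc` TEXT, com TEXT, url TEXT, name TEXT)');
$pdo->exec("INSERT INTO apartment (user) VALUES ('demo_user')");

// "That's it" is the input from the comments that breaks a hand-quoted query.
$changed = updateAd($pdo, 'demo_user', "That's it", 'Demo Co', 'https://example.com', 'banner.png');

$row = $pdo->query('SELECT `desc`, com FROM apartment')->fetch(PDO::FETCH_ASSOC);
var_dump($changed === 1, $row['desc'] === "That's it");
```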
