3

I'm running the following UPDATE query and having no success:

$sql="UPDATE users SET firstname='".$_GET['fn']."',lastname='".$_GET['ln']."',email='".$_GET['emadd']."' WHERE id = ".$_GET['id'];

mysql_error(); returns no error, though I'm sure this is a syntax issue.

If you can help me clean this up with an explanation to help me learn where I went wrong it would be much appreciated!

To give a larger point of reference, here is the table creation code:

$sql="CREATE TABLE users
(
id int NOT NULL auto_increment,
PRIMARY KEY(id),
firstname varchar(20),  
lastname varchar(20),
email varchar(40)
)";

And here is the entire code from my updater.php which runs the update query on the table:

mysql_select_db('dustin',$con);
$sql="UPDATE users SET firstname='".$_GET['fn']."',lastname='".$_GET['ln']."',email='".$_GET['emadd']."' WHERE id = ".$_GET['id'];
$sherlock=mysql_query($sql,$con);

echo $sql returns the following:

UPDATE users SET firstname='Mike',lastname='Wilson',email='[email protected]' WHERE id = 

Does this mean my id is not getting passed over?

To see it live in action, go to 24.77.236.155/dustin/Assignment2/users.php and click edit to play with the query. Also, 24.77.236.155/dustin/Assignment2/add.htm is available to add users to the table.

17
  • 3
    Print out the sql as it will make it easier to debug. Also, you should be using bind variables - this is vulnerable to SQL injection. Commented Nov 24, 2011 at 17:11
  • ."' WHERE id = ".$_GET['id']; to ."' where id='" . $GET['id] . "'"; Commented Nov 24, 2011 at 17:13
  • 1
    you say mysql_error returns no error...does mysql_query return true or false? Commented Nov 24, 2011 at 17:13
  • if id is an integer quotes are not required Commented Nov 24, 2011 at 17:14
  • 9
    I know this is off-topic and I may be down-voted for this.. but @DustinJames ---putting your $_GET variable data directly into a query is one of the most dangerous, harmful, unsecured things you can do to your site if you're not validating the contents of those values--- I hope you can do something about this.. [ reason for outburst ] -> SQL Injection! :( Commented Nov 24, 2011 at 17:19

3 Answers 3

3

The query seems fine, I am assuming it is not updating the table?

One way to debug this is to echo the $sql in next line to see what values you are receiving for GET variables and the actual query that is being passed to the database.

echo $sql;

3 Comments

echo $sql results are as follows: UPDATE users SET firstname='Mike',lastname='Wilson',email='[email protected]' WHERE id = Does that mean my id is not being passed?
@DustinJames can't you see it in the address string in your browser?
Yep, just an id not passing through, created a hidden form element and it works, thanks, I would have stared at that forever thinking it was syntax. I will have to remember to echo my sql statements.
1

always run all your queries at least this way

$result = mysql_query($sql,$con) or trigger_error(mysql_error(). " ".$sql); 

unlike some wild guesses from answers here, it will give you EXACT and complete picture of the problem.

1 Comment

Thanks Colonel, I will start doing this.
0

You are missing the quotes in the where bit

i.e.

...where id='" . $_GET['id'] . "'";

Also you have a security issue by using $GET without checking those values.

3 Comments

if id is an integer quotes are not required
@julien - I was assuming that since it is not working then id is not an integer.
@EdHeal If that were the case, mysql_error() should show a syntax error
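Added example, not code from the question or from any of the answers above: the same UPDATE rewritten with PDO prepared statements, which addresses all three threads at once. Binding the parameters settles the quotes-or-no-quotes debate (the driver handles it), validating `id` before the query catches the actual bug in the question (an `id` that never arrived, leaving `WHERE id = ` empty), and `PDO::ERRMODE_EXCEPTION` gives the "always check every query" behaviour from the second answer without the removed `mysql_*` functions. The database name `dustin`, the `users` table and the `fn`/`ln`/`emadd`/`id` parameter names come from the question; the connection credentials are placeholders.

```php
<?php
// Added example (not from the question or answers): hardened form of the
// UPDATE in updater.php using PDO prepared statements. Assumes the 'users'
// table from the question's CREATE TABLE; credentials are placeholders.

declare(strict_types=1);

// Validates the request parameters used on the page (fn, ln, emadd, id).
// Throws InvalidArgumentException instead of sending an incomplete or
// oversized statement to MySQL.
function readUserInput(array $get): array
{
    // The question's real bug: 'id' was never passed, so the WHERE clause
    // was empty. Refuse the request unless id is a positive integer.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id is missing or not a positive integer');
    }
    foreach (['fn', 'ln', 'emadd'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            throw new InvalidArgumentException("$key is missing");
        }
    }
    // Column widths match the CREATE TABLE in the question (20, 20, 40).
    $firstname = substr(trim($get['fn']), 0, 20);
    $lastname  = substr(trim($get['ln']), 0, 20);
    $email     = filter_var(trim($get['emadd']), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 40) {
        throw new InvalidArgumentException('emadd is not a valid e-mail address');
    }
    return ['id' => $id, 'firstname' => $firstname, 'lastname' => $lastname, 'email' => $email];
}

// Runs the UPDATE with bound parameters. No request value is ever concatenated
// into the SQL text, so user input cannot change the statement's structure.
function updateUser(PDO $pdo, array $row): int
{
    $stmt = $pdo->prepare(
        'UPDATE users SET firstname = :firstname, lastname = :lastname, email = :email WHERE id = :id'
    );
    $stmt->bindValue(':firstname', $row['firstname'], PDO::PARAM_STR);
    $stmt->bindValue(':lastname',  $row['lastname'],  PDO::PARAM_STR);
    $stmt->bindValue(':email',     $row['email'],     PDO::PARAM_STR);
    $stmt->bindValue(':id',        $row['id'],        PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 0 means no row with that id (or nothing changed)
}

// ERRMODE_EXCEPTION turns every failed statement into a PDOException, so a
// broken query can no longer fail silently the way it did in the question.
$pdo = new PDO(
    'mysql:host=localhost;dbname=dustin;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',   // placeholder, not a real credential
    'DB_PASS_PLACEHOLDER',   // placeholder, not a real credential
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

try {
    $row      = readUserInput($_GET);
    $affected = updateUser($pdo, $row);
    echo $affected === 0 ? "No user with id {$row['id']}\n" : "Updated user {$row['id']}\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . "\n";
} catch (PDOException $e) {
    // Log the driver message server-side; do not echo SQL errors to the browser.
    error_log('UPDATE users failed: ' . $e->getMessage());
    http_response_code(500);
    echo "Database error\n";
}
```

The "echo $sql" debugging trick from the first answer still has an equivalent here: `$stmt->debugDumpParams()` prints the prepared statement and the bound values, which is how you would have seen the missing `id` without ever building the query string by hand.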
