iJoseph Posted August 3, 2010

Hey, I have this code, and it's meant to change the name / content of a page that is being put onto a page. Both of the include files are fine as it works for other actions, but this one just returns the error.

```php
<?php
include "../includes/mysql_connect.php";
include "../includes/info_files.php";

if(isset($_POST['submitted'])) {
    mysql_query("UPDATE `pages` SET name='$_POST[name]' AND SET content='$_POST[content]' AND SET catt='$_POST[catt]' AND SET page='$_POST ' WHERE id='$_POST[id]'") or die('Edit failed');
    echo "Page made.<br /><br />";
}else{
    $result = mysql_query("SELECT * FROM pages WHERE id='$_GET '");
    while($row = mysql_fetch_array($result)) {
        echo '<form action="" method="post">';
        echo '<input type="hidden" name="id" value="' . $row['id'] . '" /><br />';
        echo '<strong>Edit: ' . $row['name'] . '</strong><br />';
        echo 'Name: <input type="text" name="name" value="' . $row['name'] . '" /><br />';
        echo 'Category: <input type="text" name="catt" value="' . $row['catt'] . '" /><br />';
        echo 'Page: <input type="text" name="page" value="' . $row['page'] . '" /><br />';
        echo '<textarea rows="25" cols="60" name="content">' . $row['content'] . '</textarea><br />';
        echo '<input type="submit" name="submitted" value="Edit" />';
        echo '</form>';
    }
}
?>
```

Any help would be great.

freelance84 Posted August 3, 2010

http://www.w3schools.com/php/php_mysql_update.asp

DWilliams Posted August 3, 2010

Your update syntax is wrong. "AND" is used to chain together conditional statements in the WHERE clause. Proper format would be something like:

```sql
UPDATE mytable SET field1='hello', field2='world', field3=42 WHERE id=20 AND age >= 50
```

EDIT: Also worth mentioning is that your code is left wide open to SQL injection attacks. Never insert user data directly into a query (the POST variables in your example). What if instead of their name they put in "'; DROP TABLE users" or something destructive like that? Your code would happily follow along and destroy the database. Do something like this instead:

```php
$name = mysql_real_escape_string($_POST['name']);
```

Then use $name in your query instead of $_POST['name'].
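
The two fixes from this thread combined, as an added example that is not code from any poster: comma-separated SET columns and bound parameters through PDO, since the mysql_* functions used above were removed in PHP 7. The `update_page` helper, the in-memory SQLite database standing in for MySQL, and the sample input are assumptions made so the script runs offline.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database.
// Table and column names follow the original post; the row is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT, content TEXT, catt TEXT, page TEXT)");
$pdo->exec("INSERT INTO pages (id, name, content, catt, page) VALUES (1, 'Home', 'Welcome', 'main', 'index')");

// Hypothetical helper: update one page, passing every value as a bound parameter.
function update_page(PDO $pdo, array $in): int
{
    // Reject anything that is not an integer id before building the statement.
    $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    // Columns are separated by commas; AND belongs only in the WHERE clause.
    $stmt = $pdo->prepare(
        'UPDATE pages SET name = :name, content = :content, catt = :catt, page = :page WHERE id = :id'
    );
    $stmt->execute([
        ':name'    => (string)($in['name'] ?? ''),
        ':content' => (string)($in['content'] ?? ''),
        ':catt'    => (string)($in['catt'] ?? ''),
        ':page'    => (string)($in['page'] ?? ''),
        ':id'      => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed input standing in for $_POST, using the string quoted in the reply above.
$post = [
    'id'      => '1',
    'name'    => "'; DROP TABLE users",
    'content' => "It's edited",
    'catt'    => 'main',
    'page'    => 'index',
];
$changed = update_page($pdo, $post);
$row     = $pdo->query('SELECT name, content FROM pages WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$total   = $pdo->query('SELECT COUNT(*) FROM pages')->fetchColumn();
echo "rows changed: $changed\n";
echo "stored name: {$row['name']}\n";   // the quote is kept as data, not parsed as SQL
echo "rows in pages: $total\n";
```

Against MySQL, only the DSN and credentials passed to the PDO constructor change; the prepared statement stays the same.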