mysql database update


Atlis

I'm having problems updating my database. I have 4 fields I want to change. I checked all the { on the page, that's not the problem. I tried to echo information from the database and it displayed my information, so that's not the problem. I tried yelling at my computer, that didn't work. I tried to input data into the database with the insert function; it worked but is not practical in my situation. I'm probably going to facepalm when I find out what's wrong, help please  :confused:

 

btw, the $_SESSION['usr'] was set in another page and works.

 

 


<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Edit Info</title>
    
    <link rel="stylesheet" type="text/css" href="demo.css" media="screen" />
    
</head>

<body>

<div id="main">


<div class="container">
<font size="5" face="sans-serif">Change Settings <?php echo "{$_SESSION['usr']}"; ?></font>
	<form action="" method="POST">		
	<table cellpadding="3" cellspacinf="4" border="0">

<tr>
<td>Name</td>
<td><input type="text" name="name" /></td>
</tr>
<tr>
<td>Age</td>
<td><input type="text" name="age" /></td>
</tr>
<tr>
<td>Gender</td>
<td><input type="text" name="mf" /></td>
</tr>
<tr>
<td>Location</td>	
<td><input type="text" name="loc" /></td>	
</tr>
<tr>	
<td><input type="submit" name="submit" value="submit" /></td>
</tr>
</table>
</form>



<?php
if ($_POST['submit']){
define('INCLUDE_CHECK',true);
require 'connect.php';

$usr = $_SESSION['usr'];

$sql = 
mysql_query("UPDATE members 
SET name='{$_POST['name']}', age='{$_POST['age']}, mf='{$_POST['mf']}', loc='{$_POST['loc']}' 
WHERE usr='{$_SESSION['usr']}'");

if($sql){
echo 'Changes Saved!';

}else{
echo 'Error';
} 
}

?>
</div>	
</div>
</body>
</html>


Change this line:

$sql = 
mysql_query("UPDATE members 
SET name='{$_POST['name']}', age='{$_POST['age']}, mf='{$_POST['mf']}', loc='{$_POST['loc']}' 
WHERE usr='{$_SESSION['usr']}'");

 

TO:

$sql = 
mysql_query("UPDATE members 
SET name='$_POST[name]', age='$_POST[age]', mf='$_POST[mf]', loc='$_POST[loc]' 
WHERE usr='$_SESSION[usr]' ");


There's no need to change the query string; the syntax is fine as it's written.

Remove the query string from the query execution and assign it to a variable.

Use that variable in the query execution instead.

While developing, rather than simply echoing a generic error message, echo the query string along with mysql_error().

You aren't escaping or otherwise sanitizing any of the form data being used in your query string. That leaves you open to SQL injection, and at the very least, can cause query errors.


I figured it out. I changed some things around, and I put it in my functions file, and made it check for SQL injection.

 

$usr = $_SESSION['usr'];
$name = $_POST['name'];
$age = $_POST['age'];
$mf = $_POST['mf'];
$loc = $_POST['loc'];


$sql = mysql_query("UPDATE `tz_members` SET `name` = '$name', `age` = '$age', `mf` = '$mf', `loc` = '$loc' 
WHERE `usr` = '$usr'");
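
The advice given earlier in the thread (keep the query in a variable, report the real error, keep form data out of the SQL text) can be combined in one parameterized update. This is an added example, not code posted by anyone in the thread: it uses PDO instead of the mysql_* functions (removed in PHP 7), and the in-memory SQLite database, the `updateProfile` helper, the table contents and the form values are all constructed so that it runs offline.

```php
<?php
// Added example, not code from the thread. Constructed schema and form data.
// SQLite in memory stands in for MySQL so this runs offline; for MySQL only
// the DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (usr TEXT PRIMARY KEY, name TEXT, age INTEGER, mf TEXT, loc TEXT)');
$pdo->exec("INSERT INTO members (usr, name) VALUES ('atlis', 'old'), ('other', 'untouched')");

function updateProfile(PDO $pdo, string $usr, array $form): int
{
    // Validate what has a known shape before it reaches the database.
    $age = filter_var($form['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be a whole number from 0 to 150');
    }

    // Query text lives in its own variable and contains placeholders only,
    // so form values can never change the structure of the statement.
    $sql = 'UPDATE members SET name = :name, age = :age, mf = :mf, loc = :loc WHERE usr = :usr';
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute([
            ':name' => (string) ($form['name'] ?? ''),
            ':age'  => $age,
            ':mf'   => (string) ($form['mf'] ?? ''),
            ':loc'  => (string) ($form['loc'] ?? ''),
            ':usr'  => $usr,
        ]);
    } catch (PDOException $e) {
        // Development aid: log the query next to the driver's message
        // instead of echoing a bare 'Error' to the page.
        error_log($sql . ' failed: ' . $e->getMessage());
        throw $e;
    }
    return $stmt->rowCount();
}

// Constructed stand-ins for $_SESSION['usr'] and $_POST; the quotes in the
// values would break a query built by string interpolation.
$form = ['name' => "O'Brien", 'age' => '34', 'mf' => 'm', 'loc' => "Cork'; --"];
echo updateProfile($pdo, 'atlis', $form), " row(s) updated\n";
print_r($pdo->query('SELECT * FROM members')->fetchAll(PDO::FETCH_ASSOC));
```

The quote characters in the name and location are stored as literal text, and the row for `other` is left unchanged.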
