PHP MySQL update


timbaker1991
01-23-2010, 11:40 PM
Hi, I've been struggling with this update form for updating a password in a database.
There are two pages, the form and the 'processor'. Can anyone help me as to why it's not working? Thanks
Form
[CODE]
<form enctype="multipart/form-data" action="edit.php" method="POST">
Id to edit: <input type="text" name="user">
New src: <input type="text" name="password">
<input type="submit" name="edit" value="edit"></form> <br>
[/CODE]


Processor page:
[CODE]
<?php

$location = '*';
$database = '*';
$username = '*';
$password = '*';

$conn = mysql_connect("$location","$username","$password");
if (!$conn) die ("Could not connect MySQL");
mysql_select_db($database,$conn) or die ("Could not open database");

if(isset($_POST['edit']))
{
$use=($_POST['user']);
$pass=($_POST['password']);

mysql_query("UPDATE user SET password=$pass WHERE username=$use") or die (mysql_error());


}
?>
[/CODE]



Or alternatively, does anyone have any good resources for PHP update? Googling has proved very unsuccessful for this!

Cheers Tim

timbaker1991
01-23-2010, 11:41 PM
Also, apologies about the code tags!

bdl
01-24-2010, 12:20 AM
Well, you can edit your post and fix the code tags. I suggest wrapping any PHP code in the PHP tags while you're at it.


mysql_query("UPDATE user SET password=$pass WHERE username=$use");


You're missing quotes around the variables $pass and $use. They're strings, they need to be wrapped in 'quotes'.

Old Pedant
01-24-2010, 05:12 AM
You also aren't protecting against SQL injection *or* handling the case where the user name or password might include an apostrophe.

You really need to "escape" those strings.

I'm not a PHP person, but I believe PHP has a function named mysql_real_escape_string, though one or more of the underscores in the name there might be wrong.

So:

if(isset($_POST['edit']))
{
$use = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['password']);
mysql_query("UPDATE user SET password='$pass' WHERE username='$use';")
or die (mysql_error());
}

Old Pedant
01-24-2010, 05:13 AM
Yeah, I remembered correctly:
http://us2.php.net/manual/en/function.mysql-real-escape-string.php

bdl
01-24-2010, 06:26 AM
Yes, absolutely properly validate and escape your incoming data. Always. mysql_real_escape_string() is a good way to go, but a parameterized query, aka prepared statement (available in the PDO or MySQLi interfaces), is better. Fortunately magic_quotes (http://www.php.net/magic_quotes) is no longer an issue, but because it has been disabled by default it forces everyone to "code smarter".
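The escaping fix Old Pedant posted and the prepared-statement approach bdl recommends here, shown side by side as an added example that is not code from any poster in this thread. The PDO version replaces the interpolated strings with bound parameters, so the value of `$_POST['user']` or `$_POST['password']` is sent separately from the SQL text and can never change the shape of the query, apostrophes included. Connection details are placeholders; the hashing of the password before storage is an assumption about good practice, not something the thread discusses.

```php
<?php
// Added example, not from the thread. Connection values are placeholders.
$dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
]);

// Same inputs as the original form (the 'user' and 'password' fields).
if (isset($_POST['edit'])) {
    $use  = (string) $_POST['user'];
    $pass = (string) $_POST['password'];

    // Named placeholders replace the "...password='$pass'..." interpolation.
    // No quoting or escaping is needed: the driver binds the values separately.
    $stmt = $pdo->prepare('UPDATE user SET password = :password WHERE username = :username');

    $stmt->execute([
        // Assumed practice: store a salted hash rather than the clear-text password.
        ':password' => password_hash($pass, PASSWORD_DEFAULT),
        ':username' => $use,
    ]);

    // rowCount() is the number of rows the UPDATE touched; 0 means no such username.
    echo $stmt->rowCount() > 0 ? 'Password updated' : 'No such user';
}
```

Note what happens with an input such as `O'Brien` in the `user` field: with the original string-built query it breaks the SQL (or, with crafted input, rewrites it), with `mysql_real_escape_string()` it is escaped to `O\'Brien` inside the quoted literal, and with the bound parameter above it is simply compared as the literal string `O'Brien`. The prepared statement also removes the dependency on the connection's character set that the escaping function has, which is why the thread rates it the better option.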

Hookes
01-24-2010, 10:19 AM
I'm unable to update it. The following error appears:
You are succesfully connected
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''course_id'='NM-2 ','course_name'='Bachelor of Engineering B.E. be ', 'course_du' at line 1

bdl
01-24-2010, 03:59 PM
I'm unable to update it. The following error appears:
You are succesfully connected
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''course_id'='NM-2 ','course_name'='Bachelor of Engineering B.E. be ', 'course_du' at line 1

And what does this have to do with the O.P.'s question? If you have your own question, start a new thread.

timbaker1991
01-24-2010, 10:40 PM
cheers works a treat now :)

Old Pedant
01-25-2010, 05:14 AM
Hookes is a spammer. He keeps trying to promote some site of his own by hijacking other threads. Vinyl Junkie keeps removing his links but hasn't yet just kicked him off the system as he should.