
Need a quick fix!



2Pacalypse
01-27-2010, 11:30 PM
// Raw form value, used in the SQL below without escaping
$newnotes = $_POST['notes'];
// Both $newnotes and $_GET['id'] are concatenated straight into the statement;
// mysql_query() returns false on failure, and $result is never checked
$result = mysql_query("UPDATE grpgusers SET `snotes` = '".$newnotes."' WHERE `id`='".$_GET['id']."' ");
echo Message("Editted successfully");
include 'footer.php';
die();

It simply refuses to write the newnotes variable to the database...
The url has ?id=## at the end, there is a form before it collecting the needed data.

Grrrr

Help please before I flip...

MattF
01-28-2010, 12:12 AM
// Show the id the script actually received (intval() forces it to an integer)
print('<p>ID: '.intval($_GET['id']).'</p>');
// Escape the notes so quotes in the input cannot break out of the string literal
$newnotes = mysql_real_escape_string($_POST['notes']);
// Stop and show the MySQL error if the query fails instead of silently continuing
$result = mysql_query("UPDATE grpgusers SET `snotes` = '".$newnotes."' WHERE `id`='".intval($_GET['id'])."' ") or exit(mysql_error());
echo Message("Edited successfully");
include 'footer.php';
die();

Try that and see what gets printed.

bdl
01-28-2010, 02:09 AM
Aside from what MattF posted, it's always A Good Idea to store the SQL statement in a variable so you can reference the value and make sure you understand what is being sent to the database (of course this is a troubleshooting measure - your users should never be exposed to the database internals). Of course the best idea is to use a parameterized query, but there is nothing wrong with intval() and mysql_real_escape_string(). Be sure to look these functions up in the PHP manual so you understand what they do.

INT type values do not require 'quotes'.

Don't use "double quotes" on a string unless you intend to evaluate variable values within, otherwise you're wasting server CPU cycles (in this script, not a problem, but in a script with 1000 lines of code, big problem). In fact, make use of them and forget about escaping the SQL string to concatenate variable values. Makes more sense in this case and makes it easier to review and edit your SQL. Easier still is HEREDOC:


// Heredoc: variables inside are interpolated; the closing marker must start at column 1
$sql = <<< END
SELECT
somefield
, otherfield
FROM sometable
WHERE somevalue = {$variable}
END;
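The parameterized query bdl recommends, combined with the "check what actually happened" troubleshooting MattF suggests, written out as an added example; this is not code from anyone in this thread. The table and column names (grpgusers, snotes, id) come from the thread; the DSN, credentials and the gamedb database name are assumed placeholders.

```php
<?php
// Added example (not from the thread): the same UPDATE as a PDO prepared statement.
declare(strict_types=1);

function updateNotes(PDO $db, int $id, string $notes): int
{
    // Placeholders keep the user-supplied notes out of the SQL text entirely,
    // so no escaping step is needed and the input cannot alter the statement.
    $sql = <<<SQL
UPDATE grpgusers
SET snotes = :notes
WHERE id = :id
SQL;

    $stmt = $db->prepare($sql);
    $stmt->bindValue(':notes', $notes, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // Number of rows matched by the WHERE clause (see MYSQL_ATTR_FOUND_ROWS below).
    // Printing "success" without looking at this is what hides a wrong id.
    return $stmt->rowCount();
}

// --- request handling ------------------------------------------------------

// Validate the id before touching the database: FILTER_VALIDATE_INT rejects
// non-numeric or out-of-range values instead of silently casting them to 0.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// The notes must arrive by POST from the form; a missing field is a client error.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['notes'])) {
    http_response_code(400);
    exit('Missing notes');
}
$notes = (string) $_POST['notes'];

// Assumed connection details; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=gamedb;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    PDO::MYSQL_ATTR_FOUND_ROWS => true,                   // rowCount() = matched rows, not changed rows
]);

try {
    $affected = updateNotes($db, $id, $notes);
} catch (PDOException $e) {
    // Log the real error server-side; never echo database error text to users.
    error_log('UPDATE grpgusers failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save notes');
}

if ($affected === 0) {
    // No row has that id: tell the user instead of claiming success.
    echo 'No record found for id ' . $id;
} else {
    echo 'Edited successfully';
}
```

With ERRMODE_EXCEPTION, a failing query can no longer be mistaken for a successful one, and the rowCount() check separates "the query ran" from "a row with that id exists", which is the distinction the original post was missing.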


