  1. #1 New Coder

    Need a quick fix!

    PHP Code:
    $newnotes = $_POST['notes'];
    $result = mysql_query("UPDATE grpgusers SET `snotes` = '".$newnotes."' WHERE `id`='".$_GET['id']."' ");
    echo Message("Edited successfully");
    include 'footer.php';
    die();
    It simply refuses to write the newnotes variable to the database...
    The URL has ?id=## at the end; there is a form before it collecting the needed data.

    Grrrr

    Help please before I flip...

  • #2 Senior Coder (South Yorkshire, England)
    PHP Code:
    print('<p>ID: '.intval($_GET['id']).'</p>');
    $newnotes = mysql_real_escape_string($_POST['notes']);
    $result = mysql_query("UPDATE grpgusers SET `snotes` = '".$newnotes."' WHERE `id`='".intval($_GET['id'])."' ") or exit(mysql_error());
    echo Message("Edited successfully");
    include 'footer.php';
    die();
    Try that and see what gets printed.

  • #3 bdl, Regular Coder (Camarillo, CA US)
    Aside from what MattF posted, it's always A Good Idea to store the SQL statement in a variable so you can reference the value and make sure you understand what is being sent to the database (of course this is a troubleshooting measure - your users should never be exposed to the database internals). Of course the best idea is to use a parameterized query, but there is nothing wrong with intval() and mysql_real_escape_string(). Be sure to look these functions up in the PHP manual so you understand what they do.

    INT type values do not require 'quotes'.

    Don't use "double quotes" on a string unless you intend to evaluate variable values within; otherwise you're wasting server CPU cycles (in this script, not a problem, but in a script with 1000 lines of code, big problem). In fact, make use of them and forget about escaping the SQL string to concatenate variable values. Makes more sense in this case and makes it easier to review and edit your SQL. Easier still is HEREDOC:
    PHP Code:
    $sql = <<< END
    SELECT
      somefield
     , otherfield
    FROM sometable
    WHERE somevalue = {$variable}
    END;
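The parameterized query bdl recommends, written out for the UPDATE from post #1 as an added example (not code from this thread). It assumes a PDO connection (DSN and credentials are placeholders), that the thread's Message() function exists, and that the script is reached with ?id=## on the URL and the notes field POSTed.

```php
<?php
// Added example, not from the thread: the same UPDATE as a PDO prepared statement.
// DSN, user and password are placeholders; replace with the real connection details.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw instead of silently returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

// Validate the id as an integer (the integer equivalent of intval(), but rejects junk
// instead of turning it into 0) and take the notes field only from the POST body.
$id       = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$newnotes = isset($_POST['notes']) ? (string) $_POST['notes'] : null;

if ($id === null || $id === false || $newnotes === null) {
    http_response_code(400);
    exit('Missing or invalid id or notes');
}

// Placeholders keep the user data out of the SQL text, so there is nothing to escape,
// and the INT column is compared without quotes, as bdl points out.
$sql  = 'UPDATE grpgusers SET snotes = :notes WHERE id = :id';
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':notes', $newnotes, PDO::PARAM_STR);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// rowCount() is the quickest way to diagnose "refuses to write": with MySQL it reports
// rows actually changed, so 0 means no row matched the id (or the notes were identical),
// which is a different problem from a broken query (that would have thrown above).
if ($stmt->rowCount() === 0) {
    error_log("grpgusers: no row changed for id=$id"); // server-side log only; never echo DB details to the user
}

echo Message('Edited successfully');
include 'footer.php';
die();
```

Keep the error output where bdl puts it, in the server log: with ERRMODE_EXCEPTION a malformed query surfaces as an exception you can read in the log rather than as a silent `false` from the query call.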

