---- sql update statement mistake


coopster - 1:44 pm on Jun 14, 2011 (gmt 0)


You should never trust and never use raw user-supplied data in your query like that. Always edit the data to be certain you will accept what you expect and then prepare that data before using it. After doing so you may consider writing your query statements out in a fashion that makes it much easier to spot syntax issues. Something along these lines ...

// get and edit our information; set a default if not found
$firstname = isset($_POST['firstname']) ? trim($_POST['firstname']) : '';
$lastname = isset($_POST['lastname']) ? trim($_POST['lastname']) : '';
// prepare our data for safe sql use
// (mysql_real_escape_string() escapes for the charset of the open
// mysql_connect() link, so call it only after the connection exists)
$firstname = mysql_real_escape_string($firstname);
$lastname = mysql_real_escape_string($lastname);
// write out a query that we can see a little more plainly ...
$sql =
"UPDATE persons SET
fn = '{$firstname}',
ln = '{$lastname}'
WHERE ..."
;

Further reading:
[php.net...]
[php.net...]
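As an added illustration of the advice in the post above (it is not coopster's code and not from the thread), the same "edit, then prepare, then write the statement plainly" approach in Python against an in-memory SQLite table, so it runs offline. It contrasts three things the post alludes to: the unquoted-interpolation mistake (a name like O'Brien breaks the statement, and a crafted lastname rewrites every row), a parameterized statement where the driver binds the values and the same payload is stored as a harmless literal, and a front-end edit step that rejects input outside an assumed whitelist before it reaches the database. The table name and columns (persons, fn, ln) follow the post; the sample rows, the attacker string and the name pattern are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data, not from the original thread.
ROWS = [(1, "Ann", "Adams"), (2, "Bob", "Brown"), (3, "Cy", "Cole")]

# Assumed whitelist for a name field: a letter, then up to 49 letters,
# apostrophes, hyphens or spaces. Adjust for your own data.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,49}")


def fresh_db():
    """Create an in-memory persons table with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE persons (id INTEGER PRIMARY KEY, fn TEXT, ln TEXT)")
    con.executemany("INSERT INTO persons VALUES (?, ?, ?)", ROWS)
    con.commit()
    return con


def validate_name(value):
    """The 'edit' step: trim, then accept only what we expect."""
    value = (value or "").strip()
    if not NAME_RE.fullmatch(value):
        raise ValueError("name rejected: %r" % value)
    return value


def update_unsafe(con, person_id, firstname, lastname):
    """The mistake: raw user-supplied data interpolated into the statement.
    A quote in the data is parsed as SQL, not as part of the value."""
    sql = (
        f"UPDATE persons SET fn = '{firstname}', ln = '{lastname}' "
        f"WHERE id = {person_id}"
    )
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_parameterized(con, person_id, firstname, lastname):
    """Prepared statement: values are bound by the driver, so the data is
    never parsed as SQL, whatever characters it contains."""
    sql = (
        "UPDATE persons SET\n"
        "  fn = ?,\n"
        "  ln = ?\n"
        "WHERE id = ?"
    )
    cur = con.execute(sql, (firstname, lastname, person_id))
    con.commit()
    return cur.rowcount


def update_safe(con, person_id, firstname, lastname):
    """Edit first, then bind: reject unexpected shapes, then parameterize."""
    return update_parameterized(
        con, int(person_id), validate_name(firstname), validate_name(lastname)
    )


def rows(con):
    return con.execute("SELECT id, fn, ln FROM persons ORDER BY id").fetchall()


def demo():
    """Run the three variants and return what each did to the table."""
    payload = "x' WHERE 1=1 --"  # constructed attacker input for the lastname field

    # 1. Interpolation: a legitimate apostrophe breaks the statement ...
    try:
        update_unsafe(fresh_db(), 2, "Bob", "O'Brien")
        syntax_broke = False
    except sqlite3.OperationalError:
        syntax_broke = True

    # ... and a crafted value comments out the WHERE clause, hitting every row.
    con = fresh_db()
    update_unsafe(con, 1, "Ann", payload)
    clobbered = rows(con)

    # 2. Binding alone: only row 1 changes, payload stored as a literal string.
    con = fresh_db()
    update_parameterized(con, 1, "Ann", payload)
    bound = rows(con)

    # 3. Edit + bind: the payload never reaches the database; normal input does.
    try:
        update_safe(fresh_db(), 1, "Ann", payload)
        rejected = False
    except ValueError:
        rejected = True
    con = fresh_db()
    update_safe(con, 2, " Bob ", "O'Brien")
    edited = rows(con)

    return syntax_broke, clobbered, bound, rejected, edited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Escaping (the post's mysql_real_escape_string step) and binding both keep a quote inside the value; binding does it without depending on the connection charset or on remembering to escape every variable, which is why it is the usual recommendation today. The edit step is still worth keeping: it catches data that is well-formed SQL-wise but wrong for the field.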


Thread source:: http://www.webmasterworld.com/databases_sql_mysql/4325891.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com