NEED help with updating script - PHP Server Side Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

NEED help with updating script

kedora19

11:04 pm on Oct 19, 2009 (gmt 0)

10+ Year Member

I have this code for updating the info through a form and sending it to the database...
here's my code for the updating the database


<?php
include("db.php"); //first open connection to your database
 
$id = mysql_real_escape_string($_GET['id']); //catch the id number from url, store it and escape slashes from possible attack.
$takeuser = mysql_query("SELECT * FROM client WHERE id='$id' LIMIT 1"); //Right now script check id number from url against the database
if (mysql_num_rows($takeuser) < 1) { //checks if we have that id number in our database
echo "<div id='wrapper2'><center>User doesn't exist!</center></div>"; //inform the user that we found 0 result
} else { //or if we found some
while ($row=mysql_fetch_array($takeuser)) { //Taking the result set


if($_POST['doSave'] == 'Save') 
{
$query=("UPDATE client SET
`Full_Name` = '$_POST[fullname]',
`Email` = '$_POST[email]',
`Phone` = '$_POST[phone]',
`Genre` = '$_POST[genre]',
 WHERE id='$row[id]'
") or die(mysql_error());
mysql_query($query) or die (mysql_error()); 
header("Location: edit.php?msg=Update wa Successfully Complete");
 }
 mysql_close($con);
?>

And here's my code for the form


<form action="edit.php?id=<? echo $row['id']; ?>" method="post">
<tr>
 <td><input type="text" name="fullname" value="<? echo $row['Full_Name']; ?>" /></td>
 <td><input type="text" name="email" value="<? echo $row['Email']; ?>" /></td>
 <td><input type="text" name="phone" value="<? echo $row['Phone']; ?>" /></td>
<td class="submit"><center><input name="doSave" id="doSave" type="submit" value="Save" /></center></td></tr>
 </form>

When i submit the form it goes to the same page but then follows the update code...but then i get this message


You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id='1'' at line 6

ANY help with be appreciated :D

Tommybs

6:37 am on Oct 20, 2009 (gmt 0)

10+ Year Member

Well it doesn't look like you are properly filtering your other input parameters. Try adding mysql_real_escape_string around the $_POST variables and see if that helps.

also try WHERE id=".$row['id']." and see if that works.

TheMadScientist

7:10 am on Oct 20, 2009 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

I personally don't see the error if it's on line 6, but it might be one I haven't experienced since we do things a bit differently:

mysql_query("SELECT * FROM client WHERE id='$id' LIMIT 1");

I would personally use:
mysql_query("SELECT * FROM client WHERE id=".$id."");

You might also try:
mysql_query("SELECT * FROM client WHERE id='$id'");

It seems odd you would be confusing GET with POST and it actually doesn't seem possible, because it's not present in your error, since the error says: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id='1''" and for the WHERE id='1' to be possible, it indicates to me you are correct in using GET, otherwise it would be: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id='''".

IOW to have the id='1' present in the error $id must be defined as 1, otherwise it would be empty... The 1 is not an accident, and like I said, I don't see the error, but usually use a slightly different syntax, so it must be something I'm missing, and my guess is it's something simple.

rocknbil

6:45 pm on Oct 20, 2009 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

First, just to clarify, this is a mysql error, not PHP:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id='1'' at line 6

The reason I raise this point is that 1) you can SEE the get variable is getting passed in the error (see the 1?) and 2) it's the right line count.

The statement should work, as should the two posted by TheMadScientist:

mysql_query("SELECT * FROM client WHERE id='$id' LIMIT 1");
mysql_query("SELECT * FROM client WHERE id=".$id." limit 1");

(if it's a unique ID, the limit clause is not needed)

However, working in PHP sometimes confuses an understanding of the effects of quoting. The above three statements should be identical, and should give the same results. In your select, the first one, the double quotes are still interpolated (as you can see by the error.) the outer double quotes contain the select statement, so the single quotes are just another character and should be fine.

However, You do not need to quote selects on a numeric field. It shouldn't be a problem having quotes there, and I've never had a problem with it, but you only need to quote text fields. So one more option to try would be without the quotes:

$select = "SELECT * FROM client WHERE id=$id LIMIT 1";

mysql_query($select);

Moving the select into a variable is just a preference, but agree, that line should not be erroring - try adding mysql_mysql_errno() [us2.php.net] for more information.

TheMadScientist

9:15 pm on Oct 20, 2009 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

@ kedora19

My apologies...
We all seem to have forgotten:

Welcome to WebmasterWorld!

eeek

12:17 am on Oct 21, 2009 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

How about printing out the offending sql?

kedora19

3:24 pm on Oct 24, 2009 (gmt 0)

10+ Year Member

Whoa...thanks for all the reply's, sorry I haven't Responded. I haven't been on the computer for a while, I figured out the problem though. I forgot to put one little ' in