0

this script is simply not working... can anyone tell me what I'm doing wrong?

$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];

include('appvars.php');

$query = "UPDATE insight SET name='".$name."' AND SET date='". $date . "' AND SET html='" . $html . "' AND SET shortdesc='" . $shortdesc . "' AND SET link='" . $link . "' AND SET target='" . $target . "' AND SET sort='" . $sort . "' WHERE id='" . $id . "'";

mysqli_query($dbc, $query);
3 Comments

Put echo($query); after the SQL query to see what is being passed. Commented Jun 6, 2012 at 5:56
@tunmisefasipe, the most fundamental and must-do thing :) +1 Commented Jun 6, 2012 at 5:58
Call mysqli_error after the query to check if it returns any errors. This is a good practice in general. Commented Jun 6, 2012 at 6:05

5 Answers

5

You aren't escaping your values so you are vulnerable to SQL injection and also construction of invalid statements. For example, if any of your input strings contain an apostrophe then it could cause your code to fail.

Have a look at prepared statements that will make it much easier to construct your queries with parameters.

In your query you will also need to use commas instead of AND SET.

$query = "UPDATE insight SET name='foo', date='2012-12-10' WHERE id=42";

The syntax for UPDATE is described in the MySQL documentation.


5 Comments

Not worried about that right now. Not a public form, only for my own use.
@user1427274 Escaping values isn't about security; it's about correct interpretation. Security just happens to be a byproduct.
Will I still be able to insert HTML if I escape values?
@user1427274: Yes, of course. It's unlikely to work if you don't.
PDO and Prepared Statements, in case you're wondering what they are. You could also use an ORM.
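The prepared-statement version of the asker's UPDATE, as an added example that is not from the question or any of the answers. It assumes appvars.php creates the mysqli connection in $dbc (as the question implies) and keeps the column names from the question; the function name updateInsight is made up for the example.

```php
<?php
// Added example: the same UPDATE as a mysqli prepared statement.
// Assumes appvars.php provides $dbc, a mysqli connection (as in the question).
declare(strict_types=1);

// Throw on SQL errors instead of failing silently, so a bad query is visible.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'appvars.php';

function updateInsight(mysqli $dbc, int $id, array $fields): int
{
    // Column names are fixed in the SQL text; only values are bound.
    // Note the commas between assignments (the original used "AND SET").
    $sql = "UPDATE insight
            SET name = ?, date = ?, html = ?, shortdesc = ?, link = ?, target = ?, sort = ?
            WHERE id = ?";
    $stmt = $dbc->prepare($sql);
    // Seven strings and one integer. Values never become part of the query text,
    // so apostrophes or HTML in them are plain data, not SQL.
    $stmt->bind_param(
        'sssssssi',
        $fields['name'], $fields['date'], $fields['html'], $fields['shortdesc'],
        $fields['link'], $fields['target'], $fields['sort'], $id
    );
    $stmt->execute();
    $rows = $stmt->affected_rows; // 0: no row matched the id, or nothing changed
    $stmt->close();
    return $rows;
}

// Validate id up front: a non-numeric id is a bad request, not a query to run.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}

$fields = [];
foreach (['name', 'date', 'html', 'shortdesc', 'link', 'target', 'sort'] as $key) {
    $fields[$key] = $_POST[$key] ?? '';
}

$rows = updateInsight($dbc, $id, $fields);
echo $rows === 0 ? "no row updated for id $id" : "updated $rows row(s)";
```

If the name column really is numeric, as the comment thread below suggests, this version fails loudly with a type error from MySQL in strict mode rather than silently storing 0.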
0

Use it like this,

$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";

2 Comments

Used this; it set 'name' to 0 rather than the given "testing", and the rest of the values were unaffected.
It may be due to the data type of the column you set. You should set that to text or varchar to accept non-numeric values.
0

It's working ... check now

$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];

include('appvars.php');

$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";

mysqli_query($dbc, $query);

Comments

0

I ain't a pro at MySQL, but here's a try.

I guess id is an integer. So, don't quote it.

Try this,

$query = "UPDATE insight SET name='".$name."' , date='". $date . "' , html='" . $html . "' , shortdesc='" . $shortdesc . "' , link='" . $link . "' , target='" . $target . "' , sort='" . $sort . "' WHERE id=". $id ;

Comments

0

I think the SQL syntax is not correct; you can use it like this: UPDATE tablename SET rowname = value , ....

Comments
