I've followed all the mySQL tutorials correctly but it still won't update the values in my table, can someone please help me?, these are my values below:
$editid = $_GET['id'];
$newtitle = $_POST['title'];
$newsneak = $_POST['sneak'];
$newbody = $_POST['body'];
$connect = mysql_connect("localhost","username","password") or die("Couldn't Connect. ");
mysql_select_db("dr") or die ("Couldn't Find DB.");
$query = mysql_query("SELECT * FROM news WHERE id=$editid");
$numrows = mysql_num_rows($query);
if($numrows=!0)
{
$querytitle = mysql_query("UPDATE news SET title=$newtitle WHERE id=$editid");
$querysneak = mysql_query("UPDATE news SET summary=$newsneak WHERE id=$editid");
$querybody = mysql_query("UPDATE news SET body=$newbody WHERE id=$editid");
header("Location:开发者_开发问答 ../index.php");
}
On your select (add myql_error to check error):
$result = mysql_query("SELECT * FROM news WHERE id='$editid'");
if (!$result) {
die('Invalid query: ' . mysql_error());
}
On your update:
$querytitle = mysql_query("UPDATE news SET title='$newtitle' WHERE id='$editid'");
$querysneak = mysql_query("UPDATE news SET summary=$newsneak WHERE id='$editid'");
$querybody = mysql_query("UPDATE news SET body='$newbody' WHERE id='$editid'");
use single quote around input data also use mysql_real_escape_string();
avoid sql injection.
PHP mysql_real_escape_string
As per @Tchalvak suggestion to include mention of binding, these are more updated tools against SQL Injections plus better optimization, but keep in mind PDO and MySQLi are supported if you have PHP 5+:
PHP PDO
and
PHP MySQLi
Can I add as well once you finish debugging to please remove any mysql_error() output? This is awesome info for attackers since it reveals database details. Either log it or don't show errors...adds a little extra security.
You want to use the mysql_error function to see what error your query returns.
As integration pointed out by Jeremy Conley, pay attention to don't let the mysql_error
function output get published in your production HTML.
精彩评论