开发者

update mysql db through form in php

开发者 https://www.devze.com 2022-12-26 16:40 出处:网络
I am getting this error, You have an error in your SQL syntax; check the manual that corresponds to your MySQL开发者_C百科 server version for the right syntax to use near \' address=\'xxxxx\', city=\

I am getting this error,

You have an error in your SQL syntax; check the manual that corresponds to your MySQL开发者_C百科 server version for the right syntax to use near ' address='xxxxx', city='sssssssss', pincode='333333333', state='Assam', count' at line 1

Thanks in advance.

http://dpaste.com/hold/181959/


your WHERE clause is wrong, you don't write WHERE a=1, b=2, c=3 you want WHERE a=1 AND b=2 AND c=3

additionally your logic is flawed, because your WHERE clause would usually be something more like WHERE id = x (at the moment you're updating a row in a table, where the row data is already the same as that which you're updating it to - if that makes any sense? :) )

furthermore, learn to escape your sql strings properly or you leave yourself vulnerable to sql injection


As well as the problem explained by oedo, you've also got severe SQL injection problems. You need to use mysql_real_escape_string to encode strings for insertion into an SQL statement, not htmlspecialchars. Or use parameterised queries.

htmlspecialchars() is for HTML-encoding text just before you output it into an HTML page. You should not HTML-encode strings for storage in the database.


Firstly, don't you have some kind of unique identifier for your users? Maybe a customer-id of some kind? You could use that to identify the customer in the WHERE clause to make your SQL more clear.

Secondly, do you expect that your user to write all the company EXACTLY like it is in the database? Because that is what you expect from them with your current design.


You need to identify the record by using an ID, not the field values. If you look to a lot of websites, usually they send the ID to identify a record. Like edit.php?id=1284, or view.php?id=1284, etc.

In short you will have a form that you fill up with the values that are in the database for that record ID. If you edit it, you write a edit query like:

$UpdateQuery = "UPDATE customer SET name = '" . $name . "', address = '" . $address . "' ....... WHERE id = " . intval($_GET['id']);

The reason I add intval is because that will only allow numeric values to pass through. As mentoined by bobince, watch out for SQL injections and let mysql_real_escape_string pass through all of your string values you enter in the query too.

0

精彩评论

暂无评论...
验证码 换一张
取 消