0

I am trying to update 'company_name', 'company_add', 'price' as primary key 'id', but it shows me a 'something went wrong' message along with an 'undefined id' error. Please help me!

<?php
include('data_conn.php');

if(isset($_POST['sub']))
{
    $comname=$_POST['cname'];
    $comadd=$_POST['cadd'];
    $pri=$_POST['price'];

    $query ="UPDATE login SET company_name=$comname,company_add=$comadd,price=$pri WHERE id=$id";
    $result = mysql_query($query);
    echo $result;
    if(!$result)
    {
        echo '<script language="javascript">';
        echo 'alert("something went Wrong...:("); location.href="edit.php"';
        echo '</script>';
    }else{
        echo '<script language="javascript">';
        echo 'alert("successfully updated!!!"); location.href="edit.php"';
        echo '</script>';
    }
}
?>
Ultimater
Rkboss

2 Answers

2

Instead of using direct substitution values, you could use the methods below to avoid SQL injection.

You basically have two options to achieve this:

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    
    $stmt->execute(array('name' => $name));
    
    foreach ($stmt as $row) {
        // do something with $row
    }

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name);
    
    $stmt->execute();
    
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // do something with $row
    }

Please refer to "How can I prevent SQL injection in PHP?"

Community
Tamil
0

You have to put the character values in single quotes:

    $query ="UPDATE login SET company_name='$comname',company_add='$comadd',price=$pri WHERE id=$id";

Stop using the deprecated mysql_* API. Use mysqli_* or PDO with prepared statements. At least use the error function to get the error message.

Jens
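
The two answers above recommend prepared statements and surfacing the database error; the following added example (not code from the question or from either answer) applies both to the question's UPDATE. It assumes the pdo_sqlite extension with an in-memory SQLite table standing in for the MySQL `login` table, and a hypothetical form field named `id` carrying the row id.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for the MySQL `login` table,
// and the row id arrives as a hypothetical form field named "id".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw instead of returning false
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, company_name TEXT, company_add TEXT, price REAL)');
$pdo->exec("INSERT INTO login VALUES (1, 'Old Name', 'Old Address', 10.0)");

/** Update one row by id; returns the number of rows changed. */
function updateCompany(PDO $pdo, array $post): int
{
    // Validate numeric fields instead of trusting them; in the question $id was never assigned.
    $id    = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $price = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($id === false || $price === false) {
        throw new InvalidArgumentException('id and price must be numeric');
    }
    // Placeholders keep the values out of the SQL text, so quotes in a name are just data.
    $stmt = $pdo->prepare(
        'UPDATE login SET company_name = :name, company_add = :addr, price = :price WHERE id = :id'
    );
    $stmt->execute([
        ':name'  => (string)($post['cname'] ?? ''),
        ':addr'  => (string)($post['cadd'] ?? ''),
        ':price' => $price,
        ':id'    => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed sample input: the company name contains a quote and SQL syntax.
$post = ['id' => '1', 'cname' => "O'Brien & Co', price=0 --", 'cadd' => '1 Main St', 'price' => '19.99'];
try {
    echo updateCompany($pdo, $post), " row(s) updated\n";
    print_r($pdo->query('SELECT * FROM login')->fetchAll(PDO::FETCH_ASSOC));
    updateCompany($pdo, ['cname' => 'x', 'cadd' => 'y', 'price' => '1']); // no id: rejected
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
} catch (PDOException $e) {
    error_log($e->getMessage()); // log the database error; show the user a generic message
    echo "Update failed\n";
}
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the prepared statement and validation stay the same.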