
I have a number of textareas, each with a unique assigned name (name="adcode$ID", for example). When I try to pass those names to the code below, it doesn't work because of the dynamic part.

if (isset($_POST['editadapp'])) {  // Edit AD
$newadcode = mysql_real_escape_string($_POST['.adcode$ID.']);
$doedit = "UPDATE ads SET adcode = '".$newadcode."') WHERE ads_ID=$ID" or die(mysql_error());
$updatead = mysql_query($doedit) or die(mysql_error());
    header("Location: " . $_SERVER['PHP_SELF']);

How can I resolve this?

Michael Petrotta
Caiapfas

3 Answers


You seem to be attempting string concatenation. Here's how to do that correctly:

$newadcode = mysql_real_escape_string($_POST['adcode' . $ID]);

The following line should simply create a string containing your SQL query; you don't execute it until the next line, and since there is no function call, the or die is out of place. You also mix concatenation with interpolation (variable names within a double-quoted string), which is fine but probably not helping you understand your syntax issues, so let's be consistent:

$doedit = "UPDATE ads SET adcode = '" . $newadcode . "' WHERE ads_ID = " . $ID;
Dan Grossman
  • Also the invalidity of the 3rd line... First, there's an extra parenthesis in the query. Next, he's adding an `or die` where there's no call in the first place. – jeremy Oct 06 '12 at 02:50
  • Presumably somewhere earlier in his code. If you want to ask him that, you'd probably want to put it in a comment on his question, not this answer. – Dan Grossman Oct 06 '12 at 02:54
  • $_POST['ID'] should come after if (isset($_POST['editadapp'])) { isn't it? – FirmView Oct 06 '12 at 03:00

There is so much wrong with this that it's frightening.

Firstly,

$doedit = "UPDATE ads SET adcode = '".$newadcode."') WHERE ads_ID=$ID" or die(mysql_error());

That code snippet is wrong on many levels.

  1. The SQL syntax is wrong
  2. The SQL is formatted with strings from user input (see parameterization of queries here)
  3. or die() should not be used here, you're creating a string

Ideally you should have code like:

$dbh = new PDO('connectionstring to connect to your database'); // DSN for your database
$sql = 'update ads set adcode = ? where ads_id = ?';           // placeholders instead of concatenated values
$sth = $dbh->prepare($sql);
$sth->execute(array($_POST['adcode' . $ID], $ID));            // values are sent separately from the SQL text

Other topics:

Are Parameterized queries necessary in pdo?

prepared queries with pdo

Preventing sql injection in php

  • thanks!! answers like this help me learn and I bet everyone that is trying to learn! thanks once again..still very new to php. so far one week. so i think I'm doing okish...lol least i hope i am – Caiapfas Oct 06 '12 at 05:07
  • i wish i had seen this reply 5 seconds sooner would have save another question...dangit! – Caiapfas Oct 06 '12 at 05:08
  • 1
    It's no problem, the bigger issue is the abundance of BAD examples on the internet. Feel free to ask any other questions :D – Johnathon Malizia Oct 06 '12 at 05:27
  • thanks. hopefully i'll learn FASTER!! and not need anymore help with simple stuff =} – Caiapfas Oct 06 '12 at 06:01

You should use an array like adcode[<?php echo $ID;?>] on your page where the textarea is, and a hidden field name=adID[$ID]. On the page where the query executes:

$adID   = array_values($_POST['adID']);   // reindex 0..N-1 so both arrays line up whatever keys the form used
$adcode = array_values($_POST['adcode']);
$N = count($adID);
for ($i = 0; $i < $N; $i++) {             // loop condition was reversed ($N<$i never runs)
    $newadcode = mysql_real_escape_string($adcode[$i]);   // escape each value individually, not the whole array
    $id = (int) $adID[$i];                                // the ID comes from the form too, so force it to an integer
    $doedit = mysql_query("UPDATE ads SET adcode = '$newadcode' WHERE ads_ID=$id") or die(mysql_error());
}
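Putting the PDO answer above and the array-named textareas from this answer together, as an added example that is not from any of the posters: the textareas are named adcode[<ID>], so the ad ID is taken from the array key (no hidden adID field is needed) and one prepared statement is reused for every row. The DSN, credentials and the YOUR_* placeholders are assumptions.

```php
<?php
// Added example (not code from any answer on this page). DSN and credentials are placeholders.
$dbh = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // raise exceptions instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

if (isset($_POST['editadapp']) && is_array($_POST['adcode'] ?? null)) {
    // Same statement text for every row; only the bound values change.
    $sth = $dbh->prepare('UPDATE ads SET adcode = :adcode WHERE ads_ID = :id');

    $dbh->beginTransaction();
    try {
        foreach ($_POST['adcode'] as $id => $newadcode) {
            // The key is user-controlled form data: validate it as an integer before it reaches SQL.
            if (filter_var($id, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException("bad ad id: $id");
            }
            $sth->bindValue(':adcode', $newadcode, PDO::PARAM_STR);
            $sth->bindValue(':id', (int) $id, PDO::PARAM_INT);
            $sth->execute(); // values travel separately from the SQL text, so no escaping is needed
        }
        $dbh->commit(); // either every textarea is saved or none is
    } catch (Throwable $e) {
        $dbh->rollBack();
        error_log($e->getMessage()); // log server-side; don't echo the database error to the browser
        http_response_code(500);
        exit;
    }
    header('Location: ' . $_SERVER['PHP_SELF']);
    exit;
}
```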