I'm trying to edit an item in a MySQL database generated list. Here is the code:

<?php
// connect to database
$connect = mysql_connect("<HOST>", "<USER>", "<PASSWORD>") or die ("Error , check your server connection.");
mysql_select_db("tvc");
?>

<html>
<head>
<title></title>
</head>

<body>

<?php 
$result = mysql_query("UPDATE closet SET
    pattern = '{$_POST['pattern']}'
    WHERE id='{$_POST['id']}'") or die ("Error in query");

// if successfully updated. 
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='patterns.php'>Back to Patterns List</a>";
}

else {
echo "ERROR";
}

?>

</body>
</html>

I get an 'error in query' error message and I can't figure out what is causing it.

Any help would be much appreciated!

Cynthia
  • If you don't look at the error message hints, you won't find out. Also there is a distinct lack of database escaping in your code. Work on that. (Or rather use PDO and prepared statements to avoid this cumbersome approach.) – mario Nov 09 '12 at 14:31
  • Nice [SQL injection holes](http://bobby-tables.com). Enjoy having your server destroyed. – Marc B Nov 09 '12 at 14:34

1 Answer

You forgot to remove the comma before WHERE.

Change

$result = mysql_query("UPDATE closet SET
    pattern = '{$_POST['pattern']}',
    WHERE id='{$_POST['id']}'") or die ("Error in query");

To

$pattern = mysql_real_escape_string($_POST['pattern']);
$id= mysql_real_escape_string($_POST['id']);

$result = mysql_query("UPDATE closet SET
    pattern = '".$pattern."' WHERE id='".$id."'") or
die("Could not connect: " . mysql_error());

Recommendations:

1. Learn to prevent MySQL injections: Good Link

2. The mysql extension is not recommended for writing new code. Instead, either the mysqli or PDO_MySQL extension should be used. More reading: PHP Manual

Community
GBD
  • I just removed the , before WHERE and I still get the same error. – Cynthia Nov 09 '12 at 14:29
  • can you paste echo "UPDATE closet SET pattern = '{$_POST['pattern']}', WHERE id='{$_POST['id']}'"; – GBD Nov 09 '12 at 14:31
  • where in the file should I paste it? – Cynthia Nov 09 '12 at 14:34
  • I updated my PHP file w/ your edited code (starting from $result = and ending with mysql_error()); and I get the following error: – Cynthia Nov 09 '12 at 14:40
  • I figured it out! It had nothing to do with that php page but rather a value trying to be passed from the previous page. Thank you so much for revamping my code, though. Being able to see the error instead of a generic message helped me track it down. – Cynthia Nov 09 '12 at 14:41
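
The PDO prepared-statement approach that the first comment and the answer's recommendations point to, as an added example that is not part of the original thread. It uses an in-memory SQLite database as a stand-in so it runs offline; the `updatePattern()` helper, its return strings, the 255-character limit and the sample rows are assumptions, while `closet`, `pattern` and `id` come from the question.

```php
<?php
// Added example (not from the thread). SQLite in memory stands in for MySQL so
// the script runs offline; for MySQL use a DSN like
// 'mysql:host=<HOST>;dbname=tvc;charset=utf8mb4' and also set
// PDO::ATTR_EMULATE_PREPARES => false to get server-side prepares.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE closet (id INTEGER PRIMARY KEY, pattern TEXT)");
$pdo->exec("INSERT INTO closet (id, pattern) VALUES (1, 'stripes'), (2, 'plaid')"); // constructed rows

// Hypothetical helper; $input stands in for $_POST.
// Returns 'invalid', 'updated' or 'no_row_changed'.
function updatePattern(PDO $pdo, array $input): string
{
    // Validate before touching the database: id must be a positive integer.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $pattern = $input['pattern'] ?? null;
    // 255 is an assumed column limit, not taken from the question.
    if ($id === false || !is_string($pattern) || $pattern === '' || strlen($pattern) > 255) {
        return 'invalid';
    }
    // Placeholders keep user data out of the SQL text, so a quote in the
    // pattern cannot change the statement.
    $stmt = $pdo->prepare('UPDATE closet SET pattern = :pattern WHERE id = :id');
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // On MySQL rowCount() is also 0 when the new value equals the stored one.
    return $stmt->rowCount() === 1 ? 'updated' : 'no_row_changed';
}

// Constructed sample inputs.
$samples = [
    ['id' => '1', 'pattern' => 'polka dots'],
    ['id' => '2', 'pattern' => "tailor's check"], // contains a single quote
    ['id' => '1 OR 1=1', 'pattern' => 'x'],       // non-integer id
    ['id' => '99', 'pattern' => 'x'],             // id with no matching row
];
foreach ($samples as $input) {
    try {
        $status = updatePattern($pdo, $input);
    } catch (PDOException $e) {
        error_log('closet update failed: ' . $e->getMessage()); // detail goes to the server log
        $status = 'error';                                       // the page shows only a generic status
    }
    echo json_encode($input), ' => ', $status, PHP_EOL;
}
// Read the table back to see what was actually stored.
foreach ($pdo->query('SELECT id, pattern FROM closet ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['pattern'], PHP_EOL;
}
```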