After writing a whole lot of much more complicated code that works beautifully, THIS is the code that is giving me issues.

Simple form

<form action="res/scripts/editsubscriber.php" method="post">
<label for="name">Name: </label>
<input name="name" type="text" value="<?php echo $name; ?>">
...etc, etc...
</form>

Submits to this script:

  include('appvars.php');
  if(isset($_POST['submit'])){
    $id = $_POST['id'];
    $name = $_POST['name'];
    $email = $_POST['email'];
    $month = $_POST['month'];
    $day = $_POST['day'];
    $year = $_POST['year'];
    $date = $_POST['date'];
    $time = substr($date, 0, (stripos($date, " ")+1));
    $time = str_replace($time, '', $date);
    $created = $year.'-'.$month.'-'.$day.' '.$time;
    $query = "UPDATE newslettersubscribers SET name = '$name', email = '$email', created = '$created' WHERE id = $id)";
    mysqli_query($dbc, $query);
  }

It posts, I've echoed all of the variables, they change just fine, but it still won't update the database. Someone please tell me what I'm missing...

i.am.michiel
user1621945

4 Answers

You got a strange trailing ) in your SQL query. Have you executed it in a SQL client?

i.am.michiel

Do you have an ID form input?

<input name="id" type="text" value="<?php echo $id; ?>">

Also, you're not escaping SQL/HTML.

NoPyGod

This code will compromise your database's security severely. Since none of the parameters are sanitized before being included in the query, anyone with basic security knowledge can take over your application in seconds.

To address the security issues and your bug, you may want to look into http://php.net/manual/en/pdo.prepared-statements.php

0x90
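
The parameterized form of the UPDATE that the last answer points to, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database standing in for MySQL so it runs offline; `updateSubscriber`, the table layout, the single `created` field (in place of the year/month/day/time the script assembles) and the sample values are assumptions.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL database so the
// script runs offline; the table layout and sample row are constructed.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently, which is what hid the
// stray ")" in the original query.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE newslettersubscribers
            (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created TEXT)');
$pdo->exec("INSERT INTO newslettersubscribers
            VALUES (1, 'Old Name', 'old@example.com', '2012-01-01 10:00:00')");

// Hypothetical helper: validates the posted fields, then runs a parameterized UPDATE.
function updateSubscriber(PDO $pdo, array $post): int
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $email = filter_var($post['email'] ?? null, FILTER_VALIDATE_EMAIL);
    $created = DateTime::createFromFormat('Y-m-d H:i:s', (string)($post['created'] ?? ''));
    if ($id === false || $email === false || $created === false) {
        throw new InvalidArgumentException('Invalid id, email or date');
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE newslettersubscribers
            SET name = :name, email = :email, created = :created
          WHERE id = :id'
    );
    $stmt->execute([
        ':name'    => (string)($post['name'] ?? ''),
        ':email'   => $email,
        ':created' => $created->format('Y-m-d H:i:s'),
        ':id'      => $id,
    ]);
    return $stmt->rowCount(); // number of rows changed
}

// Constructed input, including a quote that would break the concatenated query.
$post = ['id' => '1', 'name' => "O'Brien", 'email' => 'ob@example.com',
         'created' => '2012-08-24 09:30:00'];
echo updateSubscriber($pdo, $post), " row(s) updated\n";

$row = $pdo->query('SELECT name FROM newslettersubscribers WHERE id = 1')->fetch();
// Escape on output, as needed in the form's value="..." attribute.
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
```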