
My update form script works only if I use numbers, but if I try to use any words it won't work. I need help, thanks!

<?php
// $conn is assumed to be a connection opened earlier with mysql_connect().
if (isset($_POST['teams'])) {
    $home_team    = $_POST['home_team'];
    $visitor_team = $_POST['visitor_team'];

    // Build the statement text first; it is executed once below.
    // The values are inserted into the SQL text without quotes, which is why
    // only numeric input currently works.
    $sql = "UPDATE table1
            SET home_team = $home_team, visitor_team = $visitor_team
            WHERE active = 1";

    $retval = mysql_query($sql, $conn);
    if (!$retval) {
        die("<p>Error! Could not update team names. Click return button.</p>");
    }
    echo "<p>Team names set successfully!</p>";
    mysql_close($conn);
}
?>

2 Answers

Try with the use of '' in your query:

// Quote each string value, and escape it so quotes inside the value do not
// break the statement. $conn is the connection opened earlier.
$sql = "UPDATE table1 SET
            home_team = '" . mysql_real_escape_string($home_team, $conn) . "',
            visitor_team = '" . mysql_real_escape_string($visitor_team, $conn) . "'
        WHERE active = '1'";
$retval = mysql_query($sql, $conn);

Also add mysql_real_escape_string() to prevent SQL injection.

jogesh_pi

  • `mysql_real_escape_string()` doesn't fully protect against SQL injection at all. See here: [SQL injection that gets around mysql_real_escape_string()](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/5741264#5741264) – John Woo Nov 28 '12 at 04:50


Every string passed to a SQL statement must be enclosed in ''; if it is not, it will result in an error.

That being said, throwing content straight from a form into the database is very, very, very, very (I need another very) bad. Your database can simply be wiped by anyone; it's called SQL injection.

To protect your database, you can start with this good article on PDO.

Kneel-Before-ZOD
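The PDO approach recommended in the second answer, as an added example that is not from the question or either answer: the same UPDATE written as a prepared statement, so the team names are sent as bound parameters and are never spliced into the SQL text (which also removes the quoting problem from the question). The DSN, credentials and table layout are assumptions; replace the placeholders with your own.

```php
<?php
// Added example (not the question's or either answer's code): the UPDATE from
// the question rewritten with PDO prepared statements. The values travel as
// bound parameters, so quotes, apostrophes or SQL keywords inside a team name
// are stored literally instead of altering the statement.
$dsn  = 'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4'; // placeholder
$user = 'YOUR_DB_USER';     // placeholder
$pass = 'YOUR_DB_PASSWORD'; // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on failure
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

function updateTeamNames(PDO $pdo, string $homeTeam, string $visitorTeam): int
{
    // Named placeholders stand in for the values; no quoting or escaping
    // is done by hand, the driver sends the values separately from the SQL.
    $stmt = $pdo->prepare(
        'UPDATE table1 SET home_team = :home, visitor_team = :visitor WHERE active = 1'
    );
    $stmt->execute([
        ':home'    => $homeTeam,
        ':visitor' => $visitorTeam,
    ]);
    return $stmt->rowCount(); // number of rows actually updated
}

if (isset($_POST['teams'], $_POST['home_team'], $_POST['visitor_team'])) {
    try {
        $rows = updateTeamNames($pdo, $_POST['home_team'], $_POST['visitor_team']);
        echo "<p>Team names set successfully ({$rows} row(s) updated).</p>";
    } catch (PDOException $e) {
        error_log($e->getMessage()); // keep driver details in the server log
        echo "<p>Error! Could not update team names. Click return button.</p>";
    }
}
```

With this form, a name such as O'Brien's XI is stored exactly as typed, which the unquoted query in the question could not do and the escaped string concatenation in the first answer only handles as long as the escaping matches the connection's character set.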