-2

What I am trying to do is get the value entered in the textbox and then insert that value into the database.

This code seems to be working, but it only changes the value chosen to 0:

    <?php

    $q1 = $_POST['q1'];
    $q2 = $_POST['q2'];
    $q3 = $_POST['q3'];
    $q4 = $_POST['q4'];

    $qe = $_POST['qe'];

    $LT1 = $_POST['LT1'];
    $LT2 = $_POST['LT2'];

    $THW = $_POST['THW'];
    $TSW = $_POST['TSW'];

    $Ct = $_POST['Ct'];
    $Pj = $_POST['Pj'];

    $insert = mysql_query("UPDATE grades SET HQ1 = ' . $q1 . ' WHERE ID='4011909'");

    ?>

  • 1
    You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Feb 06 '13 at 17:45
  • Duplicate of your own question: [Update database using values from texbox ](http://stackoverflow.com/questions/14735069/update-database-using-values-from-texbox-php). If a question gets closed then **edit** it, **don't** *duplicate* it. – Quentin Feb 06 '13 at 17:46
  • Should be: $insert = mysql_query("UPDATE grades SET HQ1 = "' . $q1 . '" WHERE ID='4011909'"); – Stefan Feb 06 '13 at 17:48
  • @Stefan — No, that's now a PHP syntax error instead of an SQL syntax error. – Quentin Feb 06 '13 at 17:49
  • nothing happens if mysql_query("UPDATE grades SET HQ1 = ". $q1 ." WHERE ID='4011909'"); – Das Javilinar Feb 06 '13 at 17:51
  • @Quentin - I don't think so...? mysql_query() accepts a string, and I supply a string. – Stefan Feb 06 '13 at 17:52
  • @Stefan — No, you have a string literal, then an apostrophe, and that is a syntax error. – Quentin Feb 06 '13 at 17:53
  • @Das Javilinar - That's not what I said you should change it to. – Stefan Feb 06 '13 at 17:53
  • @Quentin: I have (and I quote :) "UPDATE grades SET HQ1 = ' " . $q1 . " ' WHERE ID='4011909' "); – Stefan Feb 06 '13 at 17:54
  • 1
    @Stefan — I copy/pasted it. You have `"` before the `'`. – Quentin Feb 06 '13 at 17:54
  • 1
    It's the wrong solution anyway as it continues being vulnerable to SQL Injection and depends on a deprecated API. – Quentin Feb 06 '13 at 17:55
  • @Quentin: I checked - you are right, I made a mistake. Also agree about deprecated API. – Stefan Feb 06 '13 at 17:56
  • @Quentin Sorry, kind of new here, still in high school, that's why I'm still a bit inexperienced. – Das Javilinar Feb 06 '13 at 18:09

1 Answer

0

Remove the concatenation symbol in the query:

    $insert = mysql_query("UPDATE grades SET HQ1 = '$q1' WHERE ID='4011909'");
John Woo
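
An added example (not code from the question, the answer, or the commenters): it prints the SQL text the question's string really produces, then runs the same update with a bound parameter, the kind of defense the comments above point to. It assumes PDO with the SQLite driver as an offline stand-in for the MySQL database, a constructed `grades` schema, a 0-100 grade range, and constructed sample input.

```php
<?php
// Added example. Assumptions: in-memory SQLite replaces MySQL so this runs
// offline; the schema, the 0-100 range and the sample inputs are constructed.

// The question's string as PHP builds it: $q1 is interpolated, but the dots
// stay inside the SQL literal. For q1 = 85 the server sees ' . 85 . ', which
// MySQL in non-strict mode casts to 0 if HQ1 is numeric (assumed here).
function originalQuery(string $q1): string
{
    return "UPDATE grades SET HQ1 = ' . $q1 . ' WHERE ID='4011909'";
}

// Validate the form field as a grade before it gets near the database.
function parseGrade($raw): ?int
{
    $grade = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]);
    return $grade === false ? null : $grade;
}

// Parameterized UPDATE: the value is bound, never spliced into the SQL text.
function updateGrade(PDO $db, string $id, int $grade): int
{
    $stmt = $db->prepare('UPDATE grades SET HQ1 = :grade WHERE ID = :id');
    $stmt->execute([':grade' => $grade, ':id' => $id]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE grades (ID TEXT PRIMARY KEY, HQ1 INTEGER)");
$db->exec("INSERT INTO grades (ID, HQ1) VALUES ('4011909', 0)");

echo originalQuery('85'), PHP_EOL;

// Constructed stand-ins for $_POST['q1']: a valid grade, then input with quotes.
foreach (['85', "85' OR '1'='1"] as $raw) {
    $grade = parseGrade($raw);
    if ($grade === null) {
        echo "rejected: ", var_export($raw, true), PHP_EOL;
        continue;
    }
    echo "rows updated: ", updateGrade($db, '4011909', $grade), PHP_EOL;
}
$row = $db->query("SELECT HQ1 FROM grades WHERE ID = '4011909'");
echo "HQ1 = ", $row->fetchColumn(), PHP_EOL;
```

Against the real MySQL database only the DSN and credentials passed to `new PDO(...)` change; the prepared statement stays the same.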