
Here is my PHP code, which is not working properly.

It is not running the query that is in the `if` condition; every time it executes the `else` part.

    <?php
    include('admin/class.php');

**Here is my DB connection**

    $hostname="localhost";
    $username="root";
    $password="";

    $dbhandle = mysql_connect($hostname, $username, $password)
        or die("Unable to connect to MySQL");
    echo "Connected to MySQL<br>";
    $se = mysql_select_db("timesheet1234",$dbhandle)
        or die("Could not select timesheet1234");
    echo "connected to db";

    if(isset($_POST['save']))
    {
        echo "post if";

        $sel=@$_POST['selpro'];
        $mon=@$_POST['mon'];
        $tue=@$_POST['tue'];
        $wed=@$_POST['wed'];
        $thu=@$_POST['thu'];
        $fri=@$_POST['fri'];
        $sat=@$_POST['sat'];
        $sun=@$_POST['sun'];

Here is my code where the problem starts and it's not working properly

        if(isset($_SESSION['user']))
        {
            echo "session user";
            $sql="UPDATE empdaytimesheet SET `project  code`='$sel',`mon`='$mon',`tue`='$tue',`wed`='$wed',`thu`='$thu',`fri`='$fri',`sat`='$sat',`sun`='$sun' where `username`='".$_SESSION['user']."'";

            $res=mysql_query($sql,$dbhandle);
            if($res){
                echo "<script type='text/javascript'>";
                echo "alert('TimeSheet Saved..!')";
                echo "</script>";
                echo "<script type='text/javascript'>";
                echo "window.location='my_timesheet.php'";
                echo "</script>";
            }
            else
            {
                echo "<script type='text/javascript'>";
                echo "alert('Some Error Occured ! Retry..!')";
                echo "</script>";
                echo "<script type='text/javascript'>";
                echo "window.location='my_timesheet.php'";
                echo "</script>";
            }
        }
    }
    ?>
marc_s
Ganesh
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 11 '13 at 07:07
  • What do you mean by `SET project code='$sel'`? – Praveen Kumar Purushothaman May 11 '13 at 07:08
  • It's a column name in db.. – Ganesh May 11 '13 at 07:09
  • Have you tried `var_dump($_SESSION['user'])` to check whether the session is set or not? Because you described that it always goes to the `else` condition and not the `if` condition – Smile May 11 '13 at 07:11
  • Is a space allowed in a `column` name? And is it valid? – Smile May 11 '13 at 07:24
  • In order to debug a query, it is often useful to echo the sql that is being sent to the database. That way you can use a tool such as phpMyAdmin to ask the same query directly to the database and see if there are any syntax errors, or if the results are as expected. Alternatively in your 'else' clause you could have the script display the actual error message returned using something like mysql_error. As has been pointed out, you should probably look at using mysqli instead. – Loopo May 11 '13 at 07:34
  • Did you try to run this query on mysql or phpmyadmin console: ``UPDATE empdaytimesheet SET `project code`='$sel',`mon`='$mon',`tue`='$tue',`wed`='$wed',`thu`='$thu',`fri`='$fri',`sat`='$sat',`sun`='$sun' where `username`='".$_SESSION['user']."'";`` – Yogus May 11 '13 at 08:51
  • Spaces are allowed in column names (provided the column name is enclosed in backticks, `` ` ``) - but that's not to imply that they're a good idea! – Strawberry May 17 '13 at 15:50

2 Answers

    UPDATE table empdaytimesheet SET...

is not valid SQL. What you mean to do is probably;

    UPDATE empdaytimesheet SET...

Also, column names with spaces need to be quoted with - in MySQL's case - backticks, that is;

    UPDATE empdaytimesheet SET `project code`=...

What you need to be aware of though is that you're open to SQL injection. If anyone posts a value for sel that contains a single quote, they can rewrite your SQL. For example, using Fiddler to post a value of sel as `',username='` would make your sql update the username column of the table too;

    UPDATE empdaytimesheet SET `project code`='',username='',mon=...

In general, just putting unchecked post variables into an SQL string is a bad thing. That's one big reason the mysql_* APIs are obsoleted by PDO and mysqli; they have methods for dealing with this.

Joachim Isaksson
  • Dang beat me to it! On top of that, you should use prepared sql statements, scrubbing your parameters. Have a look at this answer as well. http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php – clamchoda May 11 '13 at 07:16
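
The injection described in the answer above, next to the prepared-statement form it recommends, as an added example that is not part of the original answers. It assumes PDO with the `pdo_sqlite` driver (an in-memory SQLite database stands in for MySQL so it runs offline); the table rows, the function names and the 0 to 24 hours check are constructed for illustration.

```php
<?php
// Added example. Constructed data; in-memory SQLite stands in for MySQL (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function resetTable(PDO $pdo): void {
    $pdo->exec('DROP TABLE IF EXISTS empdaytimesheet');
    $pdo->exec('CREATE TABLE empdaytimesheet (username TEXT, `project code` TEXT, mon INTEGER)');
    $pdo->exec("INSERT INTO empdaytimesheet VALUES ('alice', 'P1', 0), ('bob', 'P2', 0)");
}

// Before: values are spliced into the SQL text, as in the question.
// A quote inside $sel ends the string literal and the rest is parsed as SQL.
function saveConcatenated(PDO $pdo, string $user, string $sel, string $mon): void {
    $pdo->exec("UPDATE empdaytimesheet SET `project code`='$sel',`mon`='$mon' WHERE `username`='$user'");
}

// After: the SQL text is constant and the values are bound as parameters,
// so they are always treated as data.
function savePrepared(PDO $pdo, string $user, string $sel, string $mon): int {
    if (!ctype_digit($mon) || (int) $mon > 24) {   // hypothetical range check
        throw new InvalidArgumentException('hours must be a whole number from 0 to 24');
    }
    $stmt = $pdo->prepare(
        'UPDATE empdaytimesheet SET `project code` = :sel, mon = :mon WHERE username = :user'
    );
    $stmt->bindValue(':sel', $sel, PDO::PARAM_STR);
    $stmt->bindValue(':mon', (int) $mon, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();   // 0 means no row matched the session user
}

function dump(PDO $pdo, string $label): void {
    echo $label, PHP_EOL;
    foreach ($pdo->query('SELECT * FROM empdaytimesheet ORDER BY rowid', PDO::FETCH_ASSOC) as $row) {
        echo '  ', json_encode($row), PHP_EOL;
    }
}

$payload = "',username='";   // the value of sel given in the answer

resetTable($pdo);
saveConcatenated($pdo, 'alice', $payload, '8');
dump($pdo, 'concatenated: the username column is overwritten as well');

resetTable($pdo);
savePrepared($pdo, 'alice', $payload, '8');
dump($pdo, 'prepared: the payload is stored as the project code text');
```

With MySQL the same functions work over a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.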

Change

    $sql="UPDATE table empdaytimesheet SET project  code='$sel',...

to

    $sql="UPDATE empdaytimesheet SET `project  code`='$sel', ...
                 ^ no table here     ^             ^ backticks
peterm
  • Ya... OK, but whatever input I am giving, it is not storing that data; it is saving as 0 for all attributes – Ganesh May 11 '13 at 08:25
  • @Ganesh Can you do `echo $sql` before you call `mysql_query()` and post the result? – peterm May 12 '13 at 05:13