0

Hey i am aware mysql is now deprecated but for example purposes i am unable to get this query to work. No errors are displayed but it doesn't work. A previous questioned helped with protection but the query is the issue i believe with this.

The query:

if (isset($_POST['update'])){
$UpdateQuery = "UPDATE tbl_venues SET venue_id='$_POST[id]', venue_name='$_POST[name]', venue_description ='$_POST[desc]', venue_address ='$_POST[address]', venue_type ='$_POST[type]' WHERE venue_id='$_POST[hidden]'"; 
mysql_query($UpdateQuery, $connect);

Data example:

echo"<form action=venuelist.php method=post>";
echo "<td><input type='text' name='name' value='"  . $record['venue_name'] . "'> </td>";
echo "</form>";

Please note there are multiple of the above all with names corresponding to the query.

Any help appreciated, thanks.

  • **By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. You can also see http://bobby-tables.com/php for alternatives and explanation of the danger. – Andy Lester Apr 17 '14 at 21:58
  • did my answer work for you? – Gadgetster Apr 18 '14 at 17:52
  • I am still playing round with it but it did not work unfortunately –  Apr 19 '14 at 13:37

3 Answers3

0

Try

if (isset($_POST['update'])){
$UpdateQuery = "UPDATE tbl_venues SET venue_id='$_POST['id']', venue_name='$_POST['name']', venue_description ='$_POST['desc']', venue_address ='$_POST['address']', venue_type ='$_POST['type']' WHERE venue_id='$_POST['hidden']'"; 
mysql_query($UpdateQuery, $connect);

You need to have [' '] inside the $_Post

Gadgetster
  • 473
  • 3
  • 12
  • 33
0

Try Query after removing "isset($_POST['update'])" Condition you might not setting 'update' properly, just to make sure this is not a problem remove if condition or show us your form too.

A H K
  • 1,758
  • 17
  • 29
0

please check if this works .

 <?php
$UpdateQuery = "UPDATE tbl_venues SET venue_id='".$_POST[id]."', venue_name='".$_POST[name]."', venue_description ='".addslashes($_POST[desc])."', venue_address ='".addslashes($_POST[address])."', venue_type ='".$_POST[type]."' WHERE venue_id='".$_POST[hidden]."'";
?>
ashutosh
  • 81
  • 7