-3

I know the code is messy and very imperfect. However, when trying to update a MySQL record using the code below, which I updated, it now won't post into the MySQL database.

Thanks for your help in advance

<?php
define('DB_NAME', 'comics');
define('DB_USER', 'root');
define('DB_PASSWORD', '');
define('DB_HOST', 'localhost');

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);

// Was "if (!link)": without the $ this tests a bare constant, which is always truthy,
// so a failed connection was never reported.
if (!$link) {
    die('Could not connect: ' . mysql_error());
}

$db_selected = mysql_select_db(DB_NAME, $link);

if (!$db_selected) {
    die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
}

if (!isset($_GET['update'])) {
    $q = "SELECT * FROM comics where ID = '$_GET[id]'";
    $result = mysql_query($q);
    $comics = mysql_fetch_array($result);
}

if (isset($_GET['update'])) {
    $email = mysql_real_escape_string($_GET["email"]);
    $title = mysql_real_escape_string($_GET["title"]);
    $issue = mysql_real_escape_string($_GET["issue"]);
    $edition = mysql_real_escape_string($_GET["edition"]);
    $publisher = mysql_real_escape_string($_GET["publisher"]);
    $condition = mysql_real_escape_string($_GET["condition"]);
    $price = mysql_real_escape_string($_GET["price"]);

    $targetid = intval($_GET["id"]);

    $sql = "UPDATE comics SET Email='$email', Title='$title', Issue='$issue', Edition='$edition', Publisher='$publisher', Quality='$condition', Cost='$price' WHERE ID = '$targetid'";

    $myData = mysql_query($sql, $link);
    if (!$myData) {
        die(mysql_error());
    }

    if ($myData == TRUE) {
        header('Location: index.html');
        exit();
    }
}
Spencer

1 Answer

3

You're missing a ' in

Issue='$isuse,

That alone will break the rest of the query. And you misspelled issue. It should be

Issue='$issue',

You also have an extra comma right before your WHERE clause, and you use $id in your query, but you never defined that (I think you must mean $targetid). The whole thing should be:

$sql = "UPDATE comics SET Email='$email', Title='$title', Issue='$issue', Edition='$edition', Publisher='$publisher', Quality='$condition', Cost='$price' WHERE ID = $targetid";

You really should use an IDE like PHPStorm (no affiliation), which would have caught all of these problems for you, automatically.

That said, please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure. They're removed entirely in PHP 7, and have been deprecated for a long time. Use MySQLi or PDO instead.

Also, you are wide open to SQL injection. This is a serious security vulnerability; your code should never be put into production until you fix that.

elixenide
  • It's amazing how we have to include the disclaimer! of don't use `mysql_*` even today... – vee Apr 24 '16 at 02:07
  • @vee Yeah, that library just won't die. – elixenide Apr 24 '16 at 02:07
  • He misspelled issue also. Might wanna update your answer. – DaiBu Apr 24 '16 at 02:10
  • @vee The sad part is that 99% of people who read the warnings of not using `mysqli_` functions and being vulnerable to sql injection will simply ignore it. It scares me that some of these people may go on to design systems that are put into production. – Luke Joshua Park Apr 24 '16 at 02:16
  • @LukePark, in addition my preference is PDO. I'm not yet certain to call it for sure but perhaps the point system in StackOverflow is what's encouraging people to ask question right away instead of reading any deprecation warning for that matter. – vee Apr 24 '16 at 02:21
  • `mysql_query` is gone in PHP 7 so it's only a matter of time before code like this doesn't do anything at all. – tadman Apr 24 '16 at 02:49
  • Missed the trailing comma – Funk Forty Niner Apr 24 '16 at 03:04
  • @Fred-ii- fixed, thanks. I caught yet another error when I went and looked at it again. This code is... not good. – elixenide Apr 24 '16 at 03:25
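The answer recommends PDO and warns that the question's string-built queries are open to SQL injection. As an added example (not code from the asker or the answerer), here is the same SELECT and UPDATE rewritten with PDO prepared statements; the SQLite in-memory DSN, the constructed schema row, and the `fetchComic`/`updateComic` function names are assumptions made so the script runs offline without a MySQL server.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in-memory DSN so this runs offline. Against MySQL use e.g.
//   new PDO('mysql:host=localhost;dbname=comics;charset=utf8mb4', 'root', '', $opts);
$opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]; // throw instead of failing silently
$db = new PDO('sqlite::memory:', null, null, $opts);

// Constructed schema and row mirroring the columns the question's query uses.
$db->exec('CREATE TABLE comics (ID INTEGER PRIMARY KEY, Email TEXT, Title TEXT,
    Issue TEXT, Edition TEXT, Publisher TEXT, Quality TEXT, Cost TEXT)');
$db->exec("INSERT INTO comics VALUES (7, 'a@example.com', 'Old', '1', '1st', 'P', 'G', '1.00')");

// Replaces: "SELECT * FROM comics where ID = '$_GET[id]'"
function fetchComic(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM comics WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Replaces the hand-built UPDATE string: every value travels as a bound parameter,
// so quotes or SQL fragments in the input cannot change the statement's structure.
function updateComic(PDO $db, int $id, array $in): int
{
    $stmt = $db->prepare(
        'UPDATE comics SET Email = :email, Title = :title, Issue = :issue,
         Edition = :edition, Publisher = :publisher, Quality = :condition,
         Cost = :price WHERE ID = :id'
    );
    $stmt->execute([
        ':email' => $in['email'], ':title' => $in['title'], ':issue' => $in['issue'],
        ':edition' => $in['edition'], ':publisher' => $in['publisher'],
        ':condition' => $in['condition'], ':price' => $in['price'], ':id' => $id,
    ]);
    return $stmt->rowCount(); // 1 when the row existed and was updated
}

// Constructed input standing in for $_GET; the quote in the title is inert here.
$input = ['email' => 'b@example.com', 'title' => "Bob's Comics", 'issue' => '2',
          'edition' => '2nd', 'publisher' => 'Acme', 'condition' => 'VF', 'price' => '3.50'];
$id = filter_var('7', FILTER_VALIDATE_INT); // instead of intval(): false on non-numeric input
if ($id === false) {
    exit('invalid id');
}
echo updateComic($db, $id, $input), " row(s) updated\n";
print_r(fetchComic($db, $id));
```

With `ERRMODE_EXCEPTION` a failed query surfaces as a `PDOException` instead of the silent `false` that `mysql_query` returned, which is the failure the question describes.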