Can't get mysql query to work with double or single qoute

Question

I am scratching my head to make this lines of code to work, but no success...Would be nice if someone can point out what is the best practice to write such queries?

if(isset($_POST) && $_POST["id"] > 0)
{
    include('../../config.php');            

    $id = $_POST["id"];
    $title = mysql_real_escape_string($_POST["title"]);
    $desc = mysql_real_escape_string($_POST["desc"]);        

    $cat = $_POST["catid"];

    $_DB->Execute("UPDATE gallery_imgs SET title = `$title`, description = `$desc` WHERE id = $id");

    header("location: admin.php?mode=images&id=$cat");
}
else
{
     //Other stuff!
}

This is the error I get:

Error number: 1054
Error       : Unknown column 'The SIEK!' in 'field list'

Answer 1

Those aren't single quotes you are using there. the tick mark ` is for column names.

Answer 2

MySQL uses single quotes wrapping strings. Like this: '.

$_DB->Execute("UPDATE gallery_imgs SET title = '$title', description = '$desc' WHERE id = $id");

You should also look at validating the $id. (Using is_numeric() or casting to int).

Tip: For a more robust and secure MySQL solution you should look at PHP PDO.

Answer 3

First, you have called mysql_real_escape_string() on the string values, but you must also validate the contents of $_POST['id'].

// invalid string values will convert to integer 0
// If that is not allowable, you should not proceed with the query.
$id = intval($_POST['id']);

Input strings must be enclosed in single quotes, not backquotes (which are used for column and table identifiers);

$_DB->Execute("UPDATE gallery_imgs SET title = '$title', description = '$desc' WHERE id = $id");

As an aside, you should validate the contents of $_POST['catid'] before using it in a redirection header. For example, if it is supposed to be numeric:

// At least cast it to an int if it is an invalid string....
$catid = intval($_POST['catid']);