DiigIT | IT Community
No Profile Image
Welcome Guest
New User? Register | Login
Post your Article

Updating mysql db through a simple form

By: | 18 Feb 2009 4:25 pm

Hi,

The code below takes variables vrb1 through vrb5 from a form and it is supposed to update a database. It is displaying the results coming from the form on the screen (so the form works correctly) but this code can not update the database,
displaying "I could not update the database" as below - and when I check it is
really not updated. Can anybody tell me why it can not update the database? The
columns written here also match with database columns.

<?php
//Connect To Database
$hostname=`..............`;
$username=`.............`;
$password=`........`;
$dbname=`.............`;
$usertable=`table1`;

mysql_connect($hostname,$username, $password) OR DIE (`Unable to connect to
database! Please try again later.`);
mysql_select_db($dbname);
$vrb1=$_POST[`vrb1`];
$vrb2=$_POST[`vrb2`];
$vrb3=$_POST[`vrb3`];
$vrb4=$_POST[`vrb4`];
$vrb5=$_POST[`vrb5`];
echo "updated database as follows: " ;

echo $vrb1 .$vrb2. $vrb3. $vrb4. $vrb5;
$query="INSERT INTO table1 (iid, title1, par1, par2, par3) VALUES
($vrb1,$vrb2,$vrb3,$vrb4,$vrb5)";
mysql_query($query) or die (` I could not update the database`);
?>

Comments

You haven`t told us anything about your table structure so we have to make a guess to attempt to help you. You can get the MySQL error by adding something like this to the die() part of the statement:

or die(`I could not update the database<hr>` . mysql_error() . `<hr>` .
$query);

The mysql_error() function will display the last error message supplied by the MySQL server.

My prediction is that your column is not named "iid" but rather "id". I also wonder about the "1" after "title". Again, these are issues we could more directly resolve with info about the table structure (ie the output of a "DESC
table1;" query.

I also don`t see quotes around your values and this is another problem which
would cause your query to fail.

$query="INSERT INTO table1 (iid, title1, par1, par2, par3) VALUES
(`$vrb1`,`$vrb2`,`$vrb3`,`$vrb4`,`$vrb5`)";

I find it easy to make an error with the INSERT syntax you have. I would
normally use:

$query="INSERT INTO table1 SET iid=`$vrb1`, title1=`$vrb2`, par1=`$vrb3`,
par2=`$vrb4`, par3=`$vrb5`";

This way you have the field/column names next to their corresponding values.

I know you are just beginning but you will want to look at validating the data received from the form to make sure that it is the kind of information you are expecting. This form would be vulnerable to SQL Injection which could cause some nasty surprises down the road.

By: | 18 Feb 2009

Hi.

The whole depends on what kind of date are you inserting in the database, but I assume title is a string. Strings, and basically every other kind of data except integers, have to be in single or double quotes when you give it in the sql syntax. So basicly the line should look like this:

query="INSERT INTO table1 (iid, title1, par1, par2, par3) VALUES
($vrb1,`$vrb2`,`$vrb3`,`$vrb4`,`$vrb5`)";

Or by escaping the double quotes:

query="INSERT INTO table1 (iid, title1, par1, par2, par3) VALUES ($vrb1,
"$vrb2","$vrb3","$vrb4","$vrb5")";

regards

By: | 18 Feb 2009

Leave a comment

Enter the text in the image
img
Can't read?
Type the characters you see in the picture below.
Close Move