Hi all, I have a small script that should process the data from a previous page and enter it into the database and then redirect the user. It is redirecting the user but not updating the information in the database. Any thoughts or ideas would be appreciated as always!
Not only is your query prone to SQL injection, you’re not even quoting your associative keys, forcing PHP to assume that undefined constant is actually a string… (to translate, it’s not $_POST[prodname], it’s $_POST['prodname']).
‘Location’ header expects a FULL URL, not a path; it’s terrible to redirect users like that, some browsers might not understand it.
And what Guido said, echo the query with variables and run it within some MySQL GUI so you can see the result.
Hey guys/gals, apologies, I did not realize I had any replies to this post. I’m using $_GET as I’m dragging up data from the database with the option to update that data. It’s part of a Point of Sale Intranet I’m working on. With regards to reformatting the query string, I will get on that straight away. Appreciate the help and advice on here, cheers all.
Incidentally, if I use double quotes on my query string such as mysql_query("UPDATE users SET names='".$_POST['name']."'"); would I not need to use mysql_real_escape_string?
No. $_REQUEST is evil, for the simple reason that you just don’t know where any of its values are coming from, which makes it very error-prone. It’s slightly less evil than register_globals but it comes pretty close.
Not sure I fully agree that “$_REQUEST is evil”. I would classify it as convenient more than evil. As long as all external data is fully scrubbed, I don’t think it matters. I’d say register_globals is certainly evil as it actually creates variables in global scope. Obviously a personal preference issue.
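As an added illustration of the two points raised above (the concatenated query with unquoted keys, and the question of whether double quotes make escaping unnecessary), here is example code that is not from any poster in this thread. It assumes a hypothetical `users` table with `id` and `name` columns and a caller-supplied PDO connection; the form input is constructed.

```php
<?php
// Added example, not from the thread. Assumes a table `users` (id, name) and a
// PDO connection $pdo supplied by the caller (hypothetical).

// Constructed sample input, shaped like $_POST after a form submit.
$post = ['id' => '7', 'name' => "O'Brien"];

// 1. The pattern from the thread: concatenating $_POST into the SQL text.
//    Whether the PHP string uses single or double quotes changes nothing:
//    an apostrophe in the value still terminates the SQL literal early, so
//    the statement fails (no row updated) or, with other input, runs with a
//    meaning the developer never intended.
function buildUnsafeUpdate(array $post): string
{
    return "UPDATE users SET name='" . $post['name'] . "' WHERE id=" . $post['id'];
}
// Produces: UPDATE users SET name='O'Brien' WHERE id=7   (unbalanced quote)

// 2. mysql_real_escape_string() only protects values inside a quoted literal;
//    the unquoted id above stays exposed, and the mysql_* extension is gone
//    in PHP 7, so the durable fix is a prepared statement.

// 3. Prepared statement: values are bound, never spliced into the SQL text.
function updateUserName(PDO $pdo, array $post): int
{
    // Reject a malformed id before it gets anywhere near the query.
    if (!ctype_digit((string) ($post['id'] ?? ''))) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', (string) ($post['name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $post['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 0 means nothing changed, the OP's symptom
}

// 4. Redirect with a full URL, as advised above, and stop executing.
function redirectTo(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

// Usage (DSN and URL are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=pos', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (updateUserName($pdo, $_POST) === 0) { error_log('no row updated'); }
// redirectTo('https://example.com/products.php');
```

Enabling `PDO::ERRMODE_EXCEPTION` is what turns a silently failing update into a visible error, which is the first thing to check when a script redirects but never writes.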