
Can anybody help with this?


2 replies to this topic

#1
iamchristill

    Newbie

  • Members
  • 13 posts
Hi,

Can anybody see what I'm doing wrong here? I'm trying to update a record in a MySQL db and it works fine until I add the variable $soldtrader. Here is the code.

<?php

// Connect to the database; stop with the MySQL error if that fails.
$con = mysql_connect("localhost","root","root");

if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("mssystems1", $con);

// Values posted from the form. Note: they are interpolated straight into the
// query below, unquoted and unescaped.
$id = $_POST['id'];
$name = $_POST['name'];
$score = $_POST['score'];
$pricesold = $_POST['pricesold'];
$soldtrader = $_POST['traderid'];

// Bug in the posted query: there was no comma between soldfor= and
// tradersoldto=, which is a SQL syntax error. The "or die" makes MySQL's
// error message visible instead of failing silently.
mysql_query("UPDATE vehiclerequests SET collected='0', sold='1', soldfor= $pricesold, tradersoldto= $soldtrader WHERE id = $id ")
  or die('Query failed: ' . mysql_error());

mysql_close($con);

?>


Thanks

Chris

#2
Orjan

    Writes binary right handed and hex left handed

  • Moderators
  • 3,299 posts
  • Location: Karlstad, Sweden
  • Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning: Java, C#
I'd advise you to put ' around all data in the query.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#3
SoN9ne

    Programmer

  • Members
  • 129 posts

Orjan said:

I'd advise you to put ' around all data in the query.

Aside from obvious injection issues, this should resolve your issue.
Use mysql_real_escape_string to prepare your data for insertion. I would also recommend you filter the data before you escape it. Also, you should put some fail-safes in the code as well. What happens if there is no id or if all of the values are empty? Remember, you cannot trust your user's input.
"Life would be so much easier if we only had the source code."
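As an added example (not code from the thread or either reply), here is the same UPDATE written the way the two replies above describe: every input filtered before it is used, fail-safes for a missing id or empty values, and the user data kept out of the SQL text entirely. It uses a mysqli prepared statement rather than quoting plus mysql_real_escape_string, because the ext/mysql functions in the original post were removed in PHP 7 and binding the values does the quoting for you. The table, column and form-field names come from the thread; the dbuser/dbpassword credentials and the HTTP status codes are assumptions.

```php
<?php
// Added example, not the original poster's code. Table, column and field names
// are taken from the thread; the credentials and status-code handling are assumed.
declare(strict_types=1);

// Fail-safe 1: only act on a POST request.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}

// Filter before use. filter_input returns null when the field is absent and
// false when it is present but not a valid value of the requested type.
$id         = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$soldtrader = filter_input(INPUT_POST, 'traderid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$pricesold  = filter_input(INPUT_POST, 'pricesold', FILTER_VALIDATE_FLOAT);

// Fail-safe 2: refuse the update if any required value is missing or invalid.
// An empty traderid is exactly what turns the original query into
// "tradersoldto= WHERE id = ...", which MySQL rejects.
if (!is_int($id) || !is_int($soldtrader) || !is_float($pricesold) || $pricesold < 0) {
    http_response_code(400);
    exit('id, traderid and pricesold are required and must be valid numbers');
}

// Connect with exceptions enabled so a failed connect or query cannot be ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'dbuser', 'dbpassword', 'mssystems1'); // placeholder credentials

// The SQL text is constant; the values are bound separately, so the driver
// handles quoting and nothing a user types can change the statement. Note the
// comma between soldfor and tradersoldto that the original query was missing.
$stmt = $con->prepare(
    'UPDATE vehiclerequests SET collected = 0, sold = 1, soldfor = ?, tradersoldto = ? WHERE id = ?'
);
$stmt->bind_param('dii', $pricesold, $soldtrader, $id); // d = double, i = integer
$stmt->execute();

// Fail-safe 3: say so when no row was changed instead of reporting success.
if ($stmt->affected_rows === 0) {
    http_response_code(404);
    exit('No vehiclerequests row with id ' . $id . ' was updated');
}

$stmt->close();
$con->close();
echo 'Vehicle request ' . $id . ' marked as sold';
```

Two caveats when adapting this: mysqli's affected_rows counts rows whose values actually changed, so resubmitting the same form reports 0 and hits the 404 branch (connect with the MYSQLI_CLIENT_FOUND_ROWS flag if you want "matched" semantics instead), and if soldfor is a DECIMAL column you may prefer to validate the price as a string and bind it with 's' to avoid float rounding.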
