Update Mysql Record, Please Help.

I want to update mysql records with basic form by using OOP PHP.

Im doing in following way but i want to do by a function, so that i dont. please anybody help me, how can that.

Thanks everybody.

<?if($_POST[submit]){		$title = $_POST['title'];		$body = $_POST['body'];			$result = mysql_query("UPDATE blog SET title='$title', body='$body' WHERE id='$postid' ") or die (mysql_error());		echo "<b>Thank you! News UPDATED Successfully!<br>";		  			}						?><?$result = mysql_query("SELECT * FROM blog WHERE id='$postid' ") or die (mysql_error());			while($myrow = mysql_fetch_assoc($result))			{				$title = $myrow["title"];				$body = $myrow["body"];				?><br><h3>::Edit News</h3><form method="post">Title: <input name="title" size="40" maxlength="255" value="<? echo $title; ?>"><br>Text1: <textarea name="body"  rows="7" cols="30"><? echo $body; ?></textarea><br><input type="submit" name="submit" value="Submit"></form>

whats if($_POST[submit]) ? submit is not even declared in your code.

($_POST[submit])==TRUE or FALSE?I suggest you add some trace code when the result is false.try it and check it.good luck

<input type="submit" name="submit" value="Submit">

This is known as the "redux" method to allow a form and its handling to be performed all on one page. The $_POST['submit'] is obtained only if the form has been submitted by pressing the Submit button on the form. The "hidden" input is added to the POST array and checked at the top of the page to see if the first section of code needs to be handles, otherwise, the form is presented for submission.
And if the form has been submitted, after handling the submission, the form is re-displayed.

As for handling this by way of a function, the use of a function may not be the best way to handle this event. Functions are best suited for reusable code. I don't see much advantage to using a function here. But I might be wrong.

Place single quotes around the value inside the square brackets, too.

Place single quotes around the value inside the square brackets, too.

Single quotes or double quotes. It shouldn't matter. You just want to let PHP know that the array indices that you are attempting to retrieve are in string format.

You might want to add Anti-MYSQL injection in there, that is only if this web page is viewable by the public or just you, If it's just you then you don't have to do that.

I whipped this up for you.

<?$query = anti_injection($query);function anti_injection($sql) {   // removes words that contain sql syntax   $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql);   $sql = trim($sql); // strip whitespace   $sql = strip_tags($sql); // strip HTML and PHP tags   $sql = addslashes($sql); // quote string with slashes   return $sql;}if($_POST[submit]){		$title = anti_injection($_POST['title']);		$body =  anti_injection($_POST['body']);			$result = mysql_query("UPDATE blog SET title='$title', body='$body' WHERE id='$postid' ") or die (mysql_error());		echo "<b>Thank you! News UPDATED Successfully!<br>";		  			}						?><?$result = mysql_query("SELECT * FROM blog WHERE id='$postid' ") or die (mysql_error());			while($myrow = mysql_fetch_assoc($result))			{				$title = $myrow["title"];				$body = $myrow["body"];				?><br><h3>::Edit News</h3><form method="post">Title: <input name="title" size="40" maxlength="255" value="<? echo $title; ?>"><br>Text1: <textarea name="body"  rows="7" cols="30"><? echo $body; ?></textarea><br><input type="submit" name="submit" value="Submit"></form>

Edited January 25, 2009 by Antv912 (see edit history)

would if($_POST[submit]){ still work? I would think you need quotes like 'submit' or "submit" no?

You might want to add Anti-MYSQL injection in there, that is only if this web page is viewable by the public or just you, If it's just you then you don't have to do that.
I whipped this up for you.

Using addslashes is usually not the best method - from what I've heard, it is possible to use certain multi-byte character sets which could cause the backslash added to go in the wrong place and not actually escape the quote. Also, removing common words that are SQL commands will affect posts that have those words even if isn't an injection attempt - for example it would be quite difficult to write a post about SQL

The best method is to use mysql_real_escape_string($string). This does not have the vulnerabilities of addslashes.

Using $_POST[submit] shouldn't work, unless for some reason submit is defined by PHP to be the string 'submit', which it isn't. You would need to use $_POST['submit'] (or alternatively with double-quotes, but single-quotes is probably better)

Agreed I've used both ways, this was just something I added for the Ha ha's, I usually use mysql_real_escape_string in all my scripts.

Correct me if I'm wrong but doesn't PHP 5 block SQL injection attacks automatically? As long as you put quotes around it in your query I think php automatically adds slashes to input posted.

Edited January 26, 2009 by galexcd (see edit history)

Correct me if I'm wrong but doesn't PHP 5 block SQL injection attacks automatically? As long as you put quotes around it in your query I think php automatically adds slashes to input posted.

I think you're thinking about magic_quotes_gpc, which is removed from PHP 6 as stated on the linked page. This (as well as addslashes) has the vulnerabilities of SQL injection with certain multi-byte character sets, and example can be found here (this is from three years ago, but I couldn't find anything about it being fixed..). And so, it is always best to use mysql_real_escape_string, and you should stripslashes if magic_quotes_gpc is on (you can check by using get_magic_quotes_gpc()).