I have a problem.
I finished my project, but there is a problem in it, like:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'blink = 'asd' WHERE bid='1'' at line 6
It happens in the file for editing my book content:
<?php
include("../includes/config.php");
$cuser = mysql_query("SELECT * FROM books");
$id = intval($_GET['id']);
$bname = strip_tags($_POST['bname']);
$bpic = strip_tags($_POST['bpic']);
$bdesc = strip_tags($_POST['bdesc']);
$bauthor = strip_tags($_POST['bauthor']);
$blink = strip_tags($_POST['blink']);
if(isset($_GET['edit'])){
$cuuser = mysql_fetch_object($cuser);
echo "<form action='editbook.php?edit=yes&id=".$cuuser->bid."' method='POST'>
<table>
<tr>
<td>bname : </td>
<td><input name='bname' type='text' value='".$cuuser->bname."' /></td>
</tr>
<tr>
<td>bpic : </td>
<td><input name='bpic' type='text' value='".$cuuser->bpic."' /></td>
</tr>
<tr>
<td>bdesc : </td>
<td><input name='bdesc' type='text' value='".$cuuser->bdesc."' /></td>
</tr>
<tr>
<td>blink : </td>
<td><input name='blink' type='text' value='".$cuuser->blink."' /></td>
</tr>
<tr>
<td>bauthor : </td>
<td><input name='bauthor' type='text' value='".$cuuser->bauthor."' /></td>
</tr>
<tr>
<td><input name='do' type='submit' value='GO' /></td>
</tr>
</table>
</form>";
}
if($_REQUEST['edit'] == 'yes'){
$uuser = mysql_query("UPDATE books SET
bname = '$bname',
bpic = '$bpic',
bdesc = '$bdesc',
bauthor = '$bauthor'
blink = '$blink'
WHERE bid='$id' ") or die(mysql_error()) ;
if(isset($uuser)){
echo "done";
}
}
?>
When I delete (blink = '$blink') from the query, it will save and edit, but I need it in my project. Note: I changed blink a lot of times and tried other names (same problem).
And if there is another way to edit MySQL content via PHP, I will be so happy :) Anything that lets my project work correctly.
Thanks :)
First, you omitted a comma in your update statement after the bauthor and blink line.
Second, I see you did not do any processing of the input data. It's very vulnerable to SQL injection. Also, if someone types a quote mark ' inside the input data, your save query will fail, too. So you should make a fix for this purpose, too. Simply applying the mysql_real_escape_string function to each input will save you from save failures for string data containing a comma.
So try the following code for a fast fix:
For a better security option, you can try PDO with prepared statements.
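The PDO prepared-statement approach mentioned in the answer, as an added example that is not part of the original answer or the asker's project. The table and column names come from the question; the `updateBook` helper, the in-memory SQLite DSN (used so the script runs offline) and the sample row are assumptions.

```php
<?php
// Added example: the question's UPDATE rewritten with PDO bound parameters.
// updateBook() is a hypothetical helper, not code from the original page.

function updateBook(PDO $pdo, int $id, array $input): int
{
    // Fixed whitelist of editable columns; identifiers never come from user input.
    $columns = ['bname', 'bpic', 'bdesc', 'bauthor', 'blink'];

    $assignments = [];
    $params = [':bid' => $id];
    foreach ($columns as $col) {
        $assignments[] = "$col = :$col";
        $params[":$col"] = (string)($input[$col] ?? '');
    }

    // implode() places the commas, so a separator between columns cannot be missed.
    $sql = 'UPDATE books SET ' . implode(', ', $assignments) . ' WHERE bid = :bid';

    // Values travel separately from the SQL text, so quotes in them are plain data.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Stand-in database so the example runs offline. For MySQL the DSN would look
// like 'mysql:host=HOST;dbname=DBNAME;charset=utf8mb4' (placeholders).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (bid INTEGER PRIMARY KEY, bname TEXT, bpic TEXT,
            bdesc TEXT, bauthor TEXT, blink TEXT)');
$pdo->exec("INSERT INTO books (bid, bname) VALUES (1, 'old title')");

// Constructed form input; the apostrophes would break a string-built query.
$post = [
    'bname'   => "Author's Guide",
    'bpic'    => 'cover.png',
    'bdesc'   => 'A short description',
    'bauthor' => "O'Neil",
    'blink'   => 'asd',
];

$changed = updateBook($pdo, 1, $post);
$row = $pdo->query('SELECT bname, bauthor, blink FROM books WHERE bid = 1')
           ->fetch(PDO::FETCH_ASSOC);

echo "rows changed: $changed\n";
print_r($row);
```

In the edit page from the question, the call would be `updateBook($pdo, intval($_GET['id']), $_POST)` in place of the `mysql_query("UPDATE ...")` block.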