You need to run mysql_real_escape_string() on all of your input variables before using them:

function editproduct($item_id, $item_name, $item_desc, $item_price, $item_pix, $item_man_id, $item_cat_id)
{
    // mysql_real_escape_string() needs an open connection, so connect first
    connect();
    $item_id     = mysql_real_escape_string($item_id);
    $item_name   = mysql_real_escape_string($item_name);
    $item_desc   = mysql_real_escape_string($item_desc);
    $item_price  = mysql_real_escape_string($item_price);
    $item_pix    = !empty($item_pix) ? mysql_real_escape_string($item_pix) : null;
    $item_man_id = mysql_real_escape_string($item_man_id);
    $item_cat_id = mysql_real_escape_string($item_cat_id);

    // interpolated variables need the $ inside the braces: {$item_name}, not {item_name}
    // item_id is interpolated unquoted, so escaping alone does not cover it; that is
    // where the validity check mentioned below matters
    $sql = "UPDATE items SET item_name='{$item_name}', item_desc='{$item_desc}', item_price='{$item_price}', "
         . (!empty($item_pix) ? "item_pix='{$item_pix}', " : "")
         . "item_man_id='{$item_man_id}', item_cat_id='{$item_cat_id}' WHERE item_id={$item_id}";
    mysql_query($sql) or die('Insert failed: ' . mysql_error());
}

It looks like you're getting the values for the parameters from a form - you should have some sort of validity check on it after fetching the values.
Evert

On Mon, Sep 8, 2008 at 5:11 PM, Chris Hale <php@xxxxxxxxxxxxxxx> wrote:
> Niel Archer wrote:
>>
>> Hi
>>
>>> I have the following function:
>>>
>>> function
>>> add_item($item_name,$item_desc,$item_price,$item_man_id,$item_cat_id,$item_pix)
>>> {
>>>     connect();
>>>     if($item_pix == "")
>>>     {
>>>         $sql = "INSERT INTO items
>>>                 (item_name,item_desc,item_price,item_man_id,item_cat_id) VALUES
>>>                 ('$item_name','$item_desc','$item_price','$item_man_id','$item_cat_id')";
>>>     }
>>>     else {
>>>         $sql = "INSERT INTO items
>>>                 (item_name,item_desc,item_price,item_pix,item_man_id,item_cat_id) VALUES
>>>                 ('$item_name','$item_desc','$item_price','$item_pix','$item_man_id','$item_cat_id')";
>>>     }
>>>     mysql_query($sql);
>>>     return;
>>> }
>>>
>>> I am using the if statement because I want it so that if no picture is
>>> uploaded the entry is blank and the mysql database has a default entry of
>>> na.gif which is a "picture coming soon" picture.
>>>
>>> It works fine when I run it locally on MAMP, but if I run it on my web
>>> server it doesn't add the row.
>>
>> You should be checking the mysql_query call for success and output the
>> error if it fails. Something like:
>>
>> mysql_query($sql) or die('Insert failed: ' . mysql_error());
>>
>> You'll know why it's failing then. Make sure you have error reporting
>> enabled.
>>
>>> Is this a compatibility error? Or is there a better way to write this?
>>
>> --
>> Niel Archer
>
> Oh no I haven't =[ I thought I had but no I now get this error:
>
> Insert failed: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near
> 'Tactel', which is soft, breathable and quick drying and easy to care for.
> ' at line 1
>
> Which makes no sense.
>
> This is the function:
>
> function editproduct($item_id, $item_name, $item_desc, $item_price,
>                      $item_pix, $item_man_id, $item_cat_id)
> {
>     connect();
>     if($item_pix == "")
>     {
>         $sql = "UPDATE items SET item_name='$item_name',
>                 item_desc='$item_desc', item_price='$item_price',
>                 item_man_id='$item_man_id', item_cat_id='$item_cat_id' WHERE
>                 item_id=$item_id";
>     }
>     else
>     {
>         $sql = "UPDATE items SET item_name='$item_name',
>                 item_desc='$item_desc', item_price='$item_price', item_pix='$item_pix',
>                 item_man_id='$item_man_id', item_cat_id='$item_cat_id' WHERE
>                 item_id=$item_id";
>     }
>     mysql_query($sql) or die('Insert failed: ' . mysql_error());
>     return;
> }
>
> and this is the process:
>
> $item_id = $_POST['item_id'];
> $item_name = $_POST['fname'];
> $item_desc = $_POST["fdesc"];
> $item_price = $_POST['fprice'];
> $item_man_id = $_POST['fman'];
> $item_cat_id = $_POST['fcat'];
> $item_pix = $_FILES['pix']['name'];
> $dest = 'images/items/'.$_FILES['pix']['name'];
> $temp_file = $_FILES['pix']['tmp_name'];
> move_uploaded_file($temp_file,$dest);
> editproduct($item_id, $item_name, $item_desc, $item_price, $item_pix,
>             $item_man_id, $item_cat_id);
> $message = 'Product Updated';
> header("Location:admin.php?message=$message");
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
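An added example, not code from anyone in this thread: the same editproduct() with the validity check Evert suggests and a mysqli prepared statement, which is how a current PHP release handles this (the mysql_* functions were removed in PHP 7). It assumes the caller passes an open mysqli connection and that the form fields fname/fdesc/fprice/fman/fcat have already been mapped onto the item_* keys used here; the table and column names are the thread's.

```php
<?php
// Added example, not the list thread's code; assumes an open mysqli connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions
function validate_product(array $in): array
{
    // Ids must be digit strings, so only a number can reach "WHERE item_id=?".
    foreach (['item_id', 'item_man_id', 'item_cat_id'] as $k) {
        if (!is_string($in[$k] ?? null) || !ctype_digit($in[$k])) {
            throw new InvalidArgumentException("$k must be an unsigned integer");
        }
    }
    // Price: up to 8 integer digits and at most two decimals.
    $price = $in['item_price'] ?? null;
    if (!is_string($price) || !preg_match('/^\d{1,8}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('item_price must be a decimal amount');
    }
    $name = trim((string) ($in['item_name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('item_name must be 1-100 characters');
    }
    // Upload name: basename() only, so "../" in a file name cannot leave images/items/.
    $pix = isset($in['item_pix']) && $in['item_pix'] !== '' ? basename($in['item_pix']) : null;
    return [
        'item_id' => (int) $in['item_id'], 'item_name' => $name,
        'item_desc' => (string) ($in['item_desc'] ?? ''), 'item_price' => $price,
        'item_pix' => $pix, 'item_man_id' => (int) $in['item_man_id'],
        'item_cat_id' => (int) $in['item_cat_id'],
    ];
}
// Same column logic as the thread: item_pix is only updated when a file was uploaded.
function editproduct(mysqli $db, array $p): int
{
    $sql   = 'UPDATE items SET item_name=?, item_desc=?, item_price=?';
    $types = 'sss';
    $args  = [$p['item_name'], $p['item_desc'], $p['item_price']];
    if ($p['item_pix'] !== null) {
        $sql   .= ', item_pix=?';
        $types .= 's';
        $args[] = $p['item_pix'];
    }
    $sql   .= ', item_man_id=?, item_cat_id=? WHERE item_id=?';
    $types .= 'iii';
    array_push($args, $p['item_man_id'], $p['item_cat_id'], $p['item_id']);
    // The SQL text never contains form data, so the apostrophe in "Tactel', which is
    // soft..." is bound as part of the description rather than parsed as SQL.
    $stmt = $db->prepare($sql);
    $stmt->bind_param($types, ...$args);
    $stmt->execute();
    return $stmt->affected_rows;
}
```

Because validate_product() throws on bad input, the redirect to admin.php?message=Product Updated should only run after editproduct() returns without an exception.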