Try this:
Code: Select all
$afname = mysql_real_escape_string($_POST['afname']);
$amname = mysql_real_escape_string($_POST['amname']);
$updatesq = "UPDATE Accused SET firstname = '$afname', middlename = '$amname' WHERE briefcasen = '$briefcasen'";
Always,
without exception, sanitize all database inputs that come from the POST and GET arrays. This will protect you from
SQL Injection.
In addition, when placing variables inside double quotes, you do not need to concatenate. See the code below for a working example.
Code: Select all
$myvar1 = 'foo';
$myvar2 = 'bar';
//Using double quotes, we can place variables directly into the string
//without the use of concatenation
echo "The value of my two variables are $myvar1 and $myvar2";
//Alternatively, if we use single quotes, we are required to concatenate
echo 'The value of my two variables are ', $myvar1 ,' and ', $myvar2;
Also take note of my use of commas rather than periods when concatenating the string with single quotes. Commas offer a moderate performance boost over periods in this case.