
Posted: Mon Jan 01, 2007 2:49 pm
by volka
ole wrote: You realize you are setting city field to the literal string '{$_POST['Philadelphia']}'.
It's not using the value in $_POST.

No, {$_POST['Philadelphia']} gets substituted

Code:

$_POST = array('Philadelphia'=>'xyz');
echo "UPDATE table  SET city ='{$_POST['Philadelphia']}' WHERE id='1'";

prints

UPDATE table SET city ='xyz' WHERE id='1'

But there might be another issue: SQL injections

Posted: Mon Jan 01, 2007 3:45 pm
by Ollie Saunders
The dollar is escaped:

Code:

$pairs[] = "$name ='{\$_POST['" . mysql_real_escape_string($value) . "']}'";

Posted: Mon Jan 01, 2007 4:04 pm
by volka
Ah ok, I thought you responded to

psurrena wrote: The code right now ends up being this:

Code:

"UPDATE table  SET city ='{$_POST['Philadelphia']}' WHERE id='1'"
which seems right to me.
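
Added example, not part of any post in this thread: the escaped versus unescaped `$` discussed above, followed by one way to build the UPDATE with bound parameters and an allow-list of column names. It uses PDO with an in-memory SQLite database instead of the thread's mysql_* functions; the table `people`, the `is_admin` column, the helper `buildUpdate()` and the sample `$_POST` values are assumptions made for the illustration.

```php
<?php
// Added example. Table "people", column "is_admin" and buildUpdate() are hypothetical.

// Constructed sample input: one value containing a quote, one field the form never offered.
$_POST = ['city' => "O'Fallon", 'is_admin' => '1'];

// 1. "{\$" keeps the text literal; "{$" interpolates the raw request value into the SQL.
$literal      = "city ='{\$_POST['city']}'";
$interpolated = "city ='{$_POST['city']}'";

// 2. Column names come from the allow-list, never from the request keys.
//    Values travel as bound parameters, so quotes in them cannot change the statement.
function buildUpdate(array $input, array $allowed): array
{
    $sets = [];
    $params = [];
    foreach ($allowed as $column) {
        if (array_key_exists($column, $input)) {
            $sets[] = "$column = :$column";
            $params[":$column"] = $input[$column];
        }
    }
    if (!$sets) {
        throw new InvalidArgumentException('no updatable fields submitted');
    }
    return ['UPDATE people SET ' . implode(', ', $sets) . ' WHERE id = :id', $params];
}

// Requires the pdo_sqlite extension; the database exists only for this run.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, city TEXT, is_admin INTEGER DEFAULT 0)");
$pdo->exec("INSERT INTO people (id, city) VALUES (1, 'Philadelphia')");

[$sql, $params] = buildUpdate($_POST, ['city']);   // is_admin is not on the allow-list
$params[':id'] = 1;
$pdo->prepare($sql)->execute($params);

// Show both string forms, the generated statement, and the row as stored.
echo $literal, "\n", $interpolated, "\n", $sql, "\n";
print_r($pdo->query('SELECT * FROM people WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```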