
Update query to a MYSQL database is the death of me

Posted: Mon Sep 29, 2008 9:50 am
by cardoso
Hi all,

I'm new to this forum... *wave*

I have had a problem for the past month that has caused some of my hair to grow white faster. At first I had this big complicated page that did fancy stuff.... but at the heart of it was a simple update query that should update a mysql db record. I have now stripped everything down to only the form and the query and I'm still getting the error.

It seems as though if the word "from" or "select" is used in the textarea (my content), my query breaks down and It doesn't write to the db. If I remove those words from the text... it writes to the db.

I've checked the error log and it doesn't help much.

Here's the query:

// form values taken straight from the request
$content = $_POST['content'];
$id = $_POST['id'];
//update database (both values are interpolated directly into the SQL string)
$query = "UPDATE articles SET content = '$content' WHERE id = '$id'";

I've also tried adding mysql_real_escape_string around content like this....
$content = mysql_real_escape_string($_POST['content']);

and the thing is... there isn't one single or double quote in the entire content text causing this issue.

Can anybody help? My client is getting ready to run :-(

Thanks in advance

Nelson

Re: Update query to a MYSQL database is the death of me

Posted: Mon Sep 29, 2008 10:01 am
by The_Anomaly
At the moment I don't have the time to really look at this, but you really should be escaping your data whether you feel like it'll fix your problem or not. You spoke of escaping the $_POST['content'], but not the $_POST['id']. Not doing so is simply begging for someone to crack you.
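To put both posts side by side in working code, here is an added example (not code from either poster): the string-built UPDATE from the first post next to a prepared-statement version that binds the article text and the id as parameters, so neither value ever becomes part of the SQL and the question of escaping one or both of them goes away. It assumes a mysqli connection, an articles table with an integer id and a text content column as in the original query, and connection credentials that are placeholders; the sample content is constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes an `articles` table with an
// integer `id` and a text `content`, as in the original UPDATE query.

/**
 * The original query built by string interpolation, kept only for comparison.
 * The text and the id become part of the SQL itself, so a quote in either one
 * changes the statement's structure; escaping $content alone (as the first
 * post tried) still leaves $id unescaped, which the reply points out.
 */
function buildInterpolatedUpdate(string $content, string $id): string
{
    return "UPDATE articles SET content = '$content' WHERE id = '$id'";
}

/**
 * Updates one article with a prepared statement. The text and the id travel
 * as bound parameters, never as SQL, so words such as "select" or "from" and
 * any quotes in the content are stored literally.
 * Returns the number of rows changed, or null on a prepare/execute error.
 */
function updateArticle(mysqli $db, int $id, string $content): ?int
{
    $stmt = $db->prepare('UPDATE articles SET content = ? WHERE id = ?');
    if ($stmt === false) {
        return null;
    }
    // 's' = string for content, 'i' = integer for id; bound by reference.
    $stmt->bind_param('si', $content, $id);
    if (!$stmt->execute()) {
        $stmt->close();
        return null;
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Constructed sample input, not data from the thread: it contains the words
// "select" and "from" and a single quote, the cases a form textarea can send.
$sampleContent = "Select the items you want from the list, then press 'Save'.";
$sampleId      = '7';

// The interpolated form: the quote around Save closes the string literal early.
echo buildInterpolatedUpdate($sampleContent, $sampleId), PHP_EOL;

// Validate the id as an integer before it reaches the database at all.
$id = filter_var($sampleId, FILTER_VALIDATE_INT);
if ($id === false) {
    exit('invalid article id');
}

// Placeholder credentials; replace with the real ones.
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($db->connect_error) {
    exit('connect failed: ' . $db->connect_error);
}

$rows = updateArticle($db, $id, $sampleContent);
echo $rows === null ? 'update failed: ' . $db->error : "rows updated: $rows", PHP_EOL;
```

With the prepared statement, checking $stmt->execute() and $db->error after a failed update gives the MySQL error text directly, which is more useful than the web server's error log when a particular piece of content refuses to save.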