Is this SQL update query correct?
I have a form with a field called requestId, which references a friend request from another user. When the user clicks the accept button it runs this script to update the pending status from 'y' to 'n', but I am unsure how to write this PHP update query using the form data. I know what is needed but not the syntax!
<?php
$sql="UPDATE friends SET pending = 'y' WHERE (requestId)
VALUES
('$_POST[requestId]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "friend request accepted";
mysql_close($con)
?>
kb posted this at 16:53 — 3rd August 2007.
He has: 1,380 posts
Joined: Feb 2002
Ok...
This would be appropriate:
<?php
$sql = "UPDATE friends SET pending = 'y' WHERE userid = '$userid'";
?>
...what is all the stuff afterwards? Not only does it not make sense to me, it also seems to be wrong. If you can explain what you are doing from "VALUES" on, then I can help you rewrite it.
JeevesBond posted this at 16:58 — 3rd August 2007.
He has: 3,956 posts
Joined: Jun 2002
Wow, that's some confusing code you've got there!
<?php
$con = mysql_connect($server, $username, $password) or die("Could not connect!");
mysql_select_db("database_name", $con);
// Cast the form value to an integer so only a number can ever reach the query.
$requestId = (int) $_POST['requestId'];
$sql = "UPDATE friends SET pending='y' WHERE requestId=" . $requestId;
if (mysql_query($sql, $con)) {
echo "Friend request accepted!";
}
else {
die("Friend request failed " . mysql_error());
}
mysql_close($con);
?>
If you don't want to get your site cracked, always cast variables before putting them into a SQL query; secondly, if you're putting a string into a query, always run it through mysql_escape_string first. Don't ever trust any input from the user; assume that everyone who uses your site is out to get you. Paranoid? Yes, but it works.
*** EDIT ***
I changed your code to use PHP syntax highlighting, to do this on future posts enclose the code in: [ php ][ /php ]. Just makes it easier to read.
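The cast-and-concatenate approach above keeps the integer case safe, but the general fix is to never splice user input into the SQL text at all. The following is an added example, not code posted in this thread: it performs the same UPDATE through a PDO prepared statement, validates the posted requestId as an integer, and flips pending from 'y' to 'n' as the question describes. It assumes a friendid column (not mentioned in the thread) holding the user the request was sent to, and an $ownerId taken from the logged-in session, so that a user can only accept requests addressed to them. It runs stand-alone against an in-memory SQLite table with constructed rows; the MySQL DSN in the comment is a placeholder.

```php
<?php
// Added example (not from the thread): accepting a friend request with a
// prepared statement so the request id is bound as a parameter rather than
// concatenated into the query string.
declare(strict_types=1);

function connect(): PDO
{
    // In production use something like 'mysql:host=DB_HOST;dbname=DB_NAME'
    // with real credentials (placeholders here); SQLite keeps this runnable.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function seed(PDO $pdo): void
{
    // Constructed sample rows standing in for the thread's `friends` table.
    // The friendid column is an assumption: the user the request was sent to.
    $pdo->exec('CREATE TABLE friends (requestId INTEGER PRIMARY KEY, userid INTEGER, friendid INTEGER, pending TEXT)');
    $pdo->exec("INSERT INTO friends VALUES (1, 10, 20, 'y'), (2, 10, 30, 'y')");
}

/**
 * Accept a friend request and return the number of rows updated (0 or 1).
 * $rawRequestId is whatever arrived in $_POST['requestId']; it is validated as
 * an integer and bound as a parameter. $ownerId must come from the session,
 * not from the form, so the caller cannot accept someone else's request.
 */
function acceptFriendRequest(PDO $pdo, $rawRequestId, int $ownerId): int
{
    $requestId = filter_var($rawRequestId, FILTER_VALIDATE_INT);
    if ($requestId === false) {
        // Anything that is not a plain integer is rejected before any SQL runs.
        throw new InvalidArgumentException('requestId must be an integer');
    }
    $stmt = $pdo->prepare(
        "UPDATE friends SET pending = 'n' WHERE requestId = :id AND friendid = :owner AND pending = 'y'"
    );
    $stmt->bindValue(':id', $requestId, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = connect();
seed($pdo);

// Well-formed request from the user request 1 was sent to: one row changes.
var_dump(acceptFriendRequest($pdo, '1', 20));

// Malformed form input is refused by validation, never reaching the database.
try {
    acceptFriendRequest($pdo, 'not-a-number', 20);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A request addressed to a different user updates nothing for this caller.
var_dump(acceptFriendRequest($pdo, '2', 99));
```

With the MySQL driver you would additionally set PDO::ATTR_EMULATE_PREPARES to false so the parameters are sent to the server separately from the statement text; the SQLite driver always prepares natively. The ownership condition in the WHERE clause is what stops a user from accepting, by guessing ids, a request that was never sent to them, which the cast alone does not prevent.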