PHP/MySQL problem

[connor4312]

The following code:

PHP Code:

<?php } else {
            if (isset($_GET['go'])) {
                $name=filter_html($_POST['name']);
                $auth=filter_html($_POST['auth']);
                $desc=filter_html($_POST['elm4']);
                if (isset($_POST['updater']))
                    {
                    mysql_query("DELETE FROM `posts` WHERE `id`='$_GET[updater]'");
                    mysql_query("INSERT INTO `posts` (`id`,`name`,`date`,`author`,`desc`) VALUES ('$_POST[updater]','$name',$_POST[thedate],'$auth','$desc');");
                    }
                else
                    mysql_query("INSERT INTO `posts` (`name`,`date`,`author`,`desc`) VALUES ('$name',NOW(),'$auth','$desc');");
                
            }?>

for a post/editing script does not work. The posting is fine, but editing does not work at all. The following code is used on the editing page to check if we're editing a post, and if so provide necessary information.

PHP Code:

<?php if ($_GET['add']) echo '<input type="hidden" name="updater" value="'.$data['id'].'"><input type="hidden" name="thedate" value="'.$data['date'].'">';?>

The MySQL query does not make any errors, and it is executed, but the edits do not appear.

[bluewalrus]

You can't have arrays in quotes (or they wont be read as an array). Try using curly braces around the values:

PHP Code:

{$_POST['updater']} 


[traq]

or do like your second example and leave the string to use the index:

PHP Code:

"this is a string with a ".$_POST['variable']." in it." 


[JShor]

It is perfectly ok to have quotes around an array in a string--it will still be read as a variable, as long as they are encased in double quotes.

I would suggest adding die() to the end of the MySQL query to throw an error if MySQL returns one. I have a feeling that it is a MySQL error, and you can't see it.

PHP Code:

<?php } else {
            if (isset($_GET['go'])) {
                $name=filter_html($_POST['name']);
                $auth=filter_html($_POST['auth']);
                $desc=filter_html($_POST['elm4']);
                if (isset($_POST['updater']))
                    {
                    mysql_query("DELETE FROM `posts` WHERE `id`='$_GET[updater]'") or die(mysql_error());;
                    mysql_query("INSERT INTO `posts` (`id`,`name`,`date`,`author`,`desc`) VALUES ('$_POST[updater]','$name',$_POST[thedate],'$auth','$desc');") or die(mysql_error());;
                    }
                else
                    mysql_query("INSERT INTO `posts` (`name`,`date`,`author`,`desc`) VALUES ('$name',NOW(),'$auth','$desc');") or die(mysql_error());;
                
            }?>

Good luck.

[bluewalrus]

It is not okay to have quotes around an array.

As in Perl, you can access a value from the array inside double quotes. However, with PHP you'll need to enclose your array between curly braces.

http://php.net/manual/en/function.array.php

or as Traq suggested pull it out of the quotes.

[traq]

It is perfectly ok to have quotes around an array in a string--it will still be read as a variable, as long as they are encased in double quotes.

we were referring specifically to complex variables (i.e., arrays with keys, like his $_POST['updater']) variable.

PHP Code:

"string with $_POST[updater]"      // incorrect, but works
"string with $_POST['updater']"    // incorrect, does not work
"string with ".$_POST['updater']     // correct, works
"string with {$_POST['updater']}"  // correct, works 


see here for more.

Edit:

bluewalrus beat me to it

[djr33]

As traq posted above, I strongly suggest always using this method:

PHP Code:

$string = 'Example '.$variable.' example'; 


There are other methods, but I prefer this one.

Here's why:
1) It's consistent. It always works, whatever kind of variable you want to use.
2) Single quotes don't do anything special-- they just contain everything inside them and display it literally. So you can use the $ symbol or anything else you'd like without worrying.
2b) Single quotes actually process faster. Saves time on the server. (Maybe minimal in lots of cases, but doesn't hurt of course.)
3) The only thing you ever need to worry about is escaping single quotes: 'can\'t';
4) It's cleaner from a logical point of view. Embedding variables in output is messy. For example, if you want to translate the website ever, you would not want to have that sort of code. That might be beyond what you're doing now though.


I know it looks like it's more work to type it that way, but it's only a few more characters and once you are in the habit of it you will be writing better code and never have to guess again about what format might work and what might not.

[traq]

agreed; but don't sell those curly braces short. they're a lifesaver in SQL statements:

PHP Code:

mysql_query("SELECT * FROM `$table` WHERE `{$search['column']}` LIKE '%{$search['value']}%' LIMIT 1");
// or similar 


They're also very, very, very useful if you ever use HEREDOC syntax (e.g., for large html blocks):

PHP Code:

<<< HEREDOC
<p>This is a really long $whatever and it has a lot of embedded variables, like in this table:</p>
<table>
   <tbody>
      <tr><th>{$th['col1']}</th><th>{$th['col2']}</th><th>{$th['col3']}</th></tr>
      <tr><td>{$td['row1']['col1']}</td><td>{$td['row1']['col2']}</td><td>{$td['row1']['col3']}</td></tr>
      <tr><td>{$td['row2']['col1']}</td><td>{$td['row2']['col2']}</td><td>{$td['row2']['col3']}</td></tr>
   </tbody>
</table>
<p>etc...</p>
HEREDOC
; 


Edit:

of course, DD's syntax highlighter doesn't clarify much in these examples.

[djr33]

Actually, I never use them. For all of the examples above, even something that complicated, I use the simple method from my last post. (HEREDOCs might be an exception, but I use them so rarely that's irrelevant.)
This is mostly because I always use single quotes. It's a habit now, probably not actually that useful in every single case.
And that's an interesting idea for SQL.

[zakmail007]

You give a incorrect format of super global array i.e. POST and GET
mysql_query("DELETE FROM `posts` WHERE `id`='$_GET[updater]'"); //Incorrect
it should be
mysql_query("DELETE FROM `posts` WHERE `id`=".$_GET[updater].");