0

I just want to know if this is the correct syntax for updating data in the database.

<?php
	$user_id = $_GET['user_Id'];
	$qry = mysql_query("SELECT win_id,win_net_drives,win_asset_no,win_new_pc,win_requirements,win_uid FROM windows_application WHERE win_uid = '".$user_id."'");
	$db = mysql_fetch_array($qry);
	
	if($_GET['process'] == 1){
		$drives = $_POST['network_drive'];
		$asset = $_POST['win_asset_no'];
		$newpc = $_POST['new_pc'];
		$winreq = $_POST['win_requirements'];
		$qry = mysql_query("UPDATE windows_application SET win_net_drives= '".$drives."'");
		$qry = mysql_query("UPDATE windows_application SET win_asset_no= '".$asset."'");
		$qry = mysql_query("UPDATE windows_application SET new_pc= '".$newpc."'");
		$qry = mysql_query("UPDATE windows_application SET win_requirements= '".$winreq."'");
			}
?>
Last Post by rajarajan07
0

Syntactically, it is correct. I have two comments, however:

1. You really should validate every variable being sent to the server from the browser. Otherwise you leave your website open to MySQL injection and XSS attacks.

2. Not really important, however, if your string is enclosed in " (double quotes), then you can include variable names in the string itself. This is because double quoted strings are special in that PHP parses them and any variables/logic it finds within them. The opposite is also true. If you don't want PHP to parse the string, use single quotes, as this saves on processing time.

$qry = mysql_query("UPDATE windows_application SET win_net_drives= '$drives'");

R
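The validation and injection point from the reply above, as an added example that is not code from the thread: one parameterized UPDATE restricted to the row for the given user, with output escaped on display. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, `update_application` is a hypothetical helper, the user id is taken to be numeric, and the column is taken to be `win_new_pc` as in the question's SELECT.

```php
<?php
// Added example. Column names come from the SELECT in the question;
// the table contents and form input below are constructed sample data.
function update_application(PDO $pdo, string $uid, array $post): int
{
    // Validate before touching the database (numeric id is an assumption).
    if (!ctype_digit($uid)) {
        throw new InvalidArgumentException('user id must be numeric');
    }
    // One statement, a placeholder for every value, WHERE limits it to one user.
    $stmt = $pdo->prepare(
        'UPDATE windows_application
            SET win_net_drives = :drives, win_asset_no = :asset,
                win_new_pc = :newpc, win_requirements = :req
          WHERE win_uid = :uid'
    );
    $stmt->execute([
        ':drives' => $post['network_drive'] ?? '',
        ':asset'  => $post['win_asset_no'] ?? '',
        ':newpc'  => $post['new_pc'] ?? '',
        ':req'    => $post['win_requirements'] ?? '',
        ':uid'    => $uid,
    ]);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE windows_application (win_id INTEGER PRIMARY KEY,
    win_net_drives TEXT, win_asset_no TEXT, win_new_pc TEXT,
    win_requirements TEXT, win_uid TEXT)');
$pdo->exec("INSERT INTO windows_application
    (win_net_drives, win_asset_no, win_new_pc, win_requirements, win_uid)
    VALUES ('H:', 'A-1', 'no', 'none', '1'), ('G:', 'A-2', 'no', 'none', '2')");

// Constructed form input containing a quote and markup.
$post = ['network_drive' => "x', win_asset_no='0", 'win_asset_no' => 'A-9',
         'new_pc' => 'yes', 'win_requirements' => '<script>alert(1)</script>'];
echo update_application($pdo, '1', $post), " row(s) updated\n";

foreach ($pdo->query('SELECT * FROM windows_application', PDO::FETCH_ASSOC) as $row) {
    // Escape on output so stored markup is displayed as text, not executed.
    echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "\n";
}
```

The quoted value is stored literally in `win_net_drives` and the row for user 2 is unchanged, because bound parameters are never parsed as SQL and the WHERE clause limits the update to one user.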

0

You can simply test your update query in your phpadmin SQL editor: if it is updated then your query syntax is right, otherwise wrong. Give it a try. Best practice.
