Morning All,

I am having a few problems with the code below and have been trying to figure out where I'm going wrong. Can anyone shed some light on where I may be going wrong? I keep getting a 500 Server Error when trying to process the form.

Thanks

<?php

include('config.inc');

// PHP variable names cannot start with a digit, so $1st_body is a parse error
// (and a likely cause of the 500). The column name 1st_body in the SQL is kept,
// since MySQL accepts identifiers that start with a digit.
$first_body = mysql_real_escape_string( stripslashes( $_POST[ '_1st_body' ] ) );

$id=$_GET['1st_rem_id'];

mysql_select_db($dbname);
$sql="UPDATE db SET 1st_body='$first_body' WHERE 1st_rem_id='$id'";

// run the query once and test its result (the original ran it twice)
$result=mysql_query($sql);
if (!$result)
  {
  die('Error: ' . mysql_error());
  }
header("Location: 1st_not.php");

// missing semicolon and a stray closing brace removed
mysql_close();

?>

Comment out the header() and see if it still happens.

BTW header() should have an exit after it.

Also, prob. unrelated...

Check for the existence of a variable before you assign it to another...

$id=$_GET['1st_rem_id'];

What happens if it doesn't exist? ERROR

Is there a reason why you're passing GET and POST params? Never pass GET params for modification of DB data. Also you don't clean your GET input, so you are open to SQL injection.
Also, not a rule BTW, fields and various array items starting with numbers tend to be avoided. Some used to cause problems in the past, but I think systems are more forgiving these days, but the convention has sort of stuck. I'm open to disagreement on this.

Thanks for the update.

Tried commenting it out but still getting the same; will have a play around with it later.

What's the best way to pass params for modification to a DB? This is the way I was shown a while ago, never really understood why though. What's the best way to not clean your GET input?

Cheers
Martin

You can insert a hidden form field to hold any id values you want posted with the form.

If you expect an integer - e.g. $_POST['id'] - check with is_int(), or force typing (or 'cast') with intval() or by prefixing the variable with (int).

You should aim to validate all numerics, dates, patterned text (e.g. e-mail) fields before processing with DB.

You can clean input by a number of methods. I noticed that you were using old-soon-to-die-style mysql - so for that it's vitally important that you use functions like mysql_real_escape_string or intval. If you use mysqli or PDO, then you're pretty safe with binding parameters, so no need for a mysqli_real_escape_string type thingy.

Have a look at SANITIZE/VALIDATE FILTERS: http://www.php.net/manual/en/filter.filters.php
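The poster's UPDATE rewritten along the lines of this reply (hidden POST field for the id, integer validation, PDO bound parameters, exit after header()). This is an added example, not code from the thread; the table and column names, DSN and credentials are assumptions.

```php
<?php
// Added example, not the poster's code. Table "reminders" with columns
// rem_id and body, and the DSN/credentials, are assumed placeholders.

// Only process a form submission; a plain GET just renders the form below.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // FILTER_VALIDATE_INT returns false for anything that is not a whole number
    // (and null if the field is missing), so "1 OR 1=1" never reaches the query.
    $id = filter_input(INPUT_POST, 'rem_id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    $body = filter_input(INPUT_POST, 'body', FILTER_UNSAFE_RAW);
    if ($id === false || $id === null || $body === null) {
        http_response_code(400);
        exit('Invalid input');
    }

    $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
                   'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
    ]);

    // Values travel separately from the SQL text, so no escaping and no
    // stripslashes() are needed; the column list is fixed, not user-controlled.
    $stmt = $pdo->prepare('UPDATE reminders SET body = :body WHERE rem_id = :id');
    $stmt->execute([':body' => $body, ':id' => $id]);

    header('Location: 1st_not.php');
    exit; // without this, anything after header() still runs
}
?>
<!-- The id is carried in a hidden field and arrives with the POST,
     so the modifying request never depends on a GET parameter. -->
<form method="post" action="">
  <input type="hidden" name="rem_id" value="<?= (int)($_GET['rem_id'] ?? 0) ?>">
  <textarea name="body"></textarea>
  <button type="submit">Save</button>
</form>
```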