1

My update form script works only if I use numbers, but if I try to use any words it won't work. I need help, thanks!

<?php
if(isset($_POST['teams'])){
    $home_team = $_POST['home_team'];
    $visitor_team = $_POST['visitor_team'];
    $sql = mysql_query("UPDATE table1 SET home_team = $home_team, visitor_team = $visitor_team WHERE active = 1") ;
    $retval = mysql_query( $sql, $conn );
    if(! $retval ){
        die("<p>Error! Could not update team names. Click return button.</p>");
    }
    echo "<p>Team names set successfully!</p>";
    mysql_close($conn);
}
?>

2 Answers 2

1

Try using '' in your query:

$sql = mysql_query("UPDATE table1 SET home_team = '".mysql_real_escape_string($home_team)."', visitor_team = '".mysql_real_escape_string($visitor_team)."' WHERE active = '1'") ; 

Also add mysql_real_escape_string() to prevent SQL injection.


1 Comment

mysql_real_escape_string() doesn't fully protect against SQL injection at all. See here: SQL injection that gets around mysql_real_escape_string()

0

      Every string passed to a SQL statement must be enclosed within a ''; if they are not, it will result in an error.
      That being said, throwing content straight from a form into the database is very, very, very, very (I need another very) bad. Your database can simply be wiped by anyone; it's called SQL injection.
      To protect your database, you can start with this good article on PDO.
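
The PDO approach the answer above points to, as an added example (not code from the question or from either answer): a prepared statement with bound parameters treats numbers, words, apostrophes and SQL-shaped text alike as data. It assumes an in-memory SQLite database as a stand-in for the asker's MySQL one; `setTeamNames` and the 64-character limit are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the asker's MySQL database
// (assumption); with MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also turn off emulated prepares so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table mirroring the columns used in the question.
$pdo->exec('CREATE TABLE table1 (home_team TEXT, visitor_team TEXT, active INTEGER)');
$pdo->exec("INSERT INTO table1 VALUES ('old home', 'old visitor', 1), ('other', 'other', 0)");

/** Update the active row; values travel as bound parameters, never as SQL text. */
function setTeamNames(PDO $pdo, string $home, string $visitor): int
{
    // Basic input validation (hypothetical limits): non-empty, at most 64 bytes.
    foreach ([$home, $visitor] as $name) {
        if ($name === '' || strlen($name) > 64) {
            throw new InvalidArgumentException('Invalid team name');
        }
    }
    $stmt = $pdo->prepare(
        'UPDATE table1 SET home_team = :home, visitor_team = :visitor WHERE active = 1'
    );
    $stmt->execute([':home' => $home, ':visitor' => $visitor]);
    return $stmt->rowCount(); // number of rows changed
}

// Constructed inputs standing in for $_POST['home_team'] / $_POST['visitor_team']:
// a name containing an apostrophe and a string shaped like SQL.
$changed = setTeamNames($pdo, "St. John's", "x', active = 0 --");

// Show that both values were stored literally and the inactive row is untouched.
$rows = $pdo->query('SELECT home_team, visitor_team, active FROM table1')
            ->fetchAll(PDO::FETCH_ASSOC);
echo "Rows updated: $changed\n";
foreach ($rows as $r) {
    echo "{$r['home_team']} | {$r['visitor_team']} | active={$r['active']}\n";
}
```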
