SQL Query不更新数据

I wrote a simple form from which a user will change his/her name , Facebook Name and image here is the profile.php code with the form

 <!!--edit form--!!>

 <div id="edit">
 <table width="300" border="0"  align="center" cellpadding="0" cellspacing="1"   
 bgcolor="#CCCCCC">
 <tr>
 <td>
 <table width="100%" border="0" cellpadding="1" cellspacing="1"bgcolor="#FFFFFF">
 <tr>
 <form method="POST" action="save_profile.php">
 <td colspan="3"><strong>Username<br><? echo $row['session'];?></strong></td>
 <td colspan="3"><strong>Name</strong><input type="text" name="name" id="name" 
 value="<?      echo $row['name'];?>"/><br></td>
 <td colspan="3"><strong>Facebook</strong><input type="text" name="fb" id="fb" value="<? echo $row['facebook'];?>"/></td>
 <td colspan="3"><strong>Image</strong><input type="text" name="img" id="img" value="<? echo $row['img'];?>"/></td>
 <input type="hidden" name="pros" />
 <input type="submit" value="Save" />
 </form>

and this is the save_profile.php

 <?
 include"sp-includes/sp-config2.php";
 $resultz = mysql_query($slctq);
 while($rowqw = mysql_fetch_array($resultz, MYSQL_ASSOC))
 {
 if($_POST['pros']){
 $name=$_POST['name'];
 $fb=$_POST['fb'];
 $img=$_POST['img'];
 $do =mysql_query("UPDATE profile SET name='$name', facebook='$fb', img='$img' WHERE      id='$rowqw[id]'");
 }
 echo $rowqw['id'];
 }
 ?>

I dont Know where i am wrong..

First of all, PLEASE SANITIZE YOUR QUERIES. Your query is completely open for exploitation right now and that might entirely be the reason why it fails.

Write your query like this:

mysql_query('UPDATE profile SET name="'.mysql_real_escape_string($name).'", facebook="'.mysql_real_escape_string($fb).'", img="'.mysql_real_escape_string($img).'" WHERE      id="'.mysql_real_escape_string($rowqw['id']).'";');

Also, note that the rowqw index should be written as 'id' instead of id.

The problems with your code:

  • You are not checking for errors. Use mysql_error().
  • You are not checking your input (if it's valid or not). You should be binding parameters or escaping with mysql_real_escape_string.
  • Put the query in a separate string. Something like $query = "UPDATE ..."; $do = mysql_query($query);. It is useful for debugging. You know what the exact query you are sending is.
  • You are using $rowq[id] the wrong way. When in a string you either use the . notation, you concatenate multiple strings; or you enclose it in {$rowq[id]}.

When you do all this, you'll solve the problems yourself. Read the docs too.

Change the code to $do = mysql_query("UPDATE profile SET name = '$name', facebook = '$fb', img = '$img' WHERE id = '$rowqw[id]'");