I'm learning PHP and SQL, and for this page I am trying to practice preventing SQL Injection. Right now I'm just trying it on two variables. ac1 and ac2. I get an mysql() die error when I submit. What could be wrong?
<?php
$host="localhost"; // Host name
$username="******"; // Mysql username
$password="******"; // Mysql password
$db_name="******_practice"; // Database name
$tbl_name="administration"; // Table name
// Connect to server and select databse.
$dbc = mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$ac1=$_POST['ac1'];
$ac2=$_POST['ac2'];
$fan=$_POST['fan'];
$na=$_POST['na'];
$dh=$_POST['dh'];
$tolerance1=$_POST['tolerance1'];
$temptime1=$_POST['temptime1'];
$tolerance2=$_POST['tolernce2'];
$temptime2=$_POST['temptime2'];
$tolerance3=$_POST['tolerance3'];
$temptime3=$_POST['temptime3'];
$tolerance4=$_POST['tolerance4'];
$temptime4=$_POST['temptime4'];
$tolerance5=$_POST['tolerance5'];
$temptime5=$_POST['temptime5'];
$humidtolerance1=$_POST['humidtolerance1'];
$humidtime1=$_POST['humidtime1'];
$humidtolerance2=$_POST['humidtolerance2'];
$humidtime2=$_POST['humidtime2'];
$humidtolerance3=$_POST['humidtolerance3'];
$humidtime3=$_POST['humidtime3'];
$humidtolerance4=$_POST['humidtolerance4'];
$humidtime4=$_POST['humidtime4'];
$humidtolerance5=$_POST['humidtolerance5'];
$humidtime5=$_POST['humidtime5'];
// To prevent MySQL injection (a form of internet hacking)
$ac1 = stripslashes($ac1);
$ac2 = stripslashes($ac2);
$ac1 = mysql_real_escape_string($ac1);
$ac2 = mysql_real_escape_string($ac2);
$custnum = 0;
$sql="UPDATE {$tbl_name} SET ac1 = '{$ac1}', ac2 = '{$ac2}', fan = '{$fan}', na = '{$na}', da = '{$dh}', tolerance1 = '{$tolerance1}', temptime1 = '{$temptime1}',tolerance2 = '{$tolerance2}', temptime2 = '{$temptime2}',tolerance3 = '{$tolerance3}', temptime3 = '{$temptime3}',tolerance4 = '{$tolerance4}', temptime4 = '{$temptime4}',tolerance5 = '{$tolerance5}', temptime5 = '{$temptime5}', humidtolerance1 = '{$humidtolerance1}', humidtime1 = '{$humidtime1}',humidtolerance2 = '{$humidtolerance2}', humidtime2 = '{$humidtime2}',humidtolerance3 = '{$humidtolerance3}', humidtime3 = '{$humidtime3}',humidtolerance4 = '{$humidtolerance4}', humidtime4 = '{$humidtime4}',humidtolerance5 = '{$humidtolerance5}', humidtime5 = '{$humidtime5}' WHERE custnum = '{$custnum}'";
$result = mysql_query($sql)
or die('Error querying database.');
//Send them back to the page they were at/
header("location:index.php");
?>
You should try using mysqli or even better, use PDO and prepared statements. Calling mysql_query directly is usually not the best approach.
If you wanted to be a little more sure that SQL injection would be prevented, you may want to consider using PDO prepared statements (provided you are using PHP 5.1 or higher,) instead of using mysql_real_escape_string (the old way.)
If that isn't an option:
custnum of 0 in your database? Often, database indexes tend to start at 1. If that's the case, it may be one reason why the query is failing (nothing to update.)Must be quotes in your case:
$sql="UPDATE {$tbl_name} SET `ac1` = '{$ac1}', `ac2` = '{$ac2}', `fan` = '{$fan}', `na` = '{$na}', `da` = '{$dh}', `tolerance1` = '{$tolerance1}', `temptime1` = '{$temptime1}',`tolerance2` = '{$tolerance2}', `temptime2` = '{$temptime2}',`tolerance3` = '{$tolerance3}', `temptime3` = '{$temptime3}',`tolerance4` = '{$tolerance4}', `temptime4` = '{$temptime4}',`tolerance5` = '{$tolerance5}', `temptime5` = '{$temptime5}', `humidtolerance1` = '{$humidtolerance1}', `humidtime1` = '{$humidtime1}',`humidtolerance2` = '{$humidtolerance2}', `humidtime2` = '{$humidtime2}',`humidtolerance3` = '{$humidtolerance3}', `humidtime3` = '{$humidtime3}',`humidtolerance4` = '{$humidtolerance4}', `humidtime4` = '{$humidtime4}',`humidtolerance5` = '{$humidtolerance5}', `humidtime5` = '{$humidtime5}' WHERE `custnum` = '{$custnum}'";
I.e. you should put those field names in the backtick quotes since you put your values in single ones. Nevertheless, let me give you a piece of advice: in production mode you better use PDO, as advised earlier. Good luck