Home/ Questions/Q 7621275
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T04:09:25+00:00

I am scratching my head to make this lines of code to work, but

  • 0

I am scratching my head to make this lines of code to work, but no success…Would be nice if someone can point out what is the best practice to write such queries?

if(isset($_POST) && $_POST["id"] > 0)
{
    include('../../config.php');            

    $id = $_POST["id"];
    $title = mysql_real_escape_string($_POST["title"]);
    $desc = mysql_real_escape_string($_POST["desc"]);        

    $cat = $_POST["catid"];

    $_DB->Execute("UPDATE gallery_imgs SET title = `$title`, description = `$desc` WHERE id = $id");

    header("location: admin.php?mode=images&id=$cat");
}
else
{
     //Other stuff!
}

This is the error I get:

Error number: 1054
Error       : Unknown column 'The SIEK!' in 'field list'
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First, you have called mysql_real_escape_string() on the string values, but you must also validate the contents of $_POST['id'].

    // invalid string values will convert to integer 0
// If that is not allowable, you should not proceed with the query.
$id = intval($_POST['id']);

    Input strings must be enclosed in single quotes, not backquotes (which are used for column and table identifiers);

    $_DB->Execute("UPDATE gallery_imgs SET title = '$title', description = '$desc' WHERE id = $id");

    As an aside, you should validate the contents of $_POST['catid'] before using it in a redirection header. For example, if it is supposed to be numeric:

    // At least cast it to an int if it is an invalid string....
$catid = intval($_POST['catid']);
    • 0