Home/ Questions/Q 7842217
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-02T16:16:07+00:00

I’m making an editing post feature for my site, but I’m stuck at this.

  • 0

I’m making an editing post feature for my site, but I’m stuck at this. This is my code:

$post = htmlspecialchars($_GET["story"]);
mysql_select_db("xxxxxx", $con);

$sql="INSERT IGNORE INTO tool WHERE id=$post (title, details, author) 
VALUES
('$_POST[title]','$_POST[details]','$_SESSION[Username]')";

if (!mysql_query($sql,$con))
{
  die('Error: ' . mysql_error());
}
echo "The story<b> " . $_POST[title] . " </b>has been edited.";

mysql_close($con)

I know the error has something to do with INSERT IGNORE INTO tool WHERE id=$post. I obviously don’t want to change every post in the DB to the same thing, so I need it to find the post ID, which is $post, and then change the info for just that specific DB item.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Besides SQL injection, as @ThiefMaster and @djdy opposed (and that is iminent) it is much better to use UPDATE query for updating (editing) an existing entry (rather then INSERT IGNORE where INSERT should only be used for inserting of new entries).

    Your query then should be:

    $sql="
    UPDATE `tool` SET 
        `title` = '".mysql_real_escape_string($_POST['title'])."', 
        `details` = '".mysql_real_escape_string($_POST['details'])."', 
        `author` = '".mysql_real_escape_string($_SESSION['Username'])."' 
    WHERE `id` = $post;";

    You have to escape the MySQL reserved words like id, etc, using backquotes. Also using a mysql_real_escape_string() on every value passed into a query is a very good habit.

    • 0