Posted by Mathieu Dumoulin on 05/05/05 15:18
Ross wrote:
> Am trying to do an update of a record...
>
> Is this the correct syntax..
>
> $query= "UPDATE $table_name SET fname='$fname', sname='$sname' WHERE id=
> $id";
>
> R.
Technically this is right as long as your variables are giving out the
real intended values.
For extra knowledge, your $query should look something like this to make
it secure:
$query = 'Update `'.mysql_escape_string($table_name).'`'
       .' SET fname = "'.mysql_escape_string($fname).'"'
       .', sname = "'.mysql_escape_string($sname).'"'
       .' WHERE id = "'.mysql_escape_string($id).'"';
Now the mysql_escape_string is used to escape ' and " characters in your
string in case they are not already escaped, which may cause a security
hole in your code. Also note that you should place "" around all values
in your SQL string, even for numeric values, in case your data was sent an
incorrect text value (which you should filter beforehand, but that's up
to you).
Finally, for even more security, you should use the $_POST[] or $_GET[]
arrays if the above values come from a form; if they are calculated or
extracted from something else, don't mind this.
PS: I forgot about the `` around table and field names. This prevents
MySQL from interpreting a word in your SQL as a keyword; for example,
using `` you can easily use `date` as a table or field name (not
recommended), but it will allow you to bypass the keyword DATE.
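As an added example that is not part of the post above: the same UPDATE written with a PDO prepared statement, which is what current PHP offers in place of mysql_escape_string() (that function was removed in PHP 7). It assumes pdo_sqlite is available (an in-memory SQLite database stands in for MySQL so it runs offline); the table name users, the column names and the allow-list are constructed for the example. Placeholders cannot stand in for identifiers, so the table name is checked against an allow-list rather than escaped.

```php
<?php
// Added example (not from the original post): UPDATE via a PDO prepared
// statement instead of mysql_escape_string() quoting.
// Assumptions: pdo_sqlite is available; the "users" table, its columns and
// the allow-list below are constructed for this example.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, sname TEXT)');
$pdo->exec("INSERT INTO users (id, fname, sname) VALUES (7, 'old', 'name')");

// Placeholders only cover values, never table or column names, so the
// table name is checked against a fixed allow-list instead of being escaped.
const ALLOWED_TABLES = ['users', 'staff'];

function updateName(PDO $pdo, string $table, int $id, string $fname, string $sname): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    // The SQL text and the values travel separately: a quote inside $fname
    // is plain data and can never close the string literal in the query.
    $stmt = $pdo->prepare("UPDATE `$table` SET fname = :fname, sname = :sname WHERE id = :id");
    $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
    $stmt->bindValue(':sname', $sname, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // typed, so no "" quoting needed
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed input with embedded quotes, as it might arrive via $_POST.
$rows = updateName($pdo, 'users', 7, "O'Brien", 'Smith "Jr."');
$row  = $pdo->query('SELECT fname, sname FROM users WHERE id = 7')->fetch(PDO::FETCH_ASSOC);
printf("%d row updated: %s %s\n", $rows, $row['fname'], $row['sname']);
```

The stored values come back with their quotes intact, and a table name outside the allow-list is rejected before any SQL is built.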