Ross wrote:
Am trying to do an update of a record...

Is this the correct syntax..

$query= "UPDATE $table_name SET fname='$fname', sname='$sname' WHERE id= $id";

R.

Technically this is right as long as your variables are giving out the real intended values.


For extra knowledge, your $query should look something like this to make it secure:

$query = 'Update `'.mysql_escape_string($table_name).'` SET fname = "'.mysql_escape_string($fname).'", sname = "'.mysql_escape_string($sname).'" WHERE id = "'.mysql_escape_string($id).'"';

Now the mysql_escape_string is used to escape ' and " characters in your string in case they are not already escaped, which may cause a security hole in your code. Also note that you should place "" around all values in your SQL string, even for numeric values, in case your data was sent an incorrect text value (which you should filter beforehand, but that's up to you).

Finally, for even more security, you should use the $_POST[] or $_GET[] arrays if the above values come from a form; if they are calculated or extracted from something else, don't mind this.

PS: I forgot about the `` around table and field names; this prevents MySQL from interpreting a word in your SQL as a keyword. For example, using `` you can easily use `date` as a table or field name (not recommended), but it will allow you to bypass the keyword DATE.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
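The point made in the reply above (an unquoted numeric value in the WHERE clause is a hole that quote-escaping alone does not close) can be seen in a few lines. The following is an added example, not code from the thread: it stands in for the PHP/MySQL query with Python's bundled sqlite3 so it runs offline, with a constructed `users` table (columns `id`, `fname`, `sname`) taking the place of `$table_name`. `update_unsafe` builds the string exactly the way Ross's original query does; `update_safe` binds the values as parameters, validates the id as an integer, and checks the table name against an allowlist, since a table name cannot be passed as a bound parameter. The helper names and the allowlist are my own assumptions.

```python
import re
import sqlite3

# Hypothetical allowlist: table names cannot be bound as query parameters,
# so the only safe way to take one from outside is to compare against a
# fixed set of known names.
ALLOWED_TABLES = {"users"}


def make_db():
    """Constructed sample data standing in for $table_name in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, sname TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Ross", "Smith"), (2, "Alice", "Jones"), (3, "Bob", "Brown")],
    )
    conn.commit()
    return conn


def update_unsafe(conn, table, fname, sname, id_value):
    """Mirrors the thread's string-built query: nothing is quoted, escaped
    or validated. Returns the number of rows the UPDATE touched."""
    query = (
        f"UPDATE {table} SET fname='{fname}', sname='{sname}' "
        f"WHERE id={id_value}"
    )
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def update_safe(conn, table, fname, sname, id_value):
    """Parameterised form. Values travel as bound parameters, the id must be
    a plain unsigned integer, and the table name must be on the allowlist.
    Raises ValueError on bad input; returns the number of rows updated."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    # Reject anything that is not purely digits before it nears the query;
    # "1 OR 1=1" fails here rather than reaching the database.
    if not re.fullmatch(r"\d+", str(id_value)):
        raise ValueError(f"id is not a positive integer: {id_value!r}")
    # Double quotes are SQL's standard identifier quoting (MySQL uses
    # backticks); the name is already allowlisted, quoting just keeps a
    # keyword-looking table name from being parsed as a keyword.
    cur = conn.execute(
        f'UPDATE "{table}" SET fname = ?, sname = ? WHERE id = ?',
        (fname, sname, int(id_value)),
    )
    conn.commit()
    return cur.rowcount


def names_by_id(conn):
    """Helper used to inspect the result: {id: fname}."""
    return {
        row[0]: row[1]
        for row in conn.execute("SELECT id, fname FROM users ORDER BY id")
    }


if __name__ == "__main__":
    # An id of "1 OR 1=1" contains no quote characters, so escaping quotes
    # would not help; the unquoted WHERE clause becomes "WHERE id=1 OR 1=1"
    # and every row is rewritten.
    db = make_db()
    print("unsafe, rows updated:", update_unsafe(db, "users", "X", "Y", "1 OR 1=1"))
    print(names_by_id(db))

    # The safe version stores a name containing a quote literally and
    # refuses the injected id outright.
    db = make_db()
    print("safe, rows updated:", update_safe(db, "users", "O'Brien", "Smith", "1"))
    print(names_by_id(db))
    try:
        update_safe(db, "users", "X", "Y", "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see the unsafe query rewrite all three rows while the safe one updates exactly one and rejects the injected id. The same shape applies to the thread's PHP: with mysqli or PDO the values go in as bound parameters and `$id` is checked with `ctype_digit()` or a cast before use, rather than relying on quoting plus escaping.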


