PHP/MySQL update a news record in a database problem

Question

I have this PHP code that I am trying to use to let a user edit a news record in a form and then when they hit the submit button, it will update the record in a database. The problem is that everything works but the record is not actually updated in the database.

Could someone look at my code and see where a problem could occur?

<?php
    $title = "Edit News";
    include("../includes/header.php");
    include("../includes/database.php");
    $done = false;
    $expected = array('newstitle', 'newscontent', 'id');
    if ($_GET && !$_POST) { 
     if (isset($_GET['id']) && is_numeric($_GET['id'])) { 
      $id = $_GET['id']; 
     } 
     else { 
      $id = NULL; 
     } 
     if ($id) { 
      $sql = "SELECT * FROM news WHERE id = $id"; 
      $result = mysql_query($sql) or die ("Error connecting to database..."); 
      $row = mysql_fetch_assoc($result);
     } 
     // if form has been submitted, update record 
     if (array_key_exists('update', $_POST)) { 
      // prepare expected items for insertion into database 
      foreach ($_POST as $key => $value) { 
       if (in_array($key, $expected)) { 
        ${$key} = mysql_real_escape_string($value); 
       } 
      } 
      // abandon the process if primary key invalid 
      if (!is_numeric($id)) { 
       die('Invalid request'); 
      }
      // prepare the SQL query 
      $query = "UPDATE news SET title = '$title', content = '$content' WHERE id = $id"; 
      // submit the query 
      $done = mysql_query($query) or die("Error connecting to database..."); 
     }
    }
    // redirect page if $id is invalid 
    if ($done) { 
     header("Location: $ROOT/admin/listnews.php"); 
     exit; 
    }
?>

Answer 1

If you run that UPDATE from the mysql cli with the same data the user sends does it update?

If not check for escaping characters.

Answer 2

if ($_GET && !$_POST) {

...

if (array_key_exists('update', $_POST)) {

Won't that ensure the update code never fires?

Answer 3

Should $content and $title in the line below be $newstitle and $newscontent?

// prepare the SQL query 
$query = "UPDATE news SET title = '$newstitle', content = '$newscontent' WHERE id = $id";

Answer 4

Couple of things to try and narrow down the problem:

• echo out some debug text just inside the if (array_key_exists('update', $_POST)) block to make sure you're actually getting in there. The top of your "if" is if($_GET && !$_POST), so you may need to change this $_POST to $_GET
• have you tried echoing out $query just before the db call? Does it run on the command line mysql interface ok?
• if my reading of your foreach ($_POST as $key => $value) is correct, you'll end up setting variables with the same names as those in $expected - ($newstitle, $newscontent, $id) - but in your sql reference $content and $title. They may be the cause of this bug, but something to keep an eye out for.

Answer 5

It's a little hard to know exactly what's going on without seeing the HTML source of your form, but I think that the

if (array_key_exists('update', $_POST)) {

block needs to be moved out of the outer if, since it will never be executed if it's there.

If you don't want to use some sort of testing framework, print() is your friend when it comes to debugging your code. Try to find what's executing and what's not; you'll quickly discover which of your assumptions are incorrect, and therefore where the bug is.

Answer 6

Thanks a lot guys, I'm not on my development machine right now but I will look into those suggestions.

Answer 7

noobs im the php mysql god