updation of table through php mysql

Question

This is my code to update a table. My problem is that after submitting a fresh record I'm unable to update the first time (it shows blank), but the second time it works fine.

One more thing: when I remove the include statement then it is working fine on submessage.php there is no any phpcode. [annakata: I have no idea what this means]

$pid = $_GET['id'];
$title = $_POST['title'];
$summary = $_POST['summary'];
$content = $_POST['content'];
$catid = $_POST['cid'];
$author = $_POST['author'];
$keyword = $_POST['keyword'];
$result1= mysql_query("update listing set catid='$catid',title='$title',
summary='$summary',content='$content', author='$author', keyword='$keyword' where pid='$pid'",$db);
    include("submessage.php");

Answer 1

The things that are wrong with that piece of code are hard to enumerate. However, at the very least, you should establish a connection to the database before you can query it.

Answer 2

Why not just redirect to submessage.php rather than inlining it? Redirecting also prevents duplicate db operations when user refreshed the page. Just replace include statement with:

header('Location: submessage.php?id=' . $pid);
die();

Also, before you deploy your application: DO NOT EVER PUT USER INPUT DIRECTLY IN SQL QUERY . You should used bound parameters instead. Otherwise, you could just as well publicly advertise your database admin password. Read more on PDO and prepared statements at http://ie.php.net/pdo

Here's how I would do it:

$pdo = new PDO(....); // some configuration parameters needed
$sql = "
    UPDATE listing SET
        catid=:catid, title=:title, summary=:summary,
        content=:content, author=:author, keyword=:keyword
    WHERE pid=:pid
";
$stmt = $pdo->prepare($sql);
$stmt->bindValue('catid', $_POST['catid']);
$stmt->bindValue('title', $_POST['title']);
$stmt->bindValue('summary', $_POST['summary']);
$stmt->bindValue('content', $_POST['content']);
$stmt->bindValue('author', $_POST['author']);
$stmt->bindValue('keyword', $_POST['keyword']);
$stmt->bindValue('pid', $pid = $_GET['id']);
$stmt->execute();

header('Location: submessage.php?id=' . $pid);
die();

Or in fact, I would use some ORM solution to make it look more like that:

$listing = Listing::getById($pid = $_GET['id']);
$listing->populate($_POST);
$listing->save();

header('Location: submessage.php?id=' . $pid);
die();

Answer 3

Other than the usual warnings of SQL injection - very likely given your code and where you're obtaining the query parameters from (sans any kind of validation) - then it's quite possible your problem has nothing to do with the queries, particularly if it's working on subsequent attempts. Are you sure $_GET['id'] is set the first time you call the script?

Just to note, there is absolutely no reason to have to perform several update queries for each field you need to update - just combine them into a single query.