
PHP Insert into database not working

Tags:

php

mysql

Greetings, I made the following PHP script so that I could edit text and it would save to a db for future use. However, I'm hitting a slight snag at the update / insert queries. I'm not sure what I'm doing wrong, but only one of the commands will execute. I'm not sure if this is a hosting issue or am I doing something wrong.

Any ideas?

if (isset($_SESSION["logged"]) && $_SESSION["logged"]==1){  
    if ($_POST['action']=="edit"){
        $query=mysql_query("select * from page where active=1 AND heading='".$_POST['selectedpage']."'");
        $row = mysql_fetch_array($query, MYSQL_ASSOC);

        echo "<h1>HTML Editor </h1><br>";
        echo "<form name='saveform' action='./action.php'  method='post'>";
        echo "<textarea rows='100' cols='100' name='updateBox'>".$row['content']."</textarea>";
        echo "<br><input name='action' type='submit' value='save edit'>";
        echo "<input name='heading' type='hidden' value='".$row['heading']."'>";
        echo "</form>";
    } else if($_POST['action']=="save edit"){
        $query=mysql_query("UPDATE page SET active='0' where heading='".$_POST['heading']."'");
        $query=mysql_query("INSERT into page(heading,content,active) values('".$_POST['heading']."','".$_POST['updateBox']."','1')");
        echo "<p>Changes saved succesfully!</p>";
        echo "$_POST['updateBox']";
    }
}
Steve asked Jan 22 '23 17:01


2 Answers

If you call echo mysql_error($query) after each query you run, you will be able to see if there is an error with that query. There could be a problem with your query content.

You are not performing any sanitizing for SQL injection, so if your content has a quotation mark in it, it will break your query. This is fairly dangerous (your queries are vulnerable to SQL injection from user input), and you should consider using mysql_real_escape_string on all your query variables, or switching to the PDO or MySQLi drivers. These drivers support query binding, which is an excellent method to prevent SQL injection.

Edit for editorialism :)

As an aside, it's generally pretty easy to come up with a quick database wrapper or function handler to handle these kinds of errors for you automatically. I use a class-based wrapper, but if you didn't want to go that far just now, you could do something like this:

//very quick-and-dirty
function queryOrDie($query)
{
    $query = mysql_query($query);
    if (! $query) exit(mysql_error());
    return $query;
}

You could just pass all your queries through that, and you'd have an easier time of debugging it. There are a lot of database wrapper classes out there too, I'd highly recommend you take a poke around. They make life much easier. :)

zombat answered Jan 25 '23 06:01
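
The query binding recommended in the answer above, applied to the question's UPDATE and INSERT, as an added example that is not part of the original answers. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; savePage and loadPage are hypothetical names, and the sample row and input are constructed.

```php
<?php
// Added example, not the poster's code. SQLite in memory stands in for MySQL
// (assumption); the `page` columns follow the queries in the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE page (heading TEXT, content TEXT, active INTEGER)');
$pdo->exec("INSERT INTO page VALUES ('About', 'first draft', 1)"); // constructed row

/** Retire the active revision of a page and store the new one, atomically. */
function savePage(PDO $pdo, string $heading, string $content): void
{
    $pdo->beginTransaction();
    try {
        // Placeholders keep user input out of the SQL text entirely.
        $retire = $pdo->prepare('UPDATE page SET active = 0 WHERE heading = :h');
        $retire->execute([':h' => $heading]);
        $insert = $pdo->prepare(
            'INSERT INTO page (heading, content, active) VALUES (:h, :c, 1)'
        );
        $insert->execute([':h' => $heading, ':c' => $content]);
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack(); // never leave the page with no active revision
        throw $e;
    }
}

/** Fetch the active content for a heading, or null if there is none. */
function loadPage(PDO $pdo, string $heading): ?string
{
    $stmt = $pdo->prepare('SELECT content FROM page WHERE active = 1 AND heading = :h');
    $stmt->execute([':h' => $heading]);
    $content = $stmt->fetchColumn();
    return $content === false ? null : $content;
}

// Constructed input: the quotation marks here break the concatenated queries.
$posted = "It's the \"new\" draft'); -- ";
savePage($pdo, 'About', $posted);

// The bound value comes back unchanged, and exactly one revision is active.
var_dump(loadPage($pdo, 'About') === $posted);
$active = $pdo->query("SELECT COUNT(*) FROM page WHERE active = 1")->fetchColumn();
$total  = $pdo->query("SELECT COUNT(*) FROM page")->fetchColumn();
echo "active revisions: $active, total revisions: $total\n";
```

Against MySQL, only the DSN and credentials passed to the PDO constructor change; the prepared statements stay as written.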


What's the error?

At the start of the script add this PHP:

ini_set('display_errors', 'On');
error_reporting(E_ALL);

Also try this:

$query=mysql_query("INSERT into page(heading,content,active) values('".$_POST['heading']."','".$_POST['updateBox']."',1)");

Also :) using data from the POST directly in the insert query is a security threat: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

AlfaTeK answered Jan 25 '23 06:01