Which one you prefer ?

Im getting both errors (one or the other) when i modify my code.

Its either QUERY WAS EMPTY (which i dunno what it means)
Or its





Obviously i dunno what i am doing Im trying to create an EDIT page for my profile. Somehow i am not using the username correctly... or when i am the problem comes from my query !

If anyone can make it cleaner and nicer... or find my error... god bless you !

Point #1, your foreach statement makes no sense, and even if it did do what I think you're intending it is bad practice to directly alter the $_POST superglobal, it should contain the raw data, and it should always be the raw data. Also your method for sanitisation is flawed, one of them just won't work and the one that would should still be replaced by a context specific sanitisation function.

Point #2, this seems to have no validation at all, surely there are some format rules the input must follow? No point doing any other execution if the input is junk.

Point #3, your error is likely in the generated query, so echo that out if you're getting an error and look at the syntax. In this case it's because you've left a comma before the WHERE, so it expects another field to be modified in the UPDATE query.

Wow, and i thought some stuff was good.

Well thanks for pointing im doing everything wrong. Can you somehow show me a good way of doing this ? I mean i did not write this, and other user from here did... i was just modified it to suit my needs but somehow ended up bad.

What i am actually trying to do (after this error is fixed) Is just replace the fields on my database but if the username does not exist (because it replaces by the table's username) than create this username and add the following data.

Kind of weird.

Thanks for pointing the stuff out !

If you are putting things submitted by users into the database you should use the following function to protect yourself from SQL Injection attacks.

$var = mysql_real_escape_string($_POST['var']);

That function is already made for the sole purpose of stripping the SQL from infectious junk that a user might put into the field.

If you want to do that to the whole $_POST thing like it seems you are trying to do, you can use the following...

$_POST = array_map('mysql_real_escape_string', $_POST);

That would apply the function mysql_real_escape_string(); to every value that is stored in the array $_POST

I also use the function strip_tags to strip any HTML that could be in the $_POST array values...

But I wouldn't, because as I said directly altering $_POST is bad practice, and in addition it can lead to injection where you've thought "oh, the entire $_POST is being sanitised, I don't need to bother" when actually... it isn't - Bread knows what I'm talking about, he did it.

I prefer to put more thought into the input, in some cases sanitisation is unnecessary because you have determined in the validation rules that it is of a safe form, or you might have put it through a cryptographic hashing algorithm like md5() which would also make it safe. You are right about using mysql_real_escape_string() though, and that was what I was alluding to when I said "a context specific sanitisation function".

What is really best practice isn't supported in PHP mysql_ functions. Which would be to bind values into the query, whereupon it would automatically sanitise. That's what you tend to do in other languages. PDO does this, and MySQLi can do this as well. Could roll your own, but usually best to use the provided libraries where you can.