Whar the blazes is wrong with this if else insert

Tezread

I do not know why but this procedure I have created inserts fine but doesn't update

<?php
include("include/session.php");
$username = $_SESSION['username']; 

// Set the page title and include the HTML header. 
$page_title = 'Update details'; 

if (isset($_POST['submit'])) { // Handle the form. 

include ("connect.php"); // Connect to the db. 

$message = NULL; // Create an empty new variable. 

// Check for a name. 
if (empty($_POST['firstname'])) { 

    $message .= '<p>You forgot to enter your first name!</p>'; 
} 

// Check for an second name. 
if (empty($_POST['secondname'])) { 

    $message .= '<p>You forgot to enter your second name</p>'; 
} 
    $query = "SELECT * FROM qualityuser WHERE username='$username'";         
    $result = @mysql_query ($query); 
    $num = mysql_num_rows ($result); 
    if ($num == 0) { 
        $row = mysql_fetch_array($result, MYSQL_NUM); 
				$_SESSION['formdata']=$_POST;
		 $sql = "INSERT INTO qualityuser SET qualityuser_id =  NULL ";
foreach ($_SESSION['formdata'] as $col =>$val ){
	if($col <> 'submit'){
	$sql .=", $col = '$val' ";
		mysql_query($sql, $connection) or die(mysql_error()); 
	}

else
		if ($num == 1) { 

		 // Make the query. 
        $query = "UPDATE qualityuser SET title = '$title',
firstname = '$firstname',
secondname = '$secondname',
organisation = '$organisation',
telephone = '$telephone',
address1 = '$address1',
address2 = '$address2',
town = '$town',
postcode = '$postcode',
registeredcharity = '$registeredcharity',
incorporated = '$incorporated',
regionalassociation = '$regionalassociation',
regionalcharity = '$regionalcharity',
project = '$project',
nature_selfhelp = '$nature_selfhelp',
nature_frontline = '$nature_frontline',
nature_intermediary = '$nature_intermediary',
nature_infrastructure = '$nature_infrastructure',
nature_partnership = '$nature_partnership',
involved_volunteers = '$involved_volunteers',
involved_paid = '$involved_paid',
funded_unrestrictedfunds = '$funded_unrestrictedfunds',
funded_localcouncil = '$funded_localcouncil',
funded_undercontract = '$funded_undercontract',
funded_grants_fees = '$funded_grants_fees',
funded_socialenterprise = '$funded_socialenterprise',
activity_care = '$activity_care',
activity_advice_individual = '$activity_advice_individual',
activity_advice_organisations = '$activity_advice_organisations',
activity_specialist = '$activity_care',
activity_community = '$activity_community',
activity_awareness = '$activity_awareness',
activity_mutual_support = '$activity_mutual_support',
have_policies_procedures = '$have_policies_procedures',
have_management_structure = '$have_management_structure',
have_communication = '$have_communication',
have_supervision = '$have_supervision',
have_strategy = '$have_strategy',
have_aims = '$have_aims',
have_review = '$have_review'

WHERE username = '$username'";

       	mysql_query($query, $connection) or die(mysql_error());  // Run the query. 

} // End of the main Submit conditional. 
}
}
}
// Print the error message if there is one. 
if (isset($message)) { 
    echo '<font color="red">', $message, '</font>'; 
} 
?>

ps leatherback- this is a contingency in case I cannot achieve the dynamic approach on the other thread

sneakyimp

The first thing I notice is that you appear to be expecting register_globals to be in effect which is a pretty bad idea.

the other is that you insert information into your database without escaping ANYTHING. this script is totally vulnerable to sql injection.

thirdly, you run queries without checking for any error conditions. if your queries fail, you should show an error or log an error or something.

does it do anything when you try to update? does it blank out the records? what, exactly, is going wrong?

leatherback

Your else is missing an opening bracket:

else
if ($num == 1) {

Furthermore: See post above... 😃

Edit: What happened to the code in this thread

Did you try to run it? I am fairly confident it could work that way..