I have the following SQL.
$sql_shells = "UPDATE `shells` SET `situation` = 'sold' WHERE `id` = '" . $id . "'";
$conn->query($sql_shells);
I updated the rows with column named buytime and another one called buyer so it would be like this:
$sql_shells = "UPDATE `shells` SET `buyer`= " . $buyer . ", `buytime`= " . $trn_date . " , `situation` = 'sold' WHERE `id` = '" . $id . "'";
$conn->query($sql_shells);
It's not updating.
`$trn_date = $trn_date = date("Y-m-d H:i:s");
and
$buyer = $_SESSION['username'];
Error log is empty.
Another SQL update doesn't have constant values and works fine
$sql_users = "UPDATE `users` SET `amount`= " . $newAmount . ", `gain`= " . $newgain . " WHERE `username` = '" . $buyer . "'";
I tried echoing the SQL query that's not working, this is what I get when I run it.
try to remove ` caracter and i think buytime and buyer should add ' caracter and remove it from id if is int type:
$sql_shells = "UPDATE shells SET buyer= '" . $buyer . "', buytime= '" . $trn_date . "' , situation = 'sold' WHERE id = " . $id ;
$conn->query($sql_shells);
Related
I have a PHP and I want to do 2 inserts and 1 delete, but I can only make an insert. If the array containt the last parameter == "historico" should delete from instant_table all register with same serial_num and inserte the array intro the instant_table and insert in historical_table("SensorData"). Ifnot (the array don't hace the parameter "historico"), should de delete from instant_table all register with same serial_num and only inserte the array intro the instant_table.
My code:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$serial_numb = test_input($_POST["serial_numb"]);
$DHTtempC = test_input($_POST["DHTtempC"]);
$DHThumid = test_input($_POST["DHThumid"]);
$CCS811_CO2 = test_input($_POST["CCS811_CO2"]);
$CCS811_tVOC = test_input($_POST["CCS811_tVOC"]);
$PM25 = test_input($_POST["PM25"]);
$PM10 = test_input($_POST["PM10"]);
$reading_date = date("Y-m-d");
$update_status = test_input($_POST["update_status"]);
$tipo_tabla = test_input($_POST["tipo_tabla"]);
// Create connection
// Check connection
if ($mysqli->connect_error) {
die("Connection failed: " . $mysqli->connect_error);
}
if ($tipo_tabla == "historico"){
$sql = "INSERT INTO SensorData (serial_numb, DHTtempC, DHThumid, CCS811_CO2, CCS811_tVOC, PM25, PM10, reading_date, update_status)
VALUES ('" . $serial_numb . "', '" . $DHTtempC . "', '" . $DHThumid . "', '" . $CCS811_CO2 . "', '" . $CCS811_tVOC . "', '" . $PM25 . "', '" . $PM10 . "', '" . $reading_date . "', '" . $update_status . "')";
}
$sql = "DELETE FROM instant_data WHERE (serial_numb = '" . $serial_numb . "')";
$sql = "INSERT INTO instant_data (serial_numb, DHTtempC, DHThumid, CCS811_CO2, CCS811_tVOC, PM25, PM10, reading_date, update_status)
VALUES ('" . $serial_numb . "', '" . $DHTtempC . "', '" . $DHThumid . "', '" . $CCS811_CO2 . "', '" . $CCS811_tVOC . "', '" . $PM25 . "', '" . $PM10 . "', '" . $reading_date . "', '" . $update_status . "')";
if ($mysqli->query($sql) === TRUE) {
echo "New record created successfully";
}
else {
echo "Error: " . $sql . "<br>" . $mysqli->error;
}
if ($mysqli->connect_error) {
die("Connection failed: " . $mysqli->connect_error);
}
$mysqli->close();
}
else {
echo "No data posted with HTTP POST.";
}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
Tu sum up, If the array contains the parameter, INSERTE(TABLE1) + DELETE with same serial_num(TABLE2) + INSERTE(TABLE2). If not DELETE with same serial_num(TABLE2) + INSERTE(TABLE2).
EDIT: Now this code only make the second INSERT
It seems like you are overwriting the content of $sql without executing the queries in between. You have to either:
execute each query before redefining $sql
use $sql .= (instead of $sql =) to concatenate the next query. If you do this, you have to terminate your sql query with an ; before concatenating the next query.
Are you using this code just for an small personal project or are you going to publish this in any way? In case of the later one:
please read into PHP SQL best practices. With your current approach you are vulnerable to SQL injections and your code is kinda difficult to read.
i have two update queries to update mysql db of the system.problem is my second update query works but my first one doesn't execute at all.
cant figure out whats going on...any help would be great
here is my php code.
$dob = $_POST["dob"];
$name = $_POST["name"];
$mob = $_POST["mobileNo"];
$home = $_POST["homeNO"];
$files = $_FILES["filep"]["name"];
echo $files;
$folder = "images/";
$uid = $_SESSION["Uid"];
if($_FILES["filep"]["error"] == 4) {
echo "no file selected";
}
move_uploaded_file($_FILES["filep"]["tmp_name"] , "$folder".$_FILES["filep"]["name"]);
$result = mysqli_query($con,"UPDATE User SET DOB = '" . $uid . "', MOBNO = '" . $mob . "', HOMENO = '" . $home . "',DOB = '" . $dob . "',IMAGE_URL = '" . $files . "' WHERE UID='" . $uid . "'");
$result = mysqli_query($con,"UPDATE User_Credentials SET NAME = '" . $name . "' WHERE CID='" . $uid . "'");
i have checked all the $name,$mob etc variables and value are passing without any problem..
$queryb = "SELECT product, imei, country, warranty, config from PRODUCT WHERE product_slno = '$mnserialno' ";
$resultb = mysql_query($queryb, $gndbconn) ;
if(mysql_num_rows($resultb) > 0)
{
$queryc = "UPDATE PRODUCT SET product='$desc', product_slno='$mnserialno',imei='$imei',country='$country',warranty='$warranty',config='$config' WHERE product_slno = '.$mnserialno.' ";
$resutc = mysql_query($queryc, $gndbconn) ;
}
else{
$querya = "INSERT INTO PRODUCT SET product='$desc', product_slno='$mnserialno',imei='$imei',country='$country',warranty='$warranty',config='$config'";
$resulta = mysql_query($querya, $gndbconn) ;
}
I want to check the serial number if that serial number already exist in database so records get update, otherwise it get insert into the database.
but the code inserting the records only, no updation, what is the fault i am not getting,
how to prevent the duplicate entry?
INSERT INTO PRODUCT SET
(`product`, `product_slno`, `imei`, `country`, `warranty`, `config`)
VALUES
('" . $desc . "', '" . $mnserialno . "', '" . $imei . "', '" . $country . "', '" . $warranty . "', '" . $config . "')
ON DUPLICATE KEY UPDATE
product='" . $desc . "',
product_slno='" . $mnserialno . "',
imei='" . $imei . "',
country='" . $country . "',
warranty='" . $warranty . "',
config='" . $config . "'";
The query isn't updating, not sure what I've done wrong.
$q_result = mysql_query("UPDATE
users
SET
recovery_answer = '".$_POST['answer']."',
recovery_question = '".$_POST['question']."',
date_question_set = '" . mysql_real_escape_string($register_date) . "'
WHERE
username='" . mysql_real_escape_string($_SESSION['username']) . "'");
Can you echo "UPDATE
users
SET
recovery_answer = '".$_POST['answer']."',
recovery_question = '".$_POST['question']."',
date_question_set = '" . mysql_real_escape_string($register_date) . "'
WHERE
username='" . mysql_real_escape_string($_SESSION['username']) . "'" and post?
this script is simply not working... can anyone tell me what I'm doing wrong?
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' AND SET date='". $date . "' AND SET html='" . $html . "' AND SET shortdesc='" . $shortdesc . "' AND SET link='" . $link . "' AND SET target='" . $target . "' AND SET sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
You aren't escaping your values so you are vulnerable to SQL injection and also construction of invalid statements. For example, if any of your input strings contain an apostrophe then it could cause your code to fail.
Have a look at prepared statements that will make it much easier to construct your queries with parameters.
In your query you will also need to use commas instead of AND SET.
$query = "UPDATE insight SET name='foo', date='2012-12-10' WHERE id=42";
The syntax for UPDATE is described in the MySQL documentation:
UPDATE syntax
Use it like this,
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
Its working ... check now
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
I aint a pro at mysql, but a try.
I guess id is an integer. So, dont quote it.
Try this,
$query = "UPDATE insight SET name='".$name."' , date='". $date . "' , html='" . $html . "' , shortdesc='" . $shortdesc . "' , link='" . $link . "' , target='" . $target . "' , sort='" . $sort . "' WHERE id=". $id ;
I think the SQL syntax is not correct, you can use it like this: UPDATE tablename SET rowname = value , ....