SQL add to already existing value [duplicate] - php

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 4 years ago.
I have a value in my MySQL database; all I want to do is increase the current value by a new one. This is what I have tried:
} elseif ($gametype == "veckanskluring"){
$sql = "UPDATE users SET veckanskluring='veckanskluring'+'$score' WHERE id='$id'";
$retval = mysql_query( $sql, $link );
echo "GAME == $gametype";
}
But for some odd reason, this won't work.
I have searched online and found examples, but they all look almost exactly the same as my code.
// Sidenote this is not the whole code, obviously.
Everything except the part where I add the new value to the old value works, and if I remove 'veckanskluring'+ it updates without any problems.
I strongly believe something is wrong with this part - 'veckanskluring'+ as the other part works fine.
//NOTE2 score is always 999, just have it set to $score if I want to change it later.
UPDATE -
My fault, apparently I had put '' around veckanskluring.
$sql = "UPDATE users SET veckanskluring=veckanskluring +'$score' WHERE id='$id'"; <-- Working.

Assuming that $score and $id are numbers, you should not use single quotes around these vars,
and assuming that veckanskluring is a column name, you must not use single quotes around the column name:
"UPDATE users SET veckanskluring= veckanskluring +$score WHERE id=$id";
But the use of PHP vars in SQL is deprecated; you are at risk of SQL injection. Take a look at your MySQL driver for binding params.

Related

PHP MySQL Statement not working, no errors [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
I'm working on a website, and I have encountered a strange MySQL behaviour. I'm trying to use a MySQL UPDATE query with multiple WHERE clauses.
$name = $_POST['username'];
$updatequery1 = "UPDATE OTP SET 'Project' = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";
$sqlconnection->query($updatequery1);
die("DONE");
Note that I've already defined $hashedotp.
When I try doing the same thing in MySQL Console it works pretty well, and I've made sure that the user used to define $sqlconnection has Update rights.
I've tried the solutions described here and here.
I've spent hours searching about it, but to no avail.
Thanks a lot in advance!
Try this: remove the single quotes from your query.
$updatequery1 = "UPDATE OTP SET Project = 'ANETSignupUsed' WHERE Name = '$name' AND HashedOTP = '$hashedotp' ";

Can't Save MySQL Query [duplicate]

This question already has answers here:
Escaping single quote in PHP when inserting into MySQL [duplicate]
(8 answers)
Closed 7 years ago.
I'm having an issue with my MySQL query/php, I try to update a row in my database that will work usually, but when the string has a ' in it, for example
I don't like green eggs and ham.
The ' in it will cancel the whole response out and not update the row, so if I put something like this without the ' for example:
I dont like green eggs and ham.
The string will save to the row. Below is the MySQL query used and where I get the string from.
$NewMessage = $_POST['message123'];
mysql_query("UPDATE Account SET `function` = 'Message', `note` = '$NewMessage' WHERE `id` = '$ID' AND `Online` = '1'");
If you need any more source or anything, please let me know. Let me know what you think, thanks!
Use *_real_escape_string
$NewMessage = mysql_real_escape_string($_POST["message123"]);
But of course, the mysql_* API is already deprecated and I would recommend that you use a prepared statement instead.
Hey friend, you need to replace the single ' with '' (two single quotes). Then it will insert your value into the table correctly; otherwise it generates an error.
Use real escape string where we need a value like doest. If we want the value in the database like does't, then the right way is to use '' (two single quotes), not a double quote.
Simply use addslashes(). To read more about it, click here.
E.g. in your code simply use addslashes(), something like this:
$NewMessage = addslashes($_POST['message123']);
I hope it will work for you.
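The failure described in this question and the prepared-statement fix the first answer recommends, as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite database as a stand-in so it runs offline (with MySQL only the DSN changes); the table contents and the message value are constructed.

```php
<?php
// Added example, not code from the thread.
// Assumption: PDO + in-memory SQLite stands in for the poster's MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the question's Account table.
$pdo->exec("CREATE TABLE Account (id INTEGER PRIMARY KEY, `function` TEXT, note TEXT, Online INTEGER)");
$pdo->exec("INSERT INTO Account (id, `function`, note, Online) VALUES (1, '', '', 1)");

$newMessage = "I don't like green eggs and ham."; // stands in for $_POST['message123']
$id = 1;

// Before: the value is pasted into the SQL text. The apostrophe closes the
// string literal early, so the statement no longer parses. The same gap is
// what lets crafted input change the meaning of the query.
$concatFailed = false;
try {
    $pdo->exec("UPDATE Account SET note = '$newMessage' WHERE id = '$id' AND Online = '1'");
} catch (PDOException $e) {
    $concatFailed = true;
}

// After: the SQL text is fixed and the values are sent separately, so no
// escaping function (mysql_real_escape_string, addslashes) is involved.
$stmt = $pdo->prepare(
    "UPDATE Account SET `function` = 'Message', note = :note WHERE id = :id AND Online = 1"
);
$stmt->execute([':note' => $newMessage, ':id' => $id]);

$stored = $pdo->query("SELECT note FROM Account WHERE id = 1")->fetchColumn();

var_dump($concatFailed);           // did the concatenated statement fail?
var_dump($stored === $newMessage); // was the message stored unchanged?
```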

One SQL statement to deal with both NULL and a STRING possibility for same value

I have a strange situation I have never run into before.
I am calling data from an API and updating my database to match exactly. An issue arises when the value comes back NULL.
My SQL statement:
$update_entry = "UPDATE clientpatientrelationships SET APILastChangeDate=$APILastChangeDate WHERE Id='$Id'";
The reason I have no quotes around the $APILastChangeDate variable is that to use NULL, I can't use single quotes. But when the value is a string, it needs the quotes. Here lies my issue. Also, part of my issue is the need for a triple equal sign when setting a variable to NULL.
I can get each of the following individual statements to work one at a time:
$APILastChangeDate="'0000-00-29 00:00:00'";
$update_entry = "UPDATE clientpatientrelationships SET APILastChangeDate=$APILastChangeDate WHERE Id='$Id'";
And
$APILastChangeDate===NULL;
$update_entry = "UPDATE clientpatientrelationships SET APILastChangeDate=$APILastChangeDate WHERE Id='$Id'";
Without the triple equal sign, the NULL value will not work when inside a variable. But, with triple quotes, the string value will not work.
I am trying to write a single function to handle all of this, but I can't figure out the === along with the quotes or no quotes.
My function:
function null_test($value)
{
if (is_null($value)){
return NULL;
} else {
return "'".$value."'";
}
}
Since the value coming back from the API might be NULL or, say, 25 - I can't figure out how to write a single function with a single update statement to handle this.
The only way I have gotten this to work is to use two different update statements with an IF clause to test if(is_null($value)).
I have done research on google, but to no avail. Is it possible to handle both a NULL or a string in one SQL statement?
I worked with PHP some years ago. When I built queries, I always used sprintf; it's a good way to build queries in PHP, and you can use str_replace to replace the value 'NULL' with NULL. You have to do something like this:
$arrayNulls = array("'null'", "'NULL'");
$query = sprintf ("UPDATE clientpatientrelationships SET APILastChangeDate='%s' WHERE Id='%s'", $APILastChangeDate, $Id);
$query = str_replace($arrayNulls, "NULL", $query);
I hope this information helps you.
Good Luck.
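Bound parameters let one UPDATE statement carry either SQL NULL or a string, because the value never becomes part of the SQL text. The following is an added example, not code from the question or the answer; it assumes PDO with an in-memory SQLite stand-in, and the helper name setLastChange and all row values are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumption: PDO + in-memory SQLite stands in for the poster's MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the question's table.
$pdo->exec("CREATE TABLE clientpatientrelationships (Id TEXT PRIMARY KEY, APILastChangeDate TEXT)");
$pdo->exec("INSERT INTO clientpatientrelationships VALUES ('a1', 'old'), ('b2', 'old'), ('c3', 'old')");

// One statement for every case: the placeholder takes NULL or a string.
$update = $pdo->prepare(
    "UPDATE clientpatientrelationships SET APILastChangeDate = :changed WHERE Id = :id"
);

// Hypothetical helper: binds PHP null as SQL NULL, anything else as a string.
function setLastChange(PDOStatement $update, string $id, ?string $changed): void
{
    $type = $changed === null ? PDO::PARAM_NULL : PDO::PARAM_STR;
    $update->bindValue(':changed', $changed, $type);
    $update->bindValue(':id', $id, PDO::PARAM_STR);
    $update->execute();
}

// Constructed API results: a date string, a real null, and the text "NULL".
setLastChange($update, 'a1', '2016-03-29 00:00:00');
setLastChange($update, 'b2', null);
setLastChange($update, 'c3', 'NULL');

$rows = $pdo->query("SELECT Id, APILastChangeDate FROM clientpatientrelationships ORDER BY Id")
            ->fetchAll(PDO::FETCH_KEY_PAIR);

var_dump($rows['a1']);            // the date string as sent
var_dump($rows['b2'] === null);   // SQL NULL comes back as PHP null
var_dump($rows['c3'] === 'NULL'); // the text "NULL" stays text, not SQL NULL
```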

Using reserved word in sql update query in php overwrites the whole table

I am currently working on a PHP project and used the word 'value' as a column name. The problem is that when I run the query, it overwrites all entries in the database, even though I have a delimiter (primary key = *). I have tried everything I can think of to get this to work, and it hasn't yet. Here is the complete line of code:
$SqlStatement = "UPDATE rev_exp SET Date_Entered = '".date('Y-m-d')."', Description = '".$_POST['txtUtilityType']." ".$_POST['txtAccountNumber']." ".$_POST['txtDateAdded']."', `Value` = ".$_POST['txtValueBalance'].", Notes = '".$_POST['txtNotes']."' WHERE PK_Rev_Exp = ".$row['FK_Rev_Exp'];
Note here, that $row['FK_Rev_Exp'] is the delimiter I was talking about. It is being pulled accurately from a previous query. Also, please ignore any sql injection problems, I'm just working on getting the project functional, I can optimize later.
EDIT 1: I have also tried enclosing the "value" in everything I can think of that may get rid of this problem, but no luck.
EDIT 2: I also don't think it is a problem with the statement itself, as I directly entered the statement into the mysql command line and it only affected 1 row, possibly a php problem?
EDIT 3: Full block, including the execution of the SQL. Here, ExecuteSQL runs all necessary mysqli statements to execute the SQL command. It takes in a SQL statement and a true/false for whether there is a result set:
$SqlStatement = "UPDATE rev_exp SET Date_Entered = '".date('Y-m-d')."', Description = '".$_POST['txtUtilityType']." ".$_POST['txtAccountNumber']." ".$_POST['txtDateAdded']."', `Value` = '".$_POST['txtValueBalance']."', Notes = '".$_POST['txtNotes']."' WHERE PK_Rev_Exp = ".$row['FK_Rev_Exp'];
ExecuteSQL($SqlStatement, false);
I can't figure it out, and any help would be appreciated.
I think your problem is not about MySQL reserved keywords, because you correctly surrounded Value with backticks and that makes the database understand this is a field. I'm more concerned about treating non-integers as integers, so I would suggest surrounding your value with quotes '' since it is a decimal:
`Value` = '".$_POST['txtValueBalance']."',

MySQL/PHP Check Login Details [duplicate]

This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I am having trouble getting this SQL command to work correctly. (I know this code is insecure, I just need to get it working first.)
When I run this I get the error: "Unknown column 'username' in 'where clause'"
$login_username = $_POST['username'];
$login_password = $_POST['password'];
$lc = "SELECT * FROM user WHERE username = $login_username AND password = $login_password";
$lcr = mysql_query($lc);
$lcgr = mysql_num_rows($lcr)or die(mysql_error());
If you are getting that error it means that your user table has no column called username.
Secondly, your code is open to SQL Injection. You should validate and secure your $_POST values.
Also, you should perform the die check on mysql_query rather than mysql_num_rows.
Try using the quotes in the query:
$lc = "SELECT * FROM user WHERE username = '$login_username' AND password = '$login_password'";
It appears that username in your query is not the correct column name. Can you check?
Do you have the column 'username' in your 'user' table? Try DESC user so you're sure of what your field names are in the table and you can amend your query accordingly.
You'll also want to encapsulate your strings (presumably username and password are strings) in quotes.
You've already alluded to knowing your code is insecure so I'll leave any injection commentary out :)
First - do you have a column named "username" in the user table in your database?
Second - put $login_username and $login_password in single quotes as they are strings, right?
