I want to +1 a value because when I return the book, this query will run and return the book but it doesn't return the value just keep subtracting the value of book thanks for helping me
$id=$_GET['id'];
$book_id = $_GET['book_id'];
if(isset($id)){
$b=mysqli_query($dbcon, "SELECT * FROM book WHERE book_id='$book_id'");
$row=mysqli_fetch_array($b);
$copies=$row['book_copies'];
$new = $copies++;
mysqli_query($dbcon,"UPDATE book ON book_copies = $new");
}
You can simply do
UPDATE book SET book_copies = book_copies + 1
WHERE book_id='$book_id'
Although this leaves your script at risk of SQL Injection Attack
Even if you are escaping inputs, its not safe!
Use prepared parameterized statements
You should be preparing and parameterising the query like this
$sql = "UPDATE book SET book_copies = book_copies + 1
WHERE book_id=?";
$stmt = $dbcon->prepare($sql);
$stmt->bind_param('i', $_GET['id']); // assuming integer here
$res = $stmt->execute();
if (! $res ) {
echo $dbcon->error;
exit;
}
You are using the update statement wrong it would something like this:
UPDATE table_name
SET column1 = value1, column2 = value2, ...
WHERE condition;
In your case you should try something like:
"UPDATE book SET book_copies=$new WHERE book_id='$book_id'"
Related
I am in need of some help, please? I can successfully do a MySQL query using:
IP_Address/fund_list.php?Id_Number=555666
With this below:
$ID = $_GET['Id_Number'];
$sql = "SELECT * FROM fund_list WHERE Number = ".$ID;
Now I want to use 2 different things in my web call. Like:
IP_Address/fund_list.php?Id_Number=555666&Name=Billy
But I don't know how to write the 'get' line below.
$ID = $_GET['Id_Number'] & $Name = $_GET['Name']; <-- Does not work
I would think the SQL select statement would be:
$sql = "SELECT * FROM fund_list WHERE TheNumber = .$ID AND TheName = .$Name";
All the things I look up online, the syntax is overly confusing, I can't dissect it and make something work. Thank you.
To start with you should really be preparing your statements, passing data directly from a query string into a SQL query is really dangerous. You should also avoid using * in your SELECTs if you insist on not preparing them.
Your issue in this case is you need '' around TheName =
$sql = "SELECT * FROM fund_list WHERE TheNumber = {$ID} AND TheName = '{$Name}'";
Regardless, what you should be doing is this:
$sql = "SELECT Param1, Param2 FROM fund_list WHERE TheNumber = ? AND TheName = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("is", $ID, $Name);
$stmt->execute();
$stmt->bind_result($param1, $param2);
while($stmt->fetch()) {
//Your code
}
That code prevents SQL injection attacks, and a number of other potential issues you can create not using PDO or mysqli prepared statements.
Edit per request:
$ID = $_GET['Id_Number'];
$Name = $_GET['Name'];
$sql = "SELECT * FROM fund_list WHERE TheNumber = {$ID} AND TheName = '{$Name}'";
$result = $conn->query($sql);
while($row = $result->fetch_assoc()) {
//your code
}
You need '' when comparing string parameters in SQL.
Have you tried doing this? This always works to me
$ID = $_GET['Id_Number'];
$Name = $_GET['Name'];
I want to know, can I just use prepared statements one time?
Here is my script:
$stm = $db->prepare("UPDATE
qanda AS ans1
JOIN qanda AS ans2 ON ans2.related = ans1.related
JOIN qanda AS ques ON ans2.related = ques.id
SET ans1.acceptedanswer = 1,
ans1.aadate = IF( ans1.id <> ?, ans1.aadate, ?)
WHERE ques.author_id = ? AND ans2.author_id = ?
");
$stm->execute(array($answer_id, time(), $_SESSION["Id"], $author_id));
$done = $stm->rowCount();
if ($done){
/* I don't use prepared statement here */
$stm1 = $db->prepare("UPDATE user SET rep = rep + 15 WHERE id = $author_id");
$stm1->execute();
}
As you see I didn't use prepared statement for second query. Because I did it for first query and if first query is working then I'm sure arguments are valid and don't need to bind them by prepared statement.
Please don't ask me why you don't want to use prepared statemen't for second query, because the reason is too long.
So what I'm doing is correct? Isn't there any security problem?
The straight answer is: yes, you can.
The reason why is actually up to you, since it's anyway good practice to use prepared statement whenever you pass values.
Also consider that, if you are not binding any parameter, it makes more sense to use the query() method, just to be explicit on the fact that you are not going to bind anything. So your second query would be
$stm1 = $db->query("UPDATE user SET rep = rep + 15 WHERE id = $author_id");
(see http://php.net/manual/en/pdo.query.php)
instead of
$stm1 = $db->prepare("UPDATE user SET rep = rep + 15 WHERE id = $author_id");
$stm1->execute();
Moreover you mentioned a dynamic query, but this is not the case of your sample code. Anyway I will give you an example of how two use prepared statement also on queries dynamically generated.
It's a silly example, but should be enough to give you an idea.
Assume we have some values to update 'email', 'date_of_birth' and 'website'. Let's say we want to do some check on this data before inserting them. I'll pretend we have a valid() function already in place.
$dynamic_sql = array();
$parameters[':date_of_bird'] = $date_of_birth;
if(valid($email)) {
$dynamic_sql['email_sql'] = "email = :email";
$parameters[':email'] = $email;
}
if(valid($website)) {
$dynamic_sql['website_sql'] = "website = :website";
$parameters[':website'] = $website;
}
if(count($dynamic_sql)>0) {
$dynamic_sql = ','.implode($dynamic_sql);
}
$query = "UPDATE user
SET date_of_birth = :date_of_birth $dynamic_sql
WHERE
user_id = :user_id";
$stm = $db->prepare($query);
$stm->execute($parameters);
This kind of approach will allow you to keep using prepared statement also with dynamically generated SQL.
Is this query right? Can i pass array key like this?
mysqli_query("UPDATE subjects SET has_notes = 1 WHERE sub_id = '$notes_data['sub']'");
If not please help me with a solution.
Thanks in advance
Im surprised no one told you to prepare that query:
/* create a prepared statement */
if ($stmt = mysqli_prepare($link, "UPDATE subjects SET has_notes = 1 WHERE sub_id = ?")) {
/* bind parameters for markers */
mysqli_stmt_bind_param($stmt, "i", $notes_data['sub']);
/* execute query */
mysqli_stmt_execute($stmt);
}
or the object oriented way:
/* create a prepared statement */
if ($stmt = $mysqli->prepare("UPDATE subjects SET has_notes = 1 WHERE sub_id = ?")) {
/* bind parameters for markers */
$stmt->bind_param("i", $notes_data['sub']);
/* execute query */
$stmt->execute();
}
Please read up on mysqli::prepare/mysqli_prepare
mysqli_query("UPDATE subjects SET has_notes = 1 WHERE sub_id = '".$notes_data['sub']."'");
A simply solution can be this:
mysqli_query('UPDATE subjects SET has_notes = 1 WHERE sub_id = ' . $notes_data['sub']);
Note: this solution is correct if sub_id is an integer field and $notes_data['sub'] is an integer too
otherwise:
mysqli_query("UPDATE subjects SET has_notes = 1 WHERE sub_id = '" . $notes_data['sub'] ."'");
You need to use { and } to enclose the value you're including:
mysqli_query("UPDATE subjects SET has_notes = 1 WHERE sub_id = '{$notes_data['sub']}'");
I'd encourage you, however, to seriously consider writing using MySQLi's prepared statements rather than building up the query like this - if the $notes_data['sub'] variable has come from the web then you'll be at serious risk of an SQL injection vulnerability.
Why not do something like this:
$stmt = mysqli_prepare($link, 'UPDATE subjects SET has_notes = 1 WHERE sub_id = ?');
mysqli_stmt_bind_param($stmt, 's', $notes_data['sub']);
mysqli_stmt_execute($stmt);
just a quick question about binding in php
I know if you do something like
$select = update my_table set name ='".$posted_name.'" where id=1;
and that is subjected to sql injection
but how will you bind the query below
$select = update my_table set name ='".$posted_name[$a].'" where id=1;
IN my bind array this is how I am binding anything without [$a]
for any example with the first statement I am doing
$select = update my_table set name =:p_update_name where id=1;
$bind_update = array('p_update_name' => $t_update_name);
Try like this:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
you don't have to make all the names equal.
$select = "update my_table set name =:whatever where id=1";
$bind_update = array('whatever' => $random_variable);
will do. so it can be any variable you can think of. As long as it's scalar variable though
When I run the following code:
// Loop through each store and update shopping mall ID
protected function associateShmallToStore($stores, $shmall_id) {
foreach($stores as $store_id) {
$sql .= 'UPDATE my_table SET fk_shmallID = :shmall_id WHERE id = :store_id';
$stmt = $this->db->prepare($sql);
$stmt->bindParam(':shmall_id', $shmall_id);
$stmt->bindParam(':store_id', $store_id);
$stmt->execute();
}
}
I get the following message:
Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters
I've also tried the following without success (without $stmt->bindParam):
$stmt->execute( array($shmall_id, $store_id));
I don't understand what I'm doing wrong.
UPDATE
I've updated my code to reflect what I actually got in my source code. There should not be any typos here.
UPDATE 2
I tried this, but I still get the same error message.
protected function associateShmallToStore($stores, $shmall_id) {
$i = 0;
$sql .= "UPDATE sl_store ";
foreach($stores as $store_id) {
$i++;
$sql .= 'SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id_'.$i.',';
}
$sql = removeLastChar($sql);
$stmt = $this->db->prepare($sql);
$stmt->bindParam(':shmall_id_'.$i, $shmall_id);
$i = 0;
foreach($stores as $store_id) {
$i++;
$stmt->bindParam(':store_id_'.$i, $store_id);
}
$stmt->execute();
}
This is the output of the SQL query:
UPDATE sl_store
SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id_1,
SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id_2
UPDATE 3
The code I endet up using was this:
foreach($stores as $store_id) {
$sql = "UPDATE sl_store SET fk_shmallID = :shmall_id WHERE id = :store_id";
$stmt = $this->db->prepare($sql);
$stmt->bindParam(':shmall_id', $shmall_id);
$stmt->bindParam(':store_id', $store_id);
$res = $stmt->execute();
}
It's just as the error says, you have mixed named and positional parameters:
:name (named)
:person_id (named)
? (positional)
More than that, you have the named parameter :person_id, but you're binding to :id.
These are your parameters, I'll call them P1, P2 and P3:
UPDATE my_table SET name = :name WHERE id = :person_id ?
^ P1 ^ P2 ^ P3
And this is where you bind them:
$stmt->bindParam(':name', $name); // bound to P1 (:name)
$stmt->bindParam(':id', $person_id); // bound to nothing (no such param :id)
You probably want to bind the second parameter to :person_id, not to :id, and remove the last positional parameter (the question mark at the end of the query).
Also, each iteration through the foreach loop appends more to the query, because you're using the concatenation operator instead of the assignment operator:
$sql .= 'UPDATE my_table SET name = :name WHERE id = :person_id ?';
You probably want to remove that . before =.
For more about this, take a look at the Prepared statements and stored procedures page in the PDO manual. You will find out how to bind parameters and what the difference is between named and positional parameters.
So, to sum it up:
Replace the SQL line with:
$sql = 'UPDATE my_table SET name = :name WHERE id = :person_id';
Replace the second bindParam() call with:
$stmt->bindParam(':person_id', $person_id);
Try:
$sql = 'UPDATE my_table SET name = :name WHERE id = :id';