Can't get an equivalent mysqli prepared statement to execute successfully? - php

These lines of code seem to work fine:
if(isset($_POST['result'])) {
    if($_POST['result'] == 'true'){
        $delete_post_query = mysqli_query($con, "UPDATE posts SET deleted='yes' WHERE id='$post_id'");
        if($stmt = mysqli_prepare($con,$delete_post_query)){
        }
    }
}
However, the prepared equivalent below doesn't seem to execute:
if(isset($_POST['result'])) {
    if($_POST['result'] == 'true'){
        $delete_post_query = mysqli_query($con, "UPDATE posts SET deleted='yes' WHERE id=?");
        if($stmt = mysqli_prepare($con,$delete_post_query)){
            mysqli_stmt_bind_param($stmt, "s",$post_id);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_close($stmt);
        }
    }
}
I am quite confused by this and am fairly certain I am missing something obvious. Any suggestions/solutions?
UPDATE/EDIT:
I made a silly mistake copy/pasting the code, so I updated that as suggested.
Have also tried the binding parameters as an integer and as a double respectively.
I believe the issue has something to do with binding parameters, as when I replace the placeholder (i.e. '?') with the hardcoded variable $post_id, it works just fine.

Since you are using MySQLi, you could take a different approach to your code and use something like:
if(isset($_POST['result'])) {
    if($_POST['result'] == 'true'){
        $id = $_POST['post_id']; // make sure to define id
        $delete_post_query = "UPDATE posts SET deleted='yes' WHERE id=? LIMIT 1";
        if ($stmt = $mysqli->prepare($delete_post_query))
        {
            $stmt->bind_param("i",$id);
            $stmt->execute();
            $stmt->close();
        }
    }
}

You haven't passed a reference for any input parameter.
$delete_post_query = mysqli_query($con, "UPDATE posts SET deleted='yes' WHERE id='$post_id'");
This query says to delete and you have also given a $post_id, but below
mysqli_stmt_bind_param($stmt, "ss",$friend_array,$user_to_remove);
you have a binding parameter whose reference the server couldn't find. Your query should be like this:
$delete_post_query = mysqli_query($con, "UPDATE posts SET deleted='yes' WHERE id=?");
and the binding parameter should be like this. Since you have only one reference (?), you can only bind one parameter. Also, if id is an int then use i; if it is a string then use s.
mysqli_stmt_bind_param($stmt, "i",$user_to_remove);
//New Way
$stmt = $con->prepare("UPDATE posts SET DELETED='yes' WHERE id=?");
$stmt->bind_param("i",$user_to_remove);
$stmt->execute();
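The following is an added example, not code from the question or either answer. It shows the complete procedural mysqli flow for the first thread with error reporting switched on, so a failed prepare cannot pass silently. The key point is that the SQL text with the ? placeholder is handed to mysqli_prepare(); mysqli_query() would run the text immediately and return true/false, which is what the question's code then passed to mysqli_prepare() as the "query". It assumes an existing connection $con, a posts table with an integer id column, and a post_id form field (all assumptions, as in the thread).

```php
<?php
// Added example: correct prepare/bind/execute for the soft-delete in the first thread.
// Assumes: $con is a mysqli connection, posts.id is an integer column, the form sends
// 'result' and 'post_id' (assumptions, not from the original page).

// Turn mysqli failures into exceptions so a failed prepare/execute is never ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Soft-delete one post by id. Returns the number of rows changed (0 or 1).
 */
function markPostDeleted(mysqli $con, int $post_id): int
{
    // The placeholder text goes to mysqli_prepare(); the value never touches the SQL string.
    $stmt = mysqli_prepare($con, "UPDATE posts SET deleted='yes' WHERE id=? LIMIT 1");
    mysqli_stmt_bind_param($stmt, 'i', $post_id);   // 'i' because id is an integer column
    mysqli_stmt_execute($stmt);
    // 0 means no row has that id, or the row was already marked 'yes' (MySQL counts changed rows).
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

if (isset($_POST['result'], $_POST['post_id']) && $_POST['result'] === 'true') {
    // Validate the id before it reaches the database; reject anything that is not an integer.
    $post_id = filter_var($_POST['post_id'], FILTER_VALIDATE_INT);
    if ($post_id === false) {
        http_response_code(400);
        exit('invalid post id');
    }
    $changed = markPostDeleted($con, $post_id);
    echo $changed === 1 ? 'post deleted' : 'no post was changed';
}
```

With MYSQLI_REPORT_STRICT enabled (the default from PHP 8.1 onwards), mysqli_prepare() throws instead of returning false, so the `if ($stmt = mysqli_prepare(...))` pattern from the thread is no longer needed and a typo in the SQL surfaces as an exception with the server's message rather than as a statement that quietly never runs.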

Related

mysqli_multi_query and visiable of result on website

When I'm using mysqli_query, the website reloads after submitting the form with the change visible, but if I use mysqli_multi_query to change more than one table, the page displays "No result" (or whatever I have set to display if there's no result). But if I then reload the website manually, everything has been changed, which means the records are updated in the database. I need to change the page and get back again, or refresh, to see the result.
For example:
$query = "UPDATE tools SET quantity=quantity+$quantity WHERE id = $tools;";
$query .= "UPDATE tools SET quantity=quantity-$quantity_edit WHERE id = $tools;";
$query .= "UPDATE rent SET quantity=$quantity_edit WHERE id=$rent_id;";
mysqli_multi_query($db, $query);
If I submit the form with this code, the result will be "No result", but if I reload the page, I will see the result, e.g. the changed value. But if I do this:
$query = "UPDATE tools SET quantity=quantity+$quantity WHERE id = $tools;";
$query2 = "UPDATE tools SET quantity=quantity-$quantity_edit WHERE id = $tools;";
$query3 = "UPDATE rent SET quantity=$quantity_edit WHERE id=$rent_id;";
mysqli_multi_query($db, $query);
mysqli_multi_query($db, $query2);
mysqli_multi_query($db, $query3);
It will work as I expect: after submitting the form, the page will show the result.
Don't use mysqli_multi_query(). It is a special function, which has a very narrow use case that doesn't apply in your case.
You must use prepared statements instead.
You have 3 separate queries, so you need to prepare and execute 3 statements. This is the correct way to execute your SQL statements:
$stmt = $db->prepare('UPDATE tools SET quantity=quantity + ? WHERE id = ?');
$stmt->bind_param('ss', $quantity, $tools);
$stmt->execute();
$stmt = $db->prepare('UPDATE tools SET quantity=quantity - ? WHERE id = ?');
$stmt->bind_param('ss', $quantity_edit, $tools);
$stmt->execute();
$stmt = $db->prepare('UPDATE rent SET quantity = ? WHERE id = ?');
$stmt->bind_param('ss', $quantity_edit, $rent_id);
$stmt->execute();
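As an added example (not the answer's own code), the three prepared UPDATEs from the answer run inside one transaction. The three statements form a single unit of work: if the second or third fails, the first is rolled back, so the tools and rent tables cannot be left half-updated. It assumes a mysqli connection $db, InnoDB tables, integer ids and quantities, and the form field names shown (all assumptions).

```php
<?php
// Added example: the three UPDATEs as one transaction.
// Assumes: $db is a mysqli connection, the tables are InnoDB (transactional),
// and id/quantity columns are integers (assumptions, not from the original page).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

function applyRentChange(mysqli $db, int $tools, int $rent_id, int $quantity, int $quantity_edit): bool
{
    $db->begin_transaction();
    try {
        $stmt = $db->prepare('UPDATE tools SET quantity = quantity + ? WHERE id = ?');
        $stmt->bind_param('ii', $quantity, $tools);
        $stmt->execute();

        $stmt = $db->prepare('UPDATE tools SET quantity = quantity - ? WHERE id = ?');
        $stmt->bind_param('ii', $quantity_edit, $tools);
        $stmt->execute();

        $stmt = $db->prepare('UPDATE rent SET quantity = ? WHERE id = ?');
        $stmt->bind_param('ii', $quantity_edit, $rent_id);
        $stmt->execute();
        // A rent row that does not exist is a logic error, not a silent no-op.
        if ($stmt->affected_rows === 0) {
            throw new RuntimeException("rent row $rent_id not found or unchanged");
        }

        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollback();                                      // undo the earlier UPDATEs
        error_log('rent update failed: ' . $e->getMessage()); // log server-side; do not echo SQL errors
        return false;
    }
}

// Form input validated as integers before any of it reaches the database (constructed usage).
$fields = [];
foreach (['tools', 'rent_id', 'quantity', 'quantity_edit'] as $name) {
    $value = filter_input(INPUT_POST, $name, FILTER_VALIDATE_INT);
    if (!is_int($value)) {            // null = missing, false = not an integer
        http_response_code(400);
        exit("invalid or missing field: $name");
    }
    $fields[$name] = $value;
}
echo applyRentChange($db, $fields['tools'], $fields['rent_id'], $fields['quantity'], $fields['quantity_edit'])
    ? 'Updated'
    : 'No result';
```

The answer's 'ss' type string also works because MySQL coerces the strings, but binding numeric columns as 'i' rejects non-numeric input at the PHP layer, and the rollback guarantees that a failure in the rent table cannot leave the tools quantities changed.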

add PHP variable in SQL WHERE

On my first UPDATE statement, I'm trying to have my WHERE value contain the variable $couponCode, but it does not work as of now. This is so that the correct row updates depending on what the input is. Any help would be appreciated.
if ($couponCode == $coupons_db3['coupon_code']){
    echo $couponCode;
    $stmt = $db->prepare('UPDATE promocode_3 SET used = 1 WHERE coupon_code ='.$couponCode);
    $stmt = $db->prepare('UPDATE usr_customer_profile SET packageid = 3 WHERE usrcustomerid = :usrcustomerid');
    $stmt->bindValue(':usrcustomerid', $_SESSION['usrcustomerid'], PDO::PARAM_INT);
    $stmt->execute();
    break;
}
You need to bind the couponCode as well.
if ($couponCode == $coupons_db3['coupon_code']){
    echo $couponCode;
    $stmt = $db->prepare('UPDATE promocode_3 SET used = 1 WHERE coupon_code =:couponCode');
    $stmt->bindValue(':couponCode', $couponCode, PDO::PARAM_STR);
    $stmt->execute();
    $stmt = $db->prepare('UPDATE usr_customer_profile SET packageid = 3 WHERE usrcustomerid = :usrcustomerid');
    $stmt->bindValue(':usrcustomerid', $_SESSION['usrcustomerid'], PDO::PARAM_INT);
    $stmt->execute();
    break;
}
Edit
Please ignore. #Bira's answer is more accurate.
Try this:
$stmt = $db->prepare("UPDATE promocode_3 SET used = 1 WHERE coupon_code ='".$couponCode."'");
You missed the quote in the coupon code value.
P.S. I don't know which database you are using. Please mention that next time. :)
This should work, but it's not an ideal use of a prepared statement, because with prepared statements you should give the parameters only at the time of execution.
"prepare" should only compile an SQL statement, and the parameters should be passed later on.
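The point made at the end of the thread, prepare() compiles the statement once and the values are supplied at each execute(), as an added example that is not from the question or the answers. An in-memory SQLite database stands in for the MySQL tables so the script runs offline; the table, its rows and the input codes are constructed for the example.

```php
<?php
// Added example: one prepared PDO statement, executed once per value.
// Assumes an in-memory SQLite database as a stand-in for the real promocode_3 table
// (constructed for the example; the real code would connect to MySQL instead).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // failed statements throw
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);           // bind server-side where the driver supports it

$db->exec('CREATE TABLE promocode_3 (coupon_code TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO promocode_3 (coupon_code) VALUES ('SPRING10'), ('WELCOME'), ('VIP')");

/**
 * Mark each coupon code in $codes as used. The statement is prepared once and
 * executed once per code; returns the codes that actually matched an unused row.
 */
function markCouponsUsed(PDO $db, array $codes): array
{
    // Compiled once; the coupon code is never concatenated into the SQL text.
    $stmt = $db->prepare('UPDATE promocode_3 SET used = 1 WHERE coupon_code = :couponCode AND used = 0');
    $marked = [];
    foreach ($codes as $code) {
        $stmt->bindValue(':couponCode', $code, PDO::PARAM_STR);
        $stmt->execute();
        if ($stmt->rowCount() === 1) {     // 0 rows: unknown code, or already used
            $marked[] = $code;
        }
    }
    return $marked;
}

// Constructed input: a valid code, the same code a second time (already used, so no row
// changes), and a value containing a quote, which the concatenated query in the question
// would have turned into a syntax error but which a bound parameter handles as plain data.
print_r(markCouponsUsed($db, ['SPRING10', 'SPRING10', "O'BRIEN"]));
```

The `AND used = 0` condition makes the update idempotent: a code submitted twice is reported as used only the first time, and rowCount() tells the caller whether the UPDATE matched anything, which the question's code never checked.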

Escaping MySQL UPDATE (IF LENGTH)

I've created an UPDATE statement that updates only if the string's length is greater than 0.
I'm trying to escape quotes within my UPDATE statement once the condition is met. I've been using addslashes($name), but with this new condition addslashes no longer works.
Previous:
$mysqli->query("UPDATE table SET name='".addslashes($name)."' WHERE id=1") or die($mysqli->error);
Current:
$mysqli->query("UPDATE table SET name=IF(LENGTH($name)=0, name, '$name') WHERE id=1") or die($mysqli->error);
Where do I place addslashes() for this function to correctly escape characters? Will this function even work within this particular MySQL statement for PHP?
The problem with your second query is that $name inside the call to LENGTH needs to be in quotes too, i.e.
$mysqli->query("UPDATE table SET name=IF(LENGTH('$name')=0, name, '$name') WHERE id=1") or die($mysqli->error);
To use addslashes in that query, you would write:
$mysqli->query("UPDATE table SET name=IF(LENGTH('".addslashes($name)."')=0, name, '".addslashes($name)."') WHERE id=1") or die($mysqli->error);
But really you should consider using a prepared statement instead; then you won't have to worry about escaping quotes. Additionally, you should check the length of $name in PHP and not run the query at all if it is empty. Something like this should work (I'm assuming you have a variable called $id which stores the id value for the update).
if (strlen($name)) {
    $stmt = $mysqli->prepare("UPDATE table SET name=? WHERE id=?");
    $stmt->bind_param('si', $name, $id);
    $stmt->execute() or die($stmt->error);
}
If you have multiple pieces of data to update, you could try something like this:
$name = 'fred';
$city = '';
$state = 'SA';
$id = 4;
$params = array();
// keep only the non-empty values; the column names come from this fixed list, not from the request
foreach (array('name','city','state') as $param) {
    if (strlen($$param)) $params[$param] = $$param;
}
$sql = "UPDATE table SET " . implode(' = ?, ', array_keys($params)) . " = ? WHERE id = ?";
$types = str_repeat('s', count($params)) . 'i';
$params['id'] = $id;
$stmt = $mysqli->prepare($sql);
// array_values(): an array with string keys cannot be unpacked into bind_param()'s arguments
$stmt->bind_param($types, ...array_values($params));
$stmt->execute() or die($stmt->error);
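As an added example (not the answer's own code), the dynamic UPDATE from the answer written as a reusable function. Column names are taken only from a fixed allow-list, never from the request, so the only user-controlled data are the values, and those all travel as bound parameters. It also handles the case the answer's snippet does not: when every optional value is empty, no statement is built at all. It assumes a mysqli connection $mysqli and a table with an integer id column (assumptions).

```php
<?php
// Added example: allow-listed dynamic UPDATE builder.
// Assumes: $mysqli is a mysqli connection, the target table has an integer id column
// (assumptions, not from the original page).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Build "UPDATE `table` SET `col` = ?, ... WHERE id = ?" for the allowed columns that are
 * present and non-empty in $input. Returns [sql, types, values], or null if nothing to update.
 */
function buildUpdate(string $table, array $allowedColumns, array $input, int $id): ?array
{
    $assignments = [];
    $values = [];
    foreach ($allowedColumns as $column) {        // iterate the allow-list, not the input keys
        if (isset($input[$column]) && strlen((string) $input[$column]) > 0) {
            $assignments[] = "`$column` = ?";
            $values[] = (string) $input[$column];
        }
    }
    if ($assignments === []) {
        return null;                               // avoids the invalid "SET  = ? WHERE id = ?"
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $assignments) . " WHERE id = ?";
    $types = str_repeat('s', count($values)) . 'i';
    $values[] = $id;
    return [$sql, $types, $values];
}

/** Run the built statement and return the number of affected rows (0 when nothing to update). */
function runUpdate(mysqli $mysqli, string $table, array $allowedColumns, array $input, int $id): int
{
    $built = buildUpdate($table, $allowedColumns, $input, $id);
    if ($built === null) {
        return 0;
    }
    [$sql, $types, $values] = $built;
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param($types, ...$values);        // a plain list can be unpacked into bind_param()
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed input as it might arrive in $_POST: 'is_admin' is ignored because it is not
// in the allow-list, and the empty city is skipped as in the original answer.
$input = ['name' => 'fred', 'city' => '', 'state' => 'SA', 'is_admin' => '1'];
echo runUpdate($mysqli, 'table', ['name', 'city', 'state'], $input, 4), " row(s) updated\n";
```

For the constructed input, buildUpdate() produces `UPDATE `table` SET `name` = ?, `state` = ? WHERE id = ?` with the type string `ssi` and the values `['fred', 'SA', 4]`; the extra `is_admin` key never reaches the SQL because column names are only ever taken from the allow-list.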

Passing variable from URL + Selecting from SQL and Echoing it

Title is a little hard to understand, so basically I'm making a Pastebin clone and am attempting to do a kind of viewmember.php?id=1213 thing for viewing pastes. However, I can't figure it out at all. I've done a lot of research, and after finally understanding what I had to do (or so I thought) I made this up and don't know why it isn't working.
<?php
require 'connection.php';
$getid = $_GET["id"];
$sql = "SELECT * FROM pasteinfo WHERE id = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param("i", $getid);
echo $stmt;
?>
I'm probably just stupid. Thanks for the help.
You need to run the command to execute the query.
$sql = "SELECT field1, field2 FROM pasteinfo WHERE id = ?"; // Specify fields in query
$stmt = $con->prepare($sql); /* prepare the statement */
$stmt->bind_param("i", $getid); /* bind parameters for markers */
$stmt->execute(); /* execute query */
$stmt->bind_result($field1, $field2); /* bind result variables */
$stmt->fetch(); /* fetch value */
echo "Field 1:".$field1;
echo "Field 2:".$field2;
Reference: Example #1 mysqli::prepare() example
// execute, then fetch the result set and loop over the rows
// (mysqli's execute() only returns true/false; the rows come from get_result(), which needs the mysqlnd driver)
$stmt->execute();
$result = $stmt->get_result();
while ($val = $result->fetch_object()) {
    echo $val->item_name;
}
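The complete view page for this thread, as an added example that is not from the question or the answers. It adds the execute() step the question was missing, validates the id from the URL before it is used, and escapes the paste text on output so that user-supplied content renders as text rather than as HTML. It assumes connection.php creates a mysqli connection $con and that pasteinfo has columns id, title and content (the column names are assumptions).

```php
<?php
// Added example: viewpaste.php?id=1213 done with a prepared statement.
// Assumes: connection.php defines a mysqli connection $con; pasteinfo has
// columns id, title, content (assumptions, not from the original page).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require 'connection.php';

/** Fetch one paste by id, or null if none exists. */
function findPaste(mysqli $con, int $id): ?array
{
    $stmt = $con->prepare('SELECT id, title, content FROM pasteinfo WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();                             // the step missing from the question
    $row = $stmt->get_result()->fetch_assoc();    // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// The id from the URL is validated as a positive integer before it is used anywhere.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!is_int($id)) {                               // null = missing, false = not a valid integer
    http_response_code(400);
    exit('missing or invalid id');
}

$paste = findPaste($con, $id);
if ($paste === null) {
    http_response_code(404);
    exit('no such paste');
}

// Paste content is user-supplied text: escape on output so it is shown as text, not interpreted as HTML.
$title   = htmlspecialchars($paste['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
$content = htmlspecialchars($paste['content'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<h1>$title</h1>\n<pre>$content</pre>\n";
```

Echoing `$stmt` directly, as the question did, prints nothing useful because a mysqli_stmt object is not a result set; the rows only exist after execute(), and get_result() is what turns them into something you can fetch from.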

update mysqli query with set values

I can update my columns dynamically, but I don't know how to update them with set values (stupid, I know).
This is my sql code that updates the columns with set values:
if (isset($_POST['delete'])) {
    $sql = 'UPDATE users SET user_deletion_date = NOW(), user_deleted_by = '.$_SESSION['id'].', deleted = Y
            WHERE user_id = ?';
    if ($stmt->prepare($sql)) {
        // bind the query parameters
        $stmt->bind_param('i', $_GET['user_id']);
        // bind the result to variables
        $stmt->bind_result($user_id, $user_deletion_date, $user_deleted_by, $deleted);
        // execute the query, and fetch the result
        $done = $stmt->execute();
        $stmt->fetch();
    }
}
if ($done) {
    header('Location: update_users_confirm.php');
    exit;
}
This doesn't update the table at all. I know that the issue is with my bind_param; could someone please help?
Michael B's answer is most likely the solution. Change the $_GET to $_POST.
