Can't update mysql database with text - php

I can update my database using the following code:
$id = 1;
$client = 3456;
$sql = "UPDATE production SET client=$client WHERE id=$id";
However, if the $client variable is a text string (instead of numeric), it won't work.
$id = 1;
$client = "some text";
$sql = "UPDATE production SET client=$client WHERE id=$id";
The client field in my database is VARCHAR with a limit of 50 characters. Is there anything obvious I'm overlooking?

Add single or double quotes at the start and end of the string to make it a string in the MySQL query.
Replace
$sql = "UPDATE production SET client=$client WHERE id=$id";
With
$sql = "UPDATE production SET client='$client' WHERE id=$id";
The above can break if there is a single quote in the string, so you can use addslashes on the value.
Try
$sql = "UPDATE production SET client='".addslashes($client)."' WHERE id=$id";
Note:
There are SQL injection possibilities in the above query. Please try to use a prepared query to prevent SQL injection.
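The prepared-query approach recommended in the note above, as an added example that is not part of the original answer. It assumes PDO and uses an in-memory SQLite database with constructed sample rows so it runs without a server; against MySQL only the DSN passed to `new PDO` changes.

```php
<?php
// Added example: parameterized UPDATE for the production/client case.
// Assumptions: PDO with the pdo_sqlite driver and mbstring; the table
// contents below are constructed sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL, also turn off emulation so the server performs the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE production (id INTEGER PRIMARY KEY, client VARCHAR(50))');
$pdo->exec("INSERT INTO production (id, client) VALUES (1, '3456'), (2, 'untouched')");

/**
 * Update one row's client. The values travel separately from the SQL text,
 * so quotes or SQL keywords inside $client are stored as plain data.
 */
function updateClient(PDO $pdo, int $id, string $client): int
{
    if (mb_strlen($client) > 50) {            // the column is VARCHAR(50)
        throw new LengthException('client exceeds 50 characters');
    }
    $stmt = $pdo->prepare('UPDATE production SET client = :client WHERE id = :id');
    $stmt->bindValue(':client', $client, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();                 // number of rows changed
}

// Constructed inputs: plain text, an embedded quote, and text shaped like SQL.
$inputs = ['some text', "O'Brien & Sons", "x' WHERE 1=1 -- "];
foreach ($inputs as $client) {
    $changed = updateClient($pdo, 1, $client);
    $stored  = $pdo->query('SELECT client FROM production WHERE id = 1')->fetchColumn();
    $other   = $pdo->query('SELECT client FROM production WHERE id = 2')->fetchColumn();
    // Row 1 holds the input verbatim each time; row 2 is never touched.
    printf("changed=%d stored=%s row2=%s\n", $changed, var_export($stored, true), $other);
}
```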

Add single quotes in the query when you pass the string, like this:
$sql = "UPDATE production SET client='$client' WHERE id=$id";

Related

SQL syntax with simple WHERE

I'm having a problem with updating a table where the id matches the post-id. My code looks like this at the moment.
$id = $_POST['id'];
$vote =$_POST['vote'];
$sql = "UPDATE images SET votes=votes+1, value=value+$vote, WHERE 'id'='$id'";
$result = mysqli_query($conn, $sql) or die(mysqli_error($conn));
echo "hej då";
Try this
$sql = "UPDATE images SET votes=votes+1, value=value+'$vote' WHERE id='$id'";
The syntax of your query appears a bit off. Try removing the single quotes around $id in the WHERE clause, and also get rid of that trailing comma after the SET list.
$sql = "UPDATE images SET votes=votes+1, value=value+$vote WHERE id=$id";
$sql = "UPDATE images SET votes=votes+1, value=value+$vote, WHERE 'id'='".$id."'";

php mysql_query use variable as field name

I know that I shouldn't use mysql_query to make database queries, but I need to modify existing code.
What I need to do is pass a PHP variable as the field name of an SQL query.
I've tried it this way:
$my_field = "field_name";
mysql_query("UPDATE my_table SET ".$my_field." =somevalue") or die(mysql_error());
But I've noticed that it's wrong, because the resulting query is
UPDATE my_table SET =somevalue
What's the correct way to do it?
You missed the closing quotes; change to:
mysql_query("UPDATE my_table SET ".$my_field." =somevalue") or die(mysql_error());
To check, assign the statement to a variable and echo it, as:
$my_field = "field_name";
$query = "UPDATE my_table SET ".$my_field." =somevalue";
echo $query; //see the output to check if it shows correct statement
Try this
$my_field = "my_field";
$my_value = "my_value";
$query = "UPDATE my_table SET $my_field=$my_value";
PHP allows variables to work inside double quotes.
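Placeholders can bind values but not column names, so a variable field name has to be checked against a fixed list before it goes into the SQL text. An added example, not part of the original answers: it uses PDO with in-memory SQLite in place of the legacy mysql_query, and the columns `title`, `status` and `is_admin` are hypothetical.

```php
<?php
// Added example: variable column name via allow-list, value via placeholder.
// Assumptions: PDO + pdo_sqlite; my_table's columns are hypothetical sample data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE my_table (id INTEGER PRIMARY KEY, title TEXT, status TEXT, is_admin INTEGER)');
$pdo->exec("INSERT INTO my_table (id, title, status, is_admin) VALUES (1, 'old', 'draft', 0)");

// Only these columns may be chosen at run time; is_admin is deliberately absent.
const UPDATABLE_COLUMNS = ['title', 'status'];

function updateField(PDO $pdo, int $id, string $field, string $value): int
{
    // Strict comparison: the name must equal a listed column exactly.
    if (!in_array($field, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('column not allowed: ' . var_export($field, true));
    }
    // $field is now one of our own literals, so interpolating it is safe;
    // the value still goes through a placeholder.
    $stmt = $pdo->prepare("UPDATE my_table SET `$field` = :value WHERE id = :id");
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

echo updateField($pdo, 1, 'status', "it's published"), " row updated\n";

// Constructed inputs that must be refused: an empty name (which would produce
// the "SET =somevalue" query from the question), a column outside the list,
// and a name carrying extra SQL.
foreach (['', 'is_admin', 'title = title, is_admin'] as $bad) {
    try {
        updateField($pdo, 1, $bad, '1');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
print_r($pdo->query('SELECT * FROM my_table')->fetch(PDO::FETCH_ASSOC));
```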

SQL Multiple Statements

I am using php and mysql to update rows in my DB. I have 4 update statements in a row, yet only the last one works. I have confirmed that the statements work if they are used alone, but when I have them executed one after another only the last one executed works. I am receiving no error messages. Any help? Thanks!
$sql = "UPDATE comlog SET name='$name1', message='$message1' WHERE id=1";
$sql = "UPDATE comlog SET name='$name2', message='$message2' WHERE id=2";
$sql = "UPDATE comlog SET name='$name3', message='$message3' WHERE id=3";
$sql = "UPDATE comlog SET name='$name', message='$message' WHERE id=4";
In the above code, only the row with id 4 is being updated.
The answer is simple.
You are declaring the same variable for EACH sql string.
You need to declare it something like:
$sql1 = "";
$sql2 = "";
$sql3 = "";
$sql4 = "";

My PHP SQL query is throwing errors, even though it works in the SQL console

I'm trying to create a function for my forum that will increment my user's "Posts" attribute by 1. For whatever reason, the following PHP does not work.
function postCountIncrease($username) {
//get the connection variable
global $con;
//change to the users database (this function works correctly)
sqlconnect_users();
//get current post number (this is also working)
$getCurrentPosts = "SELECT Posts\n"
. "FROM users\n"
. "WHERE Username='".$username."'";
$query1 = mysqli_query($con, $getCurrentPosts) or die(mysqli_error($con));
$currentPosts = mysqli_fetch_array($query1);
//here is the problematic post. Assume that $username is a valid value, and that I've already done mysqli_real_escape_string() on it
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
$query2 = mysqli_query($con, $incrementPostsQuery) or die(mysqli_error($con));
//return the result
$result = mysqli_fetch_array($query2);
return $result;
}
I honestly don't see what I'm doing wrong, because the SQL works fine. If I use UPDATE users.users SET Posts=1 WHERE Username='Lampitosgames' in the console, it works with no errors. Help is much appreciated. Also, here is the error it is throwing at me:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 WHERE Username='Lampitosgames''
You cannot concatenate that way: "toto ".$var+1; you have to surround it with brackets: "toto ".($var+1)
In your case, it is the declaration of the variable $incrementPostsQuery that fails.
Look at your errors, your syntax is off
$getCurrentPosts = "SELECT Posts
FROM users
WHERE Username='$username'";
The error is in the building of your query.
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
I'll suggest some tips for creating a query like this:
"update table set field = value"; // you can write the value directly
"update table set field = ". $value; // easy
"update table set field = ". ($a+$b); // ...
"update table set field = {$value}"; // you can add a variable with curly braces
"update table set field = {$va[3]}"; // a more complex way
"update table set field = {$a->b}"; // an object field

MySQL Query in PHP - Not Correct?

What is wrong with this query? It appears to be correct to me:
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id is $UID");
Modified it, NetBeans is still giving me an error. Here's my total code for the page:
$culture = $_POST["culture"];
if (isset($_POST["id"]))
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
else
mysql_query("INSERT INTO culture
VALUES(cult_desc='$culture')");
What's the value of $culture?
If it's a string, you'll need to encapsulate it with quotes.
Same thing for $UID.
Also, the 'is' in the where-condition should be '='
Also: watch out with this code. Make sure that $culture and $UID cannot contain any malicious values (e.g. malicious input from users).
cult_desc is probably a string, so you need to wrap it with ' '
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
Seeing the newly edited code, your update-statement is now correct, but your insert statement now is wrong.
Try:
mysql_query("INSERT INTO culture (cult_desc)
VALUES ('$culture')");
If SET cult_desc is a string then
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
or
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id = $UID");
Your problem is in the { and } of the if/else statement
$culture = $_POST["culture"];
if (isset($_POST["id"])){
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
}else{
mysql_query("INSERT INTO culture
VALUES(cult_desc='$culture')");
}
$sql = "UPDATE `culture` SET `cult_desc` = '$culture' WHERE `cult_id` = '$UID'";
Basically, you're using is instead of =
Depending on the data type of $culture and $UID you might be missing quotes. Cult_desc sounds like a string and thus $culture should be enclosed in quotes.
You should always check the output of mysql_error. http://php.net/manual/en/function.mysql-error.
I also usually use = instead of 'is' and also wrap all of my input data in quotation marks, e.g.
$sql = "UPDATE `culture` SET cult_desc = '".$culture."' WHERE cult_id = '".$UID."'";
