I am writing PHP to update a user's balance, but my UPDATE query seems to be throwing an error when it is executed.
$student = $database->quote($_POST ["studentID"]);
$amount = $database->quote($_POST ["update_balance"]);
//sets query to update user balance
$query = "UPDATE `User` SET `balance`= (`.$amount.`) WHERE `userID`= (`.$student.`)";
//executes the query
$database->exec($query);
The 'studentID' and 'update_balance' are names of input fields being captured in the HTML.
Remove the (`. ... .`) parts and run the SQL query:
$query = "UPDATE `User` SET `balance`= '$amount' WHERE `userID`= '$student'";
You should use prepared statements, as they are considered much safer than any string-escaping mechanism:
$statement = $somePdoInstance->prepare("UPDATE user SET balance = :balance WHERE userId = :user_id");
$statement->execute(array(
"balance" => $amount, // the values from POST
"user_id" => $student
));
Now your update query should work fine and it's much safer.
I am trying to perform an insert with the information from a query on another table, using PHP and MySQL. I know that I have not done the protection against SQL injection correctly; I will solve that at the end. I tell you this because otherwise people only scold and do not contribute. Would you be kind enough to tell me how to use the value obtained from the query? Thank you.
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include("conection.php");
$credits = mysqli_real_escape_string($con, $_POST['credits']);
$namesec = mysqli_real_escape_string($con, $_POST['namesec']);
$change = mysqli_real_escape_string($con, $_POST['change']);
$stmt = $con->prepare("UPDATE students
SET student_credits = (student_credits + ?)
WHERE student_qr = ?");
$stmt->bind_param("is", $_POST['credits'], $_POST['namesec']);
$stmt->execute();
$insert_query = $con->prepare("INSERT INTO historical_credits (id_students, credits_paid)
SELECT id_students, ?
FROM students
WHERE student_qr = ?"
);
$insert_query->bind_param("is", $_POST['credits'], $_POST['namesec']);
$insert_query->execute();
mysqli_close($con);
?>
I want to use the value of id_student obtained from the query to insert it into a new table
You forgot to call fetch_assoc() to get the row that the query returns.
You also didn't quote $namesec in the SELECT query, so it's getting an error. This wouldn't be a problem if you used a parameter instead of substituting the variable.
But there's no need to do this in two queries. You can give a SELECT query as the source of the data in INSERT.
$insert_query = $con->prepare("
INSERT INTO historical_credits (id_students, credits_paid)
SELECT id_students, ?
FROM students
WHERE student_qr = ?");
$insert_query->bind_param("is", $_POST['credits'], $_POST['namesec']);
$insert_query->execute();
I have two update queries with different where statements.
Is it possible to do the job with a single one?
$sql = "update users set light = replace(light, '" . $clicked . ",', '') where userid = :aid";
$st = $db->prepare($sql);
$st->execute([":aid" => $_SESSION['userid']]);
$sql = "update users set seen = 'seen' where userid = :aid and xfrom = :axfrom";
$st = $db->prepare($sql);
$st->execute([
":axfrom" => $clicked,
":aid" => $_SESSION['userid']
]);
You could do this in a single update with the help of a CASE expression (PDO does not allow mixing ? with named placeholders, so the REPLACE argument gets a named one too; bind it to $clicked . ','):
UPDATE users
SET
light = REPLACE(light, :clicked, ''),
seen = CASE WHEN xfrom = :axfrom THEN 'seen' ELSE seen END
WHERE userid = :aid
Both your updates share a portion of the same WHERE logic, so we can leave that WHERE clause as is. For updating the seen column, we only make a change if the xfrom condition matches, otherwise we no-op.
Not sure if you should also be using a placeholder in the call to REPLACE, but other than this it is good that you are using prepared statements.
I'm sending form data to db with UPDATE query:
mysql_query("UPDATE users SET price = '100-200' WHERE login = '$login'");
mysql_query("UPDATE users SET city = '$city' WHERE login = '$login'");
My question is: how do I rebuild it to have a query which writes data to the db but does not remove the older values?
For example: if the user enters data for 'price' and 'city', and afterwards wants to change only 'city', the script with the update will wipe 'price' and leave a blank field in the db.
How do I make it update only city (as in the example) but leave price as it was before (100-200)? Is there a proper query for this?
You will want to do a check for NULL or empty variables before running the SQL Statements. Something like this:
if(!empty($price))
{
mysql_query("UPDATE `users` SET `price` = '".$price."' WHERE `login` = '".$login."';");
}
if(!empty($city))
{
mysql_query("UPDATE `users` SET `city` = '".$city."' WHERE `login` = '".$login."';");
}
Use "INSERT INTO table (column1, column2, column3) VALUES (val1, val2, val3)";
PS: mysql_* is deprecated; update to PDO or MySQLi.
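The question above asks how to update only the fields the user actually filled in. As an added example (not code from any of the answers), this builds the SET clause from a fixed whitelist of column names, so the request can only choose which whitelisted columns to touch, while every value is bound as a parameter. $pdo, the DSN, the `users`/`login` names and the sample input are assumptions.

```php
<?php
// Build "UPDATE ... SET a = :a, b = :b WHERE key = :key_value" for only the
// whitelisted columns that are present and non-empty in $input. Column and
// table names never come from the request, only from the developer's lists.
function buildPartialUpdate(array $input, array $allowedColumns, string $table, string $keyColumn): ?array
{
    $assignments = [];
    $params = [];
    foreach ($allowedColumns as $column) {
        // Fields the user left out or blank are skipped, so the stored value is kept.
        if (!isset($input[$column]) || $input[$column] === '') {
            continue;
        }
        $assignments[] = "`$column` = :$column";   // name from our whitelist
        $params[$column] = $input[$column];         // value goes through a bound parameter
    }
    if ($assignments === []) {
        return null; // nothing to update
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $assignments) . " WHERE `$keyColumn` = :key_value";
    return [$sql, $params];
}

// Returns the number of rows changed (0 when the form carried nothing to update).
function updateUserProfile(PDO $pdo, string $login, array $input): int
{
    $built = buildPartialUpdate($input, ['price', 'city'], 'users', 'login');
    if ($built === null) {
        return 0;
    }
    [$sql, $params] = $built;
    $params['key_value'] = $login;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Assumed connection; exceptions on error, real server-side prepares.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Constructed sample input: the user changed only the city and left price blank.
$changed = updateUserProfile($pdo, $_SESSION['login'] ?? '', ['city' => 'Berlin', 'price' => '']);
// Runs: UPDATE `users` SET `city` = :city WHERE `login` = :key_value  (price untouched)
```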
I am currently trying to run a query where the current value of a MySQL table column increases itself by 1. Let me show this with a MySQL query example:
$sql = mysql_query("UPDATE `table` SET quantity=quantity+1 WHERE id='$id'");
I am unable to do this in a PDO prepared statement:
$sql = "UPDATE `table` SET quantity=:quants+1 WHERE id=:userid";
$sql_prep = $db->prepare($sql);
$sql_prep->bindParam(":quants", what will i write here??);
$sql_prep->bindParam(":userid", $id);
$sql_prep->execute();
Help needed..! Thanks
You don't need to pass that as a parameter, just do:
$sql = "UPDATE `table` SET quantity=quantity+1 WHERE id=:userid";
$sql_prep = $db->prepare($sql);
$sql_prep->bindParam(":userid", $id);
$sql_prep->execute();
You don't need to protect quantity, as you're just incrementing a value already in the db.
$sql = "UPDATE `table` SET quantity=quantity+1 WHERE id=:userid";
You can also drop the bind line for :quants:
$sql_prep = $db->prepare($sql);
// NOT NEEDED --> $sql_prep->bindParam(":quants", what will i write here??);
$sql_prep->bindParam(":userid", $id);
$sql_prep->execute();
Prepared statements are for protecting data being inserted from the outside into your db via your query.
I have the following query
$products = $this->mysqliengine->query("select * from temp_all_product where download_status = 0") or die($this->mysqliengine->error); // error is a property, not a method
$temp_status_update = $this->mysqliengine->prepare("update temp_all_product set download_status = ? where id = ?") or die($this->mysqliengine->error);
$temp_status_update->bind_result($download_status, $id);
while($product = $products->fetch_assoc()) {
$id = $product['id'];
$download_status = 1;
$temp_status_update->execute();
}
In the above code I can select the values from the temp table but am unable to update the status. What is the problem here?
You need to use bind_param in your update statement instead of bind_result.
$temp_status_update->bind_param('dd', $download_status, $id);
The 'dd' just tells the system that each input is a number.
http://www.php.net/manual/en/mysqli-stmt.bind-param.php
#eggyal was merely suggesting that you could replace all your code with a single update statement. Your remark about LIMIT does not make much sense.
Suggestion: If you don't have much invested in mysqli then switch to PDO. It allows using named parameters which can make your code more robust and easier to maintain:
$sql = "UPDATE temp_all_product SET download_status = :status where id = :id";
$stmt = $pdo->prepare($sql);
$stmt->execute(array('status' => 1, 'id' => $product['id']));
Plus you can configure it to throw exceptions so you don't need all this error checking.
http://www.php.net/manual/en/book.pdo.php
http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/
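To make the PDO suggestion concrete, here is the question's select-then-mark loop rewritten for PDO with exceptions enabled, as an added example that is not part of the answers above. The DSN, credentials and the processDownload() callback are assumptions; the table and column names are the question's.

```php
<?php
// PDO configured so that any SQL error throws, removing the need for
// "or die(...)" after every call.
function makePdo(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                 // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Processes every pending product and marks it downloaded inside one
// transaction; returns the number of rows updated.
function markPendingDownloaded(PDO $pdo, callable $processDownload): int
{
    $select = $pdo->query('SELECT id FROM temp_all_product WHERE download_status = 0');
    // Prepare once, execute once per row with fresh values (named parameters).
    $update = $pdo->prepare('UPDATE temp_all_product SET download_status = :status WHERE id = :id');

    $updated = 0;
    $pdo->beginTransaction();
    try {
        foreach ($select as $product) {
            $id = (int) $product['id'];
            $processDownload($id);                      // assumed: the real download step
            $update->execute(['status' => 1, 'id' => $id]);
            $updated += $update->rowCount();
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();   // leave no half-marked batch behind
        throw $e;           // let the caller log or handle it
    }
    return $updated;
}

$count = markPendingDownloaded(makePdo(), function (int $id): void {
    // constructed stand-in for the download work done per product
});
echo "Marked $count product(s) as downloaded\n";
```

PDO's MySQL driver buffers result sets by default, which is what lets the UPDATE run while the SELECT's rows are still being iterated.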