I have a table called pack_details with 4 columns. I'm trying to insert new data into an existing table. Can somebody tell me what's wrong with my codes and why i have a parse error?
$sql_query = "UPDATE pack_details SET $delivery_date = $_POST["delivery_date"], $delivery_time = $_POST["delivery_time"]
WHERE $delivery_building = $_POST["delivery_building"]
AND $delivery_room = $_POST["delivery_room"]";
Try any from below options:
$sql_query = "UPDATE pack_details SET $delivery_date = '{$_POST['delivery_date']}', $delivery_time = '{$_POST['delivery_time']}' WHERE $delivery_building = '{$_POST['delivery_building']}' AND $delivery_room = '{$_POST['delivery_room']}'";
or
$sql_query = "UPDATE pack_details SET delivery_date = '".$_POST["delivery_date"]."', delivery_time = '".$_POST["delivery_time"]."' WHERE delivery_building = '".$_POST["delivery_building"]."' AND delivery_room = '".$_POST["delivery_room"]."'";
Note: If field name doesn't contain $, remove $ from field name in query. For eg. "$delivery_date" should be "delivery_date"
Suggestion: Instead of using string concatenation for building, You should use bind parameters to pass value to query. It helps to prevent SQL injection as well as code look well.
Related
I am trying to update varchar cell in SQL users table. Now the value of groups_id is 3. $last_id = 4. I want to change it to 3, 4. Could you please tell me what I am doing wrong?
With this code the value remains the same
$sql = "UPDATE registration.users SET groups_id = groups_id+', $last_id' WHERE username = '$user_name'";
$update_groups_id = $db->query($sql);
$val = $groups_id . ", ".$last_id;
$sql = "UPDATE registration.users SET `groups_id` = '$val' WHERE username = '$user_name'";
$update_groups_id = $db->query($sql);
your SQL query is wrong, you are not concatenating variables properly, try doing this way, I think it should help you
There is a syntax fault in your $sql object as you use +', $last_id'. If you want to append in PHP you can use . in string context
Also I'm pretty sure you can leave the '' from the variables so '$last_id' will become $last_id
But more important is that you do not check for any security issues. I hope $user_name and $last_id are not just taken from the input as SQL injections are possible.
I recommend you to look at mysqli_prepare and mysqli_bind
After logging into ones account and clicking 'Accept' button the system should insert a sequence of numbers in mysql table under "otp" column for validation purpose. The problem here is I want to make it dynamic in the WHERE clause. It should recognize and insert otp according to user ids itself.
Following is the code.
if(isset($_POST['generate']))
{
$num = (rand(111111, 999999));
file_get_contents("somelink");
$query = mysqli_query($con, "UPDATE users SET otp='".$num."' WHERE id = 21");
$qry_run = mysqli_query($con, $query);
mysqli_close($con);
header("location: otp.php");
}
You should not use var concatenated with your sql .. this behavior can allow sql injection so you should use prepare bind_param and execute
and assuming you have in var the valure for match the id you coould use this var for param too
$con = $con->prepare("UPDATE users SET opt = ? WHERE id = ?");
$con->bind_param('ii', $num, $id);
$num = (rand(111111, 999999));
$id = 21;
$con->execute();
mysqli_close($con);
Have you thought about using RAND() in SQL?
UPDATE users SET otp = RAND() WHERE id = 21
I'm trying to create a function for my forum that will increment my user's "Posts" attribute by 1. For whatever reason, the following PHP does not work.
function postCountIncrease($username) {
//get the connection variable
global $con;
//change to the users database (this function works correctly)
sqlconnect_users();
//get current post number (this is also working)
$getCurrentPosts = "SELECT Posts\n"
. "FROM users\n"
. "WHERE Username='".$username."'";
$query1 = mysqli_query($con, $getCurrentPosts) or die(mysqli_error($con));
$currentPosts = mysqli_fetch_array($query1);
//here is the problematic post. Assume that $username is a valid value, and that I've already done mysqli_real_escape_string() on it
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
$query2 = mysqli_query($con, $incrementPostsQuery) or die(mysqli_error($con));
//return the result
$result = mysqli_fetch_array($query2);
return $result;
}
I honestly don't see what I'm doing wrong, because the SQL works fine. If I use UPDATE users.users SET Posts=1 WHERE Username='Lampitosgames' in the console, it works with no errors. Help is much appriciated. Also, here is the error it is throwing at me:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 WHERE Username='Lampitosgames''
You can not concatenate that way "toto ".$var+1, you have to surround with brackets "toto ".($var+1)
In your case, this is declaration of var $incrementPostsQuery which fails
Look at your errors, your syntax is off
$getCurrentPosts = "SELECT Posts
FROM users
WHERE Username='$username'";
The error is in the building of your query.
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
I'll suggest you some tips to create query like this:
"update table set field = value"; // you can write the value directly
"update table set field = ". $value; // easy
"update table set field = ". ($a+$b); // ...
"update table set field = {$value}"; // you can add a variable with curly braces
"update table set field = {$va[3]}"; // more compless way
"update table set field = {$a->b}"; // an object field
So I am using CONCAT to combine 2 strings together and want to update a TEXT field in my database by adding a new string onto the end of the existing string.
// This code works great. will add "EXTRA" at end of the feed.
$insert = ("update $username set feed = CONCAT(feed, 'EXTRA')");
mysql_query($insert);
// This code doesn't work. not sure what to change in the variable area?
$extra = "EXTRA";
$insert = ("update $username set feed = CONCAT(feed, '$extra')");
mysql_query($insert);
I tried many variations of the variable declaration but can't seem to get it to work like i can when i just write in a string. any help or insight is appreciated.
thanks!
I think you mixed up your SQL here:
"update $username set feed = CONCAT(feed, 'EXTRA')"
$username = TABLE NAME ??
And looks like you probably want to update a field WHERE it equals a certain $username which would be:
"update TABLENAME set feed = CONCAT(feed, '$extra') WHERE username = '$username'"
Look example query:
UPDATE table_name SET field1 = CONCAT(field1, "new data" ) WHERE field2 = value;
and adjust to your needs.
To get the word 'EXTRA' at the end of feed I think you need to do something like this:
$insert = ("update $username set feed = CONCAT(feed, '" . $extra . "')");
I have a number of textareas, each with a unique assigned name (name="adcode$ID", for example). When I try to pass those names to the code below, it doesn't work because of the dynamic part.
if (isset($_POST['editadapp'])) { // Edit AD
$newadcode = mysql_real_escape_string($_POST['.adcode$ID.']);
$doedit = "UPDATE ads SET adcode = '".$newadcode."') WHERE ads_ID=$ID" or die(mysql_error());
$updatead = mysql_query($doedit) or die(mysql_error());
header("Location: " . $_SERVER['PHP_SELF']);
How can I resolve this?
There is so much wrong with this that it's frightening.
Firstly,
$doedit = "UPDATE ads SET adcode = '".$newadcode."') WHERE ads_ID=$ID" or die(mysql_error());
That code snippet is wrong on many levels.
The sql syntax is wrong
The sql is formatted with strings from user input (see parameterization of queries here
or die() should not be used here, you're creating a string
Ideally you should have code like:
$dbh = new PDO('connectionstring to connect to your database');
$sql = 'update ads set adcode = ? where ads_id = ?';
$sth = $dbh->prepare($sql);
$sth->execute(array($_POST['adcode' . $ID], $ID));
Other topics:
Are Paramerterized queries necessary in pdo?
prepared queries with pdo
Preventing sql injection in php
You seem to be attempting string concatenation. Here's how to do that correctly:
$newadcode = mysql_real_escape_string($_POST['adcode' . $ID]);
The following line should simply create a string containing your SQL query; you don't execute it until the next line, there is no function call so the or die is out of place. You also mix concatenation with interpolation (variable names within a double quoted string) which is fine but probably not helping you understand your syntax issues, so let's be consistent:
$doedit = "UPDATE ads SET adcode = '" . $newadcode . "' WHERE ads_ID = " . $ID;
you should use array like adcode[<?php echo $ID;?>] at your page where the text area is and a hidden field name=adID[$ID]. At the page where the query executes
$adID = $_POST['adID'];
$newadcode = mysql_real_escape_string($_POST['adcode']);
$N = count($adID);
for($i=0;$N<$i;$i++){
$doedit = mysql_query("UPDATE ads SET adcode = '$newadcode[$i]' WHERE ads_ID=$adID[$i];") or die(mysql_error());