I try to update a row in a database, but I can't do that. Here is my sql:
$sql = "UPDATE `voting_nomination_counter`
SET `quantity`=quantity+1
WHERE `nid` = '$nid'
AND nominee = '$nominee'";
I suspect the problem is here - AND nominee = '$nominee'"; because when I remove this from the query all works and updates fine. Help, please.
Try this:
$sql = "UPDATE voting_nomination_counter SET quantity=quantity+1 WHERE nid = '$nid' AND nominee = '$nominee'";
I solve this problem, if I want to update WHERE string = string I just need to use this statement UPDATE table SET field = REPLACE(field, 'string', 'anothervalue') WHERE field LIKE '%string%';, thanks guys!)
#excluded_once Looks like you were able to solve your issue. So in future do not ever use variable names directly into SQL string. Always use db_query or db_select and then always bind the variables into SQL, it will help you prevent from SQL injections and other attacks.
Related
I'm trying to retrieve a filename from a database from table HORSE and column HORSE_IMAGE
$path = "horse_images/".$row["HORSE_IMAGE"];
$query = "DELETE FROM HORSE WHERE HORSE_ID=".$_GET["horseno"]." AND HORSE_IMAGE=".$row["HORSE_IMAGE"];
Currently HORSE_IMAGE returns nothing, but if I change it to HORSE_ID or HORSE_NAME, it works.
i.e. If i echo $row["HORSE_NAME"] it returns "You Beauty".
If I look up the row in the database I can see the filename shop-1.jpg is there.
Any ideas?
If you want to change a single column of a row, use an UPDATE statement. DELETE is for removing complete rows only. And yes, escape anything before using it in your query.
"UPDATE HORSE SET HORSE_IMAGE = NULL WHERE HORSE_ID=".(int)$_GET["horseno"];
As far as I understood the question, ToBe's answer might be correct, but you really should consider using PDO for MySql queries, in order to prevent Sql injection.
Try:
<?php
$query = "UPDATE HORSE SET HORSE_IMAGE = NULL WHERE HORSE_ID = ?";
$db = new PDO(dsn, username, password);
$prep = $db->prepare($query);
$res = $prep->execute(array((int)$_GET["horseno"]));
?>
Take a look at the documentation: http://php.net/manual/de/book.pdo.php
I have a variable, $ids
It is a , separated string so it can be $ids = "1" or $ids = "1, 3, 7, 8"
What i want to do is update the database based on these values so i have :
$query = "UPDATE Fields SET Value = '1' WHERE Id IN '$ids'";
And also:
$query = "UPDATE Fields SET Value = '1' WHERE Id '$ids'";
What is the best way to update the database, should i split the string in to an array, and then do a for each loop? or is there a better way?
Save the fact that it's wide open to SQL Injection, this line works for one or many id's:
$query = "UPDATE Fields SET Value = '1' WHERE Id IN ($ids)";
Now, to keep yourself from SQL Injection attacks, which is obviously up to you, you'd want to explode that array and send multiple update statements like this:
$query = "UPDATE Fields SET Value = '1' WHERE Id = :Id";
There's nothing inherently wrong with using an IN clause here. Any WHERE clause works for an UPDATE statement. You'll just want to treat the numbers as a list of values instead of a string. Something like this:
$query = "UPDATE Fields SET Value = '1' WHERE Id IN ($ids)";
The really important part is how you get the $ids value into the query in the first place. You don't show that in the question, but you'll want to make sure you're not opening yourself to a SQL injection vulnerability. Make sure you're properly sanitizing inputs and using prepared statements. How prepared statements handle lists of values vs. individual values is up to the data access technology being used.
Use this query:
$query = "UPDATE Fields SET Value = '1' WHERE Id IN ($ids)";
Where $ids should be formatted als 1,2,3,4. Don't forget to check them before execution (SQL Injection).
$get="SELECT dial_prod_total FROM dial_product WHERE dial_prod_id='$dpname'";
$idgen=mysql_query($get) or die(mysql_error());
$total=$idgen+$dpqty;
$dpbuy="UPDATE dial_product set dial_prod_total= '$total'".
"WHERE dial_prod_id='$dpname'";
$result1=mysql_query($dpbuy) or die(mysql_error());
I want to get the data in the column dial_prod_total using the ID stored in $dpname and then update the value and store in the same column. The value is replaced in the column but it's not the correct value. What is the mistake I have made? Please help me.
Why don't you just do
UPDATE dial_product SET dial_prod_total = dial_prod_total + $dpqty
WHERE dial_prod_id = '$dpname'
Your code is vulnerable to injection. You should use properly parameterized queries with PDO or mysqli.
You query can be rebuild as below.
"UPDATE dial_product set dial_prod_total = dial_prod_total + ".$total." WHERE dial_prod_id = ".$dpname." ";
This may be an easy questions but i am wondering if an "insert" sql statement can be writen with equals signs.
Example: Right now my sql looks like this and works fine:
$query = "INSERT INTO people (
id,
name,
) VALUES (
{$id},
'{$name}',
)
So i was wondering if i can write the sql statement like this or something similar to this using = signs:
$query = "INSERT INTO people
id = {$id},
name = '{$site_url}',
Thank you for any help. I am just looking for an easier way to write this code especially when i have a lot of form fields. Thanks.
Yes.
You have to use SET
$query = "INSERT INTO people
SET id = {$id},
name = '{$site_url}'";
INSERT INTO people SET id={$id}.....
http://dev.mysql.com/doc/refman/5.5/en/insert.html
Please refer to the second syntax.
For your example, I think it would look like:
$query = "INSERT INTO people
SET id={$id},
name={$name},
etc"
Just a simple SQL question - Bbut i can't figure out whats wrong
"UPDATE veranstaltungen
SET name = '$nameV', SET Datum = '$DatumV', SET beschreibung = '$beschreibungV'
WHERE id = '$id'"
I want to update the table row where the id is $id. But nothing happens here?
the variables are all correct
give it like
"UPDATE veranstaltungen SET name = '$nameV', Datum = '$DatumV', beschreibung = '$beschreibungV' WHERE id = '$id'"
but i can't figure out whats wrong
Mysql has a wonderful feature, personally for you. It is called mysql_error()
run this function and echo it's output to see what your server will tell about this query.
I believe that you can trust to your server much more than someone who passed along this question.