MySQL Update with variables in PHP - php

mysql_connect('localhost', 'root', '')
or die(mysql_error());
mysql_select_db('shuttle_service_system')
or die(mysql_error());
$ID_No=$_POST['ID_No'];
$CurrentBalance = $_POST['CurrentBalance'];
$AddedAmount = $_POST['AddedAmount'];
$NewBalance = $CurrentBalance + $AddedAmount;
$sql = ("UPDATE balance
SET Balance= '$NewBalance'
WHERE ID_No= '$ID_No' ");
$result=mysql_query($sql);
if($result){
echo"Transaction successful!";
} else {
echo "&nbsp Error";
}
Hi guys, I'm trying to update certain values in my database with the use of variables. It updates when I use brute force and not variables. I know my variables are working because I printed them before querying the update.

Remove the parentheses around this UPDATE statement:
$sql = ("UPDATE balance
SET Balance= '$NewBalance'
WHERE ID_No= '$ID_No' ");
It should be:
$sql = "UPDATE balance
SET Balance= '$NewBalance'
WHERE ID_No= '$ID_No' ";
Also, add mysql_error() to read the exact error when your query fails:
$result=mysql_query($sql) or die(mysql_error());
This extension (mysql_*) is deprecated as of PHP 5.5.0 and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to prepared statements is even better to ward off SQL injection attacks!

You forgot to add the (dot) concatenation operator.
$result = mysql_query("UPDATE balance SET Balance='".$NewBalance."' WHERE ID_No='".$ID_No."';");
This approach is bad and you might want to read this post to prevent SQL injection.

Related

Using php $_SESSION in sql statements

I'm trying to update a table in my database. This is the code I have so far:
$query =
"UPDATE user
SET name='$name', pword='$pword', email='$email', address='$address', city='$city', state='$state', zip='$zip'
WHERE uname ='" . $_SESSION['uname'] . "'";
My page renders correctly but the table is never updated with the new data. I assume it's because the code can't figure out the whole $_SESSION part of this argument. Any ideas?
I'm trying to add this code to populate the $_SESSION['uname'] part of this...
$uname = $_SESSION["sname"]["uname"];
I'm trying to figure out where the sname came from myself...
There are lots of problems with this. It's very vulnerable to SQL injection, to begin with.
But the reason it's not updating your table is that $query is just a string. You don't show a MySQL, MySQLi, or PDO connection anywhere, and you don't show that you're executing the statement on a connection.
Based on your comment above, the problem is that $_SESSION['uname'] is either an empty string or undefined. Your problem isn't in this query; it's in some other part of your code.
<?php
session_start(); // $_SESSION is only available after the session has been started

// Connect first; on failure $link is false, so report the connection error, not mysqli_error($link)
$link = mysqli_connect("myhost", "myuser", "mypassw", "mybd") or die("Error " . mysqli_connect_error());

// Look up the user name; adapt table and condition to your schema
$query = "SELECT uname FROM mytable WHERE somecondition LIMIT 1";
$result = mysqli_query($link, $query) or die("Error " . mysqli_error($link));

$user = null;
while ($row = mysqli_fetch_assoc($result)) {
    $user = $row["uname"];
}
$_SESSION['uname'] = $user;
?>
Here is some basic PHP to get the user from the DB into SESSION; adapt it to your db. Don't forget session_start.

Trouble with MYSQL update column for one selection

I'm having trouble getting this to update when needed. This is an opt-out script intended to update the selected email row with the value of 1 in the removed column. I can't seem to get it to update and I'm thinking it's an issue with my SQL. Any help in understanding this is much appreciated.
As a note:
I'm making it to "Sorry there seems to be an issue with........."
Here is the script.
<?php
if (isset($_GET['e'])) {
include_once "../storescripts/connect_to_mysql.php";
$email = $_GET['e'];
$sql_delete = mysql_query("UPDATE test WHERE email='$email' SET removed = '1'");
if (!$sql_delete) {
echo "Sorry there seems to be and issue when trying to remove your listing. Please email Admin directly using this email address: chris#.com";
} else {
echo "Sorry to see you go! You will not receive our newsletter ever again unless you relist. To gain access to our newsletter again simply let us know by email at chris#.com";
}
}
?>
Try:
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'");
The problem is your syntax; have a look at the MySQL UPDATE syntax for where the WHERE clause should go and where SET should go: http://dev.mysql.com/doc/refman/5.0/en/update.html.
You would have seen this problem had you used proper error handling, like follows:
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'") or die(mysql_error());
Have a look at mysql_real_escape_string http://www.php.net/manual/en/function.mysql-real-escape-string.php, to prevent SQL injection. Example:
$email = mysql_real_escape_string($email);
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'") or die(mysql_error());
Also note that the mysql_ extension is deprecated; you want to start using mysqli or PDO.
Use SET before your WHERE clause.
UPDATE test
SET removed = '1'
WHERE email = '$email'
The update syntax is
UPDATE
table
SET
column = value
WHERE
condition = met
On another note, I see you're using a very unsafe method of dynamic entries ($_GET), and mysql_* functions are deprecated in new versions of PHP >= 5.5. I'd highly recommend researching PDO for the use of bind variables; otherwise you can easily get "hacked" if
$_GET['e'] = "fake' OR '1'='1" // known as sql injection
Good Read
How to prevent SQL injection in PHP?
Why shouldn't I use mysql_* functions in PHP?
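The following is an added example, not code from any of the answers above. It runs the opt-out UPDATE from this question against an in-memory SQLite table (assumes PHP with the pdo_sqlite extension; the table, rows and inputs are constructed here) once with the interpolated string from the question and once as a prepared statement, so the printed counts show that the input from the answer above flags every row in the first case and no row in the second.

```php
<?php
// Added example: effect of the interpolated UPDATE versus a prepared statement.
// Assumption: pdo_sqlite is available; table and rows below are constructed test data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE test (email TEXT PRIMARY KEY, removed INTEGER NOT NULL DEFAULT 0)");
$pdo->exec("INSERT INTO test (email) VALUES ('alice@example.com'), ('bob@example.com'), ('carol@example.com')");

// Number of rows currently flagged as removed, so each variant's effect can be inspected.
function removedCount(PDO $pdo): int {
    return (int) $pdo->query("SELECT COUNT(*) FROM test WHERE removed = 1")->fetchColumn();
}

// Clears the flag between the two runs.
function resetRemoved(PDO $pdo): void {
    $pdo->exec("UPDATE test SET removed = 0");
}

// Variant 1: the string interpolation used in the question. Whatever is in $email
// becomes part of the SQL text, including any quote characters.
function optOutInterpolated(PDO $pdo, string $email): int {
    $sql = "UPDATE test SET removed = '1' WHERE email='$email'";
    echo "executing: $sql\n";
    return $pdo->exec($sql); // rows affected
}

// Variant 2: a prepared statement. The value travels separately from the SQL text,
// so it can only ever be compared against the email column, never parsed as SQL.
function optOutPrepared(PDO $pdo, string $email): int {
    $stmt = $pdo->prepare("UPDATE test SET removed = 1 WHERE email = ?");
    $stmt->execute([$email]);
    return $stmt->rowCount();
}

$input = "fake' OR '1'='1"; // the constructed input quoted in the answer above

optOutInterpolated($pdo, $input);
printf("interpolated: %d of 3 rows flagged removed\n", removedCount($pdo));

resetRemoved($pdo);
optOutPrepared($pdo, $input);
printf("prepared:     %d of 3 rows flagged removed\n", removedCount($pdo));

optOutPrepared($pdo, 'bob@example.com');
printf("prepared, real address: %d of 3 rows flagged removed\n", removedCount($pdo));
```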
You are right, your UPDATE syntax is incorrect. This is the correct form:
UPDATE test
SET removed = '1'
WHERE email = '$email'
Your query should be
mysql_query("UPDATE test SET removed = '1' WHERE email='$email'");
But please notice that this extension is deprecated.
Use MySQLi or PDO_MySQL instead.
The solution in both extensions is as follows.
MySQLi:
$mysqli = new mysqli(GDB_HOST, GDB_USERNAME, GDB_PASSWORD, GDB_NAME);
$cmd = $mysqli->prepare("UPDATE test SET removed = '1' WHERE email= ? ");
$cmd->bind_param('s', $email);
$cmd->execute();
PDO
$dbh = Database::connect();
$query = "UPDATE test SET removed = '1' WHERE email= ? ";
$sth = $dbh->prepare($query);
$sth->execute(array($email));
One of the big advantages of using one of these two extensions is the fact that you avoid any attempt at SQL injection.

not updating the sql database

I wrote the following code, but it's not updating the database. It's part of a script and it ceased to work. Can't find a way around it; need suggestions.
<?php
$link = mysql_connect('xxxxxxxx');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("xxx", $link);
$usernames='aneeshxx';
echo $usernames;
$update = "INSERT sanjana SET $name ='$usernames'";
mysql_query($update, $link);
$update1 = "INSERT INTO sanjana (name)VALUES ($usernames)";
mysql_query($update1, $link);
?>
$update = "INSERT sanjana SET $name ='$usernames'";
This is probably meant as an UPDATE statement, so for an update it should be
$update = "UPDATE sanjana set name = '$usernames'";
I put name and not $name due to your second query and not seeing $name being defined anywhere. Be aware that this will change the value in the column name of every row in the sanjana table to the value of $usernames, normally a statement such as this gets limited by conditions, e.g. WHERE userid = 33
$update1 = "INSERT INTO sanjana (name) VALUES ($usernames)";
For an INSERT statement the values need to be quoted, so
$update1 = "INSERT INTO sanjana (name) VALUES ('$usernames')";
Be wary that this way of putting variables directly into your query string makes you vulnerable to SQL injection. To combat this, please use the PDO or mysqli extensions; they both protect you from injection by providing you with prepared statements. Plain old mysql_* is not recommended for use anymore.
Using PDO you'd use prepared statements like this:
<?php
// we got $usernames from wherever you define it
$pdo = new PDO('mysql:dbname=mydb;host=localhost', 'username', 'password');
// to insert
$statement = $pdo->prepare('INSERT INTO `sanjana` (name) VALUES (:name)');
// the following replaces :name with $usernames in a safe manner, defeating sql injection
$statement->bindParam(':name', $usernames);
$statement->execute(); // it is done
// to update (same table as above; without a WHERE clause this touches every row)
$statement = $pdo->prepare('UPDATE `sanjana` SET `name` = :name');
$statement->bindParam(':name', $usernames);
$statement->execute(); // it is done
So, as you can see, protecting your code from malicious input is not hard, and it even makes your SQL statements a lot easier to read. Did you notice that you didn't even need to quote your values in the SQL statement anymore? Prepared statements take care of that for you! One less way to have an error in your code.
Please do read up on it, it will save you headaches. PDO even has the advantage that it's database independent, making it easier to use another database with existing code.
The right UPDATE SQL clause is like so:
UPDATE table
SET column = expression;
OR
UPDATE table
SET column = expression
WHERE predicates;
SQL: UPDATE Statement
Your query should be like this:
$update = "UPDATE sanjana SET $name ='$usernames'";
mysql_query($update, $link);
Of course you need to specify a row to update (id); otherwise the whole table will have column $name set to $usernames.
UPDATE:
Because you are inserting data into an empty table, you should first execute the $update1 query and then execute the $update query. An UPDATE clause will make no change/insert on an empty table.
Problem 1: use the correct "INSERT INTO" (create new record) vs. "UPDATE" (modify existing record).
Problem 2: It's good practice to create your SQL string before you call mysql_query(), so you can print it out for debugging.
Problem 3: It's also good practice to detect errors.
EXAMPLE:
<?php
$link = mysql_connect('xxxxxxxx')
    or die('Could not connect: ' . mysql_error());
mysql_select_db("xxx", $link);
$usernames = 'aneeshxx';
// build the statement first (string concatenation uses ".", not "+") so it can be printed
$sql = "INSERT INTO sanjana (name) VALUES ('" . $usernames . "')";
echo "sql: " . $sql . "...<br/>\n";
mysql_query($sql, $link)
    or die(mysql_error());
You have the INSERT keyword in your update SQL; this should be changed to UPDATE:
$update = "UPDATE sanjana SET $name ='$usernames'";

PHP/MYSQL Update query not working

Can anyone tell my why this update query is not working?
if ($_GET['update']) {
include 'config.php';
//Connect to MYSQL Database server
$connect = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die("Could not connect to MYSQL Database.");
$result = mysql_select_db(DB_NAME, $connect) or die("Could not connect to MYSQL table.");
mysql_query("UPDATE contact SET read = 1 WHERE id = '$_GET[update]'")or die("Query failed.");
echo "Update works!";
} else {
echo "Update does not work...ughh.";
}
Thank you in advance.
Edit: I got the query to work. For anyone who was worrying about the security, I was using this script as a test to see if I wanted to use it. I just added the security now that the script works. Thank you all for the help and tips.
What is column read?
mysql_query("UPDATE contact SET read = 1 WHERE id = '$_GET[update]'")
Judging by the non-capitalization of read, I suspect you are using a reserved word in MySQL for that column.
See:
Reserved Words in MySQL
To get around this, just put a single quote around read, i.e.
mysql_query("UPDATE contact SET 'read' = 1 WHERE id = '$_GET[update]'")
Or better per j.bruni:
mysql_query("UPDATE contact SET `read` = 1 WHERE id = '$_GET[update]'")
Try this for your query line:
mysql_query("UPDATE contact SET read = 1 WHERE id = '".$_GET[update]."'")or die("Query failed: " . mysql_error());
Notice the change of the die() statement for better error handling:
die("Query failed: " . mysql_error());
*Also, just an FYI, you should really escape user variables (e.g. GET variables) like so to prevent SQL injections:
mysql_query("UPDATE contact SET read = 1 WHERE id = '".mysql_real_escape_string($_GET[update])."'")or die("Query failed: " . mysql_error());
Please report back the result.
I believe you need to escape the string to have $_GET['update'] add its value to the string. But you really should be using prepared statements, lest you be attacked by malicious users.
Prepared Statements: http://php.net/manual/en/pdo.prepared-statements.php
READ is a reserved word. You need to put it within backticks or rename your field.
Take a look at this link:
http://dev.mysql.com/doc/refman/5.5/en/reserved-words.html
You can test it like so:
mysql_query("UPDATE contact SET read = 1 WHERE id = '".(int)$_GET['update']."'")or die("Query failed.");
If this isn't the specific problem:
mysql_query("UPDATE contact SET read = 1 WHERE id = '.$_GET[update].'")or die("Query failed.");
echo "Update works!";
Please try not to use mysql_query. It's old and it's not efficient. Why not try to learn about PDO and prepared statements?

sql UPDATE error?

I've followed all the MySQL tutorials correctly but it still won't update the values in my table. Can someone please help me? These are my values below:
$editid = $_GET['id'];
$newtitle = $_POST['title'];
$newsneak = $_POST['sneak'];
$newbody = $_POST['body'];
$connect = mysql_connect("localhost","username","password") or die("Couldn't Connect. ");
mysql_select_db("dr") or die ("Couldn't Find DB.");
$query = mysql_query("SELECT * FROM news WHERE id=$editid");
$numrows = mysql_num_rows($query);
if($numrows=!0)
{
$querytitle = mysql_query("UPDATE news SET title=$newtitle WHERE id=$editid");
$querysneak = mysql_query("UPDATE news SET summary=$newsneak WHERE id=$editid");
$querybody = mysql_query("UPDATE news SET body=$newbody WHERE id=$editid");
header("Location: ../index.php");
}
On your select (add mysql_error to check the error):
$result = mysql_query("SELECT * FROM news WHERE id='$editid'");
if (!$result) {
die('Invalid query: ' . mysql_error());
}
On your update:
$querytitle = mysql_query("UPDATE news SET title='$newtitle' WHERE id='$editid'");
$querysneak = mysql_query("UPDATE news SET summary='$newsneak' WHERE id='$editid'");
$querybody = mysql_query("UPDATE news SET body='$newbody' WHERE id='$editid'");
Use single quotes around input data; also use mysql_real_escape_string() to avoid SQL injection.
PHP mysql_real_escape_string
As per #Tchalvak's suggestion to include a mention of binding: these are more up-to-date tools against SQL injection, plus better optimization, but keep in mind PDO and MySQLi are supported if you have PHP 5+:
PHP PDO
and
PHP MySQLi
Can I add as well: once you finish debugging, please remove any mysql_error() output? This is awesome info for attackers since it reveals database details. Either log it or don't show errors; it adds a little extra security.
You want to use the mysql_error function to see what error your query returns.
As Jeremy Conley pointed out, pay attention not to let the mysql_error function output get published in your production HTML.
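The following is an added example, not code from any of the answers above. It rewrites the news update from this question as one prepared UPDATE with the id bound as an integer, replaces the SELECT + mysql_num_rows check with the statement's row count, and keeps database error details in the server log rather than in the HTML, as the last two answers advise. It assumes PHP with the pdo_sqlite extension; the table, seed row and form values are constructed here.

```php
<?php
// Added example: hardened form of the news update. Assumption: pdo_sqlite is available;
// table, seed row and the stand-in request values below are constructed test data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures become exceptions
$pdo->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, summary TEXT, body TEXT)");
$pdo->exec("INSERT INTO news (id, title, summary, body) VALUES (7, 'old', 'old', 'old')");

// Updates one article in a single statement. Returns true if exactly one row matched,
// false if no row has that id; database errors propagate as PDOException to the caller.
function updateNews(PDO $pdo, int $id, string $title, string $sneak, string $body): bool {
    $stmt = $pdo->prepare(
        "UPDATE news SET title = :title, summary = :summary, body = :body WHERE id = :id"
    );
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':summary', $sneak, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT); // a string like "7 OR 1=1" can never get here
    $stmt->execute();
    // Note: on MySQL, rowCount() reports changed rows unless PDO::MYSQL_ATTR_FOUND_ROWS is set,
    // so an update that leaves the values unchanged would report 0 there.
    return $stmt->rowCount() === 1;
}

// Stand-ins for $_GET['id'] and the $_POST fields. filter_var rejects a non-numeric id
// before it gets anywhere near the SQL text.
$rawId = "7";
$editid = filter_var($rawId, FILTER_VALIDATE_INT);
if ($editid === false) {
    exit("Invalid article id.\n");
}
$newtitle = "Release notes";
$newsneak = "What's new";
$newbody  = "It's out; quotes like ' and \" are just data to a bound parameter.";

try {
    if (updateNews($pdo, $editid, $newtitle, $newsneak, $newbody)) {
        echo "Article $editid updated.\n";
    } else {
        echo "No article with id $editid.\n";
    }
} catch (PDOException $e) {
    error_log("news update failed: " . $e->getMessage()); // details go to the server log only
    echo "The update could not be saved.\n";                // the visitor learns nothing about the DB
}
```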
