The query isn't updating; I'm not sure what I've done wrong.
$q_result = mysql_query("UPDATE
users
SET
recovery_answer = '".$_POST['answer']."',
recovery_question = '".$_POST['question']."',
date_question_set = '" . mysql_real_escape_string($register_date) . "'
WHERE
username='" . mysql_real_escape_string($_SESSION['username']) . "'");
Can you echo "UPDATE
users
SET
recovery_answer = '".$_POST['answer']."',
recovery_question = '".$_POST['question']."',
date_question_set = '" . mysql_real_escape_string($register_date) . "'
WHERE
username='" . mysql_real_escape_string($_SESSION['username']) . "'" and post?
I'm having some issues with my queries in my model. I have this edit function and inside that is a foreach that controls what gets updated and inserted where. The problem I'm having is the last set of else statements that write to the communication table.
The records being written are tied to an overall campaign id. That id is stored to each record. So each record may have its own communication_id but they all would have the same campaign_id.
So currently setting the WHERE to campaign_id edits all records. I need to use the communication_id in this instance, but how do I get it before the communication queries? Say a record has communication_id 50; I want to get that id and then use that in the WHERE. I'm not sure how to do that though.
public function editCampaign($campaign_id, $data) {
    $this->db->query("UPDATE " . DB_PREFIX . "campaigns SET campaign_name = '" . $this->db->escape($data['campaign_name']) . "', campaign_giving_goal = '" . (float)$data['campaign_giving_goal']
        . "', code = '" . $this->db->escape($data['code']) . "', campaign_active = '" . $this->db->escape($data['campaign_active']) . "', campaign_giving_count_goal = '" . (float)$data['campaign_giving_count_goal'] . "', campaign_owner = '" . $this->db->escape($data['campaign_owner']). "'
        , date_beginning = '" . $this->db->escape($data['date_beginning']). "', date_ending = '" . $this->db->escape($data['date_ending']). "' WHERE campaign_id = '" . (int)$campaign_id . "'");
    $parent_id = 0;
    $this->db->query("DELETE FROM " . DB_PREFIX . "campaign_components WHERE campaign_id = '" . (int)$campaign_id . "'");
    //$this->db->query("DELETE FROM " . DB_PREFIX . "communication WHERE campaign_id = '" . (int)$campaign_id . "'");
    foreach($data['component_module'] as $component_data) {
        if ($component_data['component_type'] =='EVENT'){
            if(isset($component_data['component_parent_id'])){
                $parent_id = $component_data['component_parent_id'];
                $this->db->query("UPDATE " . DB_PREFIX . "product SET model = '" . $this->db->escape($component_data['component_type']) . "', date_starting = '" . $this->db->escape($component_data['component_start_date']). "', date_ending = '" . $this->db->escape($data['date_ending']). "', date_added = NOW() WHERE product_id = '" . (int)$parent_id . "'");
                $this->db->query("UPDATE " . DB_PREFIX . "product_description SET name = '" . $this->db->escape($component_data['component_name']) . "', language_id = '1' WHERE product_id ='" . (int)$parent_id . "'");
            }else{
                $this->db->query("INSERT INTO " . DB_PREFIX . "product SET model = '" . $this->db->escape($component_data['component_type']) . "', date_starting = '" . $this->db->escape($data['date_beginning']). "', date_ending = '" . $this->db->escape($data['date_ending']). "', date_added = NOW()");
                $parent_id = $this->db->getLastId();
                $this->db->query("INSERT INTO " . DB_PREFIX . "product_description SET name = '" . $this->db->escape($component_data['component_name']) . "', language_id = '1', product_id ='" . (int)$parent_id . "'");
                $this->db->query("INSERT INTO " . DB_PREFIX . "product_to_category SET category_id = '82', product_id ='" . (int)$parent_id . "' ");
            }
        }else{
            $this->db->query("UPDATE " . DB_PREFIX . "communication SET subject = '" . $this->db->escape($component_data['component_name']) . "', channel = '" . $this->db->escape($component_data['component_type']) . "', status = '" . $this->db->escape($component_data['component_status']) . "'
                , status_date = '" . $this->db->escape($component_data['component_start_date']). "', status = '" . $this->db->escape($component_data['component_status']) . "', created_by = '" . $this->db->escape($component_data['component_owner']) . "', date_added = NOW(), campaign_id = '" . (int)$campaign_id . "'");
        }
        $this->db->query("INSERT INTO " . DB_PREFIX . "campaign_components SET component_name = '" . $this->db->escape($component_data['component_name']) . "', component_type = '" . $this->db->escape($component_data['component_type']) . "', component_status = '" . $this->db->escape($component_data['component_status']) . "'
            , component_owner = '" . $this->db->escape($component_data['component_owner']). "', component_start_date = '" . $this->db->escape($component_data['component_start_date']). "', campaign_id = '" . (int)$campaign_id . "', parent_id = '" . (int)$parent_id . "'");
    }
    $this->cache->delete('parent_id');
    return $campaign_id;
}
Join with the communication table:
UPDATE campaigns AS ca
JOIN communication AS co ON ca.communication_id = co.communication_id
SET ca.col1 = val1, ca.col2 = val2, ...
WHERE co.campaign_id = $campaign_id
(I've left out all the PHP variables so you can see the general structure of the query.)
Hey guys, I am trying to pass data to my model, but for some reason I keep getting an "undefined customitem_id" in my model file. I am testing to see if it will even send to the model, so:
The code is as follows. My controller file, from customer.php:
$data['customitem_id']= 19;
if(isset($this->request->post['customitem_id'])) {
    $this->request->post['customitem_id'];
}
My code from:
public function editCustomer($customer_id, $data) {
    if (!isset($data['custom_field'])) {
        $data['custom_field'] = array();
    }
    $this->db->query("UPDATE " . DB_PREFIX . "customer SET customer_group_id = '" . (int)$data['customer_group_id'] . "', sales_representative = '" . $this->db->escape($data['username']) . "', firstname = '" . $this->db->escape($data['firstname']) . "', lastname = '" . $this->db->escape($data['lastname']) . "', email = '" . $this->db->escape($data['email']) . "', telephone = '" . $this->db->escape($data['telephone']) . "', fax = '" . $this->db->escape($data['fax']) . "', custom_field = '" . $this->db->escape(isset($data['custom_field']) ? serialize($data['custom_field']) : '') . "', newsletter = '" . (int)$data['newsletter'] . "', status = '" . (int)$data['status'] . "', approved = '" . (int)$data['approved'] . "', safe = '" . (int)$data['safe'] . "' WHERE customer_id = '" . (int)$customer_id . "'");
    $this->db->query("UPDATE " . DB_PREFIX . "custom_item SET customer_id = '" . (int)$customer_id . "' WHERE customitem_id = '" . (int)$customitem_id . "'");
It keeps giving me an undefined variable in the model file. How would I go about making sure it sends the data?
Thanks for your help.
Looks like you're passing an array $data to your editCustomer($customer_id, $data) right?
Try changing this from:
$this->db->query("UPDATE " . DB_PREFIX . "custom_item SET customer_id = '" . (int)$customer_id . "' WHERE customitem_id = '" . (int)$customitem_id . "'")
to
$this->db->query("UPDATE " . DB_PREFIX . "custom_item SET customer_id = '" . (int)$customer_id . "' WHERE customitem_id = '" . (int)$data['customitem_id'] . "'")
Note that I changed (int)$customitem_id to (int)$data['customitem_id'].
You're using variable $customitem_id in your model but in your controller it is $data['customitem_id']. You likely just need to change $customitem_id to $data['customitem_id'] in your model.
Here is my code; it works, no errors pop up, and the correct data for the variables is there.
When it's all done it shows Done for the last echo.
However, when I go into heidisql to view the database table, nothing has changed, even when I run the query in heidisql, still same results.
// Make connection to database
$connection = mysqli_connect($host,$user,$pass,$dbnm);
// Make query
$myQuery = "
UPDATE Ekhaya_Inventory SET
ekhaya_inventory_stock_item = '" . $stockItemPost . "',
ekhaya_inventory_stock_left = '" . $stockLeftPost . "',
ekhaya_inventory_stock_out = '" . $stockOutPost . "',
ekhaya_inventory_stock_minimum = '" . $stockMinimumPost . "',
ekhaya_inventory_stock_price_per_item = '" . $stockPricePIPost . "',
ekhaya_inventory_value_of_stock_left = '" . $stockValueOfStockLeftPost . "'
WHERE
ekhaya_inventory_stock_code = '" . $stockCodePost . "'
AND
ekhaya_inventory_stock_code = '" . $stockLocationPost . "'
";
mysqli_query($connection,$myQuery)or die("Error: ".mysqli_error($connection));
mysqli_close($connection)or die("Error: ".mysqli_error($connection));
echo "<br>Done";
WHERE
ekhaya_inventory_stock_code = '" . $stockCodePost . "'
AND
ekhaya_inventory_stock_code = '" . $stockLocationPost . "'
It is wrong because one field can't contain two different values at the same time.
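For the "query runs but nothing changes" symptom in this thread and in the first one on the page, here is an added example (not from any poster) of the inventory update with mysqli exceptions enabled, a prepared statement, and a check that tells a WHERE clause that matched nothing apart from a row that already held the submitted values. The column name ekhaya_inventory_stock_location and the connection details are assumptions; the post only shows the $stockLocationPost variable.

```php
<?php
// Added example, not from the posts: inventory update with mysqli exceptions,
// a prepared statement, and a check that tells "no row matched" apart from
// "row matched but values unchanged". Column ekhaya_inventory_stock_location
// is an assumption; the post only shows the $stockLocationPost variable.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw, no silent false
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

function updateStock(mysqli $db, array $in): string
{
    // WHERE compares two different columns; comparing the same column to two
    // values, as the posted query did, can never match a row.
    $stmt = $db->prepare(
        "UPDATE Ekhaya_Inventory SET
            ekhaya_inventory_stock_item = ?, ekhaya_inventory_stock_left = ?,
            ekhaya_inventory_stock_out = ?, ekhaya_inventory_stock_minimum = ?,
            ekhaya_inventory_stock_price_per_item = ?, ekhaya_inventory_value_of_stock_left = ?
         WHERE ekhaya_inventory_stock_code = ? AND ekhaya_inventory_stock_location = ?"
    );
    // s = string, i = integer, d = double; values are bound, never spliced into the SQL text
    $stmt->bind_param('siiiddss', $in['item'], $in['left'], $in['out'], $in['minimum'],
        $in['price'], $in['value'], $in['code'], $in['location']);
    $stmt->execute();
    $changed = $stmt->affected_rows; // counts rows whose values actually changed
    $stmt->close();
    if ($changed > 0) {
        return "updated $changed row(s)";
    }
    // affected_rows is 0 both when nothing matched and when the matched row
    // already held these values; count the matches to tell the two apart.
    $chk = $db->prepare("SELECT COUNT(*) FROM Ekhaya_Inventory
                          WHERE ekhaya_inventory_stock_code = ? AND ekhaya_inventory_stock_location = ?");
    $chk->bind_param('ss', $in['code'], $in['location']);
    $chk->execute();
    $chk->bind_result($matched);
    $chk->fetch();
    $chk->close();
    return (int)$matched === 0 ? 'no row matched the WHERE clause'
                               : 'row matched but already held these values';
}

// Constructed sample input standing in for the $...Post variables
$sample = ['item' => 'Maize meal 10kg', 'left' => 40, 'out' => 5, 'minimum' => 10,
           'price' => 89.99, 'value' => 3599.60, 'code' => 'MM10', 'location' => 'Store A'];
echo updateStock($db, $sample), "<br>Done";
```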
I have jTable working perfectly fine with adding/editing/removing records; however, I can't insert/update a record that contains an apostrophe! Someone please help!
Below is a snapshot of my code.
//Updating a record (updateAction)
$result = mysql_query("UPDATE teg_priority SET CustomerName = '" . $_POST["CustomerName"] . "', Service_Manager = '" . $_POST["Service_Manager"]. "', NGM = '" . $_POST["NGM"] . "', Tag = '" . $_POST["Tag"] . "', CBS = '" . $_POST["CBS"]. "' WHERE CIDN = " . $_POST["CIDN"] . ";");
//Return result to jTable
$jTableResult = array();
$jTableResult['Result'] = "OK";
print json_encode($jTableResult);
}
You can use addslashes on the variables before putting them in the query.
$result = mysql_query("UPDATE teg_priority SET CustomerName = '" . addslashes($_POST["CustomerName"]) . "', Service_Manager = '" . addslashes($_POST["Service_Manager"]). "', NGM = '" . addslashes($_POST["NGM"]) . "', Tag = '" . addslashes($_POST["Tag"]) . "', CBS = '" . addslashes($_POST["CBS"]). "' WHERE CIDN = " .addslashes( $_POST["CIDN"]) . ";");
This script is simply not working... can anyone tell me what I'm doing wrong?
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' AND SET date='". $date . "' AND SET html='" . $html . "' AND SET shortdesc='" . $shortdesc . "' AND SET link='" . $link . "' AND SET target='" . $target . "' AND SET sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
You aren't escaping your values so you are vulnerable to SQL injection and also construction of invalid statements. For example, if any of your input strings contain an apostrophe then it could cause your code to fail.
Have a look at prepared statements that will make it much easier to construct your queries with parameters.
In your query you will also need to use commas instead of AND SET.
$query = "UPDATE insight SET name='foo', date='2012-12-10' WHERE id=42";
The syntax for UPDATE is described in the MySQL documentation:
UPDATE syntax
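The jTable thread above and this one share the same root cause: request values spliced into the SQL text, so an apostrophe in the data breaks the statement and a crafted value can change it. As an added example that is not from any poster, here is the jTable update rewritten with a mysqli prepared statement; the table and column names are the ones the post used, the connection details are placeholders, and updatePriorityRow is a name chosen for this example.

```php
<?php
// Added example, not from the posts: the jTable update done with a mysqli
// prepared statement. The statement text is fixed and values are bound, so
// "O'Reilly" is stored as data and never reaches the SQL parser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw instead of returning false
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4'); // escaping and charset must agree; set it on the connection

function updatePriorityRow(mysqli $db, array $post): int
{
    // One placeholder per value; no concatenation of request data anywhere.
    $sql = "UPDATE teg_priority
               SET CustomerName = ?, Service_Manager = ?, NGM = ?, Tag = ?, CBS = ?
             WHERE CIDN = ?";
    $stmt = $db->prepare($sql);
    // CIDN was unquoted in the original query, i.e. numeric; cast it so a
    // non-numeric value becomes 0 and matches nothing rather than altering the SQL.
    $cidn = (int)($post['CIDN'] ?? 0);
    // 5 strings followed by 1 integer, in placeholder order
    $stmt->bind_param('sssssi',
        $post['CustomerName'], $post['Service_Manager'], $post['NGM'],
        $post['Tag'], $post['CBS'], $cidn);
    $stmt->execute();
    $rows = $stmt->affected_rows; // 0 means WHERE matched nothing (or values were already identical)
    $stmt->close();
    return $rows;
}

// Constructed sample input standing in for $_POST; the apostrophe is the case
// that broke the original string-concatenated query.
$sample = [
    'CustomerName'    => "O'Reilly & Sons",
    'Service_Manager' => 'A. Smith',
    'NGM'             => 'north',
    'Tag'             => 'priority',
    'CBS'             => 'yes',
    'CIDN'            => '12345',
];
$jTableResult = ['Result' => 'OK', 'Updated' => updatePriorityRow($db, $sample)];
print json_encode($jTableResult);
```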
Use it like this,
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
It's working... check now.
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
I ain't a pro at MySQL, but I'll give it a try.
I guess id is an integer. So, don't quote it.
Try this,
$query = "UPDATE insight SET name='".$name."' , date='". $date . "' , html='" . $html . "' , shortdesc='" . $shortdesc . "' , link='" . $link . "' , target='" . $target . "' , sort='" . $sort . "' WHERE id=". $id ;
I think the SQL syntax is not correct; you can use it like this: UPDATE tablename SET rowname = value, ....