Update Statement with date using php - php

function DBClosedTicket($TRANSACTIONID, $TRANSACTIONTYPE = '')
{
    $CLOSEDATE = DBGetDate(); // ex. value is 2013:01:02 17:03:20
    $strQuery = "UPDATE TBL_TRANSACTION SET TRANSACTION_TYPE = :TRANSACTIONTYPE, CLOSE_DATE = :CLOSEDATE WHERE TRANSACTION_ID = :TRANSACTIONID";
    $stmt = oci_parse(DBConnect(), $strQuery);
    oci_bind_by_name($stmt, ':TRANSACTIONID', $TRANSACTIONID);
    oci_bind_by_name($stmt, ':TRANSACTIONTYPE', $TRANSACTIONTYPE);
    oci_bind_by_name($stmt, ':CLOSEDATE', $CLOSEDATE);
    oci_execute($stmt);
    return $strQuery;
}
No errors and no result. How can I update with a date in Oracle using PHP?

You need to change this statement so that Oracle understands the date format:
$strQuery = "UPDATE TBL_TRANSACTION SET TRANSACTION_TYPE = :TRANSACTIONTYPE, CLOSE_DATE = to_date(':CLOSEDATE', 'RRRR:MM:DD HH24:MI:SS') WHERE TRANSACTION_ID = :TRANSACTIONID";
I hope DBGetDate() returns a string value and the data type of CLOSE_DATE is DATE in the Oracle DB.
If the above change does not work, try removing the single quotes from ':CLOSEDATE'.
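As an added example (not the poster's or the answerer's code), here is a version of DBClosedTicket that passes the bind variable through TO_DATE with a mask matching the '2013:01:02 17:03:20' layout, checks every OCI call, and returns the number of rows updated. DBConnect() and DBGetDate() are assumed to exist as in the question.

```php
<?php
// Added example: DBConnect() and DBGetDate() are assumed to exist as in the question.
// Oracle cannot implicitly convert '2013:01:02 17:03:20' to DATE, so the bind
// variable is fed to TO_DATE with a mask that matches that exact layout.
function DBClosedTicket($TRANSACTIONID, $TRANSACTIONTYPE = '')
{
    $conn = DBConnect();
    $CLOSEDATE = DBGetDate(); // e.g. '2013:01:02 17:03:20'

    $strQuery = "UPDATE TBL_TRANSACTION
                    SET TRANSACTION_TYPE = :TRANSACTIONTYPE,
                        CLOSE_DATE = TO_DATE(:CLOSEDATE, 'YYYY:MM:DD HH24:MI:SS')
                  WHERE TRANSACTION_ID = :TRANSACTIONID";

    $stmt = oci_parse($conn, $strQuery);
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('oci_parse failed: ' . $e['message']);
    }

    // oci_bind_by_name binds by reference: pass variables, never literals, and
    // keep them alive until oci_execute() has run.
    oci_bind_by_name($stmt, ':TRANSACTIONID', $TRANSACTIONID);
    oci_bind_by_name($stmt, ':TRANSACTIONTYPE', $TRANSACTIONTYPE);
    oci_bind_by_name($stmt, ':CLOSEDATE', $CLOSEDATE);

    // The default mode commits on success. A false return is the only sign of
    // failure, which is why "no errors and no result" happens when it is ignored.
    if (!oci_execute($stmt)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('oci_execute failed: ' . $e['message']);
    }

    $rows = oci_num_rows($stmt); // 0 means no TRANSACTION_ID matched
    oci_free_statement($stmt);
    return $rows;
}
```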

Related

How to add an int value (+1) in query php

I want to add 1 to a value because when I return the book, this query will run and return the book, but it doesn't return the value; it just keeps subtracting the value of the book. Thanks for helping me.
$id = $_GET['id'];
$book_id = $_GET['book_id'];
if (isset($id)) {
    $b = mysqli_query($dbcon, "SELECT * FROM book WHERE book_id='$book_id'");
    $row = mysqli_fetch_array($b);
    $copies = $row['book_copies'];
    $new = $copies++;
    mysqli_query($dbcon, "UPDATE book ON book_copies = $new");
}
You can simply do
UPDATE book SET book_copies = book_copies + 1
WHERE book_id='$book_id'
Although this leaves your script at risk of SQL injection attacks.
Even if you are escaping inputs, it's not safe!
Use prepared parameterized statements
You should be preparing and parameterising the query like this
$sql = "UPDATE book SET book_copies = book_copies + 1
        WHERE book_id=?";
$stmt = $dbcon->prepare($sql);
$stmt->bind_param('i', $_GET['book_id']); // assuming integer here; book_id is what the WHERE clause compares
$res = $stmt->execute();
if (! $res ) {
    echo $dbcon->error;
    exit;
}
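An added example (not the poster's or the answerer's code) that puts the advice above into one function: the id is validated before it is bound, the increment is a single atomic UPDATE rather than a SELECT, ++ and UPDATE that can race between two requests, and affected_rows tells you whether the book existed. It assumes $dbcon is an open mysqli connection and the book table has book_id and book_copies columns, as in the question.

```php
<?php
// Added example. Assumes $dbcon is an open mysqli connection and the book table
// has columns book_id and book_copies, as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

function returnBook(mysqli $dbcon, $rawBookId): int
{
    // Validate before it goes anywhere near SQL: book_id must be a positive integer.
    $bookId = filter_var($rawBookId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($bookId === false) {
        throw new InvalidArgumentException('book_id must be a positive integer');
    }

    // One atomic statement: no read-modify-write race between two requests, and
    // the value travels as a bound parameter, never as part of the SQL text.
    $stmt = $dbcon->prepare('UPDATE book SET book_copies = book_copies + 1 WHERE book_id = ?');
    $stmt->bind_param('i', $bookId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();

    if ($affected !== 1) {
        throw new RuntimeException("no book with book_id=$bookId");
    }

    // Read back the new count in the same parameterised style.
    $stmt = $dbcon->prepare('SELECT book_copies FROM book WHERE book_id = ?');
    $stmt->bind_param('i', $bookId);
    $stmt->execute();
    $stmt->bind_result($copies);
    $stmt->fetch();
    $stmt->close();
    return (int) $copies;
}

// Usage mirroring the original script's $_GET handling.
if (isset($_GET['book_id'])) {
    echo 'Copies now available: ' . returnBook($dbcon, $_GET['book_id']);
}
```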
You are using the update statement wrong; it would be something like this:
UPDATE table_name
SET column1 = value1, column2 = value2, ...
WHERE condition;
In your case you should try something like:
"UPDATE book SET book_copies=$new WHERE book_id='$book_id'"

Insert Data in Oracle DB using PHP

Inserting data into an Oracle DB using oci8. Sample query to insert a string with special characters or quotes:
update TABLENAME set COMMENTS = 'As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort' where ID = 99;
To insert/update
$query = "update TABLENAME set COMMENTS = '$_POST[comments]'";
$result = customexecute($query);

public function customexecute($query)
{
    $result = parent::customquery($query);
    return $result;
}

public static function customquery($query)
{
    try {
        $conn = db_singleton::getInstance(); // the same connection used for oci_commit() below
        $stmt = oci_parse($conn, $query);
        oci_execute($stmt, OCI_COMMIT_ON_SUCCESS);
        oci_commit(db_singleton::getInstance());
        oci_free_statement($stmt);
    } catch (Exception $e) {
        print_r($e);
    }
}
Executing it on the Oracle DB, it says "SQL command not properly ended". I looked into the parameterized queries mentioned here but was not able to integrate them successfully.
$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
$field = "The field value with 'apostrophes' and so";
$id = '125';
oci_bind_by_name($stmt, ':field', $field); // binds by reference, so a variable (not a literal) is required
oci_bind_by_name($stmt, ':id', $id);
$result = oci_execute($stmt);
I can pass :bind_comments in my query, which is in my controller. But $stmt resides in my db_singleton file (general for all DB queries) and I cannot pass it separately for an individual query.
How can I sanitize user input, or not allow data to be used in creating SQL code?
From the update function, pass everything needed to the execute function:
$result = customExecute(
'update xxx set comments=:COMMENTS where id=:ID',
[
':COMMENTS' => $_POST['comment'],
':ID' => 99
]
);
Then in the execute function simply iterate the array to bind all params:
public static function customExecute($sql, array $params = [])
{
    $conn = db_singleton::getInstance(); // the connection the question's code already uses
    $stmt = oci_parse($conn, $sql);
    foreach ($params as $key => &$value) {
        oci_bind_by_name($stmt, $key, $value); // binds by reference, hence &$value
    }
    unset($value); // drop the dangling reference to the last element
    $result = oci_execute($stmt);
    // ...
    return $result;
}
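An added example (not the poster's db_singleton code) that fills in the executor sketched above: named binds are taken from an array, every OCI call is checked, and the statement runs with OCI_NO_AUTO_COMMIT so the caller decides whether to commit. It assumes $conn is an open OCI8 connection resource (what db_singleton::getInstance() returns in the question).

```php
<?php
// Added example. Assumes $conn is an open OCI8 connection resource, e.g. the
// value of db_singleton::getInstance() in the question.
function customExecute($conn, $sql, array $params = [])
{
    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('parse failed: ' . $e['message']);
    }

    // oci_bind_by_name() binds by reference, so iterate by reference: each array
    // element stays bound to its own placeholder after the loop moves on.
    foreach ($params as $name => &$value) {
        if (!oci_bind_by_name($stmt, $name, $value)) {
            $e = oci_error($stmt);
            oci_free_statement($stmt);
            throw new RuntimeException("bind of $name failed: " . $e['message']);
        }
    }
    unset($value); // drop the dangling reference to the last element

    // OCI_NO_AUTO_COMMIT keeps the change inside the session's transaction so
    // the caller can oci_commit() after several statements, or oci_rollback().
    if (!oci_execute($stmt, OCI_NO_AUTO_COMMIT)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException('execute failed: ' . $e['message']);
    }

    $rows = oci_num_rows($stmt);
    oci_free_statement($stmt);
    return $rows;
}

// Apostrophes, ampersands and dashes in the comment are data, never SQL text,
// so the sentence from the question goes in unchanged.
$rows = customExecute(
    $conn,
    'UPDATE TABLENAME SET COMMENTS = :COMMENTS WHERE ID = :ID',
    [
        ':COMMENTS' => "As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort",
        ':ID'       => 99,
    ]
);
oci_commit($conn);
echo "$rows row(s) updated\n";
```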
No, unsurprisingly, MySQL functions won't work with Oracle DB :)
You need to parameterise things, e.g.:
$query = 'update TABLENAME set COMMENTS = :bind_comments where id = :bind_id';
$stmt = $dbh->prepare($query);
$stmt->bindParam(':bind_comments', $_POST['comments']);
$stmt->bindParam(':bind_id', $_POST['id']);
$stmt->execute();
The correct way of using the OCI8 PHP extension is:
$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
$field = "The field value with 'apostrophes' and so";
$id = '125';
oci_bind_by_name($stmt, ':field', $field); // binds by reference, so a variable (not a literal) is required
oci_bind_by_name($stmt, ':id', $id);
$result = oci_execute($stmt);
More information: http://php.net/manual/book.oci8.php

Prepare seems to be stripping quotes from string so that it is not accepted by the mysql datetime field

I would like to update a DATETIME MySQL field using a PHP string in a prepared statement.
$stmt = $mysqli->prepare("UPDATE TABLE1 SET DATETIME1 = ? where ID = ?");
$stmt->bind_param('si',$date,$id);
$date = "2013-12-04 00:00:00"; /*string '2013-12-04 00:00:00' (length=19)*/
$id = 4;
$stmt->execute();
I had expected that MySQL would treat the statement as
UPDATE TABLE1 SET DATETIME1 = '2013-12-04 00:00:00' where ID = ?;
/*which works when directly entered*/
However, I assume it is treating it like
UPDATE TABLE1 SET DATETIME1 = 2013-12-04 00:00:00 where ID = ?;
/*giving the result of null*/
I have tried using the STR_TO_DATE MySQL function to force it to treat $date as a string and then convert it to DATETIME, i.e.
$stmt = $mysqli->prepare("UPDATE TABLE1 SET DATETIME1 = STR_TO_DATE(?,'%Y-%m-%d %T') where ID = ?");
/*again the result is null*/
Do I need to bind a quoted string? What am I missing?
It doesn't make much sense to prepare it, bind it and then execute it in such an obscure way. Besides the problems outlined in the comments, consider changing it to:
$date = "2013-12-04 00:00:00"; /*string '2013-12-04 00:00:00' (length=19)*/
$id = 4;
$stmt = $mysqli->prepare("UPDATE TABLE1 SET DATETIME1 = ? where ID = ?");
$stmt->execute(array($date, $id));
Besides, you were binding them wrong. You were using the prepare statement but then binding three values (or two values and a wrongly set parameter). Please refer to the documentation for more info about binding parameters.
Note that with PHP >= 5.4 you can simply do:
$date = "2013-12-04 00:00:00"; /*string '2013-12-04 00:00:00' (length=19)*/
$id = 4;
$stmt = $mysqli->prepare("UPDATE TABLE1 SET DATETIME1 = ? where ID = ?");
$stmt->execute([$date, $id]);
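As an added example (not the poster's or the answerer's code), this function binds the DATETIME string with mysqli's bind_param, which is by reference and needs no quotes around the value, and checks the string against the exact 'Y-m-d H:i:s' layout before it is sent. It assumes $mysqli is an open mysqli connection and TABLE1 has a DATETIME column DATETIME1 and an ID column, as in the question.

```php
<?php
// Added example. Assumes $mysqli is an open mysqli connection and TABLE1 has a
// DATETIME column DATETIME1 and an integer ID column, as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

function setRowDatetime(mysqli $mysqli, int $id, string $date): int
{
    // Reject anything that is not exactly 'Y-m-d H:i:s' before it reaches the
    // database. The round trip also catches overflowed dates such as 2013-02-30,
    // which createFromFormat() would silently roll into March.
    $dt = DateTime::createFromFormat('Y-m-d H:i:s', $date);
    if ($dt === false || $dt->format('Y-m-d H:i:s') !== $date) {
        throw new InvalidArgumentException("bad DATETIME literal: $date");
    }

    // A bound 's' parameter is sent as a string and MySQL applies the quoting
    // itself, so the value is never spliced into the SQL text and needs no quotes.
    $stmt = $mysqli->prepare('UPDATE TABLE1 SET DATETIME1 = ? WHERE ID = ?');
    $stmt->bind_param('si', $date, $id); // by reference: prepare, bind, then execute
    $stmt->execute();
    $affected = $stmt->affected_rows;    // 0: no such ID, or the value was already set
    $stmt->close();
    return $affected;
}

// Same data as the question.
echo setRowDatetime($mysqli, 4, '2013-12-04 00:00:00') . " row(s) updated\n";
```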

Inserting date in oracle database using Php

I am trying to insert a date into Oracle 10g using PHP. This is my query:
$dat='1989-10-21';
$did="0011";
$nam="George";
$sql= "insert into table (did, name, date_of_birth) values (:did,:nam, TO_DATE(:dat,’YYYY-MM-DD’))";
$stmt = oci_parse($conn, $sql);
oci_bind_by_name($stmt, ':did', $did);
oci_bind_by_name($stmt, ':nam', $nam);
oci_bind_by_name($stmt, ':dat', $dat);
$result = oci_execute($stmt);
But it is giving me the following error:
oci_execute() [function.oci-execute]: ORA-00911: invalid character in
C:\Apache2.2\htdocs\new2.php on line 14
I have tried running it without binding but it's still not working. I checked it in SQL*Plus and it's working fine. Please help.
Maybe you can try to quote the first param when using to_date; at least I use it like this:
$date = '2013-11-11';
$sql = "select t.* from my_table t where create_date>to_date('". $date ."','yyyy-mm-dd hh24:mi:ss')";
Perhaps it can give you some ideas.

Not able to update rows using PDO

When I run the following code:
// Loop through each store and update shopping mall ID
protected function associateShmallToStore($stores, $shmall_id) {
    foreach($stores as $store_id) {
        $sql .= 'UPDATE my_table SET fk_shmallID = :shmall_id WHERE id = :store_id';
        $stmt = $this->db->prepare($sql);
        $stmt->bindParam(':shmall_id', $shmall_id);
        $stmt->bindParam(':store_id', $store_id);
        $stmt->execute();
    }
}
I get the following message:
Warning: PDOStatement::execute() [pdostatement.execute]: SQLSTATE[HY093]: Invalid parameter number: mixed named and positional parameters
I've also tried the following without success (without $stmt->bindParam):
$stmt->execute( array($shmall_id, $store_id));
I don't understand what I'm doing wrong.
UPDATE
I've updated my code to reflect what I actually got in my source code. There should not be any typos here.
UPDATE 2
I tried this, but I still get the same error message.
protected function associateShmallToStore($stores, $shmall_id) {
    $i = 0;
    $sql .= "UPDATE sl_store ";
    foreach($stores as $store_id) {
        $i++;
        $sql .= 'SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id_'.$i.',';
    }
    $sql = removeLastChar($sql);
    $stmt = $this->db->prepare($sql);
    $stmt->bindParam(':shmall_id_'.$i, $shmall_id);
    $i = 0;
    foreach($stores as $store_id) {
        $i++;
        $stmt->bindParam(':store_id_'.$i, $store_id);
    }
    $stmt->execute();
}
This is the output of the SQL query:
UPDATE sl_store
SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id_1,
SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id_2
UPDATE 3
The code I ended up using was this:
foreach($stores as $store_id) {
    $sql = "UPDATE sl_store SET fk_shmallID = :shmall_id WHERE id = :store_id";
    $stmt = $this->db->prepare($sql);
    $stmt->bindParam(':shmall_id', $shmall_id);
    $stmt->bindParam(':store_id', $store_id);
    $res = $stmt->execute();
}
It's just as the error says, you have mixed named and positional parameters:
:name (named)
:person_id (named)
? (positional)
More than that, you have the named parameter :person_id, but you're binding to :id.
These are your parameters, I'll call them P1, P2 and P3:
UPDATE my_table SET name = :name WHERE id = :person_id ?
                           ^ P1             ^ P2       ^ P3
And this is where you bind them:
$stmt->bindParam(':name', $name); // bound to P1 (:name)
$stmt->bindParam(':id', $person_id); // bound to nothing (no such param :id)
You probably want to bind the second parameter to :person_id, not to :id, and remove the last positional parameter (the question mark at the end of the query).
Also, each iteration through the foreach loop appends more to the query, because you're using the concatenation operator instead of the assignment operator:
$sql .= 'UPDATE my_table SET name = :name WHERE id = :person_id ?';
You probably want to remove that . before =.
For more about this, take a look at the Prepared statements and stored procedures page in the PDO manual. You will find out how to bind parameters and what the difference is between named and positional parameters.
So, to sum it up:
Replace the SQL line with:
$sql = 'UPDATE my_table SET name = :name WHERE id = :person_id';
Replace the second bindParam() call with:
$stmt->bindParam(':person_id', $person_id);
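An added example (not the poster's or the answerer's code) of the per-store update done the way the answer suggests, with the statement prepared once outside the loop, the id bound with bindValue() so rebinding in a loop is unambiguous, and the whole batch wrapped in a transaction. The DSN and credentials are placeholders; the store ids are constructed.

```php
<?php
// Added example. Assumes a PDO handle created with ERRMODE_EXCEPTION; the DSN,
// credentials and store ids below are placeholders/constructed values.
class StoreRepository
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    // Returns how many sl_store rows were changed.
    public function associateShmallToStore(array $stores, int $shmall_id): int
    {
        // '=' not '.=': the statement is prepared once and re-executed per store,
        // so the named placeholders are never duplicated into one giant query.
        $sql  = 'UPDATE sl_store SET fk_shmallID = :shmall_id, lastUpdated = NOW() WHERE id = :store_id';
        $stmt = $this->db->prepare($sql);

        $updated = 0;
        $this->db->beginTransaction(); // every store moves to the mall, or none does
        try {
            // bindValue() copies the value at call time; bindParam() binds by
            // reference, which is easy to get wrong when re-running in a loop.
            $stmt->bindValue(':shmall_id', $shmall_id, PDO::PARAM_INT);
            foreach ($stores as $store_id) {
                $stmt->bindValue(':store_id', (int) $store_id, PDO::PARAM_INT);
                $stmt->execute();
                $updated += $stmt->rowCount(); // on MySQL: rows actually changed
            }
            $this->db->commit();
        } catch (PDOException $e) {
            $this->db->rollBack();
            throw $e;
        }
        return $updated;
    }
}

$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$repo = new StoreRepository($pdo);
echo $repo->associateShmallToStore([12, 34, 56], 7) . " store(s) updated\n"; // constructed ids
```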
Try:
$sql = 'UPDATE my_table SET name = :name WHERE id = :id';
