This is my first UPDATE query, I have checked using jQuery for any empty fields. I want the user to input at least one field and then update the field(s). Doing a query with all the $_POST names might generate empty or undefined input fields in my database which doesn't work.. here is my query:
$first = $_POST['first'];
$last = $_POST['last'];
$birth = $_POST['birth'];
$bio = $_POST['bio'];
$UID = $_SESSION['id'];
$query = "UPDATE `user` SET `firstname`=$first,`lastname`=$last,`birthday`=$birth,`biography`=$bio WHERE `user_id` = '$UID'";
$result = mysql_query($query) or die($result . "<br/><br/>" . mysql_error());
The error:
syntax to use near 'birthday=,biography= WHERE user_id = '11'' at line 1
I don't want to go through nested if's to check whether has a value or not. Thanks.
NOTE: Use mysql_real_escape_string() to prevent from sql injection.
if( !empty($first) &&
!empty($last) &&
!empty($birth) &&
!empty($bio) ){
$query = "UPDATE `user`
SET
`firstname`='$first',
`lastname`='$last',
`birthday`='$birth',
`biography`='$bio'
WHERE `user_id` = '$UID'";
}
Related
I am trying to update multiple rows in a single query. Data doesnt get updated in my code. I am trying to join the two tables. When user enters a no. The data from the 2 tables will be displayed which is connected through the foreign key.The data from the table1 gets updated. Where as the columns from the table 2 doesnt get updated. I need to update the second table based on unique id
if($_REQUEST["profile"] == "profile")
{
$Id = $_REQUEST["id"];
$firstname = mysql_real_escape_string($_REQUEST["firstname"]);
$serial = mysql_real_escape_string($_REQUEST["serial"]);
$dom = mysql_real_escape_string($_REQUEST["dom"]);
$idno = $_REQUEST["idno"];
$pow = mysql_real_escape_string(stripslashes($_REQUEST["pow"]));
$address = mysql_real_escape_string(stripslashes($_REQUEST["address"]));
$bookno = mysql_real_escape_string(stripslashes($_REQUEST["bookno"]));
$zone = mysql_real_escape_string(stripslashes($_REQUEST["zone"]));
$mobile = mysql_real_escape_string(stripslashes($_REQUEST["phone"]));
$phone = mysql_real_escape_string(stripslashes($_REQUEST["mobile"]));
$mothertongue=mysql_real_escape_string(stripslashes($_REQUEST["mothertongue"]));
$nof=mysql_real_escape_string(stripslashes($_REQUEST["nof"]));
$email=mysql_real_escape_string(stripslashes($_REQUEST["email"]));
$nom=$_REQUEST["nom"];
$nofemale=$_REQUEST["nofemale"];
mysql_query("UPDATE profile SET firstname='".$firstname."',serial='".$serial."',dom='".$dom."',idno='".$idno."',pow='".$pow."',address='".$address."',bookno='".$bookno."',
zone='".$zone."',phone='".$mobile."',mobile='".$phone."',mothertongue='".$mothertongue."',email='".$email."',nof='".$nof."',nom='".$nom."',nofemale='".$nofemale."' WHERE id = '".$_POST['id']."' " ) or die(mysql_error());
for($i=0;$i<count($_REQUEST['slno1']);$i++)
{
$mid=$_REQUEST['mid'][$i];
$slno1 = mysql_real_escape_string(stripslashes($_REQUEST["slno1"][$i]));
$name1 = mysql_real_escape_string(stripslashes($_REQUEST["name1"][$i]));
$rhof1 = mysql_real_escape_string(stripslashes($_REQUEST["rhof1"][$i]));
$dob1 = mysql_real_escape_string(stripslashes($_REQUEST["dob1"][$i]));
$dobapt1 = mysql_real_escape_string(stripslashes($_REQUEST["dobapt1"][$i]));
$doc1 = mysql_real_escape_string(stripslashes($_REQUEST["doc1"][$i]));
$doconf1 = mysql_real_escape_string(stripslashes($_REQUEST["doconf1"][$i]));
$qualification1 = mysql_real_escape_string(stripslashes($_REQUEST["qualification1"][$i]));
$school1 = mysql_real_escape_string(stripslashes($_REQUEST["school1"][$i]));
$occupation1 = mysql_real_escape_string(stripslashes($_REQUEST["occupation1"][$i]));
$run=mysql_query("UPDATE member SET
slno1='".$slno1."',name1='".$name1."',rhof1='".$rhof1."',dob1='".$dob1."',dobapt1='".$dobapt1."',doc1='".$doc1."',doconf1='".$doconf1."',qualification1='".$qualification1."' WHERE mid = '".$mid."' " ) or die(mysql_error());
}
}
Please use PDO so you won't have to escape strings and so your code gets simpler to read. Your query has too many quotes used and this alone can make it easy to fail. Please use following examples and this should help you succeed.
Basic PDO update:
https://www.w3schools.com/php/php_mysql_update.asp
Bind Params:
https://www.w3schools.com/php/php_mysql_prepared_statements.asp
In your query you are using $_POST['mid'] instead of that you should use $mid which you are already reading as
$mid=$_REQUEST['mid'][$i];
As per my understanding UPDATE query is used to update a limited number of records if using the where condition. So the only way that I can think of is using an INSERT query with ON DUPLICATE KEY UPDATE clause. Try the below code:
for($i=0;$i<count($_REQUEST['mid']);$i++) {
$mid[] = $_REQUEST['mid'][$i];
$slno1[] = mysql_real_escape_string(stripslashes($_REQUEST["slno1"][$i]));
$name1[] = mysql_real_escape_string(stripslashes($_REQUEST["name1"][$i]));
$rhof1[] = mysql_real_escape_string(stripslashes($_REQUEST["rhof1"][$i]));
$dob1[] = mysql_real_escape_string(stripslashes($_REQUEST["dob1"][$i]));
$dobapt1[] = mysql_real_escape_string(stripslashes($_REQUEST["dobapt1"][$i]));
$doc1[] = mysql_real_escape_string(stripslashes($_REQUEST["doc1"][$i]));
$doconf1[] = mysql_real_escape_string(stripslashes($_REQUEST["doconf1"][$i]));
$qualification1[] = mysql_real_escape_string(stripslashes($_REQUEST["qualification1"][$i]));
$school1[] = mysql_real_escape_string(stripslashes($_REQUEST["school1"][$i]));
$occupation1[] = mysql_real_escape_string(stripslashes($_REQUEST["occupation1"][$i]));
}
$query = "INSERT INTO `member` (`mid`,`slno1`,`name1`,`rhof1`,`dob1`,`dobapt1`,`doc1`,`doconf1`,`qualification1`) VALUES ";
for ($i = 0; $i < count($mid); $i++) {
$query .= "('".$mid[$i]."','".$slno1[$i]."','".$name1[$i]."','".$rhof1[$i]."','".$dob1[$i]."','".$dobapt1[$i]."','".$doc1[$i]."','".$doconf1[$i]."','".$qualification1[$i]."')";
if ($i != (count($mid) - 1)) {
$query .= ',';
}
}
$query .= ' ON DUPLICATE KEY UPDATE `slno1` = VALUES(`slno1`), `name1` = VALUES(`name1`), `rhof1` = VALUES(`rhof1`), `dob1` = VALUES(`dob1`), `dobapt1` = VALUES(`dobapt1`), `doc1` = VALUES(`doc1`), `doconf1` = VALUES(`doconf1`), `qualification1` = VALUES(`qualification1`);';
$run=mysql_query($query) or die(mysql_error());
Hope This Helps.
I am trying to make a search box using select option tag such that if I select 'all' in select option tag then each data of that column should be fetched.
Given below is my php code. Thanks
if(isset($_POST['submit'])) {
$area = $_POST['city'];
if(isset($_POST['work']!== 'all'))
{$work = $_POST['work']; }
else {$work = '*';} ;
$sel2 = "SELECT * FROM `userdata` WHERE `area`='".$area."' AND `work`='".$work."'" ;
$res2 = mysqli_query($con,$sel2);
Since you're would like to fetch any and all work related data when work is equal to all, you don't have to mention that explicitly in the SQL query. Mention that only when you want to fetch specific work related data. So your code should be like this:
if(isset($_POST['submit'])) {
$area = $_POST['city'];
$sel2 = "SELECT * FROM `userdata` WHERE `area`='".$area."'";
if(isset($_POST['work']) && $_POST['work'] !== 'all')
$sel2 .= " AND `work`='".$_POST['work']."'";
$res2 = mysqli_query($con,$sel2);
Sidenote: Learn about prepared statement because right now your query is susceptible to SQL injection attack. Also see how you can prevent SQL injection in PHP.
Set up the variables like this
if(isset($_POST['submit'])) {
$area = $_POST['city'];
if(isset($_POST['work']!== 'all'))
$data=addslashes($_POST['work']);
{$work = "AND `work`='".$data."'";
}
else {$work = "";
}
///your query should be like this
$sel2 = "SELECT * FROM `userdata` WHERE `area`='".$area."' ".$work."";
//////so if work is not specified then you don't need to select column WORK in the query. So it works as select * from userdata where area='".$area."';";
$res2 = mysqli_query($con,$sel2);
I need a little help to update mysql. I don't want blank/empty input fields to update but when i keep them blank or empty it automatically updates the fields
here is my code
$sql="UPDATE `tblsitesetup` SET
`site_name` = '".mysqli_real_escape_string($conn,$sitename_new)."',
`site_hometitle` = '".mysqli_real_escape_string($conn,$sitetitle_new)."',
`site_homedescrp` = '".mysqli_real_escape_string($conn,$final_description)."',
`site_homekeywords` = '".mysqli_real_escape_string($conn,$final_keywords)."',
`site_analytics` = '".mysqli_real_escape_string($conn,$final_analytics)."',
`site_ad1` = '".mysqli_real_escape_string($conn,$final_ad1)."',
`site_ad2` = '".mysqli_real_escape_string($conn,$final_ad2)."',
`site_ad3` = '".mysqli_real_escape_string($conn,$final_ad3)."'
WHERE `site_id` = '1'";
$result=mysqli_query($conn,$sql);
The correct way to do it is not to put those items in the query at
all:
$updates = array();
if (!empty($sitename_new))
$updates[] = 'sitename_new="'.mysql_real_escape_string($sitename_new).'"';
if (!empty($sitetitle_new))
$updates[] = 'sitetitle_new="'.mysql_real_escape_string($sitetitle_new).'"';
// .......
// ....... fill all cases here
$updates = implode(', ', $updates);
$sql = "UPDATE tblsitesetup` SET $updates WHERE `site_id` = '1'";
Obviously it would be cleaner to put the changes in an associative array or object, and then loop through them.
Reference: mysql update - skip blank fields?
$update=array('site_name'=>$sitename_new
'site_hometitle' => $sitetitle_new
/* etc ... */
'site_ad3' => $final_ad3 );
$sets=array();
foreach($update as $field => $value )
if( "$value" != "" )
$sets[]="`$field` = ". mysqli_real_escape_string($conn,$field);
if($sets)
{
$sql="UPDATE `tblsitesetup` SET \n".implode(",\n",$sets)."
WHERE `site_id` = '1'";
$result=mysqli_query($conn,$sql);
}
else
{
$result=NULL;
}
Build your SQL string using if statements:
$sql = 'UPDATE TABLE SET ';
If (trim($field)!='') $sql.=' FIELD=$field ';
And so on...
Be sure to have a valid SQL statement at the end.
$newCity = $_POST['city'];
$set = mysqli_query($con, "UPDATE users SET city = '$newCity' WHERE username = '$theUser'");
I'm trying to update mySql column through UPDATE using a value of a variable.
But when I check the value, it updates, but once I refresh the execute, it changes the value to NULL
Edit: $theUser = a working session username
Try:
if(isset($_POST['city'])){
$newCity = $_POST['city'];
$set = mysqli_query($con, "UPDATE users SET city = '$newCity' WHERE username = '$theUser'");
}
Also please try to filter your user input before passing it to query.
if(isset($_POST['city'])){
$newCity = mysqli_real_escape_string($_POST['city']);
$theUser = mysqli_real_escape_string($userUser); // assuming you haven't escaped it already.
$query = "UPDATE users SET city = '$newCity' WHERE username = '$theUser'";
$set = mysqli_query($con, $query);
}
I have been trying to do this for hours now, and I can't quite get my head round it. I have a table called "requests" that has the columns "deletekey" and "deleted". "deletekey" is a random unique number (data-type text), and "deleted" is by default set to 0 (data-type boolean), and when the user inputs the deletekey, it changes "deleted" to 1.
But I can't get it to work.
Here is the code I have, and I have no idea what I'm doing wrong:
$key = $_GET["delkey"];
$link = mysqli_connect("localhost","username","password","dbname");
$query = 'UPDATE requests SET deleted = True WHERE deletekey = "$key"';
$result = $link->query($query);
This should help, and will also provide protection against SQL injection:
$link = mysqli_connect("localhost","username","password","dbname");
$key = $link->real_escape_string($_GET["delkey"]);
$query = sprintf("UPDATE requests SET deleted = 1 WHERE deletekey = '%s'", $key);
$result = $link->query($query);
Shouldn't it be WHERE deletekey = '$key', then? The deleted field could NEVER equal whatever's in $key, since deleted is a simple boolean, and $key is probably an int/char/varchar-type thing.
Note that you are vulnerable to SQL injection attacks. Stop working on this sort of code until you've learned about the problem and how to avoid it.
Its deletedkey = "$key" right ? and not deleted = "$key" :
$key = $_GET["delkey"];
$link = mysqli_connect("localhost","username","password","dbname");
$query = 'UPDATE requests SET deleted = true WHERE deletedkey = "$key"';
$result = $link->query($query);
Try this?
$link = mysqli_connect("localhost","username","password","dbname");
$key = $link->real_escape_string($_GET["delkey"]);
$query = "UPDATE `requests` SET `deleted` = true WHERE `deletedkey` = $key";
$result = $link->query($query);
$query = 'UPDATE requests SET deleted = 1 WHERE deletekey = "$key"';
the query is a string. And to add a variable to a string you need to type
$query = 'UPDATE requests SET deleted = True WHERE deleted = '".$key."';
the difference is how to make a variable put into the string. You have to do like this in php.
$query = "randomtext ". $randomvar ." ";
where the important point is to ". $var ." inside the string. This i similar to javas "+ var +"