sql update not working dont know how to fix - php

I am lost here please help
my data base table will not update when I use this code
$sqlpassword = "UPDATE login SET password='$hashedP' WHERE id='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
I have tried to look around maybe i'm not seeing it but im sure its right

password is a reserved word in MySQL. You have to wrap fieldnames in backticks so that MySQL doesn't see it as a SQL command.
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);

Don't use the LIMIT keyword on UPDATE Statement.
Just use
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id'";
Disclaimer: Make use of Prepared Statements to avoid SQL Injection Attacks.

I worked it out sorry for wasting your time
<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>
was not putting in
edit.php?c=<?php echo $log_company ?>
so form was going to edit.php not edit.php?c=truestory

Check the following:
You are making commit after this update statement.
Check why you need the limit keyword, else remove it.
Check if the id is a number in your table structure or string, since in this update you are dealing with it as string.

Related

php - single quotes around variables in mysql queries

Why do I see in several examples of mysql queries via php the syntax:
$q = "CREATE TABLE '$tablename' ('$t_id_name')";
or things similar to that? I'm asking about the single quotes around the variable names. Is this required in MySQL strings? If I echo the string, it seems to expand the variables whether the quotes are there or not.
And would this pose a problem if this were done for something that was intended to be an integer?
To answer your question, the quotes are necessary, but not to expand the variable. A typical SQL query would look like this:
$q = "SELECT * FROM `table` WHERE `first_name` = 'user3475234'";
Now, consider the following example:
<?php
$tablename = "users";
$user = "user3475234";
$q = "SELECT * FROM `$tablename` WHERE `first_name` = '$user'";
echo $q;
This will display: SELECT * FROM `users` WHERE `first_name` = 'user3475234'. Note that the quotes weren't necessary to output the string, but they were a necessary part of the query.
That being said, code like this opens your script to SQL injection. I won't explain too much about it, since there are plenty of resources discussing it, but consider the example where someone's username is user3475234' OR 1==1--. This username will effectively return all users in the table.
You must use backticks (`) for field or table name especially if the field or table name are same with mysql command. And you need to use single-quote (') for value.

PHP - using update with variables

I am using php to update a mysql DB within a function. I am able to echo my variable names and was able to return the variables on the php page. This proves to me that my variables are working correctly.
Now when I use the update command, my DB does not respond. Yes, I have connected to the DB and it all works.
This is what I am using to update:
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = $username");
The value for $username should be wrap with single quotes.
mysql_query(" UPDATE table_name
SET int_field = '$int_value'
WHERE username = '$username'");
SideNote: your code is vulnerable with SQL Injection. Please read the article below to know how to secure your code,
Best way to prevent SQL injection in PHP?
You need to quote all of your input to the query. This prevents SQL injection, but also simple syntax errors that would occur if your user innocently inputs a special character that would break your query.
mysql_query('UPDATE table_name '.
'SET int_field = "'.mysql_real_escape_string($int_value).'" '.
'WHERE username = "'.mysql_real_escape_string($username).'"');
This is the correct STRUCTURE of how to update with a variable in php
mysql_query("UPDATE tablename SET password='". $NPass ."' WHERE custID='$num'");
Try this :
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = '$username'");
I had the same problem and found that the SET value doesn't need single quotes and that the WHERE clause does ...
mysql_query("UPDATE table_name SET int_field=$int_value
WHERE username='$username'");
.. seemed to work for me.

Why executing PHP mysql_query fails

Why does this PHP code (mysql_query to delete a row where user name is $phpVar) do nothing?
mysql_query("DELETE FROM xraydeath WHERE user = $user");
Probably because you forgot to quote the $user parameter also, please escape variables goes into sql query strings. If that parameter is connected directly to user input someone might submit ' or 1=1 -- and your whole table gone. This idea know as sql injection.
note: the old mysql_* functions are now deprecated, you should avoid using them, see the alternatives.
You need to put quotes around strings like this:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
you forgot the quotes around the user:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
What are you expecting? How it fails? Mysql_query is not suppose to do anything in the form that you are using it, except sending the query to the server.
$result = mysql_query (...);
// use the result if any.
if (!$result) {
die('Invalid query: ' . mysql_error());
}
// check the error that you might have
you need to put $user into quotes
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
also DELETE will succeed if even no rows where deleted, so to get how many rows where actually deleted use mysql_affected_rows()
$x = mysql_query("..");
echo "There were ".mysql_affected_rows()." rows affected";
**Try not to use mysql_* switch to PDO instead.
Assuming xraydeath.user is a character type, the value needs to be enclosed in quotes. If $user does not already contain the quotes, try:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
And for kicks, try setting $user = "' OR '1'='1";! (Read up on SQL injection attacks and you should really switch to mysqli!)
It's also possible the table does not have a matching row, and therefore nothing will be deleted. Without knowing what you have assigned to $user and your data there is no way to know.
try this one:
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."'");
or
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
every php variables that used in mysql, put them into '".$variable."'
First : mysql is deprecated. you should use mysqli.
Second : What kind of type is user?
if is int :
(object oriented style)
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` = '".$user."'");
if is varchar (string) :
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` LIKE '".$user."'");
or
(procedurel syle)
mysqli_query((your mysqli link), "DELETE (what you want) FROM xraydeath WHERE `user` LIKE/= '".$user."'");
Hope it helps

Update where id=$id

I have this query to submit data into the database:
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
the id will be obtained via url EX localhost/index.php?id=123
$id=$_GET['id']
The query will not work correctly; the data will not update.
If I write :
$sql = "UPDATE table SET user='$user', name='$name' where id ='123'";
It works fine.
If I echo the ID it will show the correct result, 123.
Where is the problem?
run ALL your queries the way you can get the error message along with erroneous query.
so, at least this way
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
$res = mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
and it will tell you where is the problem.
It is WAY more convenient, precise and faster than asking questions here.
I'm guessing your problem is mal-formed SQL due to unescaped data interpolation - an SQL injection hole.
What does your actual generated query look like? Not the code that creates the sql (which you've got above), but the actual SQL after the variables are inserted?
I'm guessing it'll look something like this:
UPDATE table SET user='fred', name='O'Brien' where id='123';
^--unescaped quote
causing a syntax error.
If you're running the query like this:
$result = mysql_query($sql);
then change it to be
$result = mysql_query($sql) or die(mysql_error());
so you'll immediately get feedback if the query fails for any reason.
And then read up about SQL injection holes
$id = $_GET['id']
<form action="#.php" method="POST">
<input type="hidden" name="id" value="<?php echo $id?>">
</form>
then, inside PHP block,
$id = $_POST['id'];
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'"
Without getting into the issue of how bad it is to pull data right from the GET array, I'd start by suggesting you properly escape your variables. I assume ID is an integer, so there's no need for singlequotes around it.
$sql = "UPDATE table SET user='".$user."', name='".$name."' where id=".$id;
See if that works.
TableName should be there ....you have not used table name in your query..Echo the $sql and then try executing in phpmyadmin.
First of all, you're wide open to SQL Injection attacks if you do it like this. Anyone can just alter the part after id= to anything they like and modify your database with that.
Secondly, I see you pass an id to the script, but where does it determine the $user and $name values? Seems like your code posted is incomplete.

Sql query problem

I have the below sql query that will update the the values from a form to the database
$sql=
"update leads set
category='$Category',
type='$stype',
contactName='$ContactName',
email='$Email',
phone='$Phone',
altphone='$PhoneAlt', mobile='$Mobile',
fax='$Fax',
address='$Address',
city='$City',
country='$Country',
DateEdited='$today',
printed='$Printed',
remarks='$Remarks'
where id='$id'";
$result=mysql_query($sql) or die(mysql_error());
echo '<h1>Successfully Updated!!.</h1>';
when i submit I dont get any errors and the success message is displayed but the database isnt updated . When i echo the $sql, all the values are set properly. and when i ech the $result i get the value 1.
can someone please tell me what am i doing wrong here??
Have you tried running the echo of $sql directly using some DB tool? It may provide a more informative error. Alternatively, if that works you may have an issue where the transaction isn't being committed. Often a connection is set to automatically commit transactions, but that may not be the case here. Try adding a commit.
And have you ever heard of SQL injection attacks?
If you have a query that is not giving the expected result or receiving an error, and the problem isn't obvious, you should generally take a look at the final query just before it's run. Try using this right before running the query:
echo $sql;
exit;
Viewing the actual query often makes it obvious what the problem is, especially when the query includes variables. If the problem still isn't obvious, you can paste the query as is into a query browser to get feedback directly from the database engine.
Interestingly, using parametrized queries, you won't get to see the parameter values, as the parameters get replaced by MySQL, not PHP, however, you'll still get to see the entire prepared query.
Also, you can see the number of affected rows from your UPDATE statement with the mysql_affected_rows() function. You could put this immediately after the query is run:
echo ("Updated records:", mysql_affected_rows());
Spaces are often forgotten when concatenating queries.
$sql = "SELECT * FROM ducks";
$sql .= "WHERE duck = 'goose'";
When echoing the above query, we see:
SELECT * FROM ducksWHERE duck <> 'goose'
I'm guessing that the WHERE clause in your UPDATE statement isn't matching an "id = '$id'".
Also, is the id column really a string? You've put single quotes around the value. MySQL will cast the string to an integer if needed, but if it's an integer, save the database some work and remove the single quotes.
try to echo $sql and run it directly in any database console, may be there is no record with id = $id
SQL Injection can be the answer. Not an intentional attack (at this moment), but if your parameters have some unexpected information like quotes or other reserved characters you can have strange results. So, try to run this SQL directly in your database administration utility.
Try doing this
"""update leads set
category="$Category",
type="$stype", etc...; """
See if that works

Categories