I am currently using the following function:
if(isset($_REQUEST["function"]) && ($_REQUEST["function"] == "setnm")){
$value = $_REQUEST["value"]; //field to edit
$con=mysqli_connect("localhost", "root", "", "hike_buddy");
//Check Connection
if(mysqli_connect_errno())
{
echo "failed to connect:".mysqli_connect_error();
}
mysqli_query($con, "INSERT INTO user_com (name) VALUES ('$value')");
mysqli_close($con);
}
How can I alter this code so it will change the value of two fields?
For instance I have a comment and a name column and I want to update them both (different values) with one function.
Never use un-escaped strings specified by the user in your database queries.
So, if you're using mysqli:
$value1 = $con->real_escape_string($_REQUEST['value_1']);
$value2 = $con->real_escape_string($_REQUEST['value_2']);
$query = "INSERT INTO my_table (column_1, column_2) VALUES ('$value1', '$value2')";
$con->query($query);
Are you trying to INSERT new data in the database or UPDATE existing data?
If you want to update data, you should use the UPDATE statement:
$query = "UPDATE my_table SET column_1 = '$value1', column_2 = '$value2' WHERE my_table_key = '$key'";
Also, you need to escape these variables like har-wradim suggested.
You can do the following:
if(isset($_REQUEST["function"]) && ($_REQUEST["function"] == "setnm")){
$value = $_REQUEST["value"]; //field to edit
$comment = $_REQUEST["comment"]; //This is your comment
$con=mysqli_connect("localhost", "root", "", "hike_buddy");
//Check Connection
if(mysqli_connect_errno())
{
echo "failed to connect:".mysqli_connect_error();
}
//Edit the query like so to update insert the comment along with the name.
mysqli_query($con, "INSERT INTO user_com (name, comment) VALUES ('$value', '$comment')");
mysqli_close($con);
}
Related
I need to insert values into multiple table. Please correct my code because it just double the inserted value on table_attendace
if(isset($_POST['text']))
{
$text =$_POST['text'];
// insert query
$sql = "INSERT INTO table_attendance(NAME,TIMEIN) VALUES('$text',NOW())";
$query =mysqli_query($conn,$sql) or die(mysqli_error($conn));
if($query==1)
{
$ins="INSERT INTO table_attendancebackup(NAME,TIMEIN) VALUES('$text',NOW())";
$quey=mysqli_query($conn,$sql) or die(mysqli_error($conn));
if ($quey==1) {
$_SESSION['success'] = 'Action Done';
}else{
$_SESSION['error'] = $conn->error;
}
}
}
In the second query, you reused the first query $sql again, instead of using $ins.
It should be
$quey=mysqli_query($conn,$ins) or die(mysqli_error($conn));
you can write two queries in single variable with semicolon then you can save the same data in both table.
And
$quey=mysqli_query($conn,$sql) or die(mysqli_error($conn)); -> in this line you placed the $ins variable wrongly instead of $ins.
$sql = "INSERT INTO table_attendance(NAME,TIMEIN) VALUES('$text',NOW()); INSERT INTO table_ttendancebackup(NAME,TIMEIN) VALUES('$text',NOW())";
$query = mysqli_query($conn, $sql) or die(mysqli_error($conn));
The users enter their name and number in the textfields. The this information is passed then sent to the data.php file where I am trying to get it to write to my database. The data base name is called hello.
<!-- connect to database -->
<?php
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "hello";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} else {
echo "wooo connected";
}
//<!-- post added information to database -->
if ($_POST['name']) {
if ($_POST['number']) {
$sql = "INSERT INTO hello (id, name, number)
VALUES ('', '$_POST['name']', '$_POST['number'')";
if(mysqli_query($conn, $sql)){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
}
}
} ?>
From looking at my code I believe the issue is with this line.
$sql = "INSERT INTO hello (id, name, number)
VALUES ('', '$_POST['name']', '$_POST['number']')";
There is a blank left at the star for the auto incremented id that I have set in phpmyadmin.
I can hard code an entry such as:
$sql = "INSERT INTO hello (id, name, number)
VALUES ('', 'john', '12345)";
These hard coded entries are put into the database but i can't get the user entered data to go in.
Create variables for the $_POST values and add the vars for ease of code understanding:
$name = $_POST['name'];
$number = $_POST['number'];
$sql = "INSERT INTO hello (id, name, number) VALUES ('', $name, $number)";
One reason your code may not be working because you have the single quotes around the $_POST values, then you can also do what Jasbeer Rawal recommended.
UPDATE
Based on the kind comments... I would personally take a different approach to adding the data to your database, instead use prepared statements. I use MySQLi, but you can also use PDO.
Start by creating your connection:
<?php
define("HOST", "localhost");
define("USER", "");
define("PASSWORD", "");
define("DATABASE", "");
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
if ($mysqli->connect_error) {
echo "There was a slight problem, please contact your webmaster before continuing.";
exit();
}
Then when the user submits the form handle it:
if(isset($_POST['submit']
{
$name = $_POST['name'];
$number = $_POST['number'];
if ($stmt = $mysqli->prepare("INSERT hello (name, number) VALUES (?, ?)"))
{
$stmt->bind_param("ss", $name, $number);
$stmt->execute();
$stmt->close();
}
else
{
echo "ERROR: Could not prepare SQL statement.";
}
}
This will add $name and $number and your ID role has to be a primary role and set to auto_increment. IDs will be automatically generated.
You're about to go down a slippery slope using mysqli. I'd recommend trying to learn to use PDO for making queries. Right now, someone could easily put SQL into the name POST data and actually do damage to your database.
Anyways, your problem at hand, you have a missing bracket and one issue:
VALUES ('', '$_POST['name']', '$_POST['number'')";
It won't work as intended with nested single quotes.
VALUES ('', '$_POST[name]', '$_POST[number]')";
Remove single quotes from $_POST['name'] and $_POST['number'] as below
$sql = "INSERT INTO hello (id, name, number)
VALUES ('', $_POST['name'], $_POST['number'])";
Your insert code be like this
$sql = "INSERT INTO hello (id, name, number)
VALUES ('','{$_POST['name']}', '{$_POST['number']}')";
Then your value will be in database
If field id is primary key and auto increment then your insert statement should be like
Try this:
$sql = "INSERT INTO hello ( name, number)
VALUES ('{$_POST['name']}', '{$_POST['number']}')";
I need to insert the details (name, id , number )of many documents into database if they are not already existing and if they exist i just need to do a update for any changed information. I have arrived at the following code but it doesn't work. I am new to this and need help on this.
foreach($A->Documents -> Document as $Document)
{
$query = "SELECT * from table where id = '".$Document->id."'";
$outcome = mysql_query($query) or die(mysql_error());
if(($outcome)&&(mysql_num_rows($result)>0)){
echo "Document already available" ;
while($row = mysql_fetch_object($outcome)){
if(!($outcome->name == $document->name)){
$update= "UPDATE table SET name= '.$Document->Name.'";
mysql_query($update) or die(mysql_error());
}
else
{
$insert= "INSERT table SET name= '.$Document->Name.'";
mysql_query($update) or die(mysql_error());
}
}
}
}
Use $row->name instead of $outcome->name. and your INSERT statement is wrong.
while($row = mysql_fetch_object($outcome)){
if(!($row->name == $document->name)){
$update = "UPDATE table SET name ='".$Document->Name."' WHERE id = ".$Document->id;
mysql_query($update) or die(mysql_error());
}
else {
$insert = "INSERT INTO table (name) VALUES('".$Document->Name."')";
mysql_query($insert) or die(mysql_error()); // $insert not $update
}
}
Note: Stop using mysql_* functions! Use PDO or mysqli_* instead. And use prepared statements
Change the
mysql_query($update) or die(mysql_error());
To:
$insert = INSERT into table_name values(" values");
mysql_query($insert) or die(mysql_error());
in the else condition
Issue is with $result variable with in if statement
( if(($outcome)&&(mysql_num_rows($result)>0)){)
It should be $outcome because you initialized query output to $outcome variable
First of, dont yse mysql_ functions. Read the docs (read the warning).
use mysqli or PDO instead.
Then, your INSERT statement is wrong.
INSERT INTO table (col1) VALUES (value_for_col1);
what's wrong with my code? I'm sure $_POST['item'] has valid value
<?php
$data = $_POST['item'];
$conn = mysqli_connect("localhost","root","");
mysqli_select_db($conn, "ajaxexample");
$q = INSERT INTO user (userList) VALUES ('$data');
if(mysqli_query($conn, $q)){
echo 1;
}
?>
put INSERT INTO user (userList) VALUES ('$data'); in double quotes.
eg:
$q = "INSERT INTO user (userList) VALUES ('$data')";
PHP string literals need to be in quotes.
To fix this by changing just one line:
$q = "INSERT INTO user (userList) VALUES ('" . mysqli_real_escape_string($data . "')";
<?php
$data = $_POST['item'];
$conn = mysqli_connect("localhost","root","", "ajaxexample");
$q = INSERT INTO user (userList) VALUES ('$data');
if(mysqli_query($conn, $q)){
echo 1;
}
?>
Not mysqli_select_db
I have a simple mysql table
This is the code to connect to database and insert into testtable:
$mysqli = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
} else {
$sql = "INSERT INTO testtable
VALUES (NULL, $forename)";
$res = mysqli_query($mysqli, $sql);
if($res === TRUE) {
echo "data successfully inserted.";
} else {
printf("Could not insert data: %s\n", mysqli_error($mysqli));
}
mysqli_close($mysqli);
}
In this case I try to insert $forename into my table. If I use a string literal like 'Jim' or '123' it gets inserted. If $forename is given the value 123 or any other number it gets inserted. If $forename = 'Jim' I get an error telling me there is no column 'Jim' as though I were specifying a column in the table.
It has happened to me before, you are missing quotes in the query. Try:
$sql = "INSERT INTO testtable VALUES ('{$forename}')";
When forename is 'Jim', the query expands to ".... VALUES(NULL, Jim)", but you want "... VALUES(NULL, 'Jim')". Your query should read "...VALUES(NULL, 'Jim')".
use a prepared statement
$db= mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
$sql = "INSERT INTO testtable (testfield) VALUES (?)";
if ($statement =$db->prepare($sql)){
$statement->bind_param("s",$forename);
msqi_stmt_execute($statement);
};
Since your id field is an autonumber, you don't need to insert anything. You should also really get in the habit of specifying the columns to insert into:
Instead of :
INSERT INTO testtable VALUES (NULL, $forename)
use:
INSERT INTO testtable
(
`testfield`
)
VALUES
(
'$forename'
)
Note that the "quotes" around the field name are back-ticks, not single quotes.
Of course, using string insertion like this is a security risk, so you really should be using prepared statements, as case1352 demonstrates in his answer.