So I am using CONCAT to combine 2 strings together and want to update a TEXT field in my database by adding a new string onto the end of the existing string.
// This code works great. will add "EXTRA" at end of the feed.
$insert = ("update $username set feed = CONCAT(feed, 'EXTRA')");
mysql_query($insert);
// This code doesn't work. not sure what to change in the variable area?
$extra = "EXTRA";
$insert = ("update $username set feed = CONCAT(feed, '$extra')");
mysql_query($insert);
I tried many variations of the variable declaration but can't seem to get it to work like i can when i just write in a string. any help or insight is appreciated.
thanks!
I think you mixed up your SQL here:
"update $username set feed = CONCAT(feed, 'EXTRA')"
$username = TABLE NAME ??
And looks like you probably want to update a field WHERE it equals a certain $username which would be:
"update TABLENAME set feed = CONCAT(feed, '$extra') WHERE username = '$username'"
Look example query:
UPDATE table_name SET field1 = CONCAT(field1, "new data" ) WHERE field2 = value;
and adjust to your needs.
To get the word 'EXTRA' at the end of feed I think you need to do something like this:
$insert = ("update $username set feed = CONCAT(feed, '" . $extra . "')");
Related
I have a table called pack_details with 4 columns. I'm trying to insert new data into an existing table. Can somebody tell me what's wrong with my codes and why i have a parse error?
$sql_query = "UPDATE pack_details SET $delivery_date = $_POST["delivery_date"], $delivery_time = $_POST["delivery_time"]
WHERE $delivery_building = $_POST["delivery_building"]
AND $delivery_room = $_POST["delivery_room"]";
Try any from below options:
$sql_query = "UPDATE pack_details SET $delivery_date = '{$_POST['delivery_date']}', $delivery_time = '{$_POST['delivery_time']}' WHERE $delivery_building = '{$_POST['delivery_building']}' AND $delivery_room = '{$_POST['delivery_room']}'";
or
$sql_query = "UPDATE pack_details SET delivery_date = '".$_POST["delivery_date"]."', delivery_time = '".$_POST["delivery_time"]."' WHERE delivery_building = '".$_POST["delivery_building"]."' AND delivery_room = '".$_POST["delivery_room"]."'";
Note: If field name doesn't contain $, remove $ from field name in query. For eg. "$delivery_date" should be "delivery_date"
Suggestion: Instead of using string concatenation for building, You should use bind parameters to pass value to query. It helps to prevent SQL injection as well as code look well.
I'm trying to create a function for my forum that will increment my user's "Posts" attribute by 1. For whatever reason, the following PHP does not work.
function postCountIncrease($username) {
//get the connection variable
global $con;
//change to the users database (this function works correctly)
sqlconnect_users();
//get current post number (this is also working)
$getCurrentPosts = "SELECT Posts\n"
. "FROM users\n"
. "WHERE Username='".$username."'";
$query1 = mysqli_query($con, $getCurrentPosts) or die(mysqli_error($con));
$currentPosts = mysqli_fetch_array($query1);
//here is the problematic post. Assume that $username is a valid value, and that I've already done mysqli_real_escape_string() on it
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
$query2 = mysqli_query($con, $incrementPostsQuery) or die(mysqli_error($con));
//return the result
$result = mysqli_fetch_array($query2);
return $result;
}
I honestly don't see what I'm doing wrong, because the SQL works fine. If I use UPDATE users.users SET Posts=1 WHERE Username='Lampitosgames' in the console, it works with no errors. Help is much appriciated. Also, here is the error it is throwing at me:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1 WHERE Username='Lampitosgames''
You can not concatenate that way "toto ".$var+1, you have to surround with brackets "toto ".($var+1)
In your case, this is declaration of var $incrementPostsQuery which fails
Look at your errors, your syntax is off
$getCurrentPosts = "SELECT Posts
FROM users
WHERE Username='$username'";
The error is in the building of your query.
$incrementPostsQuery = "UPDATE users.users SET Posts=". $currentPosts[0]+1 ." WHERE Username='". $username ."'";
I'll suggest you some tips to create query like this:
"update table set field = value"; // you can write the value directly
"update table set field = ". $value; // easy
"update table set field = ". ($a+$b); // ...
"update table set field = {$value}"; // you can add a variable with curly braces
"update table set field = {$va[3]}"; // more compless way
"update table set field = {$a->b}"; // an object field
I wrote this code
if(isset($_POST['update'])) {
$webname = $_POST['webname'];
$webmeta = $_POST['webmeta'];
$webdesc = $_POST['webdesc'];
$sql=("UPDATE settings (name, meta, description) VALUES ('$webname', '$webmeta', '$webdesc')");
}
but the problem is that it doesn't update my database, and I cannot find anything wrong in the code ...
I have name "update" on submit button, and all my fields are the same as in code
That's insert! Not update!
$sql=("UPDATE `settings` SET `name` = '$webname',
`meta` = '$webmeta',
`description` = '$webdesc')
WHERE [some condition]");
And replace the [some condition] with a valid condition.
Your code is heavily vulnerable to SQL Injection.
Consider escaping the input by replacing these:
$webname = $_POST['webname'];
$webmeta = $_POST['webmeta'];
$webdesc = $_POST['webdesc'];
With:
$webname = mysql_real_escape_string($_POST['webname']);
$webmeta = mysql_real_escape_string($_POST['webmeta']);
$webdesc = mysql_real_escape_string($_POST['webdesc']);
Or something equivalent like PDO or MySQLi.
mysql_select_db("my_db", $con);
mysql_query("UPDATE Persons SET Age=36
WHERE FirstName='Peter' AND LastName='Griffin'");
u need to first formulate query ans then run/ execute that
$query = "UPDATE table_name
SET column1=value, column2=value2,...
WHERE some_column=some_value";
// Perform Query
$result = mysql_query($query);
You need to run
$connection = mysql_connect($server, $serv_Username, $serv_Password);
mysql_select_db($dbase_name, $connection);
mysql_query($update_query, $connection));
I don't know if this is your problem (don't know how much you know about PHP so just saying).
Also your syntax is wrong. Should be:
UPDATE tablename SET column_name='some_value' WHERE column_name ='some_value'
note that this is diffrent from mentioned above without the thingys covering the column_name parameters.
better is to use PDO as mentioned above, mysql_ can be used "safely" on < PHP 5.5.
Try The code shown below
Just replace the field names and values with your information on your database
$editid=$_POST['editid'];
$username=callback($_POST['username']);
$password=callback($_POST['password']);
$name=callback($_POST['name']);
$age=callback($_POST['age']);
$phone=callback($_POST['phone']);
$emailaddress=callback($_POST['emailaddress']);
$gender=callback($_POST['gender']);
$description=callback($_POST['description']);
$update=update("users","username='".$username."',password='".$password."',name='".$name."',age='".$age."',phone='".$phone."',emailaddress='".$emailaddress."',gender='".$gender."',description='".$description."' ","ID='".$editid."' " );
I have a number of textareas, each with a unique assigned name (name="adcode$ID", for example). When I try to pass those names to the code below, it doesn't work because of the dynamic part.
if (isset($_POST['editadapp'])) { // Edit AD
$newadcode = mysql_real_escape_string($_POST['.adcode$ID.']);
$doedit = "UPDATE ads SET adcode = '".$newadcode."') WHERE ads_ID=$ID" or die(mysql_error());
$updatead = mysql_query($doedit) or die(mysql_error());
header("Location: " . $_SERVER['PHP_SELF']);
How can I resolve this?
There is so much wrong with this that it's frightening.
Firstly,
$doedit = "UPDATE ads SET adcode = '".$newadcode."') WHERE ads_ID=$ID" or die(mysql_error());
That code snippet is wrong on many levels.
The sql syntax is wrong
The sql is formatted with strings from user input (see parameterization of queries here
or die() should not be used here, you're creating a string
Ideally you should have code like:
$dbh = new PDO('connectionstring to connect to your database');
$sql = 'update ads set adcode = ? where ads_id = ?';
$sth = $dbh->prepare($sql);
$sth->execute(array($_POST['adcode' . $ID], $ID));
Other topics:
Are Paramerterized queries necessary in pdo?
prepared queries with pdo
Preventing sql injection in php
You seem to be attempting string concatenation. Here's how to do that correctly:
$newadcode = mysql_real_escape_string($_POST['adcode' . $ID]);
The following line should simply create a string containing your SQL query; you don't execute it until the next line, there is no function call so the or die is out of place. You also mix concatenation with interpolation (variable names within a double quoted string) which is fine but probably not helping you understand your syntax issues, so let's be consistent:
$doedit = "UPDATE ads SET adcode = '" . $newadcode . "' WHERE ads_ID = " . $ID;
you should use array like adcode[<?php echo $ID;?>] at your page where the text area is and a hidden field name=adID[$ID]. At the page where the query executes
$adID = $_POST['adID'];
$newadcode = mysql_real_escape_string($_POST['adcode']);
$N = count($adID);
for($i=0;$N<$i;$i++){
$doedit = mysql_query("UPDATE ads SET adcode = '$newadcode[$i]' WHERE ads_ID=$adID[$i];") or die(mysql_error());
What is wrong with this query? It appears to be correct to me:
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id is $UID");
Modified it, NetBeans is still giving me an error. Here's my total code for the page:
$culture = $_POST["culture"];
if (isset($_POST["id"]))
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
else
mysql_query("INSERT INTO culture
VALUES(cult_desc='$culture')");
what's the value of $culture?
If it's a string, you'll need to encapsulate it with quotes.
Same thing for $UID.
Also, The 'is' in the where-condition should be '='
Also: watch our with this code. Make sure that $culture and $UID can not contain any malicious values (e.g. malicious input from users)
cult_desc probably string so need to wrap with ' '
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
Seeing the newly edited code, your update-statement is now correct, but your insert statement now is wrong.
Try:
mysql_query("INSERT INTO culture (culture_desc)
VALUES ('$culture')");
if SET cult_desc is a string then
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
or
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id = $UID")
your problem in the { and } of if else statement
$culture = $_POST["culture"];
if (isset($_POST["id"])){
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
}else{
mysql_query("INSERT INTO culture
VALUES(cult_desc='$culture')");
}
$sql = "UPDATE 'culture' SET `cult_desc` = '$culture' WHERE `cult_id` = '$UID'";
Basically, you're using is instead of =
Depending on the data type of $culture and $UID you might be missing quotes. Cult_desc sounds like a string and thus $culture should be enclosed in quotes.
You should always check the output of mysql_error.http://php.net/manual/en/function.mysql-error.
I also usually use = instead of 'is' and also wrap all of my input data in quotation marks. eg
$sql = "UPDATE 'culture' SET cult_desc = '".$culture."' WHERE cult_id = '".$UID."'";