I am trying to update a record in my database with values pulled from an exploded array
$arr2 = explode(",",$_POST['hidden-tags']);
//echo $arr2[0];
//insert new rows into blog post
mysql_select_db($db, $db);
$insertq = mysql_query("UPDATE blog SET tags1 = $arr2[0],tags2 = $arr2[1],tags3 = $arr2[2], tags4 = $arr2[3], tags5 = $arr2[4] WHERE idblog = '$id' ",$dbconnet);
If I echo the values from my array one at a time it works great. Once I try to put them in the db the row turns up empty. What's more, the user may not have entered 5 items; they may only have entered 1, but I don't think that's really the problem. To be honest, I can't see why it's currently failing at all.
I know I can save all values in one field, but it will be easier as separate fields for when I pull back and query later on.
If the data types of the columns are strings, the values must be wrapped in single quotes, as they are string literals, e.g.,
$insertq = mysql_query("UPDATE blog SET tags1 = '". $arr2[0] . "',....");
As a side note, the query is vulnerable to SQL injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of the single quotes around values.
How to prevent SQL injection in PHP?
$insertq = mysql_query("UPDATE blog SET tags1 = $arr2[0],tags2 = $arr2[1],tags3 = $arr2[2], tags4 = $arr2[3], tags5 = $arr2[4] WHERE idblog = '$id' ",$dbconnet);
should be:
$insertq = mysql_query("UPDATE blog SET tags1 = '".$arr2[0]."',tags2 = '".$arr2[1]."',tags3 = '".$arr2[2]."', tags4 = '".$arr2[3]."', tags5 = '".$arr2[4]."' WHERE idblog = '".$id."'",$dbconnet);
or the whole query is going to consider the variable names as part of the string
EDITED: I had the quotes inverted.
It should be like this :
$insertq = mysql_query('UPDATE blog SET tags1 = "'.$arr2[0].'",tags2 = "'.$arr2[1].'",tags3 = "'.$arr2[2].'", tags4 = "'.$arr2[3].'", tags5 = "'.$arr2[4].'" WHERE idblog = "'.$id.'" ',$dbconnet);
I think you might need to look at the datatypes of your table. If you are using varchar or text as data-types then single colon will be necessary.
$insertq = mysql_query("UPDATE blog SET tags1 = '$arr2[0]',tags2 = '$arr2[1]',tags3 = '$arr2[2]', tags4 = '$arr2[3]', tags5 = '$arr2[4]' WHERE idblog = '$id' ",$dbconnet);
Also, if idblog is an integer, then do not use single quotes.
Hope this helps.
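The prepared-statement approach recommended in the first answer, applied to the question's tag columns, as an added example that is not code from the thread. It pads a short tag list with NULL so fewer than five tags still bind cleanly; the in-memory SQLite database is an assumption that stands in for MySQL so the script runs without a server.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL so the script runs without a server; with MySQL only the DSN changes.

function updateTags(PDO $pdo, int $idblog, string $hiddenTags): int
{
    // Split, trim, drop empty entries, keep at most 5, pad the rest with NULL.
    $tags = array_filter(array_map('trim', explode(',', $hiddenTags)), 'strlen');
    $tags = array_pad(array_slice(array_values($tags), 0, 5), 5, null);

    // Placeholders carry the values; no quoting or escaping in the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE blog SET tags1 = ?, tags2 = ?, tags3 = ?, tags4 = ?, tags5 = ?
         WHERE idblog = ?'
    );
    $stmt->execute(array_merge($tags, [$idblog]));
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE blog (idblog INTEGER PRIMARY KEY, tags1 TEXT, tags2 TEXT,
            tags3 TEXT, tags4 TEXT, tags5 TEXT)');
$pdo->exec('INSERT INTO blog (idblog) VALUES (7)');

// Constructed input: only two tags, one of them containing quote characters.
$changed = updateTags($pdo, 7, "php, rock'n'roll");
$row = $pdo->query('SELECT * FROM blog WHERE idblog = 7')->fetch(PDO::FETCH_ASSOC);
var_dump($changed, $row);
```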
Related
I've been successful with duplicating joined tables. Yay!
Now, after a number of tests, I've found that single apostrophes (escaped items) aren't being accepted. When originally creating new table rows in the form, everything was run through the following:
$unit_id = mysqli_real_escape_string($dbc, trim($_POST['ajax_unit_id']));
Now, as I am duplicating these rows to create new records, I don't seem to know where/how to escape_string again in order to allow for single apostrophes again, such as a title called Don's Supah-Dupah App.
Duplication php:
$sql1 = "CREATE TEMPORARY TABLE tmp
SELECT *
FROM ".ID_TABLE."
WHERE `unit_id` = " . $id . "";
$result = mysqli_query($dbc,$sql1) or die(mysqli_error($dbc));
$sql2 = "ALTER TABLE tmp
DROP COLUMN `unit_id`";
$result = mysqli_query($dbc,$sql2) or die(mysqli_error($dbc));
$sql3 = "UPDATE tmp
SET `title` = '" . $titleStamp . "'";
# ************************************************************ #
# ****** This is where I believe the issue is occurring ****** #
# ************************************************************ #
$result = mysqli_query($dbc,$sql3) or die(mysqli_error($dbc));
$sql4 = "INSERT INTO ".ID_TABLE."
SELECT 0,tmp.*
FROM tmp";
$result = mysqli_query($dbc,$sql4) or die(mysqli_error($dbc));
$unit_id1 = $dbc->insert_id; //mysqli_insert_id($dbc); // Store new unit_id as var
$sql5 = "DROP TABLE tmp;";
$result = mysqli_query($dbc,$sql5) or die(mysqli_error($dbc));
After combing through the coding again, I found that the error actually had nothing to do with the duplication...sort of.
Note: I am providing this answer in case it helps someone out there to step back and look at their own issue from 5000 meters...instead of from 5 inches. Hopefully this helps someone to pull themselves out of the rabbit hole to get a better perspective.
Earlier before the duplication, I'd set up a variable $title that was generated by an initial sql select
$row = mysqli_fetch_array($rdata);
$title = $row['title'];
...then concatenate the title and a datetimestamp.
date_default_timezone_set(DEFAULT_TZ); // Default timezone set as Australia/Melbourne
$timestamp = date('Y/m/d h:i:s:a');
$titleStamp = $title." COPY ".$timestamp;
This $title variable is where the issue was occurring. The new string had to be escaped before the content could be inserted back into the new row.
$title = mysqli_real_escape_string($dbc, trim($row['title']));
Voila!
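The situation described in this answer, a value read back from the database and reused in a new statement, handled with bound parameters instead of a second escaping pass. This is an added example, not code from the post; the table `units` and its columns are hypothetical, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example, not code from the post. Table "units" and its columns are
// hypothetical; SQLite in memory stands in for MySQL so it runs offline.

function duplicateUnit(PDO $pdo, int $unitId): int
{
    // The stored title is data like any other: once read back it is bound,
    // never concatenated, so an apostrophe in it cannot end the SQL string.
    $sel = $pdo->prepare('SELECT title FROM units WHERE unit_id = ?');
    $sel->execute([$unitId]);
    $title = $sel->fetchColumn();
    if ($title === false) {
        throw new RuntimeException("unit $unitId not found");
    }
    $titleStamp = $title . ' COPY ' . date('Y/m/d h:i:s:a');

    // Copy the other columns in SQL and supply the new title as a parameter.
    $ins = $pdo->prepare(
        'INSERT INTO units (title, body)
         SELECT ?, body FROM units WHERE unit_id = ?'
    );
    $ins->execute([$titleStamp, $unitId]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE units (unit_id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Constructed sample row using the title from the question.
$seed = $pdo->prepare('INSERT INTO units (title, body) VALUES (?, ?)');
$seed->execute(["Don's Supah-Dupah App", 'constructed sample row']);

$newId = duplicateUnit($pdo, 1);
$check = $pdo->prepare('SELECT title FROM units WHERE unit_id = ?');
$check->execute([$newId]);
var_dump($newId, $check->fetchColumn());
```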
I have 3 variables that contain a text string. I need to update them in the table, but out of the 20+ different variations of about 5 different scripts that I've tried out, it just doesn't update!
I want something like below script:
mysql_query("UPDATE $variable_1 SET $variable_2 = $q WHERE $variable_3 = $o")
or die(mysql_error());
Try this code:
mysql_query("UPDATE table_name SET field_name = '"
.$str_value."' WHERE $field_3 = '".$str_value."'")
or die(mysql_error());
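When the table and column names themselves come from variables, as in this question, placeholders cannot carry them, so one option is to check each name against a fixed list and bind only the values. This is an added example, not code from the thread; the `members` table, its columns and the `ALLOWED` map are hypothetical, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example, not code from the thread. Table and column names below are
// hypothetical; SQLite in memory stands in for MySQL so it runs offline.

const ALLOWED = [                      // table => columns that may be named
    'members' => ['nickname', 'email', 'city'],
];

function updateField(PDO $pdo, string $table, string $setCol, string $value,
                     string $whereCol, string $match): int
{
    // Identifiers cannot be bound as parameters, so accept only known names.
    $cols = ALLOWED[$table] ?? null;
    if ($cols === null
        || !in_array($setCol, $cols, true)
        || !in_array($whereCol, $cols, true)) {
        throw new InvalidArgumentException('unknown table or column');
    }
    // Names come from the allow-list; the two values travel as parameters.
    $sql = "UPDATE `$table` SET `$setCol` = ? WHERE `$whereCol` = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$value, $match]);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (nickname TEXT, email TEXT, city TEXT)');
$pdo->exec("INSERT INTO members VALUES ('don', 'don@example.test', 'Perth')");

// Constructed calls: a value with an apostrophe, then a column not on the list.
var_dump(updateField($pdo, 'members', 'city', "St John's", 'nickname', 'don'));
try {
    updateField($pdo, 'members', 'is_admin', 'x', 'nickname', 'don');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```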
Ok..I know how to get a data record from a MySql table...and I want to change data in that record and update the table.
My question is...can you actually manipulate that data from the result row, and subsequently use those in the update statement?
For example.
Let's say the table rows have 2 fields: Name, YearlyEarn.
And once a month I want to add that month's income to the YearlyEarn field for each person.
Assume we already did the Select statement for someone who's name is in $CurrentName.
And we then get their record.
$DataRow = mysql_fetch_array($result);
Can you do this:
$DataRow["YearlyEarn"] = $DataRow["YearlyEarn"] + $MonthEarn;
$query = "UPDATE EarnTable SET YearlyEarn = '$DataRow["YearlyEarn"]'
`WHERE Name = '$CurrentName'" ;
$UpdResult = mysql_query($query) or die(mysql_error());
OR.....should I put the data into intermediate fields, manipulate it..and then use those fields in the update statement?
You should use prepared statements, like PDO. The mysql_* is outdated. But if not doing so, you should consider changing your query from:
$query = "UPDATE EarnTable SET YearlyEarn = '$DataRow["YearlyEarn"]'`WHERE Name = '$CurrentName'" ;
to:
$query = "UPDATE EarnTable SET YearlyEarn = '" . $DataRow['YearlyEarn'] . "' WHERE Name = '$CurrentName'" ;
Yes, you can:
UPDATE EarnTable
SET YearlyEarn = YearlyEarn + 123
WHERE Name = 'abc'
You can use:
$query = "UPDATE EarnTable SET YearlyEarn = '$DataRow[YearlyEarn]' WHERE Name = '$CurrentName'" ;
When you're interpolating an array reference, the key is automatically quoted.
or:
$query = "UPDATE EarnTable SET YearlyEarn = '{$DataRow["YearlyEarn"]}' WHERE Name = '$CurrentName'" ;
Inside {...}, you can put any variable expression and it will be evaluated and interpolated.
<?php
require('dbconnect.php');
$indexno = $_POST['indexno'];
$cevap = $_POST['cevap'];
$cevapdate = gmdate("Y-m-d\TH:i:s\Z");
$query = "UPDATE soru
SET cevap = '$cevap',
cevapdate = '$cevapdate'
WHERE `index` = '$indexno'";
$link = mysql_query($query);
if(!$link) {
die('not worked: ' . mysql_error());
} else {
mysql_close($con);
echo 'worked';
}
?>
The outcome of this PHP code is "Worked." but there is no change in the database. The thing is, I'm trying to update the cevap and cevapdate fields on a row by index id.
You need to remove the single quotes from around the index. You should not put single quotes around a column name while writing a query. Write your query this way -
$query = "UPDATE soru SET cevap = '$cevap', cevapdate = '$cevapdate' WHERE index = '$indexno'";
You have to escape your rows/table with backticks, not single-quotes.
$query = "UPDATE `soru`
SET `cevap` = '$cevap', `cevapdate` = '$cevapdate'
WHERE `index` = '$indexno'";
Also, you should escape your user input to prevent SQL injections.
New to PHP/MySQL and having trouble inserting and retrieving binary data. I have a MySQL table called usr_pressdata. The field 'BinDat' is of type mediumblob.
$dat = $this->parseOverview($sql);
// $dat is now a binary string
$datsql = "Update usr_pressdata Set BinDat = " . $dat;
$datresult = mysql_query($datsql, $this -> conn) or die(mysql_error());
$getdat = "Select * from usr_pressdata";
$getdatresult = mysql_query($getdat, $this -> conn) or die(mysql_error());
$row = mysql_fetch_array( $getdatresult );
$retval = $row['BinDat'];
In this example my goal is that $retval == $dat but it does not. I suspect that my query string $datsql is incorrect. Can someone correct this example code? Thank you.
When inserting values in a table (or more generally, when including a value in an SQL request):
the string must be enclosed between quotes ('...')
the string must be “escaped” using mysql_real_escape_string so as to prevent SQL injection.
So you need to write something like:
$request = "UPDATE usr_pressdata SET bindat= '" . mysql_real_escape_string($dat) . "';";
I suspect you may want to add a WHERE someColumn = someCondition clause at the end, because as it is now, it would affect all the rows in the table.
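A round trip of the binary value with a bound parameter and a WHERE clause, so the bytes never become part of the SQL text. This is an added example, not code from the thread; the `id` key column is an assumption (the post shows none), and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example, not code from the thread. Column "id" is an assumption (the
// post shows no key column); SQLite in memory stands in for MySQL.

function storeBlob(PDO $pdo, int $id, string $dat): void
{
    // PARAM_LOB sends the bytes as data: NUL, quote and backslash bytes need
    // no escaping, and the WHERE clause limits the update to one row.
    $stmt = $pdo->prepare('UPDATE usr_pressdata SET BinDat = :dat WHERE id = :id');
    $stmt->bindValue(':dat', $dat, PDO::PARAM_LOB);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

function loadBlob(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT BinDat FROM usr_pressdata WHERE id = ?');
    $stmt->execute([$id]);
    $val = $stmt->fetchColumn();
    // Some PDO drivers hand LOB columns back as streams rather than strings.
    return is_resource($val) ? stream_get_contents($val) : (string) $val;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE usr_pressdata (id INTEGER PRIMARY KEY, BinDat BLOB)');
$pdo->exec('INSERT INTO usr_pressdata (id) VALUES (1), (2)');

// Constructed binary string containing NUL, quote, backslash and high bytes.
$dat = "\x00\x01'\"\\\xff\xfe" . pack('N', 123456) . random_bytes(16);
storeBlob($pdo, 1, $dat);

// First value: row 1 returns the exact bytes; second: row 2 was left untouched.
var_dump(loadBlob($pdo, 1) === $dat, loadBlob($pdo, 2) === '');
```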