I'm using the following query
$mysqli->query("UPDATE `edit_users` SET `password` = \"" . hash('sha512', $_POST['change_pw_password']) . "\", `single_login_pw` = NULL WHERE `id` = \"" . $userinfo['id'] . "\"");
As result this changes the password for the user with the specific id, but sets single_login_pw for all users to NULL.
Any idea why all single_login_pws are set to NULL and how to solve the problem?
Edit: I also tried to use mysql_query()...it's the same thing.
Try using LIMIT
"UPDATE `edit_users` SET `password` = '" . hash('sha512', $_POST['change_pw_password']) . "', `single_login_pw` = NULL WHERE `id` = '" . $userinfo['id'] . "' LIMIT 1"
I also changed your double quotes to single quotes around your strings.
Try this
$hash = hash('sha512', $_POST['change_pw_password']);
$uid = $userinfo['id'];
$mysqli->query("UPDATE edit_users SET password = $hash, single_login_pw = NULL WHERE id = $uid");
Related
I have this php script:
$query = "UPDATE event_rsvp SET event_note = '" . $_POST[note] . "', event_rsvp_type_id = '" . $_POST[rsvpId] . "' WHERE user_id = '" . $_POST[userId] . "' AND event_id = '" . $_POST[eventId] . "'";
$result = $mysqli->$query;
echo $query;
that echo gives me this:
UPDATE event_rsvp SET event_note = 'test',
event_rsvp_type_id = '4'
WHERE user_id = '1' AND event_id = '1'
Problem is that only the event_rsvp_type_id is updated in database, event_note isn't.
However, if I copy this echo-ed query and paste it directly into adminer or phpmyadmin, it works fine and updates the note as expected.
Any help? Thanks!
Try the following code:
$query = $mysqli->prepare("UPDATE event_rsvp SET `event_note`=?, `event_rsvp_type_id`=? WHERE `user_id`=? AND `event_id`=?");
$query->bind_param("siii", $_POST['note'], $_POST['rsvpId'], $_POST['userId'], $_POST['eventId']);
$query->execute();
Your real problem is that you were missing the singlequotes on your variables, and also, $mysqli->$query doesn't make any sense, the $query part isn't a variable, it should just be query. I converted your code to use prepared statements as well, hopefully this will allow you to see how easy they are to use, while giving you way more security.
I am looking to insert a single selection into a field for multiple users. I have the following code, when the selection is made and submit is entered. I do not get an error, I get the next page with the message posted 5 times, which is how many users are not it the weekpicks table. But nothing is inserted into the DB.
<?
// This code is to use to place info into the MySQL
$sTeam1 = $_POST['sTeam1'];
// (WHERE username FROM authorize WHERE username not in ( SELECT username FROM weekpicks WHERE whatweek='$totalnoOfWeek' )" .
//$nMemberID = (integer) Query
$sql_events = mysql_query("SELECT username FROM authorize WHERE username not in ( SELECT username FROM weekpicks WHERE whatweek='$totalnoOfWeek' )") or die(mysql_error());
while ($row = mysql_fetch_array($sql_events)) {
$username = $row["username"];
("INSERT INTO weekpicks SET " . "username = '" . ($username) . "'," . "date_create = NOW(), " . "whatweek = '" . ($totalnoOfWeek) . "'," . "team = '" . addslashes($sTeam1) . "'" . 'INSERT');
echo "<HTML>
<BODY>
<h2>Your pick of " . ($sTeam1) . ", for week " . ($totalnoOfWeek) . ", has been added.</h2>
<P align=left>Return to main page</p>
</BODY>
</HTML>";
}
?>
You are creating the string for insert but you are not running it.
Fixing your code it'd be:
while ($row = mysql_fetch_array($sql_events)) {
$username = $row["username"];
mysql_query("INSERT INTO weekpicks SET " . "username = '" . ($username) . "'," . "date_create = NOW(), " . "whatweek = '" . ($totalnoOfWeek) . "'," . "team = '" . addslashes($sTeam1) . "'");
//echo ...
}
Fixing the string syntax you could do this, which looks nicer. Also using mysql_real_escape_string() instead of addslashes(), since addslashes is not as safe as mysql's native function for php.
$sTeam1 = mysql_real_escape_string($sTeam1);
mysql_query("INSERT INTO weekpicks SET username = '$username', date_create = NOW(), whatweek = '$totalnoOfWeek', team = '$sTeam1');
Another thing I must tell you:
Stop using mysql_*, use mysqli_* instead.
mysql_ was removed from PHP7 and deprecated after PHP 5.5
It's not as safe as mysqli_, so consider improving your code to the new model.
Follow this guide in order to change your code properly.
Really stuck on something. I'm trying to update a database and the code looks write - and if I echo it out and paste it directly into phpMyAdmin it works perfectly - but the code itself doesn't work... I have spend a day so far trying to figure out why it's not working and I'm completely out of ideas...
function restoreSession()
{
mysql_connect("theHost", "root", "rootPWD") or die(mysql_error());
mysql_select_db("myDatabase") or die(mysql_error());
$restore_cmd = 'UPDATE wp_dor_cart66_sessions SET user_data = (SELECT user_data FROM wp_dor_cart66_stored_sessions WHERE ip_address = "' . $_SERVER['REMOTE_ADDR'] . '")';
$clean_up = "DELETE FROM `wp_dor_cart66_sessions` WHERE `ip_address` = \"" . $_SERVER['REMOTE_ADDR'] . "\" AND id NOT IN (SELECT id FROM ( SELECT id FROM `wp_dor_cart66_sessions` ORDER BY id DESC LIMIT 1 ) user_data )";
mysql_query($clean_up) or die('Query failed: ' . mysql_error());
$result = mysql_query($restore_cmd) or die('Query failed: ' . mysql_error());
echo "<br/>";
echo $restore_cmd;
echo "<br/>";
var_dump($result);
echo "<br/>";
print_r($result);
}
The resulting output looks like:
UPDATE wp_dor_cart66_sessions SET user_data =
(SELECT user_data FROM wp_dor_cart66_stored_sessions
WHERE ip_address = "196.54.110.24");
bool(true)
1
It doesn't appear to have any errors - but I just can't get it to update. If it didn't work in phpMyAdmin - I'd know there was something wrong with the SQL - but it seems right... I'm just really out of ideas - any help would be greatly appreciated!
Here are the statements again with some formatting:
$restore_cmd = '
UPDATE
wp_dor_cart66_sessions
SET
user_data = (
SELECT
user_data
FROM
wp_dor_cart66_stored_sessions
WHERE
ip_address = "' . $_SERVER['REMOTE_ADDR'] . '"
)
';
$clean_up = "
DELETE FROM
`wp_dor_cart66_sessions`
WHERE
`ip_address` = \"" . $_SERVER['REMOTE_ADDR'] . "\"
AND id NOT IN (
SELECT
id
FROM
(
SELECT
id
FROM
`wp_dor_cart66_sessions`
ORDER BY
id DESC
LIMIT
1
) user_data
)
";
$restore_cmd = 'UPDATE wp_dor_cart66_sessions SET user_data = (SELECT user_data FROM wp_dor_cart66_stored_sessions WHERE ip_address = \"' . $_SERVER['REMOTE_ADDR'] . '\")';
need to escape the quotation marks
Looks like quoting error, Try this:
"UPDATE wp_dor_cart66_sessions SET user_data = (SELECT user_data FROM wp_dor_cart66_stored_sessions WHERE ip_address = '" . $_SERVER['REMOTE_ADDR'] . "')";
If could be that you have multiple results in your SELECT.
What if you do ...
$restore_cmd = 'UPDATE wp_dor_cart66_sessions SET user_data = (SELECT user_data FROM wp_dor_cart66_stored_sessions WHERE ip_address = "' . $_SERVER['REMOTE_ADDR'] . '" LIMIT 1)';
... note the LIMIT 1
Are you sure that the first query is not deleting all the matching rows?
I don't understand the "user_data" part at the end of the first query. But I would check the number of affected rows after each query to see if query is doing any affect on data and if it is, is it doing well or there's just some logical mistake.
I have written a PHP class which will update 4 fields of a certain row in a table. The row is decided by a session var 'user' (which is unique). It's not working, but i'm not sure if it is because of the query or the class itself. So i'm first gonna ask you guys if there are any errors in this query (there probaply are) and when the query is correct, i'll see if the class itself has errors as well.
Query:
UPDATE tblRegistratie(lengte, gewicht, bmi geluk) WHERE `gebruikersnaam` = '" . $_SESSION['regain-user'] . "'
VALUES(
'".mysqli_real_escape_string($conn, $this->Lengte_update)."',
'".mysqli_real_escape_string($conn, $this->Gewicht_update)."',
'".mysqli_real_escape_string($conn, $this->BMI_update)."',
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
);
The quotes look funny here, but I think your problem is a trailing comma , after the last param:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
^^^^^
Last line:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
^^//fix the double qoute and make it single '
This is what an UPDATE query should look like.
UPDATE tblRegistratie
SET lengte=mysqli_real_escape_string($conn, $this->Lengte_update),
gewicht=mysql...etc
`bmi geluk`=...etc
WHERE `gebruikersnaam` = '" . $_SESSION['regain-user'] . "'
Yours looks nothing like that.
The correct syntax for UPDATE in MySQL would be something like::
$sql = "UPDATE tblRegistratie SET
lengte = '".mysqli_real_escape_string($conn, $this->Lengte_update)."',
gewicht = '".mysql_real_escape_string($conn, $this->Gewicht_update)."',
bmi = '".mysql_real_escape_string($conn, $this->BMI_update)."',
geluk = '".mysqli_real_escape_string($conn, $this->Geluk_update)."'
WHERE gebruikersnaam = '". $_SESSION['regain-user'];
You need to have your where clause after the values you're setting. Also, it sounds like you have some punctuation issues.
Consider the following rewrite for general easier-to-read goodness:
$query = 'UPDATE tblRegistratie
SET `lengte` = "' . mysqli_real_escape_string($conn, $this->Lengte_update) . '",
`gewicht` = "' . mysqli_real_escape_string($conn, $this->Gewicht_update) . '",
`bmi` = "' . mysqli_real_escape_string($conn, $this->BMI_update) . '",
`geluk` = "' . mysqli_real_escape_string($conn, $this->Geluk_update) . '"
WHERE `gebruikersnaam` = "' . $_SESSION['regain-user'] . '"
';
Also, functions like sprintf() can be your friend. :)
$query = sprintf('UPDATE `tblRegistratie`
SET `lengte` = "%s",
`gewicht` = "%s",
`bmi` = "%s",
`geluk` = "%s"
WHERE `gebruikersnaam` = "%s";',
mysqli_real_escape_string($conn, $this->Lengte_update),
mysqli_real_escape_string($conn, $this->Gewicht_update),
mysqli_real_escape_string($conn, $this->BMI_update),
mysqli_real_escape_string($conn, $this->Geluk_update),
$_SESSION['regain-user']
);
PHP
On the last line you have two initial single quotes.
Fix:
''".mysqli_real_escape_string($conn, $this->Geluk_update)."',
becomes
'".mysqli_real_escape_string($conn, $this->Geluk_update)."',
MySQL
Additionally, your UPDATE syntax appears to be completely invalid. Have a read through the documentation.
Ok, I am querying my DB for a file. And I want to use a PHP global variable and stick it somewhere in that output using say a '$dir' in my table. Any possible way to do so?
Just use it in a string for the query like you would in any other string. eg:
$sql = "UPDATE TABLE x SET dir=" . $dir . " WHERE id=" . $id;
Though if you do this and your variables use user input it's VERY IMPORTANT to sanitize them against SQL injection and such. The function mysql_real_escape_string() is provided for just such instances.
$sql = "UPDATE TABLE x SET dir=" . mysql_real_escape_string($dir) . " WHERE id=" . mysql_real_escape_string($id);
$query = "SELECT '" . $dir . "' as myVariable, userName, userpassword from users where userName = ...."
The first reply was missing some quotes:
$sql = "UPDATE TABLE x SET dir=" . $dir . " WHERE id=" . $i
->
$sql = "UPDATE TABLE x SET dir='" . mysql_real_escape_string($dir) . "' WHERE id=" . $i
and
$sql = "UPDATE TABLE x SET dir=" . mysql_real_escape_string($dir) . " WHERE id=" . mysql_real_escape_string($id);
->
$sql = "UPDATE TABLE x SET dir='" . mysql_real_escape_string($dir) . "' WHERE id=" . mysql_real_escape_string($id);