I wrote this code
if(isset($_POST['update'])) {
$webname = $_POST['webname'];
$webmeta = $_POST['webmeta'];
$webdesc = $_POST['webdesc'];
$sql=("UPDATE settings (name, meta, description) VALUES ('$webname', '$webmeta', '$webdesc')");
}
but the problem is that it doesn't update my database, and I cannot find anything wrong in the code ...
I have name "update" on submit button, and all my fields are the same as in code
That's insert! Not update!
$sql=("UPDATE `settings` SET `name` = '$webname',
`meta` = '$webmeta',
`description` = '$webdesc')
WHERE [some condition]");
And replace the [some condition] with a valid condition.
Your code is heavily vulnerable to SQL Injection.
Consider escaping the input by replacing these:
$webname = $_POST['webname'];
$webmeta = $_POST['webmeta'];
$webdesc = $_POST['webdesc'];
With:
$webname = mysql_real_escape_string($_POST['webname']);
$webmeta = mysql_real_escape_string($_POST['webmeta']);
$webdesc = mysql_real_escape_string($_POST['webdesc']);
Or something equivalent like PDO or MySQLi.
mysql_select_db("my_db", $con);
mysql_query("UPDATE Persons SET Age=36
WHERE FirstName='Peter' AND LastName='Griffin'");
u need to first formulate query ans then run/ execute that
$query = "UPDATE table_name
SET column1=value, column2=value2,...
WHERE some_column=some_value";
// Perform Query
$result = mysql_query($query);
You need to run
$connection = mysql_connect($server, $serv_Username, $serv_Password);
mysql_select_db($dbase_name, $connection);
mysql_query($update_query, $connection));
I don't know if this is your problem (don't know how much you know about PHP so just saying).
Also your syntax is wrong. Should be:
UPDATE tablename SET column_name='some_value' WHERE column_name ='some_value'
note that this is diffrent from mentioned above without the thingys covering the column_name parameters.
better is to use PDO as mentioned above, mysql_ can be used "safely" on < PHP 5.5.
Try The code shown below
Just replace the field names and values with your information on your database
$editid=$_POST['editid'];
$username=callback($_POST['username']);
$password=callback($_POST['password']);
$name=callback($_POST['name']);
$age=callback($_POST['age']);
$phone=callback($_POST['phone']);
$emailaddress=callback($_POST['emailaddress']);
$gender=callback($_POST['gender']);
$description=callback($_POST['description']);
$update=update("users","username='".$username."',password='".$password."',name='".$name."',age='".$age."',phone='".$phone."',emailaddress='".$emailaddress."',gender='".$gender."',description='".$description."' ","ID='".$editid."' " );
Related
The code below is part of a simple password manager. I get an error saying the Query is empty yet the query works just fine in MySQL. (The 1 and the test value were originally variables I just changed them to values as part of my troubleshooting). I am also aware that the column names user and password may be problematic, but I added ` around them. What else could be wrong with that code?
$change_pass_query = "UPDATE `user` SET `password` = PASSWORD('test') WHERE id = 1";
$change_pass_result = mysql_query($change_pass_query) or die('Error. Change Password Query failed: '. mysql_error());
Try formatting your SQL like this:
UPDATE `user` SET `password` = 'test' WHERE `id` = 1
http://php.net/manual/en/function.mysql-query.php
Notice the warning at the top of that page. Nobody uses mysql_query or any plain mysql functions. Research mysqli/mysqli_query, and PDO.
Here's how you could do this with PDO:
$pdo = new PDO("mysql:host=localhost;dbname=mydb","username","password");
$stmt = $pdo->prepare("UPDATE `user` SET `password` = PASSWORD(:password) WHERE id = :id");
$result = $stmt->execute(array(':password' => "test",':id' => 1));
if (!$result) die('Error. Change Password Query failed: '. mysql_error());
Here's some documentation on PDO: http://php.net/manual/en/book.pdo.php
I ended up renaming all tables and fields so that I didn't use any reserved words, as I thought that the issue might be that. The problem still happened. I then copied my code to a different PHP box, et voila, the code works just fine. I'll have to put it down to an issue with the PHP version/installation on the older box and move on. There is nothing wrong with the code.
I'm having trouble getting this to update when needed. This is an optout script intended to updated the selected email row with the value of 1 in the removed column. I can't seem to get it to update and I'm thinking its an issue with my sql. Any help in understanding this is much appreciated.
As a note:
I'm making it to Sorry there seems to be an issue with.........
Here is the script.
<?php
if (isset($_GET['e'])) {
include_once "../storescripts/connect_to_mysql.php";
$email = $_GET['e'];
$sql_delete = mysql_query("UPDATE test WHERE email='$email' SET removed = '1'");
if (!$sql_delete) {
echo "Sorry there seems to be and issue when trying to remove your listing. Please email Admin directly using this email address: chris#.com";
} else {
echo "Sorry to see you go! You will not receive our newsletter ever again unless you relist. To gain access to our newsletter again simply let us know by email at chris#.com";
}
}
?>
Try:
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'");
The problem is your syntax, have a look at the mysql update syntax, where the where clause should go and where set should go http://dev.mysql.com/doc/refman/5.0/en/update.html.
You would have seen this problem had you used proper error handling, like follows:
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'") or die(mysql_error());
Have a look at mysql_real_escape_string http://www.php.net/manual/en/function.mysql-real-escape-string.php, to prevent SQL injection. Example:
$email = mysql_real_escape_string($email);
$sql_delete = mysql_query("UPDATE test SET removed = '1' WHERE email='$email'") or die(mysql_error());
Also note that mysql_ extension are deprecated, you want to start using mysqli or PDO.
Use SET before your WHERE clause.
UPDATE test
SET removed = '1'
WHERE email = '$email'
The update syntax is
UPDATE
table
SET
column = value
WHERE
condition = met
On another note, I see you're using a very unsafe method of dynamic entries ($_GET) and Mysql_* function are deprecated in new version of php >= 5.5. I'd highly recommend researching PDO for the use of bind variables otherwise you can easily get "hacked" if
$_GET['e'] = "fake' OR '1'='1" // known as sql injection
Good Read
How to prevent SQL injection in PHP?
Why shouldn't I use mysql_* functions in PHP?
You are right, your UPDATE syntax is incorrect. This is the correct form:
UPDATE test
SET removed = '1'
WHERE email = '$email'
Your query should be
mysql_query("UPDATE test SET removed = '1' WHERE email='$email'");
But please notice that this extension is deprecated.
Use MySQLi or PDO_MySQ instead.
the solution in both extensions are as follows.
MySQLi:
$mysqli = new mysqli(GDB_HOST, GDB_USERNAME, GDB_PASSWORD, GDB_NAME);
$cmd = $mysqli->prepare("UPDATE test SET removed = '1' WHERE email= ? ");
$cmd->bind_param('s', $email);
$cmd->execute();
PDO
$dbh = Database::connect();
$query = "UPDATE test SET removed = '1' WHERE email= ? ";
$sth = $dbh->prepare($query);
$sth->execute(array($email));
One of the big importances of using one of these 2 extensions is the fact that you avoid any attempt of SQL injection
My update form script works only, if I use numbers but, if I try use any words it won't work. I need help, thanks!
<?php
if(isset($_POST['teams'])){
$home_team = $_POST['home_team'];
$visitor_team = $_POST['visitor_team'];
$sql = mysql_query("UPDATE table1
SET home_team = $home_team, visitor_team = $visitor_team
WHERE active = 1") ;
$retval = mysql_query( $sql, $conn );
if(! $retval ){
die("<p>Error! Could not update team names. Click return button.</p>");
}
echo "<p>Team names set successfully!</p>";
mysql_close($conn);
}
?>
try with use of '' into your query,
$sql = mysql_query("UPDATE table1 SET
home_team = '".mysql_real_escape_string($home_team)."',
visitor_team = '".mysql_real_escape_string($visitor_team)."'
WHERE active = '1'") ;
also add mysql_real_escape_string() to prevent from SQL Enjection..
Every string passed to a SQL statement must be enclosed within a ''; if they are not, it will result in an error.
That being said, throwing content straight from a form into the database is very, very, very, very (I need another very) bad. Your database can simply be wiped by anyone; it's called SQL injection
To protect your database, you can start with this good article on PDO
i wrote the following code,but its not updating the database,,its a part of a script and it cease to work..cant find a way around it .. need suggestions
<?php
$link = mysql_connect('xxxxxxxx');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("xxx", $link);
$usernames='aneeshxx';
echo $usernames;
$update = "INSERT sanjana SET $name ='$usernames'";
mysql_query($update, $link);
$update1 = "INSERT INTO sanjana (name)VALUES ($usernames)";
mysql_query($update1, $link);
?>
$update = "INSERT sanjana SET $name ='$usernames'";
this probably is meant as an UPDATE statement, so for an update it should be
$update = "UPDATE sanjana set name = '$usernames'";
I put name and not $name due to your second query and not seeing $name being defined anywhere. Be aware that this will change the value in the column name of every row in the sanjana table to the value of $usernames, normally a statement such as this gets limited by conditions, e.g. WHERE userid = 33
$update1 = "INSERT INTO sanjana (name) VALUES ($usernames)";
for an INSERT statement it needs to have the values quoted so
$update1 = "INSERT INTO sanjana (name) VALUES ('$usernames')";
Be wary that this way of putting variables directly into your query string makes you vulnerable to SQL injection, to combat this please use the PDO or mysqli extensions, they both protect you from injection by providing you with prepared statements ; plain old mysql_* is not recommended for use anymore.
using pdo you'd use prepared statements like this
<?php
// we got $usernames from wherever you define it
$pdo = new PDO('mysql:dbname=mydb;host=localhost','username','password');
// to insert
$statement = $pdo->prepare('INSERT INTO `sanjana` (name) VALUES (:name)');
// the following replaces :name with $usernames in a safe manner, defeating sql injection
$statement->bindParam(':name',$usernames);
$statement->execute(); // it is done
// to update
$statement = $pdo->prepare('UPDATE `sanjan` SET `name` = :name');
$statement->bindParam(':name',$usernames);
$statement->execute(); // it is done
so as you can see protecting your code from malicious input is not hard and it even makes your SQL statements a lot easier to read. Did you notice that you didn't even need to quote your values in the SQL statement anymore? Prepared statements take care of that for you! One less way to have an error in your code.
Please do read up on it, it will save you headaches. PDO even has the advantage that it's database independent, making it easier to use another database with existing code.
The right update sql clause is like so:
UPDATE table
SET column = expression;
OR
UPDATE table
SET column = expression
WHERE predicates;
SQL: UPDATE Statement
Your query should be like this:
$update = "UPDATE sanjana SET $name ='$usernames'";
mysql_query($update, $link);
Of course you need to specify a row to update (id), other wise, the whole table will set column $name to $usernames.
UPDATE:
Because you are inserting a data in empty table, you should first execute $update1 query then execute $update query. UPDATE clause will make no change/insert on empty table.
Problem 1: use the correct "insert into" (create new record) vs. "update" (modify existing record)
Problem 2: It's good practice to create your SQL string before you call mysql_query(), so you can print it out for debugging
Problem 3: It's also good practice to detect errors
EXAMPLE:
<?php
$link = mysql_connect('xxxxxxxx')
or die('Could not connect: ' . mysql_error());
mysql_select_db("xxx", $link);
$usernames='aneeshxx';
$sql = "INSERT INTO sanjana (name) VALUES ('" . $usernames + ")";
echo "sql: " . $sql . "...<br/>\n";
mysql_query($sql, $link)
or die(mysql_error());
You have INSERT keyword for your update SQL, this should be changed to UPDATE:
$update = "UPDATE sanjana SET $name ='$usernames'";
This is simple one i am using the following insert query
mysql_query(insert into table1 set saltval = 'Y'Z' where uid ='1');
but i does not work becaues the value for the field saltval is Y'Z . my question is how to considered this value is as a string .
You need to escape any single quotes with a backslash.
mysql_query("insert into table1 set saltval = 'Y\'Z' where uid ='1'");
However your SQL is invalid as well... Did you mean to do an update? Insert statements don't have a where.
As mentioned in other answers, if the input is from a user then you should use mysql_real_escape_string()
http://www.php.net/manual/en/function.mysql-real-escape-string.php
$string = mysql_real_escape_string("Y'Z");
mysql_query("insert into table1 set saltval = '{$string}' where uid ='1'");
Always use mysql_real_escape_string() function for this if values come from user input
$query="insert into table1 set saltval = '".mysql_real_escape_string($InputVal)."' where uid ='1'";
See http://php.net/manual/en/function.mysql-real-escape-string.php
You have to add a backslash to certain characters to make your string fit into SQL syntax rules.
Assuming you're creating your query dynamically, PHP has special escaping function for this and you should use it for the every quoted string in the query, no exceptions.
So, write your code like this:
$salt = "Y'Z";
$id = 1;
$salt = mysql_real_escape_string($salt);
$id = mysql_real_escape_string($id);
$sql = "update table1 set saltval = '$salt' where uid ='$id'";
mysql_query($sql) or trigger_error(mysql_error()." ".$sql);
to make it safe and fault-tolerant