I am using php to update a mysql DB within a function. I am able to echo my variable names and was able to return the variables on the php page. This proves to me that my variables are working correctly.
Now when I use the update command, my DB does not respond. Yes, I have connected to the DB and it all works.
This is what I am using to update:
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = $username");
The value for $username should be wrap with single quotes.
mysql_query(" UPDATE table_name
SET int_field = '$int_value'
WHERE username = '$username'");
SideNote: your code is vulnerable with SQL Injection. Please read the article below to know how to secure your code,
Best way to prevent SQL injection in PHP?
You need to quote all of your input to the query. This prevents SQL injection, but also simple syntax errors that would occur if your user innocently inputs a special character that would break your query.
mysql_query('UPDATE table_name '.
'SET int_field = "'.mysql_real_escape_string($int_value).'" '.
'WHERE username = "'.mysql_real_escape_string($username).'"');
This is the correct STRUCTURE of how to update with a variable in php
mysql_query("UPDATE tablename SET password='". $NPass ."' WHERE custID='$num'");
Try this :
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = '$username'");
I had the same problem and found that the SET value doesn't need single quotes and that the WHERE clause does ...
mysql_query("UPDATE table_name SET int_field=$int_value
WHERE username='$username'");
.. seemed to work for me.
Related
I'm currently developing a simple php/mysql website as an assignment.
I need to update a char column in a table by passing a php variable. Issue is I don't know how to pass the variable as a string.
$verify = $_POST['verification'];
"UPDATE Users SET account_status=1 WHERE verification_code= . $verify . ";
Above query is not working for me. Running the query manually on mysql does work;
UPDATE Users SET account_status=1 WHERE verification_code="XYz12"
so I think the problem is passing the variable as a string. I tried a couple of different things but couldn't manage it...
the field verification_code is a string, this must be between simple quote like:
$query = "UPDATE Users SET account_status=1 WHERE verification_code='$verify'";
"UPDATE Users SET account_status=1 WHERE verification_code='" . $verify . "'";
But of course this is very poor form. You need to ensure your variable has been properly escaped. I recommend using PDO prepared statements:
$stmt = $db->prepare("UPDATE Users SET account_status=1 WHERE verification_code=?");
$stmt->execute(array($verify));
The correct string for the query is as follows:
$query = "UPDATE Users SET account_status=1 WHERE verification_code=\"" . $verify . "\"";
With the \ char you scape the quotes char. Anyways this can be quite confusing so you can use simple quotes.
$query = "UPDATE Users SET account_status=1 WHERE verification_code='$verify'";
Note that you can make a reference to a php variable within quotes like above.
BTW. Your error is that you are using the concatenation characters inside a string. It should be used like my first example. Anyways you need to quote the value of the SQL if it is a string. You don't have to do it if the field is NOT a string.
If you are worried about SQL-Injection you can use Prepared Statements instead of plain queries. I recommend to you the PDO Class of PHP. You can give a try to MySQLi too.
Why do I see in several examples of mysql queries via php the syntax:
$q = "CREATE TABLE '$tablename' ('$t_id_name')";
or things similar to that? I'm asking about the single quotes around the variable names. Is this required in MySQL strings? If I echo the string, it seems to expand the variables whether the quotes are there or not.
And would this pose a problem if this were done for something that was intended to be an integer?
To answer your question, the quotes are necessary, but not to expand the variable. A typical SQL query would look like this:
$q = "SELECT * FROM `table` WHERE `first_name` = 'user3475234'";
Now, consider the following example:
<?php
$tablename = "users";
$user = "user3475234";
$q = "SELECT * FROM `$tablename` WHERE `first_name` = '$user'";
echo $q;
This will display: SELECT * FROM `users` WHERE `first_name` = 'user3475234'. Note that the quotes weren't necessary to output the string, but they were a necessary part of the query.
That being said, code like this opens your script to SQL injection. I won't explain too much about it, since there are plenty of resources discussing it, but consider the example where someone's username is user3475234' OR 1==1--. This username will effectively return all users in the table.
You must use backticks (`) for field or table name especially if the field or table name are same with mysql command. And you need to use single-quote (') for value.
I am lost here please help
my data base table will not update when I use this code
$sqlpassword = "UPDATE login SET password='$hashedP' WHERE id='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
I have tried to look around maybe i'm not seeing it but im sure its right
password is a reserved word in MySQL. You have to wrap fieldnames in backticks so that MySQL doesn't see it as a SQL command.
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
Don't use the LIMIT keyword on UPDATE Statement.
Just use
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id'";
Disclaimer: Make use of Prepared Statements to avoid SQL Injection Attacks.
I worked it out sorry for wasting your time
<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>
was not putting in
edit.php?c=<?php echo $log_company ?>
so form was going to edit.php not edit.php?c=truestory
Check the following:
You are making commit after this update statement.
Check why you need the limit keyword, else remove it.
Check if the id is a number in your table structure or string, since in this update you are dealing with it as string.
Why does this PHP code (mysql_query to delete a row where user name is $phpVar) do nothing?
mysql_query("DELETE FROM xraydeath WHERE user = $user");
Probably because you forgot to quote the $user parameter also, please escape variables goes into sql query strings. If that parameter is connected directly to user input someone might submit ' or 1=1 -- and your whole table gone. This idea know as sql injection.
note: the old mysql_* functions are now deprecated, you should avoid using them, see the alternatives.
You need to put quotes around strings like this:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
you forgot the quotes around the user:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
What are you expecting? How it fails? Mysql_query is not suppose to do anything in the form that you are using it, except sending the query to the server.
$result = mysql_query (...);
// use the result if any.
if (!$result) {
die('Invalid query: ' . mysql_error());
}
// check the error that you might have
you need to put $user into quotes
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
also DELETE will succeed if even no rows where deleted, so to get how many rows where actually deleted use mysql_affected_rows()
$x = mysql_query("..");
echo "There were ".mysql_affected_rows()." rows affected";
**Try not to use mysql_* switch to PDO instead.
Assuming xraydeath.user is a character type, the value needs to be enclosed in quotes. If $user does not already contain the quotes, try:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
And for kicks, try setting $user = "' OR '1'='1";! (Read up on SQL injection attacks and you should really switch to mysqli!)
It's also possible the table does not have a matching row, and therefore nothing will be deleted. Without knowing what you have assigned to $user and your data there is no way to know.
try this one:
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."'");
or
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
every php variables that used in mysql, put them into '".$variable."'
First : mysql is deprecated. you should use mysqli.
Second : What kind of type is user?
if is int :
(object oriented style)
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` = '".$user."'");
if is varchar (string) :
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` LIKE '".$user."'");
or
(procedurel syle)
mysqli_query((your mysqli link), "DELETE (what you want) FROM xraydeath WHERE `user` LIKE/= '".$user."'");
Hope it helps
I have this query to submit data into the database:
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
the id will be obtained via url EX localhost/index.php?id=123
$id=$_GET['id']
The query will not work correctly; the data will not update.
If I write :
$sql = "UPDATE table SET user='$user', name='$name' where id ='123'";
It works fine.
If I echo the ID it will show the correct result, 123.
Where is the problem?
run ALL your queries the way you can get the error message along with erroneous query.
so, at least this way
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
$res = mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
and it will tell you where is the problem.
It is WAY more convenient, precise and faster than asking questions here.
I'm guessing your problem is mal-formed SQL due to unescaped data interpolation - an SQL injection hole.
What does your actual generated query look like? Not the code that creates the sql (which you've got above), but the actual SQL after the variables are inserted?
I'm guessing it'll look something like this:
UPDATE table SET user='fred', name='O'Brien' where id='123';
^--unescaped quote
causing a syntax error.
If you're running the query like this:
$result = mysql_query($sql);
then change it to be
$result = mysql_query($sql) or die(mysql_error());
so you'll immediately get feedback if the query fails for any reason.
And then read up about SQL injection holes
$id = $_GET['id']
<form action="#.php" method="POST">
<input type="hidden" name="id" value="<?php echo $id?>">
</form>
then, inside PHP block,
$id = $_POST['id'];
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'"
Without getting into the issue of how bad it is to pull data right from the GET array, I'd start by suggesting you properly escape your variables. I assume ID is an integer, so there's no need for singlequotes around it.
$sql = "UPDATE table SET user='".$user."', name='".$name."' where id=".$id;
See if that works.
TableName should be there ....you have not used table name in your query..Echo the $sql and then try executing in phpmyadmin.
First of all, you're wide open to SQL Injection attacks if you do it like this. Anyone can just alter the part after id= to anything they like and modify your database with that.
Secondly, I see you pass an id to the script, but where does it determine the $user and $name values? Seems like your code posted is incomplete.