Successfully Setting a MSSQL Database value to NULL - php

I have a query (insecure for the minute) that attempts to set a value of a column to NULL. Basically just revert it to being empty. 'Allow NULL' is checked in the database design. It's an MSSQL database. First of all I tried:
$query = "UPDATE Table_Name SET Image = '', Thumb = '' WHERE PageID = 5";
Then:
$query = "UPDATE Table_Name SET Image = NULL, Thumb = NULL WHERE PageID = 5";
The second one produces no errors, but does not set the database value to NULL. From what I can see though (website research) 'NULL' is correct? Sorry, new to PHP.
EDIT
The query is called by an if statement. That checks to see if a GET value is equal to. I am aware that this isn't very secure. I am just trying to test/play a little with techniques. The full call and query are as follows.
<?php
if (isset($_GET['change']) && $_GET['change'] == "image1") {
$query = "UPDATE Table_Name SET Image = NULL, Thumb = NULL WHERE NewsID = ".$_GET['id']." ";
}
?>
This if statement is triggered by a delete 'button'. The code looks like:
delete</td>
I now believe, the query isn't getting called? However the button does change and set the values it is meant to do, so all I can assume, is that the if statement doesn't pick up on this. Update.php is the page the queries are currently on so it almost just acts as a refresh.

I haven't used PHP in a very long time, but does NULL need to be enclosed in quotes?
Try this:
$query = "UPDATE Table_Name SET Image = 'NULL', Thumb = 'NULL' WHERE PageID = 5";
Hope this helps.
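An added example, not part of the original thread, showing the difference between the SQL `NULL` literal and the quoted string `'NULL'`, with the `id` from the request validated and bound instead of concatenated. It assumes an in-memory SQLite database standing in for the MSSQL server; the helper names `clearImages` and `imageIsNull` and the two sample rows are made up for illustration.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for the MSSQL server;
// NewsID, Image and Thumb follow the question, the two rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Table_Name (NewsID INTEGER PRIMARY KEY, Image TEXT NULL, Thumb TEXT NULL)');
$pdo->exec("INSERT INTO Table_Name VALUES (5, 'a.jpg', 'a_t.jpg'), (6, 'b.jpg', 'b_t.jpg')");

// Hypothetical helper: clear both columns for one validated id.
// Returns the affected-row count; 0 means the WHERE clause matched nothing.
function clearImages(PDO $pdo, $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('UPDATE Table_Name SET Image = NULL, Thumb = NULL WHERE NewsID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Hypothetical helper: report whether Image holds SQL NULL for a row.
function imageIsNull(PDO $pdo, int $id): bool
{
    $stmt = $pdo->prepare('SELECT Image IS NULL FROM Table_Name WHERE NewsID = ?');
    $stmt->execute([$id]);
    return (bool) $stmt->fetchColumn();
}

$_GET = ['change' => 'image1', 'id' => '5'];    // constructed request
if (isset($_GET['change'], $_GET['id']) && $_GET['change'] === 'image1') {
    $changed = clearImages($pdo, $_GET['id']);
    echo "rows changed: $changed\n";
}

// Quoted form for comparison: 'NULL' is a four-character string, not NULL.
$pdo->exec("UPDATE Table_Name SET Image = 'NULL', Thumb = 'NULL' WHERE NewsID = 6");

var_dump(imageIsNull($pdo, 5), imageIsNull($pdo, 6));
```

Checking the affected-row count separates "the query never ran or matched no row" from "the query ran but stored something other than NULL".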


Mysql +1 to variable

How should I update my attempts using a variable? It won't work.
My code:
$db_attempts = 'MAX_ATTEMPTS';
//here
$attemtps_pdo = 'UPDATE `attempts` SET `MAX_ATTEMPTS`= ? +1 WHERE `IP` = ?';
$results = $ALIST->update($attemtps_pdo,$db_attempts,$user_ip);
public function update($sql,$values1,$values2){
try{
$results = $this->connection->prepare($sql);
$results->bindValue(1, $values1);
$results->bindValue(2, $values2);
$results->execute();
return $results;
}
How do I make my MAX_ATTEMPTS +1 with a variable? If I do it with my code, the update only updates once; once it is == 1 it won't update anymore. Why?
But if I use
$attemtps_pdo = 'UPDATE `attempts` SET `MAX_ATTEMPTS`= `MAX_ATTEMPTS` +1 WHERE `IP` = ?';
it works perfectly.
Because you are not referencing the MAX_ATTEMPTS column when you BIND the variable $db_attempts into your SQL query. Binding prevents stuff like this, because it could potentially lead to SQL injection.
In other words, your second example IS the correct way of doing this. If you want this to be dynamic (eg. if $db_attempts can change), then you have to build the query using string concatenation.
Alternative solutions:
Assuming it will always update by 1 every time the sql gets executed and assuming $value1 is the value currently in the database for MAX_ATTEMPTS.
What I would suggest is to do it when you bind the parameters:
$results->bindValue(1, (int)$values1 + 1);
Your sql will be:
$attemtps_pdo = 'UPDATE `attempts` SET `MAX_ATTEMPTS`= ? WHERE `IP` = ?';
OR
Add a database query to find the latest value of MAX_ATTEMPTS and pass it as $value1 which realizes the assumption made in the previous solution.
Just try the incrementation :
UPDATE attempts SET MAX_ATTEMPTS++ WHERE IP = ?
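An added example, not part of the original thread, that reproduces why the bound version stops at 1: a placeholder always carries a value, never a column reference. It assumes an in-memory SQLite database standing in for MySQL; the helpers `currentAttempts` and `runUpdate` and the sample IP are made up for illustration.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL server
// so the script runs offline; the IP below is a constructed sample value.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE attempts (IP TEXT PRIMARY KEY, MAX_ATTEMPTS INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO attempts (IP) VALUES ('203.0.113.7')");

// Hypothetical helper: read the counter back for one IP.
function currentAttempts(PDO $pdo, string $ip): int
{
    $stmt = $pdo->prepare('SELECT MAX_ATTEMPTS FROM attempts WHERE IP = ?');
    $stmt->execute([$ip]);
    return (int) $stmt->fetchColumn();
}

// Hypothetical helper: execute one prepared UPDATE $times times,
// then return the counter stored for $ip.
function runUpdate(PDO $pdo, string $sql, array $params, string $ip, int $times): int
{
    $stmt = $pdo->prepare($sql);
    for ($i = 0; $i < $times; $i++) {
        $stmt->execute($params);
    }
    return currentAttempts($pdo, $ip);
}

$ip = '203.0.113.7';

// Form from the question: the placeholder receives the *string* 'MAX_ATTEMPTS'.
// It is data, never a column reference; SQLite coerces the non-numeric text
// to 0, so every execution writes 0 + 1 and the counter cannot advance.
$bound = runUpdate($pdo, 'UPDATE attempts SET MAX_ATTEMPTS = ? + 1 WHERE IP = ?',
    ['MAX_ATTEMPTS', $ip], $ip, 3);

// Working form: the column is part of the SQL text, only the IP is bound.
$column = runUpdate($pdo, 'UPDATE attempts SET MAX_ATTEMPTS = MAX_ATTEMPTS + 1 WHERE IP = ?',
    [$ip], $ip, 3);

printf("bound as value: %d, column in SQL text: %d\n", $bound, $column);
```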

php update set all to 0, but for certain id to 1

Basically I have a form with checkboxes of all rows in my database.
The user is supposed to select the one he/she wants visible and submit that form.
So in the database I want to set all rows "visible" column to false but the one that is selected to true.
I thought this should work:
$sql = "UPDATE `questions`
SET `visible` = false;
SET `visible` = true WHERE ID={$radio}" ;
but I can apparently not run multiple SETs like this. Also there isn't an if-else-like statement in PHP, right?
What would be a good way to deal with this?
You can use conditional statements:
UPDATE `questions`
SET `visible` =
CASE
WHEN ID = '$radio' THEN true
ELSE false
END
Also, make sure to sanitize the user input before pasting it into a query.
I would do it that way:
UPDATE `questions`
SET `visible` = (ID = {$radio})
When ID = $radio evaluates to true, visible is set to true; visible is set to false in all other cases.

MYSQL - If first field is not null, then update second field, if second field is not null, then etc

I have a mysql question here. What I'm trying to do is create a button ('Add to Wishlist') that, when pressed, executes a MYSQL update query that enters a number, say 6, into multiple fields, however I'm trying to get it so that it only enters in one field that is not null. So in essence, the update query will look to see if field one (saved_courses) is empty, and if it is then insert value, but if it isn't then insert into the second field (saved_courses2).
I've looked into this and as a result of my research I have this:
mysqli_query($con, "UPDATE user_accounts SET saved_courses3 = case when saved_courses3 is null then saved_courses3 = $urlid else saved_courses4 = $urlid end WHERE id = 1; ") or die(mysql_error());
Try something like this:
UPDATE user_accounts SET
saved_courses4 = case when saved_courses3 is null then saved_courses4 else $urlid end,
saved_courses3 = case when saved_courses3 is null then $urlid else saved_courses3 end
WHERE id = 1
You can see it in action at:
http://sqlfiddle.com/#!2/c5553/1

What is the proper way in MySQL to SET a column to a value of a variable when using UPDATE?

I am trying to update a column for a certain user with PHP/MySQL. What is the proper way for me to set that equal to a variable?
$style is equal to a value that is from a form (post).
When setting 'style' equal to a string value that is also in single quotes, I do not get an error. I only get an error when setting 'style' equal to a variable.
$query = "UPDATE `users`
SET `style` = $style
WHERE `id` = $userid;";
Thank you very much.
You still have to put quotes around the variable as they are needed to tell MySQL that it is a string. Remember, the variables are interpolated before the query is sent to the MySQL server. So $style is replaced by its value before the query is run.
$query = "UPDATE `users`
SET `style` = '$style'
WHERE `id` = $userid;";

Update int in MySQL Field

How can I increment an int in a cell of a MySQL database? I know that auto-increment is no use because I never want to add a new row, just update an existing one. I'm currently using this (POST var used for clarity, is verified in the real code):
$columnToUpdate = 'type'.$_POST['voteid'];
$query = "UPDATE myTable $columnToUpdate = $columnToUpdate+1 WHERE id=1;";
if(!mysql_query($query)) {
echo json_encode(array('success' => false, 'message' => 'Update failed: '.mysql_error()));
exit;
}
In the database I have 6 fields, id, type1, type2, type3, type4, type5, and a single row with id set to 1. The intention is to receive a number (1-5), and build a reference to the correct column before updating the field. That results in Update failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=type4+1 WHERE id=1' at line 1, so I guess it's not getting the field value out properly before it increments.
Once this is working I'm also going to need to decrement a field in the same way, unless its value is 0. So for bonus points, can I do all this in one query or would it be better to split it up?
I think you've missed the keyword 'SET' from your query - try
$query = "UPDATE myTable SET $columnToUpdate = $columnToUpdate+1 WHERE id=1;";
Edit:
To do the "decrement unless it's zero" you could use something like:
UPDATE myTable SET $columnToUpdate =
CASE $columnToUpdate
WHEN 0 THEN 0
ELSE $columnToUpdate - 1
END
WHERE id=1;
For bonus points, to decrement:
$query = "UPDATE myTable SET `$columnToUpdate` = `$columnToUpdate`-1 WHERE id=1 AND `$columnToUpdate` > 0";
Besides the injection issues, it seems as if your workflow may need some work. Are you sure you want to choose the column that will be updated based on POST variable? It seems like you would specify the column and use the variable to find the record that needs to be updated:
IE:
"UPDATE myTable SET votes=votes+1 WHERE id=$post_variable;"
Again you should send the variable as a parameterized query to protect yourself from SQL injection.
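An added example, not part of the original thread, for the case where the column really must be chosen from the request: placeholders cannot stand in for identifiers, so the column name is built only from a validated integer in the range 1 to 5 while the row id is bound. It assumes an in-memory SQLite database standing in for MySQL; `voteColumn` and `changeVote` are made-up helper names.

```php
<?php
// Added example. Assumptions: in-memory SQLite stands in for MySQL; the table
// layout (id, type1..type5, one row with id 1) follows the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE myTable (id INTEGER PRIMARY KEY, type1 INT DEFAULT 0,
    type2 INT DEFAULT 0, type3 INT DEFAULT 0, type4 INT DEFAULT 0, type5 INT DEFAULT 0)');
$pdo->exec('INSERT INTO myTable (id) VALUES (1)');

// Hypothetical helper: turn the request value into one of five fixed names.
// Placeholders cannot carry identifiers, so the name is validated, not bound.
function voteColumn($voteId): string
{
    $n = filter_var($voteId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($n === false) {
        throw new InvalidArgumentException('voteid must be an integer from 1 to 5');
    }
    return 'type' . $n;
}

// Hypothetical helper: +1, or -1 unless the value is already 0.
// Returns the number of rows changed.
function changeVote(PDO $pdo, $voteId, $rowId, bool $increment): int
{
    $col = voteColumn($voteId);   // identifier comes only from the validated range
    $sql = $increment
        ? "UPDATE myTable SET $col = $col + 1 WHERE id = ?"
        : "UPDATE myTable SET $col = $col - 1 WHERE id = ? AND $col > 0";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(1, (int) $rowId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$_POST = ['voteid' => '4'];                        // constructed request
changeVote($pdo, $_POST['voteid'], 1, true);       // increment type4
changeVote($pdo, $_POST['voteid'], 1, false);      // decrement back to zero
$atZero = changeVote($pdo, $_POST['voteid'], 1, false);  // guarded by "AND type4 > 0"
echo "rows changed when already zero: $atZero\n";

try {
    changeVote($pdo, '4x', 1, true);               // constructed non-integer input
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```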
