this script is simply not working... can anyone tell me what I'm doing wrong?
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' AND SET date='". $date . "' AND SET html='" . $html . "' AND SET shortdesc='" . $shortdesc . "' AND SET link='" . $link . "' AND SET target='" . $target . "' AND SET sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
You aren't escaping your values so you are vulnerable to SQL injection and also construction of invalid statements. For example, if any of your input strings contain an apostrophe then it could cause your code to fail.
Have a look at prepared statements that will make it much easier to construct your queries with parameters.
In your query you will also need to use commas instead of AND SET.
$query = "UPDATE insight SET name='foo', date='2012-12-10' WHERE id=42";
The syntax for UPDATE is described in the MySQL documentation:
UPDATE syntax
Use it like this,
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
Its working ... check now
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
I aint a pro at mysql, but a try.
I guess id is an integer. So, dont quote it.
Try this,
$query = "UPDATE insight SET name='".$name."' , date='". $date . "' , html='" . $html . "' , shortdesc='" . $shortdesc . "' , link='" . $link . "' , target='" . $target . "' , sort='" . $sort . "' WHERE id=". $id ;
I think the SQL syntax is not correct, you can use it like this: UPDATE tablename SET rowname = value , ....
Related
i have two update queries to update mysql db of the system.problem is my second update query works but my first one doesn't execute at all.
cant figure out whats going on...any help would be great
here is my php code.
$dob = $_POST["dob"];
$name = $_POST["name"];
$mob = $_POST["mobileNo"];
$home = $_POST["homeNO"];
$files = $_FILES["filep"]["name"];
echo $files;
$folder = "images/";
$uid = $_SESSION["Uid"];
if($_FILES["filep"]["error"] == 4) {
echo "no file selected";
}
move_uploaded_file($_FILES["filep"]["tmp_name"] , "$folder".$_FILES["filep"]["name"]);
$result = mysqli_query($con,"UPDATE User SET DOB = '" . $uid . "', MOBNO = '" . $mob . "', HOMENO = '" . $home . "',DOB = '" . $dob . "',IMAGE_URL = '" . $files . "' WHERE UID='" . $uid . "'");
$result = mysqli_query($con,"UPDATE User_Credentials SET NAME = '" . $name . "' WHERE CID='" . $uid . "'");
i have checked all the $name,$mob etc variables and value are passing without any problem..
I have the following SQL.
$sql_shells = "UPDATE `shells` SET `situation` = 'sold' WHERE `id` = '" . $id . "'";
$conn->query($sql_shells);
I updated the rows with column named buytime and another one called buyer so it would be like this:
$sql_shells = "UPDATE `shells` SET `buyer`= " . $buyer . ", `buytime`= " . $trn_date . " , `situation` = 'sold' WHERE `id` = '" . $id . "'";
$conn->query($sql_shells);
It's not updating.
`$trn_date = $trn_date = date("Y-m-d H:i:s");
and
$buyer = $_SESSION['username'];
Error log is empty.
Another SQL update doesn't have constant values and works fine
$sql_users = "UPDATE `users` SET `amount`= " . $newAmount . ", `gain`= " . $newgain . " WHERE `username` = '" . $buyer . "'";
I tried echoing the SQL query that's not working, this is what I get when I run it.
try to remove ` caracter and i think buytime and buyer should add ' caracter and remove it from id if is int type:
$sql_shells = "UPDATE shells SET buyer= '" . $buyer . "', buytime= '" . $trn_date . "' , situation = 'sold' WHERE id = " . $id ;
$conn->query($sql_shells);
Here is my code, it works and no errors pop up and the correct data for the variables are there.
When it's all done it shows Done for the last echo.
However, when I go into heidisql to view the database table, nothing has changed, even when I run the query in heidisql, still same results.
// Make connection to database
$connection = mysqli_connect($host,$user,$pass,$dbnm);
// Make query
$myQuery = "
UPDATE Ekhaya_Inventory SET
ekhaya_inventory_stock_item = '" . $stockItemPost . "',
ekhaya_inventory_stock_left = '" . $stockLeftPost . "',
ekhaya_inventory_stock_out = '" . $stockOutPost . "',
ekhaya_inventory_stock_minimum = '" . $stockMinimumPost . "',
ekhaya_inventory_stock_price_per_item = '" . $stockPricePIPost . "',
ekhaya_inventory_value_of_stock_left = '" . $stockValueOfStockLeftPost . "'
WHERE
ekhaya_inventory_stock_code = '" . $stockCodePost . "'
AND
ekhaya_inventory_stock_code = '" . $stockLocationPost . "'
";
mysqli_query($connection,$myQuery)or die("Error: ".mysqli_error($connection));
mysqli_close($connection)or die("Error: ".mysqli_error($connection));
echo "<br>Done";
WHERE
ekhaya_inventory_stock_code = '" . $stockCodePost . "'
AND
ekhaya_inventory_stock_code = '" . $stockLocationPost . "'
it is wrong because one field can`t contain two different values in the same time
I have jtable working perfectly fine with adding/editing/removing records however I cant insert/update a record that contains an apostrophe ! Someone please help!
Below is a snapshot fo my code
Blockquote //Updating a record (updateAction)
$result = mysql_query("UPDATE teg_priority SET CustomerName = '" . $_POST["CustomerName"] . "', Service_Manager = '" . $_POST["Service_Manager"]. "', NGM = '" . $_POST["NGM"] . "', Tag = '" . $_POST["Tag"] . "', CBS = '" . $_POST["CBS"]. "' WHERE CIDN = " . $_POST["CIDN"] . ";");
//Return result to jTable
$jTableResult = array();
$jTableResult['Result'] = "OK";
print json_encode($jTableResult);
}
Blockquote
You can use addslashes on the variables before putting them in the query.
$result = mysql_query("UPDATE teg_priority SET CustomerName = '" . addslashes($_POST["CustomerName"]) . "', Service_Manager = '" . addslashes($_POST["Service_Manager"]). "', NGM = '" . addslashes($_POST["NGM"]) . "', Tag = '" . addslashes($_POST["Tag"]) . "', CBS = '" . addslashes($_POST["CBS"]). "' WHERE CIDN = " .addslashes( $_POST["CIDN"]) . ";");
The query isn't updating, not sure what I've done wrong.
$q_result = mysql_query("UPDATE
users
SET
recovery_answer = '".$_POST['answer']."',
recovery_question = '".$_POST['question']."',
date_question_set = '" . mysql_real_escape_string($register_date) . "'
WHERE
username='" . mysql_real_escape_string($_SESSION['username']) . "'");
Can you echo "UPDATE
users
SET
recovery_answer = '".$_POST['answer']."',
recovery_question = '".$_POST['question']."',
date_question_set = '" . mysql_real_escape_string($register_date) . "'
WHERE
username='" . mysql_real_escape_string($_SESSION['username']) . "'" and post?