This code is supposed to update an article that's already in the DB with the changes made at Edit webpage, but it does not work. It displays the current article, but when I make changes and click "save" nothing changes.
mysql_select_db("scms", $con );
$show_world="show_world";
define("IMG_URL", "http://localhost/project/show/show_home/images/");
define("ABS_PATH",dirname(__FILE__));
define("IMG_PATH",dirname(__FILE__)."/");
$id = $_GET['id'];
$sql = "select * FROM $show_world where id = $id";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if(isset($_POST['save'])) {
$id = $_POST['id'];
$topic = $_POST['topic'];
$author = $_POST['author'];
$content = $_POST['content'];
$picture = $_POST['picture'];
$date = $_POST['date'];
$sql = "UPDATE $show_world SET topic='".$topic."',author='".$author."', content='".$content."', date='".$date."' ";
Try enclosing the variable for table name like this:
$sql = "UPDATE {$show_world} SET topic='".$topic.....
One more thing: your code is vulnerable to sql injections ! Try to escape the user inputs, before updating it in the database.
Related
im busy trying to set multiple fields in my DB and it is not working for some reason. Can you take a look and let me know where i have gone wrong? Thank you
<?php
error_reporting('E_ALL');
include 'db_header.php';
$id = $_GET['ID'];
$bronzeTokens = $_GET['bronzeTokens'];
$silverTokens = $_GET['silverTokens'];
$goldTokens = $_GET['goldTokens'];
$platinumTokens = $_GET['platinumTokens'];
$sql = "UPDATE Player SET bronzeTokens = $bronzeTokens, goldTokens = $goldTokens, silverTokens = $silverTokens, platinumTokens = $platinumTokens WHERE ID = $id";
$result = $conn->query($sql);
?>
On a table that displays data from a database, I have a form that has a text area on which a user can type a receipt number and submit to save in a database for a specif row. The PHP code below is what updates the database after the form is submitted.
I want to pick the rest of the details for the specific row so I used the $_POST['id'] on which the receipt has been submitted. The id is the primary key. I'm however having a challenge since I can't fetch data from the database using $id = $_POST['id'];I created before outside the function The update statement works perfectly but the SELECT STATEMENTdoesn't . How do I go about it? Any one?
if(isset($_POST['submit'])) {
$rec = $_POST['receipt'];
$id = $_POST['id'];
//reate connection
$sql = "UPDATE customer SET `receipt` = '".$_POST['receipt']."', `date_entered` = NOW(), `receipt_lock` = 1 WHERE `id` = '".$_POST['tid']."' AND receipt_lock = 0";
if ($conn->query($sql) === TRUE) {
// echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
exit();
$conn->close();
}
function wall(){
global $recp;
global $id;
// Create con
$sql = "SELECT * FROM customer WHERE id ='$id'";
$result1 = mysqli_query($conn, $sql);
$resultarr = mysqli_fetch_assoc($result1); // fetch data
$name = $resultarr['name'];
echo "$name"; //Does not display
$amount = $resultarr['amount'];
$transaction_id = $resultarr['trans_id'];
$date = $resultarr['time_paid'];
}
else {
echo "this is not right!;
}
wall();
Ignoring all the (valid) questions about SQL security and just addressing your problem - how about passing the $id variable as a parameter to your wall function.?
wall($id);
function wall($id){
$sql = "SELECT * FROM customer WHERE id ='$id'";
// ... use prepared statements for security...
...
}
Looks like you are using $_POST['tid'] instead of $_POST['id'] or $id in your SQL-query.
What you are doing there is a big nono, in terms of security. Make sure you escape your POST parameters before adding them inside your query.
$id = $_POST['id'];
$id = mysqli_real_escape_string($conn, $id);
http://php.net/manual/ro/mysqli.real-escape-string.php
Think about sending data as parameters of a function function wall($id) instead of a global parameter.
I have this code (refer below)
$sql = "SELECT * FROM records";
$result = mysqli_query($this->db,$sql);
while($row = mysqli_fetch_assoc($result)){
$itemid = $row['id'];
$itemname = $row['itemname'];
$itemdesc = $row['itemdesc'];
$brand = $row['brand'];
$serialno = $row['serialno'];
$nostock = $row['nostock'];
$price = $row['price'];
$onsale = $row['onsale'];
$poster = $row['poster'];
$thedate = $row['thedate'];
$sql = "INSERT INTO backupp SET id='$itemid', itemname='$itemname', itemdesc='$itemdesc', brand='$brand', serialno='$serialno', nostock='$nostock', price='$price', onsale='$onsale', poster='$poster', thedate='$thedate'";
$result = mysqli_query($this->db,$sql) or die(mysqli_error($this->db));
return $result;
}
as you can see from the above codes, it will first pull all the data from db table named "records" and then put each row into there corresponding variable and then insert the stored data (those data that has been pulled from db table name "records" and stored on there corresponding variable) to db table named "backupp". Now, the problem is, it only add one record to backup (the record that has been pulled first) which supposedly it should add all the pulled record from db table named records to db table named backup. why?? any suggestions, recommendations, clues and ideas would be greatly appreciated. Thank you!
PS: its like export and import to other table with same structure but I have my own reason why I want to do it this way and assume I already successfully connected to a database ($this->db) called "inventory" and there is db table name there such as "records" and "backupp" with same structure.
And you can easily backup same table this way: INSERT INTO backupp SELECT * FROM records
You have a return statement inside the while loop causing it to exit after one iteration.
Remove the return $result; line and it should work.
change your code into this (see below).
$sql = "SELECT * FROM records";
$result = mysqli_query($this->db,$sql);
$x = 0;
while($row = mysqli_fetch_assoc($result)){
$itemid = $row['id'];
$itemname = $row['itemname'];
$itemdesc = $row['itemdesc'];
$brand = $row['brand'];
$serialno = $row['serialno'];
$nostock = $row['nostock'];
$price = $row['price'];
$onsale = $row['onsale'];
$poster = $row['poster'];
$thedate = $row['thedate'];
$sql = "INSERT INTO backupp SET id='$itemid', itemname='$itemname', itemdesc='$itemdesc', brand='$brand', serialno='$serialno', nostock='$nostock', price='$price', onsale='$onsale', poster='$poster', thedate='$thedate'";
$result = mysqli_query($this->db,$sql) or die(mysqli_error($this->db));
$x++;
}
$newCity = $_POST['city'];
$set = mysqli_query($con, "UPDATE users SET city = '$newCity' WHERE username = '$theUser'");
I'm trying to update mySql column through UPDATE using a value of a variable.
But when I check the value, it updates, but once I refresh the execute, it changes the value to NULL
Edit: $theUser = a working session username
Try:
if(isset($_POST['city'])){
$newCity = $_POST['city'];
$set = mysqli_query($con, "UPDATE users SET city = '$newCity' WHERE username = '$theUser'");
}
Also please try to filter your user input before passing it to query.
if(isset($_POST['city'])){
$newCity = mysqli_real_escape_string($_POST['city']);
$theUser = mysqli_real_escape_string($userUser); // assuming you haven't escaped it already.
$query = "UPDATE users SET city = '$newCity' WHERE username = '$theUser'";
$set = mysqli_query($con, $query);
}
I'm trying to set up a simple comment system and I want to create the correlation between the comment and the page landed.... so when a user arrives at blog.php?id=3 they would be presented the correct comments.
What I'm doing is creating the comments table with a pageid column. The pageid column will be filled when a user posts to the page. Maybe a hidden form field? How do I make this correlation within my MYSQLI
This is what I was thinking...
<?php
include_once("includes/check_login_status.php");
?>
<?php
// Check to see the URL variable is set and that it exists in the database
if (isset($_GET['id'])) {
// Connect to the MySQL database
include "includes/db_conx.php";
$id = preg_replace('#[^0-9]#i', '', $_GET['id']); // filter everything but numbers
// Use this var to check to see if this ID exists, if yes then get the product
// details, if no then exit this script and give message why
$sql = "UPDATE content SET views=views+1 WHERE ID=$id";
$update = mysqli_query($db_conx,$sql);
$sql = "SELECT * FROM content WHERE id=$id LIMIT 1";
$result = mysqli_query($db_conx,$sql);
$productCount = mysqli_num_rows($result);
if ($productCount > 0) {
// get all the product details
while($row = mysqli_fetch_array($result)){
$article_title = $row["article_title"];
$category = $row["category"];
$readmore = $row["readmore"];
$author = $row["author"];
$date_added = $row["date_added"];
$article_content = $row["content"];
}
} else {
echo "That item does not exist.";
exit();
}
} else {
echo "Data to render this page is missing.";
exit();
}
?>
<?php
include_once "includes/db_conx.php";
$sql = "SELECT * FROM comment WHERE pageid ="$id"ORDER BY id DESC";
$sql_comments = mysqli_query($db_conx,$sql);
while($row = mysqli_fetch_array($sql_comments)){
$name = $row["name"];
$comment = $row["comment"];
$commentlist .= 'name : '.$name.'<br />comment : '.$comment.'<hr>';
}
//////////////
?>
Is the lower half in scope of the get variable? So that I can determine what page we're on? Can this type of variable be passed thorugh a variable in the comment form?
The 3rd sql statement contains an error:
$sql = "SELECT * FROM comment WHERE pageid ="$id"ORDER BY id DESC";
to
$sql = "SELECT * FROM comment WHERE pageid =".$id."ORDER BY id DESC";
You might also want to change the pre_replace statement to intval:
$id = preg_replace('#[^0-9]#i', '', $_GET['id']);
to
$id = intval($_GET['id']);
The reason being if $_GET['id'] = 'ABC123' then preg_replace will return 123 whereas the intval will return 0.