sql syntax for update using php oci - php

Any thoughts on why the query works in SQL Developer but in PHP it doesn't?
$update = " update TABLENAME SET LASTMOD=current_timestamp WHERE TABLE_NAME=$table ";
$stmt = oci_parse($conn, $update);
oci_execute($stmt, OCI_DEFAULT);
oci_free_statement($stmt);

I'm assuming that your variable $table does not include quotes and it must be quoted in the WHERE clause:
$update = " update TABLENAME SET LASTMOD=current_timestamp WHERE TABLE_NAME='$table'";
A call to oci_error() would reveal any syntax errors in your query.
Note also that, according to the documentation, if this is PL/SQL the statement must end in a ; as in
$update = " update TABLENAME SET LASTMOD=current_timestamp WHERE TABLE_NAME='$table';";
The statement would be better done as a proper prepared statement though, with bound parameters:
$update = "update TABLENAME SET LASTMOD=current_timestamp WHERE TABLE_NAME=:table";
$stmt = oci_parse($conn, $update);
oci_bind_by_name($stmt, ':table', $table);
$result = oci_execute($stmt, OCI_DEFAULT);
if (!$result) {
    $e = oci_error($stmt);   // oci_error() returns an array, not a string
    echo $e['message'];
} else {
    oci_commit($conn);       // OCI_DEFAULT does not auto-commit
}
oci_free_statement($stmt);

Found the solution. OCI_DEFAULT doesn't commit so I needed to change it to:
oci_execute($stmt, OCI_COMMIT_ON_SUCCESS);

Related

PHP MySql prepared statements ... How to UPDATE DB, Adding to value already stored

So just converting old sql statements into prepared statements
So how do I add to a value already stored in a database?
in old terms I did this:
$sql = "UPDATE `table` SET `PT` = PT+$PaymentGross ... ";
but how do you accomplish the same in prepared statements?
like so:
$sql = "UPDATE `table` SET `PT` = PT+? ... ";
or like so:
$stmt->bind_param("i",PT+$PaymentGross ... );
couldn't find any info, or perhaps couldn't punch the right keywords into Google
You can try it this way:
$sql = "UPDATE `table` SET `PT` = `PT` + ? WHERE id = ?";
$stmt = $db->prepare($sql);
if ($stmt === false) {
    die("Prepare failed: " . $db->error);
}
// 'd' binds $PaymentGross as a double, 'i' binds $id as an integer
$stmt->bind_param('di', $PaymentGross, $id);
$stmt->execute();
if ($stmt->errno) {
    echo "FAILURE!!! " . $stmt->error;
} else {
    echo "Updated {$stmt->affected_rows} rows";
}
$stmt->close();

PHP prepare and execute

I was using the following code to execute the queries in the database:
$sql = "SELECT * FROM cc_topchoices WHERE location='$location' ORDER BY position asc";
$result = mysqli_query($conn, $sql);
I have read that this way of making queries is not secure, so I want to use the prepare() and execute() statements in PHP.
Now my code looks like this:
$sql = "SELECT * FROM cc_topchoices WHERE location=:location ORDER BY position asc";
$stmt = $conn->prepare($sql);
$stmt->execute(array(":location" => $location));
$result = mysqli_query($conn, $stmt);
But this give me this error:
Fatal error: Call to a member function execute() on boolean
Any idea?
EDIT
Now my code looks like this:
// Create connection (charset in the DSN so the driver knows the connection encoding; utf8mb4 covers Chinese text)
$conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "SELECT * FROM cc_topchoices WHERE location = ? ORDER BY position ASC";
$stmt = $conn->prepare($sql);
$stmt->execute(array($location));   // positional placeholder, so pass a plain array (no bindParam(':location') needed)
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (count($rows) > 0) {
    // output data of each row, HTML-encoded because the values land in attributes
    foreach ($rows as $row) {
        echo "<li><div><a href='" . htmlspecialchars($row["rest_url"], ENT_QUOTES, 'UTF-8') . "'><img src='images/top_choices/" . htmlspecialchars($row["image"], ENT_QUOTES, 'UTF-8') . "' alt='" . htmlspecialchars($row["alt_desc"], ENT_QUOTES, 'UTF-8') . "' /></a></div></li>";
    }
} else {
    echo "0 results";
}
It is working :) I just need to know if this is good and secure practice.
PDO supports named parameters. MySQLi does not. $stmt is false to show you that the SQL you tried to prepare is syntactically malformed. Use ? instead of :location. Check the MySQLi manual for the correct way to use MySQLi. Or, alternately, switch to PDO.
Use the code below to fetch records instead of mysqli_query when using PDO statements, if your query returns a single row:
$result = $stmt->fetch(PDO::FETCH_ASSOC);
echo $result['db_column'];
And if it returns multiple rows:
$stmt->setFetchMode(PDO::FETCH_ASSOC);
while ($result = $stmt->fetch()) {
echo $result['db_column'];
}
And one more thing: always put your prepared statement in a try{}..catch{} block.
It will work for you.
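Added here as a worked example, not code from any of the posts above: PDO with a named placeholder and with a positional one, fetching a single row versus all rows, and exception-based error handling, following the two answers. It is assumed that an in-memory SQLite table (built in the block, with constructed rows) stands in for the MySQL cc_topchoices table, and that the column names are the ones the question's HTML uses; only the DSN differs for MySQL.

```php
<?php
// Added example (not from the posts above). Assumed: an in-memory SQLite
// database stands in for the MySQL one; the cc_topchoices columns are the
// ones the question's HTML uses. For MySQL swap the DSN for
//   "mysql:host=$servername;dbname=$dbname;charset=utf8mb4"
// (charset in the DSN, so the driver knows the connection encoding; for
// MySQL also set PDO::ATTR_EMULATE_PREPARES to false).
try {
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

    // Constructed sample rows.
    $conn->exec('CREATE TABLE cc_topchoices (id INTEGER PRIMARY KEY, location TEXT,
                 position INTEGER, rest_url TEXT, image TEXT, alt_desc TEXT)');
    $ins = $conn->prepare('INSERT INTO cc_topchoices (location, position, rest_url, image, alt_desc)
                           VALUES (:loc, :pos, :url, :img, :alt)');
    $ins->execute([':loc' => '北京', ':pos' => 2, ':url' => 'r2.html', ':img' => 'b.jpg', ':alt' => 'second']);
    $ins->execute([':loc' => '北京', ':pos' => 1, ':url' => 'r1.html', ':img' => 'a.jpg', ':alt' => "first 'quoted'"]);
    $ins->execute([':loc' => 'Paris', ':pos' => 1, ':url' => 'r3.html', ':img' => 'c.jpg', ':alt' => 'third']);

    // 1. Named placeholder. The value travels separately from the SQL text,
    //    so an injection attempt is compared literally and matches nothing.
    $location = "北京' OR '1'='1";
    $stmt = $conn->prepare('SELECT * FROM cc_topchoices WHERE location = :location ORDER BY position ASC');
    $stmt->execute([':location' => $location]);
    printf("%d row(s) match the injection attempt\n", count($stmt->fetchAll()));

    // 2. Positional placeholder, same query; execute() takes a plain array.
    $stmt = $conn->prepare('SELECT * FROM cc_topchoices WHERE location = ? ORDER BY position ASC');
    $stmt->execute(['北京']);
    $rows = $stmt->fetchAll();
    if (count($rows) === 0) {
        echo "0 results\n";
    }
    foreach ($rows as $row) {
        // The values go into HTML attributes, so encode them: a prepared
        // statement protects the SQL, not the page.
        printf("<li><a href='%s'><img src='images/top_choices/%s' alt='%s' /></a></li>\n",
            htmlspecialchars($row['rest_url'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['image'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['alt_desc'], ENT_QUOTES, 'UTF-8'));
    }

    // 3. Single row: fetch() returns the row, or false when there is none.
    $one = $conn->prepare('SELECT rest_url FROM cc_topchoices WHERE location = ? ORDER BY position ASC LIMIT 1');
    $one->execute(['Paris']);
    $row = $one->fetch();
    echo $row === false ? "no row for Paris\n" : "first Paris url: {$row['rest_url']}\n";
} catch (PDOException $e) {
    // Log the driver message; do not echo it to the browser.
    error_log($e->getMessage());
    echo "database error\n";
}
```

The catch block deliberately logs the PDOException and shows the user a generic message: driver errors carry table and column names that are useful to an attacker probing for injection.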

Insert Data in Oracle DB using PHP

Inserting data into an Oracle DB using OCI8. Sample query to insert a string with special characters or quotes:
update TABLENAME set COMMENTS = 'As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort' where ID = 99;
To insert/update:
$query = "update TABLENAME set COMMENTS = '$_POST[comments]' where ID = 99";   // raw POST data inside the SQL text
$result = customexecute($query);
public function customexecute($query)
{
    $result = parent::customquery($query);
    return $result;
}
public static function customquery($query)
{
    // OCI8 functions report failure through their return value, not by
    // throwing, so a try/catch around them catches nothing; check oci_error().
    $conn = db_singleton::getInstance();
    $stmt = oci_parse($conn, $query);
    if ($stmt === false) {
        $e = oci_error($conn);
        print_r($e);
        return false;
    }
    $ok = oci_execute($stmt, OCI_COMMIT_ON_SUCCESS);   // commits on success; no separate oci_commit() needed
    if (!$ok) {
        $e = oci_error($stmt);
        print_r($e);
    }
    oci_free_statement($stmt);
    return $ok;
}
Executing it on the Oracle DB says "SQL command not properly ended". I looked into the parameterized queries mentioned here but was not able to integrate them successfully.
$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
$field = "The field value with 'apostrophes' and so"; // bind variables are passed by reference, so they must be variables, not literals
$id = '125';
oci_bind_by_name($stmt, ':field', $field);
oci_bind_by_name($stmt, ':id', $id);
$result = oci_execute($stmt);
I can pass :bind_comments in my query, which is in my controller. But $stmt resides in my db_singleton file (general for all DB queries) and I cannot pass it separately for an individual query.
How can I sanitize user input, or not allow data to be used in creating SQL code?
From the update function, pass everything needed to the execute function:
$result = customExecute(
'update xxx set comments=:COMMENTS where id=:ID',
[
':COMMENTS' => $_POST['comment'],
':ID' => 99
]
);
Then in the execute function simply iterate the array to bind all params:
public static function customExecute($sql, array $params = [])
{
    $conn = db_singleton::getInstance();
    $stmt = oci_parse($conn, $sql);
    // oci_bind_by_name() binds by reference, so iterate by reference
    foreach ($params as $key => &$value) {
        oci_bind_by_name($stmt, $key, $value);
    }
    unset($value);   // drop the dangling reference to the last element
    $result = oci_execute($stmt);   // commits on success by default
    if (!$result) {
        $e = oci_error($stmt);
        error_log($e['message']);
    }
    oci_free_statement($stmt);
    return $result;
}
No, unsurprisingly, MySQL functions won't work with Oracle DB :)
You need to parameterise things, e.g.:
$query = 'update TABLENAME set COMMENTS = :bind_comments where id = :bind_id';
$stmt = $dbh->prepare($query);   // $dbh: a PDO connection (pdo_oci driver for Oracle)
$stmt->bindParam(':bind_comments', $_POST['comments']);
$stmt->bindParam(':bind_id', $_POST['id']);
$stmt->execute();
The correct way of using the OCI8 PHP extension is:
$query = 'UPDATE tablename SET field = :field WHERE id = :id';
$stmt = oci_parse($oracleConnection, $query);
$field = "The field value with 'apostrophes' and so"; // bind variables are passed by reference, so they must be variables, not literals
$id = '125';
oci_bind_by_name($stmt, ':field', $field);
oci_bind_by_name($stmt, ':id', $id);
$result = oci_execute($stmt);
More information: http://php.net/manual/book.oci8.php
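Added here as a worked example, not code from any of the posts on this page. It serves both the first question (an OCI_DEFAULT execute that never commits) and this Oracle question (apostrophes in user data, and a single execute helper that every controller can pass its bind values to): one OCI8 helper that binds every parameter by reference, executes without auto-commit, and commits only when the statement succeeded, rolling back otherwise. Assumed: oci_connect() credentials, and the TABLENAME / COMMENTS / LASTMOD / ID names from the questions; the comment text is the one from the question above.

```php
<?php
// Added example (not from the original posts). $conn is assumed to come from
// oci_connect(); TABLENAME, COMMENTS, LASTMOD and ID are the names used in
// the questions on this page.

/**
 * Run one DML statement with bound parameters inside an explicit transaction.
 * Returns the number of affected rows, or throws on any OCI8 error.
 */
function ociUpdate($conn, string $sql, array $binds): int
{
    // $sql carries no trailing ';': OCI8 passes the text to Oracle as-is,
    // and a semicolon is only valid at the end of a PL/SQL block.
    $stmt = oci_parse($conn, $sql);
    if ($stmt === false) {
        $e = oci_error($conn);
        throw new RuntimeException('oci_parse: ' . $e['message']);
    }

    // oci_bind_by_name() takes the variable by reference, so iterate by
    // reference and unset the loop variable afterwards (otherwise it stays a
    // reference to the last element).
    foreach ($binds as $name => &$value) {
        if (!oci_bind_by_name($stmt, $name, $value)) {
            $e = oci_error($stmt);
            oci_free_statement($stmt);
            throw new RuntimeException("bind $name: " . $e['message']);
        }
    }
    unset($value);

    // OCI_NO_AUTO_COMMIT (the older name is OCI_DEFAULT) leaves the
    // transaction open, so the outcome is decided below, not by the driver.
    if (!oci_execute($stmt, OCI_NO_AUTO_COMMIT)) {
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        oci_rollback($conn);
        throw new RuntimeException('oci_execute: ' . $e['message']);
    }
    $rows = oci_num_rows($stmt);
    oci_free_statement($stmt);

    if (!oci_commit($conn)) {
        $e = oci_error($conn);
        throw new RuntimeException('oci_commit: ' . $e['message']);
    }
    return $rows === false ? 0 : $rows;
}

// Usage. Credentials are assumed; the comment text is the one from the
// question: apostrophes and the ampersand are plain data here, never part of
// the SQL text, so no quoting or escaping is needed anywhere.
$conn = oci_connect('scott', 'tiger', 'localhost/XE');
if ($conn === false) {
    $e = oci_error();
    die('connect: ' . $e['message']);
}
$comment = "As per Mark's email dated 28-Feb-2015 - Bill Gates & Team's effort";
$updated = ociUpdate(
    $conn,
    'UPDATE TABLENAME SET COMMENTS = :comments, LASTMOD = CURRENT_TIMESTAMP WHERE ID = :id',
    [':comments' => $comment, ':id' => 99]
);
echo "updated $updated row(s)\n";
```

Because the helper takes the SQL text and the bind array separately, the controller never builds SQL from request data: it passes `$_POST['comments']` as a bind value and the statement text stays a constant. Keeping the commit explicit also means a statement that fails half-way leaves nothing behind, which OCI_COMMIT_ON_SUCCESS cannot guarantee once a request runs more than one statement.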

PDO prepared statement trouble

I am currently trying to run a query where the current value of a MySQL table column increases itself by 1... Let me show this with a MySQL query example
$sql = mysql_query("UPDATE `table` SET quantity=quantity+1 WHERE id='$id'");
I am unable to do this in a PDO prepared statement...
$sql = "UPDATE `table` SET quantity=:quants+1 WHERE id=:userid";
$sql_prep = $db->prepare($sql);
$sql_prep->bindParam(":quants", what will i write here??);
$sql_prep->bindParam(":userid", $id);
$sql_prep->execute();
Help needed..! Thanks
You don't need to pass that as a parameter, just do:
$sql = "UPDATE `table` SET quantity=quantity+1 WHERE id=:userid";
$sql_prep = $db->prepare($sql);
$sql_prep->bindParam(":userid", $id);
$sql_prep->execute();
You don't need to protect quantity as you're just augmenting a value already in the db.
$sql = "UPDATE `table` SET quantity=quantity+1 WHERE id=:userid";
You can also drop the bind line for the :quants
$sql_prep = $db->prepare($sql);
// NOT NEEEDED --> $sql_prep->bindParam(":quants", what will i write here??);
$sql_prep->bindParam(":userid", $id);
$sql_prep->execute();
Prepared statements are for protecting data being inserted from the outside into your db via your query.
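Added here as a worked example, not code from any of the posts on this page. It covers both the mysqli question above (PT = PT + amount, where the amount is untrusted) and this PDO question (quantity = quantity + 1): the arithmetic stays in the SQL text and only values are bound, and it also shows what actually happens when you try to bind a column name. Assumed: an in-memory SQLite table (built in the block, with constructed rows) standing in for the MySQL `table`; only the DSN changes for MySQL.

```php
<?php
// Added example (not from the posts above). Runs against an in-memory SQLite
// table built here; for MySQL only the DSN changes. The items table is a
// stand-in for the `table`, `PT` and `quantity` in the questions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, quantity INTEGER NOT NULL, pt REAL NOT NULL)');
$db->exec('INSERT INTO items (id, quantity, pt) VALUES (1, 5, 10.00), (2, 0, 0.00)');

/** PT = PT + amount: the arithmetic is SQL text, only the amount is bound. */
function addToPt(PDO $db, int $id, float $amount): int
{
    $stmt = $db->prepare('UPDATE items SET pt = pt + :amount WHERE id = :id');
    $stmt->bindValue(':amount', $amount);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();          // rows actually changed
}

/** quantity = quantity + 1 needs no parameter at all; only the row id does. */
function incrementQuantity(PDO $db, int $id): int
{
    $stmt = $db->prepare('UPDATE items SET quantity = quantity + 1 WHERE id = :userid');
    $stmt->execute([':userid' => $id]);
    return $stmt->rowCount();
}

/**
 * What happens if you try to bind the column name (the ":quants" idea in the
 * PDO question): a placeholder always stands for a value, so this sets
 * quantity to the string 'quantity' + 1, which the database evaluates as
 * 0 + 1, whatever the current value was.
 */
function boundColumnNameIsJustAString(PDO $db, int $id): void
{
    $stmt = $db->prepare('UPDATE items SET quantity = :quants + 1 WHERE id = :userid');
    $stmt->execute([':quants' => 'quantity', ':userid' => $id]);
}

// Simulated untrusted form value; in the question it comes from $_POST.
$paymentGross = '12.50';
addToPt($db, 1, (float) $paymentGross);
incrementQuantity($db, 1);
boundColumnNameIsJustAString($db, 2);

foreach ($db->query('SELECT id, quantity, pt FROM items ORDER BY id') as $row) {
    printf("id=%d quantity=%d pt=%.2f\n", $row['id'], $row['quantity'], $row['pt']);
}
```

Placeholders can only ever carry values (strings, numbers, NULL), never identifiers or keywords; if a column name really has to vary at runtime, pick it from a fixed whitelist in PHP and splice that constant into the SQL text, with the data still bound.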

php mysqli update query

I have the following PHP script to update my DB, but it doesn't work.
The two echos show in the UI that the variables are filled with the correct values.
The query doesn't seem to be executed though. I don't get any errors whatsoever.
<?php
$rapportId = $_GET['variable1'];
$rapportNaam = $_GET['variable2'];
echo "rapportId = " . $rapportId;
echo "<br>rapportNaam = " . $rapportNaam;
$mysqli = new mysqli("localhost", "twrwe", "twrewtww", "trwtw");
// unquoted string value and raw $_GET data in the SQL: this is the query the answer below replaces
$mysqli->query("Update Rapporten Set RapportNaam = $rapportNaam
Where RapportId = $rapportId
") or die($mysqli->error);   // was mysqli_error($db), but $db was never defined
$mysqli->commit();
if ($mysqli->error) {
    printf("Errormessage: %s\n", $mysqli->error);
}
?>
You need to use prepared statements for any data coming into the query
$stmt = $mysqli->prepare("UPDATE Rapporten SET RapportNaam = ? WHERE RapportId = ?");
$stmt->bind_param("ss", $rapportNaam, $rapportId);
$stmt->execute();
UPDATE `tbl_name` SET `column1`='$column1',`column2`='$column2' WHERE email='$email';
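Added here as a worked example, not code from any of the posts on this page: the prepared UPDATE from the answer above, with typed bind parameters, input validation, and mysqli's exception-based error reporting switched on, so that a failing query cannot go silent the way the question describes. Assumed: the database credentials, that RapportId is an integer column, and the Rapporten table and $_GET parameter names from the question.

```php
<?php
// Added example (not from the posts above). Credentials are assumed;
// RapportId is assumed to be an integer column; the table and $_GET names
// are the question's. $_GET values are untrusted.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // every mysqli error throws mysqli_sql_exception

try {
    $mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
    $mysqli->set_charset('utf8mb4');   // the driver must know the encoding it quotes for

    // Validate shape before the query: the id must be an integer, the name non-empty.
    $rapportId   = filter_input(INPUT_GET, 'variable1', FILTER_VALIDATE_INT);
    $rapportNaam = $_GET['variable2'] ?? '';
    if ($rapportId === false || $rapportId === null || $rapportNaam === '') {
        http_response_code(400);
        exit('missing or invalid parameters');
    }

    // Only '?' placeholders exist in mysqli; types: s = string, i = integer.
    // The driver sends the values separately, so quotes in $rapportNaam are data.
    $stmt = $mysqli->prepare('UPDATE Rapporten SET RapportNaam = ? WHERE RapportId = ?');
    $stmt->bind_param('si', $rapportNaam, $rapportId);
    $stmt->execute();

    // affected_rows tells the two "no error" outcomes apart: 0 means no row
    // had that id (or the name was already identical), 1 means it was updated.
    printf("%d row(s) updated\n", $stmt->affected_rows);
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Keep the driver message in the server log, not in the response.
    error_log('update failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'update failed';
}
```

With the report mode set, the silent failure in the question (`or die(...)` on an undefined `$db`, then a commit that has nothing to commit) becomes a logged exception, and `affected_rows` answers the remaining question of whether the row existed at all.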
