I want to all users to be able to update their about page. Here is the string I am using in my php to query the MySQL update. I am getting an error. What am I doing wrong?
$insert_query= "UPDATE user_info SET bio= $bio_ans, residence= $residence_ans, work=
$work_ans WHERE user_id= $user_id";
mysqli_query($connect, $insert_query)
or die('error with query1');
If the update value is not an integer then you need to use quotes around the value.
$insert_query= "UPDATE user_info
SET bio= '$bio_ans',
residence= '$residence_ans',
work = '$work_ans' WHERE user_id= '$user_id'";
mysqli_query($connect, $insert_query)
or die('error with query1');
$insert_query= "UPDATE user_info SET bio= $bio_ans, residence= $residence_ans, work=$work_ans WHERE user_id= $user_id";
mysqli_query($connect, $insert_query)
or die('error: $mysqli->error');
The $mysqli->error will let you know specifically what went wrong.
$insert_query= "UPDATE user_info SET bio='" . $bio_ans. "', residence='" . $residence_ans."', work=
'".$work_ans."' WHERE user_id= '$user_id'";
mysqli_query($connect, $insert_query)
or die('error with query1');
Besides the lack of quotes (as shown by RPM), the really wrong thing you're doing is to use variable interpolation to create an SQL query.
This is only acceptable for numeric variables, and then only if you have forcibly cast it to a numeric type just before use. String escaping is supposedly safe, but very error-prone (doing it twice, forgetting to add when you add a new value, etc). The slightest slip will open a huge hole for SQL injection, which is the absolute easiest way to crack a web app.
Use prepared statements with parameter bindings and you'll be safe.
Related
I am lost here please help
my data base table will not update when I use this code
$sqlpassword = "UPDATE login SET password='$hashedP' WHERE id='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
I have tried to look around maybe i'm not seeing it but im sure its right
password is a reserved word in MySQL. You have to wrap fieldnames in backticks so that MySQL doesn't see it as a SQL command.
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id' LIMIT 1";
$querypass = mysqli_query($db_x, $sqlpassword);
Don't use the LIMIT keyword on UPDATE Statement.
Just use
$sqlpassword = "UPDATE `login` SET `password`='$hashedP' WHERE `id`='$id'";
Disclaimer: Make use of Prepared Statements to avoid SQL Injection Attacks.
I worked it out sorry for wasting your time
<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>
was not putting in
edit.php?c=<?php echo $log_company ?>
so form was going to edit.php not edit.php?c=truestory
Check the following:
You are making commit after this update statement.
Check why you need the limit keyword, else remove it.
Check if the id is a number in your table structure or string, since in this update you are dealing with it as string.
I am using php to update a mysql DB within a function. I am able to echo my variable names and was able to return the variables on the php page. This proves to me that my variables are working correctly.
Now when I use the update command, my DB does not respond. Yes, I have connected to the DB and it all works.
This is what I am using to update:
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = $username");
The value for $username should be wrap with single quotes.
mysql_query(" UPDATE table_name
SET int_field = '$int_value'
WHERE username = '$username'");
SideNote: your code is vulnerable with SQL Injection. Please read the article below to know how to secure your code,
Best way to prevent SQL injection in PHP?
You need to quote all of your input to the query. This prevents SQL injection, but also simple syntax errors that would occur if your user innocently inputs a special character that would break your query.
mysql_query('UPDATE table_name '.
'SET int_field = "'.mysql_real_escape_string($int_value).'" '.
'WHERE username = "'.mysql_real_escape_string($username).'"');
This is the correct STRUCTURE of how to update with a variable in php
mysql_query("UPDATE tablename SET password='". $NPass ."' WHERE custID='$num'");
Try this :
mysql_query("UPDATE `table_name`
SET `int_field` = '$int_value'
WHERE `username` = '$username'");
I had the same problem and found that the SET value doesn't need single quotes and that the WHERE clause does ...
mysql_query("UPDATE table_name SET int_field=$int_value
WHERE username='$username'");
.. seemed to work for me.
Why does this PHP code (mysql_query to delete a row where user name is $phpVar) do nothing?
mysql_query("DELETE FROM xraydeath WHERE user = $user");
Probably because you forgot to quote the $user parameter also, please escape variables goes into sql query strings. If that parameter is connected directly to user input someone might submit ' or 1=1 -- and your whole table gone. This idea know as sql injection.
note: the old mysql_* functions are now deprecated, you should avoid using them, see the alternatives.
You need to put quotes around strings like this:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
you forgot the quotes around the user:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
What are you expecting? How it fails? Mysql_query is not suppose to do anything in the form that you are using it, except sending the query to the server.
$result = mysql_query (...);
// use the result if any.
if (!$result) {
die('Invalid query: ' . mysql_error());
}
// check the error that you might have
you need to put $user into quotes
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
also DELETE will succeed if even no rows where deleted, so to get how many rows where actually deleted use mysql_affected_rows()
$x = mysql_query("..");
echo "There were ".mysql_affected_rows()." rows affected";
**Try not to use mysql_* switch to PDO instead.
Assuming xraydeath.user is a character type, the value needs to be enclosed in quotes. If $user does not already contain the quotes, try:
mysql_query("DELETE FROM xraydeath WHERE user = '$user'");
And for kicks, try setting $user = "' OR '1'='1";! (Read up on SQL injection attacks and you should really switch to mysqli!)
It's also possible the table does not have a matching row, and therefore nothing will be deleted. Without knowing what you have assigned to $user and your data there is no way to know.
try this one:
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."'");
or
mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");
every php variables that used in mysql, put them into '".$variable."'
First : mysql is deprecated. you should use mysqli.
Second : What kind of type is user?
if is int :
(object oriented style)
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` = '".$user."'");
if is varchar (string) :
mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` LIKE '".$user."'");
or
(procedurel syle)
mysqli_query((your mysqli link), "DELETE (what you want) FROM xraydeath WHERE `user` LIKE/= '".$user."'");
Hope it helps
I have the following query:
var_dump($id); // string '51' (length=2)
$sql = "SELECT * FROM table WHERE id=$id";
$result = mysql_query($sql, $db);
$myrow = mysql_fetch_array($result);
var_dump($myrow) // null (NOT OK)
When I change the $id for a hard-coded value(51) it works:
$sql = "SELECT * FROM table WHERE id=51";
$result = mysql_query($sql, $db);
$myrow = mysql_fetch_array($result);
var_dump($myrow); // array 0 => string '51' (length=2) (OK)
It's as if the $sql is not getting parsed correctly. It is a very old site, could it be something to do with the PHP version the site was originally created for?
$sql = "SELECT * FROM table WHERE id=".$id;
// ALSO WORKS. But I am not really looking forward to doing a FIND & REPLACE
EDIT:
The site has hundreds of these types of queries. It is an old site that was developed my somebody else. I was wondering if there was an INI setting or something that has been switched between PHP versions that I can switch back.
Thanks
PHP Version: PHP5.2
The site was build for version 4.something.
rather than writing query like this
$sql = "SELECT * FROM table WHERE id=$id";
you can use this alternative also..
$sql = "SELECT * FROM table WHERE id='".$id."'";
use this please :
SELECT * FROM table WHERE `id` = $id
insert ` in both side of id
register_globals was turned off. I know the security implications but I have it on its own virtual server and haven't got time right now to fix it.
In htaccess:
php_flag register_globals on
Apart from the fact, that queries should be escaped (in this case casting to integer will suffice) or preferably created through prepared statements, my guess would be that it is the query that fails.
PHP have parsed double quoted strings since the beginning, so try outputting the value of $sql to see what gets sent to MySQL.
I have this query to submit data into the database:
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
the id will be obtained via url EX localhost/index.php?id=123
$id=$_GET['id']
The query will not work correctly; the data will not update.
If I write :
$sql = "UPDATE table SET user='$user', name='$name' where id ='123'";
It works fine.
If I echo the ID it will show the correct result, 123.
Where is the problem?
run ALL your queries the way you can get the error message along with erroneous query.
so, at least this way
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
$res = mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
and it will tell you where is the problem.
It is WAY more convenient, precise and faster than asking questions here.
I'm guessing your problem is mal-formed SQL due to unescaped data interpolation - an SQL injection hole.
What does your actual generated query look like? Not the code that creates the sql (which you've got above), but the actual SQL after the variables are inserted?
I'm guessing it'll look something like this:
UPDATE table SET user='fred', name='O'Brien' where id='123';
^--unescaped quote
causing a syntax error.
If you're running the query like this:
$result = mysql_query($sql);
then change it to be
$result = mysql_query($sql) or die(mysql_error());
so you'll immediately get feedback if the query fails for any reason.
And then read up about SQL injection holes
$id = $_GET['id']
<form action="#.php" method="POST">
<input type="hidden" name="id" value="<?php echo $id?>">
</form>
then, inside PHP block,
$id = $_POST['id'];
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'"
Without getting into the issue of how bad it is to pull data right from the GET array, I'd start by suggesting you properly escape your variables. I assume ID is an integer, so there's no need for singlequotes around it.
$sql = "UPDATE table SET user='".$user."', name='".$name."' where id=".$id;
See if that works.
TableName should be there ....you have not used table name in your query..Echo the $sql and then try executing in phpmyadmin.
First of all, you're wide open to SQL Injection attacks if you do it like this. Anyone can just alter the part after id= to anything they like and modify your database with that.
Secondly, I see you pass an id to the script, but where does it determine the $user and $name values? Seems like your code posted is incomplete.