MySQL Query in PHP - Not Correct? - php

What is wrong with this query? It appears to be correct to me:
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id is $UID");
Modified it, NetBeans is still giving me an error. Here's my total code for the page:
$culture = $_POST["culture"];
if (isset($_POST["id"]))
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
else
mysql_query("INSERT INTO culture
VALUES(cult_desc='$culture')");

What's the value of $culture?
If it's a string, you'll need to encapsulate it with quotes.
Same thing for $UID.
Also, the 'is' in the where-condition should be '='.
Also: watch out with this code. Make sure that $culture and $UID cannot contain any malicious values (e.g. malicious input from users).

cult_desc is probably a string, so you need to wrap it in ' '
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");

Seeing the newly edited code, your update-statement is now correct, but your insert statement now is wrong.
Try:
mysql_query("INSERT INTO culture (cult_desc)
VALUES ('$culture')");

If cult_desc is a string then
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id = $UID");
or
mysql_query("UPDATE culture SET cult_desc=$culture WHERE cult_id = $UID");

Your problem is in the { and } of the if/else statement:
$culture = $_POST["culture"];
if (isset($_POST["id"])){
$UID = $_POST["id"];
mysql_query("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$UID");
}else{
mysql_query("INSERT INTO culture (cult_desc)
VALUES ('$culture')");
}

$sql = "UPDATE `culture` SET `cult_desc` = '$culture' WHERE `cult_id` = '$UID'";
Basically, you're using 'is' instead of =

Depending on the data type of $culture and $UID you might be missing quotes. Cult_desc sounds like a string and thus $culture should be enclosed in quotes.

You should always check the output of mysql_error: http://php.net/manual/en/function.mysql-error.
I also usually use = instead of 'is', and also wrap all of my input data in quotation marks, e.g.
$sql = "UPDATE `culture` SET cult_desc = '".$culture."' WHERE cult_id = '".$UID."'";
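The advice in this thread (quote the string, use =, fix the braces) makes the query parse, but as the first answer warns, it does nothing about malicious values. The block below is an added example, not code from the question or any answer. It uses an in-memory SQLite database through PDO as a stand-in for MySQL (the pdo_sqlite extension is assumed; the prepared-statement calls are identical with the pdo_mysql driver), seeds a `culture` table with three constructed rows, and runs the thread's UPDATE/INSERT branch twice: once built by string interpolation with a constructed attacker value for the id, and once with the id validated and both values bound as parameters.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO as a stand-in for MySQL (assumes the pdo_sqlite extension);
// the prepared-statement calls are the same with the pdo_mysql driver.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw instead of returning false
    $db->exec('CREATE TABLE culture (cult_id INTEGER PRIMARY KEY, cult_desc TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO culture (cult_id, cult_desc) VALUES (1, 'one'), (2, 'two'), (3, 'three')");
    return $db;
}

// The thread's approach: interpolate the POST values into the SQL text.
// Quoting $culture fixes the syntax error but not the injection, and the
// unquoted integer $uid is the easiest place to inject.
function saveUnsafe(PDO $db, array $post): int {
    $culture = $post['culture'];
    if (isset($post['id'])) {
        $uid = $post['id'];
        return $db->exec("UPDATE culture SET cult_desc='$culture' WHERE cult_id=$uid");
    }
    return $db->exec("INSERT INTO culture (cult_desc) VALUES ('$culture')");
}

// Hardened version: reject a non-integer id, bind both values, let the driver quote.
function saveSafe(PDO $db, array $post): int {
    $culture = (string) ($post['culture'] ?? '');
    if (isset($post['id'])) {
        $uid = filter_var($post['id'], FILTER_VALIDATE_INT);
        if ($uid === false) {
            throw new InvalidArgumentException('id must be an integer');
        }
        $stmt = $db->prepare('UPDATE culture SET cult_desc = :desc WHERE cult_id = :id');
        $stmt->bindValue(':desc', $culture);
        $stmt->bindValue(':id', $uid, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount();
    }
    $stmt = $db->prepare('INSERT INTO culture (cult_desc) VALUES (:desc)');
    $stmt->bindValue(':desc', $culture);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed attacker input: with the id unquoted, one row's update becomes every row's.
$payload = ['culture' => 'pwned', 'id' => '1 OR 1=1'];

$db = openDb();
echo saveUnsafe($db, $payload), " rows changed by the interpolated query\n"; // 3

$db = openDb();
try {
    saveSafe($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo saveSafe($db, ['culture' => "O'Brien", 'id' => '2']), " row changed by the prepared query\n"; // 1
echo saveSafe($db, ['culture' => 'new']), " row inserted\n"; // 1
```

The interpolated query reports 3 changed rows because `WHERE cult_id=1 OR 1=1` matches everything; the prepared version never sees that value because the integer check rejects it, and the `O'Brien` description goes in without any quoting or escaping in the PHP code.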

Related

Can't update mysql database with text

I can update my database using the following code:
$id = 1;
$client = 3456;
$sql = "UPDATE production SET client=$client WHERE id=$id";
However, if the $client variable is a text string (instead of numeric), it won't work.
$id = 1;
$client = "some text";
$sql = "UPDATE production SET client=$client WHERE id=$id";
The client field in my database is VARCHAR with a limit of 50 characters. Is there anything obvious I'm overlooking?
Add single or double quotes at the start and end of the string to make it a string in the MySQL query.
Replace
$sql = "UPDATE production SET client=$client WHERE id=$id";
With
$sql = "UPDATE production SET client='$client' WHERE id=$id";
The above can break if there is a single quote in the string, so you can use addslashes on the value.
Try
$sql = "UPDATE production SET client='".addslashes($client)."' WHERE id=$id";
Note:
There are SQL injection possibilities in the above query. Please try to use prepared queries to prevent SQL injection.
Add single quotes in the query when you pass the string, like this:
$sql = "UPDATE production SET client='$client' WHERE id=$id";

SQL syntax with simple WHERE

I'm having a problem with updating a table where the id matches the post-id. My code looks like this at the moment.
$id = $_POST['id'];
$vote =$_POST['vote'];
$sql = "UPDATE images SET votes=votes+1, value=value+$vote, WHERE 'id'='$id'";
$result = mysqli_query($conn, $sql) or die(mysqli_error($conn));
echo "hej då";
Try this
$sql = "UPDATE images SET votes=votes+1, value=value+'$vote' WHERE id='$id'";
The syntax of your query appears a bit off. Try removing the single quotes around $id in the WHERE clause, and also get rid of that trailing comma after the SET list.
$sql = "UPDATE images SET votes=votes+1, value=value+$vote WHERE id=$id";
$sql = "UPDATE images SET votes=votes+1, value=value+$vote WHERE id='".$id."'";

updating mysql field with variable not working

So I am using CONCAT to combine 2 strings together and want to update a TEXT field in my database by adding a new string onto the end of the existing string.
// This code works great. will add "EXTRA" at end of the feed.
$insert = ("update $username set feed = CONCAT(feed, 'EXTRA')");
mysql_query($insert);
// This code doesn't work. not sure what to change in the variable area?
$extra = "EXTRA";
$insert = ("update $username set feed = CONCAT(feed, '$extra')");
mysql_query($insert);
I tried many variations of the variable declaration but can't seem to get it to work like i can when i just write in a string. any help or insight is appreciated.
thanks!
I think you mixed up your SQL here:
"update $username set feed = CONCAT(feed, 'EXTRA')"
$username = TABLE NAME ??
And looks like you probably want to update a field WHERE it equals a certain $username which would be:
"update TABLENAME set feed = CONCAT(feed, '$extra') WHERE username = '$username'"
Look example query:
UPDATE table_name SET field1 = CONCAT(field1, "new data" ) WHERE field2 = value;
and adjust to your needs.
To get the word 'EXTRA' at the end of feed I think you need to do something like this:
$insert = ("update $username set feed = CONCAT(feed, '" . $extra . "')");
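The query in this question has a second problem that the answers touch on only in passing: the table name comes from `$username`. Table and column names cannot be bound as parameters, so the only safe way to use one from input is to check it against a fixed list and quote it as an identifier, while the appended text is bound as a value. The block below is an added example, not the poster's code. It assumes a MySQL database reached through PDO, a hypothetical allow-list `FEED_TABLES` of per-user tables, and (for the second function) a single `feeds` table with a `username` column, which is the layout the first answer suggests.

```php
<?php
// Added example, not the poster's code. Assumes MySQL through PDO; the table
// list, table names and credentials below are placeholders.
declare(strict_types=1);

// Assumed: the complete set of per-user feed tables that exist.
const FEED_TABLES = ['alice', 'bob', 'carol'];

// Return the identifier quoted for MySQL, or throw if it is not one we expect.
// Identifiers cannot be bound, so an allow-list is the check.
function quoteIdentifier(string $name, array $allowed): string {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $name");
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Append $extra to the feed column of the user's own table. $extra travels as a
// bound value, so quotes and backslashes in it need no escaping in PHP.
function appendToFeed(PDO $db, string $username, string $extra): int {
    $table = quoteIdentifier($username, FEED_TABLES);
    $stmt = $db->prepare("UPDATE $table SET feed = CONCAT(feed, ?)");
    $stmt->execute([$extra]);
    return $stmt->rowCount();
}

// If all feeds live in one table (as the first answer suggests), the user name
// is ordinary data and is bound as well; no allow-list is needed.
function appendToFeedRow(PDO $db, string $username, string $extra): int {
    $stmt = $db->prepare('UPDATE feeds SET feed = CONCAT(feed, ?) WHERE username = ?');
    $stmt->execute([$extra, $username]);
    return $stmt->rowCount();
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// appendToFeed($db, $_POST['username'], $_POST['extra']);
// appendToFeedRow($db, $_POST['username'], $_POST['extra']);
```

With the per-table layout, a `$username` such as `alice; DROP TABLE bob` is rejected before any SQL is built; with the single-table layout the same value is just a string that matches no row.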

Insert query problem with php mysql

This is a simple one. I am using the following insert query:
mysql_query(insert into table1 set saltval = 'Y'Z' where uid ='1');
but it does not work because the value for the field saltval is Y'Z. My question is how to have this value treated as a string.
You need to escape any single quotes with a backslash.
mysql_query("insert into table1 set saltval = 'Y\'Z' where uid ='1'");
However your SQL is invalid as well... Did you mean to do an update? Insert statements don't have a where.
As mentioned in other answers, if the input is from a user then you should use mysql_real_escape_string()
http://www.php.net/manual/en/function.mysql-real-escape-string.php
$string = mysql_real_escape_string("Y'Z");
mysql_query("insert into table1 set saltval = '{$string}' where uid ='1'");
Always use the mysql_real_escape_string() function for this if values come from user input:
$query="insert into table1 set saltval = '".mysql_real_escape_string($InputVal)."' where uid ='1'";
See http://php.net/manual/en/function.mysql-real-escape-string.php
You have to add a backslash to certain characters to make your string fit the SQL syntax rules.
Assuming you're creating your query dynamically, PHP has a special escaping function for this and you should use it for every quoted string in the query, no exceptions.
So, write your code like this:
$salt = "Y'Z";
$id = 1;
$salt = mysql_real_escape_string($salt);
$id = mysql_real_escape_string($id);
$sql = "update table1 set saltval = '$salt' where uid ='$id'";
mysql_query($sql) or trigger_error(mysql_error()." ".$sql);
to make it safe and fault-tolerant
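The "Can't update mysql database with text" question above and this one are the same problem from two sides: a value containing a quote breaks the string literal it is pasted into. The answers offer addslashes, mysql_real_escape_string, or a prepared query. The block below is an added example, not from either thread, showing the three side by side with the mysqli extension (the mysql_* functions used in the threads were removed in PHP 7). It assumes a MySQL server reachable with the placeholder credentials shown and a table production(id INT PRIMARY KEY, client VARCHAR(50)); the client value "O'Reilly \ Co" is constructed to contain both a quote and a backslash.

```php
<?php
// Added example, not from the threads. Assumes a reachable MySQL server with the
// placeholder credentials below and a table production(id INT, client VARCHAR(50)).
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli {
    $db = new mysqli('localhost', 'app', 'secret', 'shop'); // placeholders
    // Escaping depends on the connection charset, so declare it before escaping
    // or binding anything. addslashes() has no idea which charset is in use.
    $db->set_charset('utf8mb4');
    return $db;
}

// Escaping route: correct only if EVERY interpolated value is escaped and the
// charset is set. $id is typed int here, so a string like "1 OR 1=1" cannot get in.
function updateClientEscaped(mysqli $db, int $id, string $client): int {
    $safe = $db->real_escape_string($client); // escapes ' " \ NUL \n \r and Ctrl-Z
    $db->query("UPDATE production SET client='$safe' WHERE id=$id");
    return $db->affected_rows;
}

// Binding route: the value never becomes part of the SQL text, so there is
// nothing to escape and nothing to quote. 's' = string, 'i' = integer.
function updateClientBound(mysqli $db, int $id, string $client): int {
    $stmt = $db->prepare('UPDATE production SET client=? WHERE id=?');
    $stmt->bind_param('si', $client, $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

$client = "O'Reilly \\ Co"; // constructed: contains a quote and a backslash

// addslashes only handles ' " \ and NUL, and is blind to the connection charset.
printf("addslashes:         %s\n", addslashes($client));

$db = connect();
printf("real_escape_string: %s\n", $db->real_escape_string($client));
printf("%d row(s) via escaping\n", updateClientEscaped($db, 1, $client));
printf("%d row(s) via binding\n", updateClientBound($db, 1, $client));
```

For this particular string both escaping functions produce `O\'Reilly \\ Co`, which is why addslashes appears to work in the thread; the differences show up with newlines, Ctrl-Z and multibyte charsets, which is the reason the bound version is the one to keep. The doubled backslash is also exactly what the json_encode question further down is missing: a `\u00e9` pasted into a single-quoted MySQL literal loses its backslash unless it is escaped or bound.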

PHP json_encode losing my UTF-8 escapes?

I have an array with strings with international characters.
When I save this in the database I lose the backslashes? Why?
$descr_arr = array("héééllo","world");
$js_encoded = json_encode($descr_arr);
print $js_encoded; // "[\"h\u00e9\u00e9\u00e9llo\",\"world\"]"
$sql_query = "UPDATE test_table SET description = '$js_encoded' WHERE id = 0";
$sql_res = mysql_query($sql_query);
// in the description field in the database I find:
// ["hu00e9u00e9u00e9llo","world"]
You didn't escape your database inputs. Always escape!
Here's one way
$sql_query = "UPDATE test_table SET description = '".
mysql_real_escape_string($js_encoded).
"' WHERE id = 0";
Better yet, use a database wrapper like PDO or ADODb, which would take care of the escaping for you. It would look something like this:
$db->Execute("UPDATE test_table SET description =? where id=?",
array($js_encoded, $id));
