I'm trying to update a database entry but it won't change anything. I'm getting no errors which confuses me...
Code:
if(isset($_GET['edit']))
{
$idn = $_GET['id'];
$namn = $_POST['namn'];
$adress = $_POST['adress'];
$postnummer = $_POST['postnummer'];
$postort = $_POST['postort'];
$email = $_POST['email'];
$status = 0;
echo $namn;
$sql="UPDATE ordrar SET namn = '$namn' AND adress = '$adress' AND postnummer = '$postnummer'
AND postort = '$postort' AND email = '$email' AND status = '$status' WHERE id = '$idn'";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
//$referer = $_SERVER['HTTP_REFERER'];
//header('Location:'. $referer);
}
Thanks for answers
/Victor
Your immediate problem is SQL syntax. Read the documentation on UPDATES and replace the ANDs with commas.
Your secondary, but possibly larger problem is that you're building a query out of untrusted user input. That's a recipe for a SQL injection attack. Use bind variables instead.
Ref this
Syntax for Update
UPDATE table_name SET field1=new-value1, field2=new-value2 [WHERE Clause]
Your query should
$sql="UPDATE ordrar SET namn = '$namn' , adress = '$adress' ,
postnummer = '$postnummer' , postort = '$postort' , email = '$email' ,
status = '$status' WHERE id = '$idn'";
if you get no errors it does mean that no records matched WHERE condition
or you're probably don't have $_GET['edit'] varibale set
Related
I need help with the query, no errors or such but it is not proceeding to the next page, see query below:
<?php
$connect=mysqli_connect('localhost','root','','lawadmission');
session_start();
$reference_number = $_SESSION['reference_number'];
$citizenship = $_POST['citizenship'];
$region = $_POST['region'];
$spouse_name = $_POST['spouse_name'];
$place_of_birth = $_POST['place_of_birth'];
$civil_status = $_POST['civil_status'];
$no_of_children = $_POST['no_of_children'];
$weight = $_POST['weight'];
$height = $_POST['height'];
$degree = $_POST['degree'];
$school = $_POST['school'];
$yearGraduated = $_POST['yearGraduated'];
$elementary = $_POST['elementary'];
$elementaryDegreeObtained = $_POST['elementaryDegreeObtained'];
$elementaryPeriodOfAttendance = $_POST['elementaryPeriodOfAttendance'];
$highschool = $_POST['highschool'];
$highschoolDegreeObtained = $_POST['highschoolDegreeObtained'];
$highschoolPeriodOfAttendance = $_POST['highschoolPeriodOfAttendance'];
$college = $_POST['college'];
$collegeDegreeObtained = $_POST['collegeDegreeObtained'];
$collegePeriodOfAttendance = $_POST['collegePeriodOfAttendance'];
$postCollege = $_POST['postCollege'];
$postcollegeDegreeObtained = $_POST['postcollegeDegreeObtained'];
$postcollegePeriodOfAttendance = $_POST['postcollegePeriodOfAttendance'];
$other = $_POST['other'];
$otherDegreeObtained = $_POST['otherDegreeObtained'];
$otherPeriodOfAttendance = $_POST['otherPeriodOfAttendance'];
$query = "UPDATE applicants SET
citizenship = '$citizenship',
region = '$region',
spouseName = '$spouse_name',
placeOfBirth = '$place_of_birth',
civilStatus = '$civil_status',
childNo = '$no_of_children',
weight = '$weight',
height = '$height',
degree = '$degree',
school = '$school',
yearGraduated = '$yearGraduated',
elementary = '$elementary',
elementaryDegreeObtained = '$elementaryDegreeObtained',
elementaryPeriodOfAttendance = '$elementaryPeriodOfAttendance',
highschool = '$highschool',
highschoolDegreeObtained = '$highschoolDegreeObtained',
highschoolPeriodOfAttendance = '$highschoolPeriodOfAttendance',
college = '$college',
collegeDegreeObtained = '$collegeDegreeObtained',
collegePeriodOfAttendance = '$collegePeriodOfAttendance',
postCollege = '$postCollege',
postcollegeDegreeObtained = '$postcollegeDegreeObtained',
postcollegePeriodOfAttendance = '$postcollegePeriodOfAttendance',
other = '$other',
otherDegreeObtained = '$otherDegreeObtained' and
otherPeriodOfAttendance = '$otherPeriodOfAttendance'
WHERE referenceNo = '$reference_number'";
if(mysqli_query($connect, $query)){
header( "Location: registered.php" ); die;
echo "<script>window.open('registered.php','_self')</script>";
}
if(mysqli_connect_errno($connect))
{
echo 'Failed to connect';
}
?>
Your error is right here:
UPDATE applicants SET
...
other = '".$other."',
otherDegreeObtained = '".$otherDegreeObtained."' and <--- and
otherPeriodOfAttendance = '$otherPeriodOfAttendance'
This and should be a ,.
SQLInjection
Besides that you are open to SQL injection. As I said in the comments a single ' in any one of your inputs will wreck your query -via- SQLInjection.
Will take this small example
//$citizenship = $_POST['citizenship'];
UPDATE applicants SET citizenship = '{$_POST['citizenship']}'
Now if $_POST['citizenship'] is like it's or anything with a ' in it, this is what your query becomes:
UPDATE applicants SET citizenship = 'it's'
Now that s' will be unmatched and as such it will be a syntax error in your SQL, and you will be right back where you were. That's the best case. One thing that could be done is this (do not try this)
//don't do this
$_POST['otherPeriodOfAttendance'] = "' WHERE 1 --";
UPDATE applicants SET ... , otherPeriodOfAttendance='' WHERE 1 --WHERE referenceNo = ''
//OR
UPDATE applicants SET ... , otherPeriodOfAttendance='' WHERE 1
The -- is a comment in SQL, so the rest of the query is ignored after that. So what this will do is update every row in your DB, not just 1 as 1 is always true. In fact you could probably omit the WHERE all together. So just by putting in:
//don't do this either
$_POST['otherPeriodOfAttendance'] = "'--";
UPDATE applicants SET ... , otherPeriodOfAttendance=''--WHERE referenceNo = ''
//OR
UPDATE applicants SET ... , otherPeriodOfAttendance=''
I can basically wipe out that whole table, which is obviously not something we want to do.
I suggest looking up how to Prepare Queries in PHP. There are plenty of resources on this topic so I won't go into great detail here except to say beside the obvious security reasons, it also takes care of quotes.
If you can use array on your query else you edit your query that would clearly read the the values on your parameters. Also, please consider using var_dump or print_r for checking.
$query = "UPDATE applicants SET
citizenship = '".$citizenship."',
region = '".$region."',
spouseName = '".$spouse_name."',
placeOfBirth = '".$place_of_birth."',
civilStatus = '".$civil_status."',
childNo = '".$no_of_children."',
weight = '".$weight."',
height = '".$height."',
degree = '".$degree."',
school = '".$school."',
yearGraduated = '".$yearGraduated."',
elementary = '".$elementary."',
elementaryDegreeObtained = '".$elementaryDegreeObtained."',
elementaryPeriodOfAttendance = '".$elementaryPeriodOfAttendance."',
highschool = '".$highschool."',
highschoolDegreeObtained = '".$highschoolDegreeObtained."',
highschoolPeriodOfAttendance = '".$highschoolPeriodOfAttendance."',
college = '".$college."',
collegeDegreeObtained = '".$collegeDegreeObtained."',
collegePeriodOfAttendance = '".$collegePeriodOfAttendance."',
postCollege = '".$postCollege."',
postcollegeDegreeObtained = '".$postcollegeDegreeObtained."',
postcollegePeriodOfAttendance = '".$postcollegePeriodOfAttendance."',
other = '".$other."',
otherDegreeObtained = '".$otherDegreeObtained."',
otherPeriodOfAttendance = '".$otherPeriodOfAttendance."'
WHERE referenceNo = '".$reference_number."'";
my be problem is die function. remove Die function
if(mysqli_query($connect, $query))
{
header( "Location: registered.php" );
echo "<script>window.open('registered.php','_self')</script>";
}
I have the following code and it works fine when updating the score and date. But it won't update the row's name or country. Does this have something to do with the php string??? Very confused!
$userName = "John";
$userCountry = "USA";
$lowestScoreId = 99;
$userPoints = 500;
include 'config.php';
$currentTime = time();
mysql_query("UPDATE highScores SET name = $userName WHERE id='$lowestScoreId'");
mysql_query("UPDATE highScores SET score = $userPoints WHERE id='$lowestScoreId'");
mysql_query("UPDATE highScores SET country =$userCountry WHERE id='$lowestScoreId'");
mysql_query("UPDATE highScores SET date = $currentTime WHERE id='$lowestScoreId'");
You forgot the quotes around the values you set. And you can do that in 1 query.
UPDATE highScores
SET `name` = '$userName',
`score` = '$userPoints',
`country` = '$userCountry',
`date` = '$currentTime'
WHERE id='$lowestScoreId'"
You should do this in one statement.
$userName = "John";
$userCountry = "USA";
$lowestScoreId = 99;
$userPoints = 500;
include 'config.php';
$currentTime = time();
mysql_query("UPDATE highScores SET name = '$userName', score = '$userPoints', country = '$userCountry', date = '$currentTime' WHERE id='$lowestScoreId'");
Also, you shouldn't use the PHP mysql_ functions anymore. Have a look at MySQLi which is newer, faster and has more features.
I want to update a mysql database. That has become a common practice for me, but for some reason with no error, it just doesn't work. The only thing I have never done is compare against 2 variables(in this case, ID && Name)
$name = $_POST['name'];
$duty = $_POST['duty'];
$number = $_POST['number'];
$url = $_POST['url'];
$insert = "UPDATE vendors SET name = '$_POST[name]', duty = '$_POST[duty]', number = '$_POST[number]', url = '$_POST[url]' WHERE id = '$id' && name = '$name'";
$result=mysql_query($insert) or die(mysql_error());
if ($result) {
header("location:**HIDDEN**");
Any help would be appreciated.
Instead of &&, you should use AND to add another where-condition.
Write this instead:
$name = $_POST['name'];
$duty = $_POST['duty'];
$number = $_POST['number'];
$url = $_POST['url'];
$insert = "UPDATE `vendors` SET `name` = '{$_POST['name']}', `duty` = '{$_POST['duty']}', `number` = '{$_POST['number']}', `url` = '{$_POST['url']}' WHERE (`id` = '$id' AND `name` = '$name')";
$result = #mysql_query($insert) or die(mysql_error());
header("location:**HIDDEN**");
It should now work. Notify me if there still is a problem.
replace && with AND and you should be good
Your Query is wrong. Following is the correct one.
The way you have used the variables is wrong.
You had not written any code for $id. What is that?
$insert = "UPDATE vendors SET name = '".$_POST['name']."', duty = '".$_POST['duty']."', number = '".$_POST['number']."', url = '".$_POST['url']."' WHERE id = '$id' AND name = '$name'";
Been tinkering with my website, it is a seat booking website. Still in alpha testing really so not live to the public yet for obvious reasons.
However, I'm having a few problems with updating the values in my database.
I'll post the code and then explain the problem..
else {
$seatID = $_POST['form_submitted'];
$query1 = "SELECT seatTaken FROM SEATS WHERE seatNo = '$seatID'";
$result = mysql_query($query1);
while($row = mysql_fetch_array($result))
{
$taken = $row['seatTaken'];
}
$query2 = "SELECT passNo FROM PASSENGER WHERE username = '$loggedinuser'";
$result = mysql_query($query2);
while($row = mysql_fetch_array($result))
{
$passno = $row['passNo'];
}
$query3 = "SELECT groupID FROM PASSENGER WHERE username = '$loggedinuser'";
$result = mysql_query($query3);
while($row = mysql_fetch_array($result))
{
$groupno = $row['groupID'];
}
$query4 = "SELECT flightNo FROM PASSENGER WHERE username = '$loggedinuser'";
$result = mysql_query($query3);
while($row = mysql_fetch_array($result))
{
$flightno = $row['flightNo'];
}
// if ($taken = 0) {
$update = mysql_query("UPDATE PASSENGER SET seatNo = $seatID WHERE username = '$loggedinuser'");
$update2 = mysql_query("UPDATE SEATS SET seatTaken = 1, passNo = '$passNo', groupID = '$groupid' WHERE seatNo = '$seatID'");
// AND flightNo = '$flightno'"
echo '<meta http-equiv="refresh" content="5;url=http://www.mywebsite.com/">';
echo mysql_error();
//}
}
?>
Now the user will have selected their seat in the previous form hence the:
$seatID = $_POST['form_submitted'];
However, at the bottom in my queries, the only value that actually changes in the database when this PHP code is run is the boolean value of 'seatTaken', in that it does change from 0 (not occupied) to 1 (occupied).
The field passNo and groupID in my database DO NOT UPDATE as referenced here in these queries:-
$update = mysql_query("UPDATE PASSENGER SET seatNo = $seatID WHERE username = '$loggedinuser'");
$update2 = mysql_query("UPDATE SEATS SET seatTaken = 1, passNo = '$passNo', groupID = '$groupid' WHERE seatNo = '$seatID'");
Is anyone able to help? Many thanks!
Tom
Watch your variable naming and string quotation
When your looking for values in mysql, they usually need to be a string literal (add quotes).
And your other problem is your variable names:
$update = mysql_query("UPDATE PASSENGER SET seatNo = '$seatID' WHERE username = '$loggedinuser'");
$update2 = mysql_query("UPDATE SEATS SET seatTaken = 1, passNo = '$passno', groupID = '$groupno' WHERE seatNo = '$seatID'");
$passno vs $passNo
$groupid vs $groupno
You should also make sure you properly escape any input coming from the user http://php.net/manual/en/function.mysql-real-escape-string.php
One can't see in your code how do you generate the values of $groupid, $passNo, $seatID. Are those varaibles set when you do your update? (just echo the SQL code to see what query is being sent to your database)
Maybe you should try getting the variables from your post request, like $_POST['groupid'], if groupid is the name of the field in the form.
I'm trying to display info from a mysql row on this page. I'm using $_GET, because the id is included in the link to the page: www.example.com/page.php?id=1 but it returns this error:
Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '= '1'' at line 1
Does anyone know how to fix this?
code below:
<?php
$username="xxx";
$password="xxx";
$database="xxx";
mysql_connect(localhost,$username,$password);
#mysql_select_db($database) or die( "Unable to select database");
include 'library/config.php';
include 'library/opendb.php';
if(isset($_GET['id']))
{
$query = "SELECT id, title, content, contactname, contactemail, contactnumber ".
"FROM vacancies".
"WHERE id = '{$_GET['id']}'";
$result = mysql_query($query) or die('Error : ' . mysql_error());
list($id, $title, $content, $contactname, $contactemail, $contactnumber) = mysql_fetch_array($result, MYSQL_NUM);
$content = htmlspecialchars($content);
}
if(isset($_POST['update']))
{
$id = $_POST['id'];
$title = $_POST['title'];
$content = $_POST['content'];
$contactname = $_POST['contactname'];
$contactemail = $_POST['contactemail'];
$contactnumber = $_POST['contactnumber'];
if(!get_magic_quotes_gpc())
{
$title = addslashes($title);
$content = addslashes($content);
$contactname = addslashes($contactname);
$contactemail = addslashes($contactemail);
$contactnumber = addslashes($contactnumber);
}
// update the article in the database
$query = "UPDATE vacancies
SET title = '$title', content = '$content', contactname = '$contactname', contactemail = '$contactemail', contactnumber = '$contactnumber'".
"WHERE id = '$id'";
mysql_query($query) or die('Error : ' . mysql_error());
// then remove the cached file
$cacheDir = dirname(__FILE__) . '/cache/';
$cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';
#unlink($cacheFile);
// and remove the index.html too because the file list
// is changed
#unlink($cacheDir . 'index.html');
echo "<b>Job Entry: '$title' updated</b>";
// now we will display $title & content
// so strip out any slashes
$title = stripslashes($title);
$content = stripslashes($content);
$contactname = stripslashes($contactname);
$contactemail = stripslashes($contactemail);
$contactnumber = stripslashes($contactnumber);
}
include 'library/closedb.php';
?>
Check out http://us2.php.net/manual/en/function.mysql-query.php
The problem is that you are using too many single quotes here:
"WHERE id = '{$_GET['id']}'";
and your query is not acting as expected. use mysql_real_escape_string() instead.
Try this:
$query = "SELECT id, title, content, contactname, contactemail, contactnumber ".
"FROM vacancies ".
"WHERE id = '".$_GET['id']."'";
I always try to leave the variables out of my strings, just add them in with periods, I find it eliminates a lot of confusion.
One problem:
$query = "UPDATE vacancies
SET title = '$title', content = '$content', contactname = '$contactname', contactemail = '$contactemail', contactnumber = '$contactnumber'".
"WHERE id = '$id'";
results in no space between the last column and the WHERE clause. Change it to:
$query = "UPDATE vacancies
SET title = '$title', content = '$content', contactname = '$contactname', contactemail = '$contactemail', contactnumber = '$contactnumber' ".
"WHERE id = '$id'";
or my preferred format:
$query = <<<END
UPDATE vacancies
SET title = '$title',
content = '$content',
contactname = '$contactname',
contactemail = '$contactemail',
contactnumber = '$contactnumber'
WHERE id = '$id'
END;
Note: You should really escape the fields using mysql_real_escape_string().
Remove the quotes around
{$_GET['id']}
and
$id
in all your queries.
Your id is of type integer I assume, which can't take a quoted version or it tries to match the integer key to the string "1"
--
Change this line
$result = mysql_query($query) or die('Error : ' . mysql_error());
to
$result = mysql_query($query) or die('Error : ' . mysql_error() . "\n\n" . $query);
Then you can see exactly what query is going into the DB. Which you can then post here for us to see.
Also please post a
describe <tablename>;