Issue with this function. The code is not executing - php

The function is supposed to update the values in the database.
Here is the code:
//Functions
//Function to Update users networth
function update_net($name)
{
//Get worth & balance at the time
$sql_to_get_worth_balance = "SELECT * FROM user WHERE username = '$name'";
$sql_query = mysql_query($sql_to_get_worth_balance);
while ($rows = mysql_fetch_assoc($sql_query))
{
$worth = $rows['worth'];
$balance_ = $rows['cash_balance'];
}
//Get net_worth now
$new_net_worth = $worth + $balance;
//Update net_worth
$sql_for_new_worth = "UPDATE user SET net_worth = '$new_net_worth'";
$sql_worth_query = mysql_query($sql_worth);
}
It is used here:
//Get username
$username = $_SESSION['username'];
if (isset($username))
{
//Update networth
$update_worth = update_net($username);

You probably want a WHERE clause on the end of this query:-
$sql_for_new_worth = "UPDATE user SET net_worth = '$new_net_worth'";
e.g.
$sql_for_new_worth = "UPDATE user SET net_worth = '$new_net_worth' WHERE username = '$name'";

You're forgetting the where name=$name part in the update query (which will update the entire table!)
I hope your $name can never hold user entered data because your sql is vulnerable to injection.

Maybe:
//Update net_worth
$sql_for_new_worth = "UPDATE user SET net_worth = '$new_net_worth'";
$sql_worth_query = mysql_query($sql_worth);
Should Read:
//Update net_worth
$sql_for_new_worth = "UPDATE user SET net_worth = '$new_net_worth'";
$sql_worth_query = mysql_query($sql_for_new_worth);

Maybe you should commit the transaction?
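The fixes suggested in the answers above (use the right query variable, add the WHERE clause, keep the username out of the SQL string), combined in an added example that is not code from the question or from any answer. It assumes PDO with an in-memory SQLite database and constructed rows; the rewritten update_net() signature is hypothetical.

```php
<?php
// Added example: constructed schema and rows, in-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (
    username TEXT PRIMARY KEY,
    worth REAL,
    cash_balance REAL,
    net_worth REAL
)");
$pdo->exec("INSERT INTO user VALUES ('alice', 100, 50, 0), ('bob', 10, 5, 0)");

// Hypothetical replacement for update_net(): returns the number of rows changed.
function update_net(PDO $pdo, string $name): int
{
    // The sum is computed by the database, and the WHERE clause limits the
    // write to one user. :name is sent as data, never spliced into the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE user SET net_worth = worth + cash_balance WHERE username = :name'
    );
    $stmt->execute(['name' => $name]);
    return $stmt->rowCount();
}

// A normal username updates exactly one row.
$changed = update_net($pdo, 'alice');

// A constructed value that would rewrite the WHERE clause if it were
// interpolated into the string matches no username when bound as a parameter.
$changedQuoted = update_net($pdo, "x' OR '1'='1");

// Show the table afterwards: only the named user's net_worth was written.
foreach ($pdo->query('SELECT username, net_worth FROM user ORDER BY username') as $row) {
    printf("%s net_worth=%s\n", $row['username'], $row['net_worth']);
}
printf("rows changed: %d (alice), %d (quoted input)\n", $changed, $changedQuoted);
```

Checking the returned row count is a cheap guard: a value other than 1 for a single-user update means the WHERE clause matched something unexpected.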

Related

php - Updating data in database based on id?

I am working on a project that takes students' attendance in class and I want to update the database data through PHP whilst running a SQL function of UPDATE, but I want to be able to update it based on the id of the data.
This is the code that I am working with at the moment.
<?php
require_once './dba.php';
$status = "";
if(isset($_POST['time_in'])) {
$query = "INSERT INTO nameOfTable (datetime) VALUES (NOW())";
$d = $conn->prepare($query);
$d->execute();
} elseif(isset($_POST['time_out'])) {
$query = "UPDATE nameOfTable SET datetime = NOW() WHERE id = ? ";
$d = $conn->prepare($query);
$d->execute();
} else {
$status = "Can't time in!";
}
Use $conn->lastInsertId() to get the ID that was assigned when they clocked in. Save that in a session variable and use it when they clock out.
<?php
require_once './dba.php';
$status = "";
if(isset($_POST['time_in'])) {
$query = "INSERT INTO nameOfTable (datetime) VALUES (NOW())";
$d = $conn->prepare($query);
$d->execute();
$_SESSION['clock_id'] = $conn->lastInsertId();
} elseif(isset($_POST['time_out'])) {
if (!isset($_SESSION['clock_id'])) {
$status = "You need to clock in first!";
} else {
$query = "UPDATE nameOfTable SET datetime = NOW() WHERE id = :id ";
$d = $conn->prepare($query);
$d->execute(['id' => $_SESSION['clock_id']]);
}
} else {
$status = "Can't time in!";
}
You must remember to prepare the query and bind the parameters onto it.
Use the $id variable to prepare the query with the appropriate ID.
Make sure you authenticate the session before passing the ID to the query, otherwise an attacker can manipulate this data to pull anyone's data they wish.
// It's helpful to create elements within the code to bind onto. :id is ours.
$query = "UPDATE nameOfTable SET datetime = NOW() WHERE id = :id ";
$d = $conn->prepare($query);
// Run the query & bind id to :id
$d->execute(['id' => $id]);
Try this update:
$query = "UPDATE nameOfTable SET datetime = NOW() WHERE id = :id ";
$d = $conn->prepare($query);
$d->execute(['id' => $id ]);
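The point made in the answers about not trusting the id on its own, as an added example that is not from the original posts: the UPDATE is scoped to both the row id and the authenticated user, so a mismatched id changes nothing. The attendance table, its user_id, time_in and time_out columns, and the clock_in()/clock_out() helpers are assumptions; SQLite's datetime('now') stands in for MySQL's NOW() so the block runs offline.

```php
<?php
// Added example: constructed table; user_id is an assumed ownership column.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE attendance (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL,
    time_in TEXT NOT NULL,
    time_out TEXT
)");

// Clock in: the row is created for the authenticated user and its id is returned.
function clock_in(PDO $conn, int $userId): int
{
    $d = $conn->prepare(
        "INSERT INTO attendance (user_id, time_in) VALUES (:uid, datetime('now'))"
    );
    $d->execute(['uid' => $userId]);
    return (int) $conn->lastInsertId();
}

// Clock out: the id alone is not trusted. The row must also belong to the
// authenticated user and still be open, otherwise nothing is updated.
function clock_out(PDO $conn, int $userId, int $clockId): bool
{
    $d = $conn->prepare(
        "UPDATE attendance SET time_out = datetime('now')
         WHERE id = :id AND user_id = :uid AND time_out IS NULL"
    );
    $d->execute(['id' => $clockId, 'uid' => $userId]);
    return $d->rowCount() === 1;
}

// Constructed scenario: in a real page $userId would come from the
// authenticated session and $clockId from $_SESSION['clock_id'].
$aliceRow = clock_in($conn, 1);
$bobRow   = clock_in($conn, 2);

var_dump(clock_out($conn, 1, $bobRow));   // user 1 supplies user 2's row id
var_dump(clock_out($conn, 1, $aliceRow)); // user 1 closes their own row
var_dump(clock_out($conn, 1, $aliceRow)); // repeat request on a closed row
```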

Any idea why my query only works on the first, but on the second isset nothing happens?

if (isset($_POST['submitid'])) {
$itemid = $_POST['itemID'];
$cartno = mysqli_query($connection , "SELECT * FROM users");
while ($cartnorow = mysqli_fetch_assoc($cartno)) {
$existingcartno = $cartnorow['cartno'];
$existingtotal = $cartnorow['total'];
}
$updatecartno = $existingcartno + 1;
$updateprice = $itemlistprice+$existingcartno;
mysqli_query($connection ,
"UPDATE users SET cartno = '$updatecartno' WHERE id=1");
}
When I remove WHERE id = 1 it works fine.
I seriously need to update a specific id, that's why I need that WHERE id = 1.

I can't figure out how to update my last inlog time

I'm trying to make a last activity function for a website, but I can't get it to work. I hope you guys can help me out here.
this is my query:
$last_activity_query = "UPDATE users_table SET user_name = '$user_name' WHERE 'date_last_inlog' = NOW()";
$result_update = mysql_query($last_activity_query);
$last_activity_update = mysql_fetch_array($result_update);
this is a print screen of my database table:
I want to store this update in the last row.
Thanks in advance!
I've changed my script now but it's still not changing anything in my database table.
this is the change:
if (isset($_REQUEST['inlog_submit'])){//checks if form is submitted
$user_name = $_REQUEST['username_input'];//request username from inlog_form
$password = $crypt;//gets encrypted pass
//$tbl_name="user_table"; // Table name
$query = "SELECT * FROM users_table WHERE user_name= '$user_name' AND password='$password'";//query stored in var
$last_activity_query = "UPDATE users_table SET 'date_last_inlog' = NOW() WHERE user_name = '$user_name'";
$result = mysql_query($query);//var with result of query
$result_update = mysql_query($last_activity_query);
if ($user_name = mysql_fetch_array($result)){//checks inlog data from form with the $result query
$_SESSION['user_name'] = $user_name[user_name];//creates session with username
$_SESSION['password'] = $password[password];//creates session with password
$last_activity_update = mysql_fetch_array($result_update);
header ('Location: admin.php');//when login is correct redirect to specified page
}else{
$error_inlog = 10;//when inlog data is incorrect this error will show
}
}
?>
Your SQL query is in the wrong order.
$last_activity_query = "UPDATE users_table SET date_last_inlog = NOW() WHERE user_name = '$user_name'";
Your logic is incorrect. Use this:-
"UPDATE users_table SET date_last_inlog = NOW() WHERE user_name = '$user_name'";
You are using this :-
UPDATE users_table SET user_name = '$user_name' WHERE 'date_last_inlog' = NOW()
You are trying to update user_name column where the date_last_inlog column value is equal to the current time which is logically incorrect.

Update db row on login

I have the following code: its purpose is very clear => at login update db with +1 logins for totallogins and record the time of the very last login. The only downside is that it won't work.
<?php
date_default_timezone_set('Europe/Amsterdam');
if (isset($_POST['formsubmitted'])) {
$Timesloggedin = "SELECT * FROM members.Timesloggedin WHERE Email='$email'";
$time = date("Y-m-d H:i:s");
$query1 = "UPDATE members SET Timesloggedin = $Timesloggedin + 1, Lastloggedin = $time WHERE Email ='$email'";
$result_insert_loggedins = mysql_query($query1);
if (!$result_insert_loggedins) {
echo 'Query failed';
}
if (mysql_affected_rows($dbc) == 1)
{
//If the Insert Query was successful.
}
?>
$query1 = "UPDATE members SET Timesloggedin = Timesloggedin + 1, Lastloggedin = '$time' WHERE Email ='$email'";
Remember that $time is a string and needs the quotes. Also, $Timesloggedin would be an object (if you actually ran the query which you don't) so just remove the $ and it will just increment the field.
Also, you don't even need the first query. Nor do you need the date calculation. Just use mysql's NOW()...
$query1 = "UPDATE members SET Timesloggedin = Timesloggedin + 1, Lastloggedin = NOW() WHERE Email ='$email'";
You can just use
Timesloggedin = Timesloggedin + 1
Instead of the variable.

Issue updating values in Database from mySQL query on PHP site

Been tinkering with my website, it is a seat booking website. Still in alpha testing really so not live to the public yet for obvious reasons.
However, I'm having a few problems with updating the values in my database.
I'll post the code and then explain the problem..
else {
$seatID = $_POST['form_submitted'];
$query1 = "SELECT seatTaken FROM SEATS WHERE seatNo = '$seatID'";
$result = mysql_query($query1);
while($row = mysql_fetch_array($result))
{
$taken = $row['seatTaken'];
}
$query2 = "SELECT passNo FROM PASSENGER WHERE username = '$loggedinuser'";
$result = mysql_query($query2);
while($row = mysql_fetch_array($result))
{
$passno = $row['passNo'];
}
$query3 = "SELECT groupID FROM PASSENGER WHERE username = '$loggedinuser'";
$result = mysql_query($query3);
while($row = mysql_fetch_array($result))
{
$groupno = $row['groupID'];
}
$query4 = "SELECT flightNo FROM PASSENGER WHERE username = '$loggedinuser'";
$result = mysql_query($query3);
while($row = mysql_fetch_array($result))
{
$flightno = $row['flightNo'];
}
// if ($taken = 0) {
$update = mysql_query("UPDATE PASSENGER SET seatNo = $seatID WHERE username = '$loggedinuser'");
$update2 = mysql_query("UPDATE SEATS SET seatTaken = 1, passNo = '$passNo', groupID = '$groupid' WHERE seatNo = '$seatID'");
// AND flightNo = '$flightno'"
echo '<meta http-equiv="refresh" content="5;url=http://www.mywebsite.com/">';
echo mysql_error();
//}
}
?>
Now the user will have selected their seat in the previous form hence the:
$seatID = $_POST['form_submitted'];
However, at the bottom in my queries, the only value that actually changes in the database when this PHP code is run is the boolean value of 'seatTaken', in that it does change from 0 (not occupied) to 1 (occupied).
The field passNo and groupID in my database DO NOT UPDATE as referenced here in these queries:-
$update = mysql_query("UPDATE PASSENGER SET seatNo = $seatID WHERE username = '$loggedinuser'");
$update2 = mysql_query("UPDATE SEATS SET seatTaken = 1, passNo = '$passNo', groupID = '$groupid' WHERE seatNo = '$seatID'");
Is anyone able to help? Many thanks!
Tom
Watch your variable naming and string quotation
When you're looking for values in mysql, they usually need to be a string literal (add quotes).
And your other problem is your variable names:
$update = mysql_query("UPDATE PASSENGER SET seatNo = '$seatID' WHERE username = '$loggedinuser'");
$update2 = mysql_query("UPDATE SEATS SET seatTaken = 1, passNo = '$passno', groupID = '$groupno' WHERE seatNo = '$seatID'");
$passno vs $passNo
$groupid vs $groupno
You should also make sure you properly escape any input coming from the user http://php.net/manual/en/function.mysql-real-escape-string.php
One can't see in your code how you generate the values of $groupid, $passNo, $seatID. Are those variables set when you do your update? (just echo the SQL code to see what query is being sent to your database)
Maybe you should try getting the variables from your post request, like $_POST['groupid'], if groupid is the name of the field in the form.
