Valid SQL syntax?

Question

I have a select box with three option values. When a user selects one I want to automatically update that value in the database using ajax. Is this SQL valid for what I want to achieve?

UPDATE 
  Orders 
SET 
  status='".$_POST[order_status]['.$i.']."' 
WHERE 
  ID='".$_POST[order_no]      ['.$i.']."';

Many Thanks.

Don't build SQL by smashing together strings. You've just made a big security hole. — Quentin, Sep 12 '12 at 10:36
Use [bound arguments](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) — Quentin, Sep 12 '12 at 10:36
1. As said before, don't build queries like this as its a big security threat. 2. You could have print your query and checked it with http://www.dpriver.com/pp/sqlformat.htm — shkschneider, Sep 12 '12 at 10:38

Justin John · Accepted Answer · 2012-09-12T10:52:34.570

1

Try like this

$sql ="UPDATE Orders SET
status='".$_POST['order_status'][$i]."' 
WHERE ID='".$_POST['order_no'][$i]."' ";

edited Sep 12 '12 at 10:52

answered Sep 12 '12 at 10:40

Justin John

9,223
14
70
129

Fluffeh · Answer 2 · 2012-09-12T10:41:25.740

You are using the concats inside the string incorrectly:

UPDATE Orders 
    SET status='".$_POST['order_status'][$i]."' 
    WHERE ID='".$_POST['order_no'][$i]."';

The reason being you are already splitting the string and you want to use the value of inside the array.

What you have is a string:

UPDATE Orders SET status='

and you are concat'ing a variable to it:

$_POST['order_status'][$i]

and so on...

You use the concat between strings, and don't need to use it inside the array you are including.

On that note, using $_POST data inside a query is dangerous. You really should use a prepared statement - which means you can them bind the variable safetly.

Probably because you teach him how to concat sql. That is bad. — idstam, Sep 12 '12 at 11:03

Valid SQL syntax?

2 Answers2