Php update function

Question

I wrote this code

if(isset($_POST['update'])) {
            $webname = $_POST['webname'];
            $webmeta = $_POST['webmeta'];
            $webdesc = $_POST['webdesc'];

            $sql=("UPDATE settings (name, meta, description) VALUES ('$webname', '$webmeta', '$webdesc')");
            }

but the problem is that it doesn't update my database, and I cannot find anything wrong in the code ... I have name "update" on submit button, and all my fields are the same as in code

You have confused `UPDATE` syntax with `INSERT` syntax. Which are you trying to do? [Add a new record](http://dev.mysql.com/doc/refman/5.5/en/insert.html) (looks like it), or [update an existing one](http://dev.mysql.com/doc/refman/5.5/en/update.html)? — Michael Berkowski, Dec 28 '12 at 17:49
On top of what @MichaelBerkowski states, you *really* need to read the http://stackoverflow.com/questions/7537377/how-to-include-a-php-variable-inside-a-mysql-insert-statement question/answers as your code is susceptible to SQL injection. Better still use PDO, etc. — John Parker, Dec 28 '12 at 17:51
Also please look into escaping data before putting it in SQL! — johannes, Dec 28 '12 at 17:51
Note also that this is vulnerable to SQL injection. Consider using an API supporting prepared statements, like PDO or MySQLi. — Michael Berkowski, Dec 28 '12 at 17:51

score 2 · Accepted Answer · edited Jun 20 '20 at 09:12

2

That's insert! Not update!

$sql=("UPDATE `settings` SET `name` = '$webname',
                             `meta` = '$webmeta',
                              `description` = '$webdesc')
               WHERE [some condition]");

And replace the [some condition] with a valid condition.

Your code is heavily vulnerable to SQL Injection.

Consider escaping the input by replacing these:

$webname = $_POST['webname'];
$webmeta = $_POST['webmeta'];
$webdesc = $_POST['webdesc'];

With:

$webname = mysql_real_escape_string($_POST['webname']);
$webmeta = mysql_real_escape_string($_POST['webmeta']);
$webdesc = mysql_real_escape_string($_POST['webdesc']);

Or something equivalent like PDO or MySQLi.

edited Jun 20 '20 at 09:12

Community

1
1

answered Dec 28 '12 at 17:49

Praveen Kumar Purushothaman

164,888
24
203
252

@Piggie Can you show the full code, what you have tried and connectors too? – Praveen Kumar Purushothaman Dec 28 '12 at 18:14
Posted as comment to my own post, I hope I posted all info needed – Piggie Dec 28 '12 at 18:27
Update it in the question. But where is the execution of query? – Praveen Kumar Purushothaman Dec 28 '12 at 18:29

score 0 · Answer 2 · answered Dec 28 '12 at 17:51

0

 mysql_select_db("my_db", $con);

 mysql_query("UPDATE Persons SET Age=36
    WHERE FirstName='Peter' AND LastName='Griffin'");

answered Dec 28 '12 at 17:51

DWolf

703
1
7
20

1

... Which will set _every_ name in your database to Peter Griffin, age 36. – Michael Berkowski Dec 28 '12 at 17:52
it was an example... the problem is the update syntax not the fields.. thanks for the down vote tho – DWolf Dec 28 '12 at 17:53

score 0 · Answer 3 · answered Dec 28 '12 at 17:56

0

u need to first formulate query ans then run/ execute that

$query = "UPDATE table_name
 SET column1=value, column2=value2,...
 WHERE some_column=some_value";

// Perform Query
$result = mysql_query($query);

answered Dec 28 '12 at 17:56

zafus_coder

4,451
2
12
13

score 0 · Answer 4 · answered Dec 28 '12 at 18:18

You need to run

$connection = mysql_connect($server, $serv_Username, $serv_Password);
mysql_select_db($dbase_name, $connection);
mysql_query($update_query, $connection));

I don't know if this is your problem (don't know how much you know about PHP so just saying).

Also your syntax is wrong. Should be:

UPDATE tablename SET column_name='some_value' WHERE column_name ='some_value'

note that this is diffrent from mentioned above without the thingys covering the column_name parameters.

better is to use PDO as mentioned above, mysql_ can be used "safely" on < PHP 5.5.

also make sure the user you use to login on database has update permissions and that the username and password are correct. Even if your syntax is perfect this will ruin your party. — C-TZ, Dec 28 '12 at 18:24

score 0 · Answer 5 · answered Aug 20 '15 at 06:33

   Try The code shown below
 Just replace the field names and values with your information on your database



    $editid=$_POST['editid'];
    $username=callback($_POST['username']);
    $password=callback($_POST['password']);
    $name=callback($_POST['name']);
   $age=callback($_POST['age']);
   $phone=callback($_POST['phone']);
   $emailaddress=callback($_POST['emailaddress']);
  $gender=callback($_POST['gender']);
  $description=callback($_POST['description']);

    $update=update("users","username='".$username."',password='".$password."',name='".$name."',age='".$age."',phone='".$phone."',emailaddress='".$emailaddress."',gender='".$gender."',description='".$description."' ","ID='".$editid."' " );

Php update function

5 Answers5

That's insert! Not update!

Your code is heavily vulnerable to SQL Injection.