updating sql table

Question

Whenever i tried to update the form using following code, the update goes silent with the 0 value in title field and previous value in content field. Can someone please help!!!

adminClass.php

update function

 if( $form_title && $form_content ){
       $sql = "UPDATE home_page
       SET title = '{$form_title}' AND content = '{$form_content}' WHERE id = {$id}";
       echo $sql;
       $result = $this->mysqli->query( $sql );
       if(!$result){
         echo 'Error'. mysqli_error();
         return;
       }else{
         $this->success_message = "Update Successfull";
         return;
       }
    }

admin.php view page

if( isset( $_POST['update'] ) ){
   $admin_obj->update($_POST, $id);
}

You have a SQL injection vulnerability. – SLaks Mar 24 '13 at 14:36 — SLaks, Mar 24 '13 at 14:36

score 3 · Accepted Answer · edited May 23 '17 at 12:11

MySQL silently cast your UPDATE statement and performs boolean operation. The server reads the update statement as

UPDATE home_page
SET title = ('{$form_title}' AND (content = '{$form_content}')) 
WHERE id = {$id}

What you are going to do is to replace the AND into , to make it work.

UPDATE home_page
SET title = '{$form_title}', content = '{$form_content}'
WHERE id = {$id}

As a sidenote, the query is vulnerable with SQL Injection if the value(s) of the variables came from the outside. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

How to prevent SQL injection in PHP?

updating sql table

adminClass.php

update function

admin.php view page

1 Answers1