1
mysql_connect('localhost', 'root', '')
        or die(mysql_error());
mysql_select_db('shuttle_service_system') 
or die(mysql_error());

$ID_No=$_POST['ID_No'];
$CurrentBalance = $_POST['CurrentBalance'];
$AddedAmount = $_POST['AddedAmount'];
$NewBalance = $CurrentBalance + $AddedAmount;

$sql = ("UPDATE balance
        SET Balance= '$NewBalance' 
        WHERE ID_No= '$ID_No' ");
$result=mysql_query($sql);

if($result){
        echo"Transaction successful!";
} else {
        echo "&nbsp Error";
}

Hi guys, I'm trying to update certain values in my database with the use of variables. It updates when I use brute force and not variables. I know my variables are working because I printed them before queuing the update.

Gaston Velarde
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo Mar 23 '14 at 07:22

2 Answers

1

Remove the parentheses outside this UPDATE statement

$sql = ("UPDATE balance
        SET Balance= '$NewBalance' 
        WHERE ID_No= '$ID_No' ");

It should be

$sql = "UPDATE balance
        SET Balance= '$NewBalance' 
        WHERE ID_No= '$ID_No' ";

Also, add this mysql_error() to read the exact error when your query fails.

$result=mysql_query($sql) or die(mysql_error());

This (mysql_*) extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Switching to prepared statements is even better to ward off SQL injection attacks!

Shankar Narayana Damodaran
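The switch to PDO prepared statements recommended in the answer above, applied to the question's UPDATE, as an added example that is not part of the original answer or the asker's code. It assumes the `balance` table from the question, uses an in-memory SQLite database as a stand-in so it runs without a MySQL server, and `addBalance()` plus the sample rows are constructed for illustration. It also lets the database do the addition rather than using the posted `CurrentBalance`.

```php
<?php
// Added example, not the asker's code. An in-memory SQLite database stands in
// for MySQL so the script runs offline; with MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=shuttle_service_system;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the table and column names from the question.
$pdo->exec("CREATE TABLE balance (ID_No TEXT PRIMARY KEY, Balance NUMERIC NOT NULL)");
$pdo->exec("INSERT INTO balance VALUES ('1001', 50), ('1002', 20)");

/**
 * Add $amount to one account. Returns the number of rows changed (0 or 1).
 * addBalance() is a hypothetical helper name.
 */
function addBalance(PDO $pdo, string $idNo, string $amount): int
{
    // Reject anything that is not a positive decimal amount.
    if (!preg_match('/^\d{1,7}(\.\d{1,2})?$/', $amount) || (float)$amount <= 0) {
        throw new InvalidArgumentException('Invalid amount');
    }
    // Placeholders keep the values out of the SQL text, and the addition is
    // done by the database instead of trusting a balance sent by the client.
    $stmt = $pdo->prepare(
        'UPDATE balance SET Balance = Balance + :amount WHERE ID_No = :id'
    );
    $stmt->execute([':amount' => $amount, ':id' => $idNo]);
    return $stmt->rowCount();
}

// In the page's script these would be $_POST['ID_No'] and $_POST['AddedAmount'].
var_dump(addBalance($pdo, '1001', '25.50'));      // normal request
var_dump(addBalance($pdo, "1' OR '1'='1", '10')); // treated as a literal ID

foreach ($pdo->query('SELECT ID_No, Balance FROM balance') as $row) {
    echo $row['ID_No'], ' => ', $row['Balance'], PHP_EOL;
}
```

Because the ID is bound as data, the second call can only match a row whose `ID_No` is literally that string, so the other accounts are left untouched.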
1

You forgot to add the (dot) symbol.

$result = mysql_query("UPDATE balance SET Balance='".$NewBalance."' WHERE ID_No='".$ID_No."';");

This approach is bad and you might want to read this post to prevent SQL injection.

V Setyawan