-1

It won't update a row in the DB. It's just a language-changing system, and when I thought it was because of the escape post string, I then used no string passed to the query and it still won't work. So here is the code:

```php
$whatlanguage = $_GET['languageoption'];
$sql = "UPDATE people SET language=bosanski WHERE id='$user_id'";
$_POST['settingsuccess'] = 1;
if (!mysqli_query($con, $sql))
{
    echo "Error: " . mysqli_error($con);
}
```

The error

Error: Unknown column 'bosanski' in 'field list'

Machavity
Champa
  • `language=bosanski` that's a string; treat it as such. – Funk Forty Niner Feb 06 '15 at 17:24
  • 1
    what is `$whatlanguage` in there for? You don't use it anywhere, and `$user_id` never gets defined... plus, setting `settingsuccess` to true unconditionally is rather pointless. you should only do that AFTER you've confirmed success. – Marc B Feb 06 '15 at 17:26
  • **Building SQL statements with outside variables makes your code vulnerable to SQL injection attacks.** Also, any input data with single quotes in it, like "O'Malley", will blow up your query. Learn about parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174) has many detailed examples. See also http://bobby-tables.com/php for alternatives & explanation of the danger. Running SQL code built with outside data is like eating soup made from ingredients found on your doorstep. – Andy Lester Feb 06 '15 at 17:28
  • Use everything just posted a bit of the code and the settingsuccess is for caching the success so when it gets back to the settings page it displays a message – Champa Feb 06 '15 at 17:29
  • I know how to prepare the string and know a lot about MySQL, I'm just tired and didn't see I miscoded there, and tried every possible solution I could think of. – Champa Feb 06 '15 at 17:32
  • 1
    http://php.net/manual/en/function.error-reporting.php use that. – Funk Forty Niner Feb 06 '15 at 17:34

1 Answer

3

You have to quote your strings, otherwise MySQL thinks you're asking it to look at another column in the same table.

```php
$sql = "UPDATE people SET language='bosanski' WHERE id='$user_id'";
```

I also hope that $user_id isn't a raw post variable because, you know, SQL Injection.

Machavity
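The quoting fix and the parametrized-query advice from the comments, combined in an added example that is not code from the question or the answer. It uses PDO, as the comment recommends, with an in-memory SQLite database so it runs without a server; the allowed-language list, the `setLanguage` helper and the table layout are assumptions made for illustration.

```php
<?php
// Added example. Assumptions: the language allow-list, the people table
// layout, and SQLite in memory standing in for the MySQL database.

const ALLOWED_LANGUAGES = ['bosanski', 'english', 'deutsch']; // constructed list

// Hypothetical helper: returns true only when exactly one row was updated.
function setLanguage(PDO $db, int $userId, string $requested): bool
{
    // Reject anything that is not a known language before touching the DB.
    if (!in_array($requested, ALLOWED_LANGUAGES, true)) {
        return false;
    }
    // Placeholders keep the values out of the SQL text: the driver never
    // parses them as SQL, so a value cannot be mistaken for a column name
    // and an embedded single quote cannot break the statement.
    $stmt = $db->prepare('UPDATE people SET language = :lang WHERE id = :id');
    $stmt->execute([':lang' => $requested, ':id' => $userId]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, language TEXT)');
$db->exec("INSERT INTO people (id, language) VALUES (1, 'english')");

// Constructed inputs standing in for $_GET['languageoption'].
$inputs = ['bosanski', "O'Malley", 'klingon'];

foreach ($inputs as $input) {
    // Record success only after the update has been confirmed,
    // instead of setting a flag unconditionally before the query runs.
    $settingSuccess = setLanguage($db, 1, $input);
    printf("%-10s => %s\n", $input, $settingSuccess ? 'updated' : 'rejected');
}

// Show the value that ended up in the row.
$current = $db->query('SELECT language FROM people WHERE id = 1')->fetchColumn();
echo "stored language: {$current}\n";
```

With the MySQL PDO driver, `rowCount()` reports 0 when the row already holds the requested value, so treat that case separately if it should count as success.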