php error insert data with value including addition sign (+) to database

Question

There is an error while i insert "3 + 1 room" or update description area with "3 + 1 room" in MySQL database.

I saw there is no addition sign "+" in MySQL log (data inserted in database)

UPDATE testtable set status='0',title='3   1 room',
description='3 1 Daire. 1 Balkon kapalı.' WHERE id='60';

create table testtable ( id int(11), status tinyint(4), title varchar(20), 
description text) ENGINE=InnoDB DEFAULT CHARSET=utf8

php file

$baglanti=new PDO("mysql:host="localhost";dbname="test";charset=utf8",$us
ername,$passwd) or die("error");
$val=$baglanti->exec("UPDATE testtable set status='0',title='$title',
    description='$dest' WHERE ad_no='$ad_no' ");
return $val;

What should I do?

EDIT

update.php

<?php
        include("database.php");

        $fields = array();
        $values=array();
        $fvalue=$_POST['id'];

        $table=$_POST['table'];
        foreach ($_POST as $key => $value) {

                if( $key!='table' && $key!='id' && $key!='alan'){
                        if( strpos($key,"date")){
                                $datet=new DateTime($value);
                                $value=$datet->format('Y-m-d');
                        }
                        array_push($fields,$key);
                        array_push($values,$value);
                }
        }
        $alan=$_POST['alan'];

$ID=Updt($table,$fields,$values,$alan,$fvalue);

        if($ID!=0){

                echo $ID;
        }
?>

database.php

<?php 
     $baglanti=new PDO("mysql:host="localhost";dbname="test";charset=utf8",$us
ername,$passwd) or die("error"); 
#UPDATE
function Updt($table,$set,$value,$field,$fvalue){
        $bag=$GLOBALS['baglanti'];
        $sts='';
        if(is_array($set)){
                for ($i=0; $i < count($set); $i++) {
                        $sts.=$set[$i]."='".$value[$i]."',";
                }
                $sts=rtrim($sts,",");
        }else{
                $sts=$set."='".$value."'";
        }
        $val=$bag->exec("UPDATE $table set $sts WHERE $field='$fvalue'");

        return $val;
}

?>

this one, programmers wrote code. I try to take question parts from all code. There were lots of codes in file.

Does your `pdo new......` really have a line break in the middle of the `$username` variable? — RiggsFolly, Apr 18 '16 at 13:38
Do you see the message `error` on the screen or in the mysql error log — RiggsFolly, Apr 18 '16 at 13:42
Actually your connection string is a complete mess, you must be seeing `error` either on the screen or in the `mysql error log` — RiggsFolly, Apr 18 '16 at 13:47
@RiggsFolly I can'T see any error log in mysql. and I see only "3 1 room" in mysql.log.. I can manually add `Update ..... set description = "3 + 1 room" succesfully. — Ahmet Melih Başbuğ, Apr 18 '16 at 13:47
replace your connection code with this `$baglanti = new PDO("mysql:host=localhost;dbname=test;charset=utf8", $username, $passwd) or die("error");` — RiggsFolly, Apr 18 '16 at 13:49
Then you are not showing use the real code. Show us the real code — RiggsFolly, Apr 18 '16 at 13:50
@RiggsFolly I can update `UPDATE testtable set status='0',title='$title', description='3 - 1' WHERE ad_no='$ad_no'` in php code. — Ahmet Melih Başbuğ, Apr 18 '16 at 13:51
Is there any rule in PDO about special characters? I'm not programmer. database administrator . — Ahmet Melih Başbuğ, Apr 18 '16 at 13:52
As @MarkBaker said earlier `+` and `-` in a text/varchar column **are not special characters** They are just like any A-z 0-9 etc If you dont trust me truct him, he knows what he is talking about — RiggsFolly, Apr 18 '16 at 13:57
I edited. I can update using mysql command line with "+" . but In php part, it can't — Ahmet Melih Başbuğ, Apr 18 '16 at 14:07
@Álvaro González Not really very helpful towards a solution — RiggsFolly, Apr 18 '16 at 14:18
@RiggsFolly It's alright, I'll retract the close as dupe. But every time I read "special characters" and "SQL" in the same question there's someone injecting raw input into SQL code. Almost every char is special when you treat data as code. — Álvaro González, Apr 18 '16 at 14:50
@ÁlvaroGonzález Thanks I have attempted to put him on course for solving his own issue — RiggsFolly, Apr 18 '16 at 15:54

score 0 · Answer 1 · edited May 23 '17 at 11:59

My guess is that you are not generating the query you think you are.

This should allow you to see the query.

I have also added some error checking, that really should be used in this code.

I have amended the connection line as I am sure a newline in the middle of the $username variable will cause an error.

database.php

<?php 
    try {
        $baglanti = new PDO("mysql:host=localhost;dbname=test;charset=utf8",
                             $username,$passwd);
    } catch (PDOException $e) {
        echo 'Connection failed: ' . $e->getMessage();
        exit;
    }

#UPDATE
function Updt($table,$set,$value,$field,$fvalue){
    $bag = $GLOBALS['baglanti'];
    $sts='';
    if(is_array($set)){
        for ($i=0; $i < count($set); $i++) {
            $sts.=$set[$i]."='".$value[$i]."',";
        }
        $sts=rtrim($sts,",");
    }else{
        $sts=$set."='".$value."'";
    }

    $sql = "UPDATE $table set $sts WHERE $field='$fvalue'";
    echo $sql;      // you can comment this line out when you are sure the SQL is good

    $val = $bag->exec($sql);

    return $val;
}
?>

update.php

Small amendment here just so you know whats actually being returned from the function is a count and not a row ID. It could also be FALSE, indicating an error occured in the Updt() function in the query.

<?php
    include("database.php");

    $fields = array();
    $values=array();
    $fvalue=$_POST['id'];

    $table=$_POST['table'];
    foreach ($_POST as $key => $value) {

            if( $key!='table' && $key!='id' && $key!='alan'){
                    if( strpos($key,"date")){
                            $datet=new DateTime($value);
                            $value=$datet->format('Y-m-d');
                    }
                    array_push($fields,$key);
                    array_push($values,$value);
            }
    }
    $alan=$_POST['alan'];

    //$ID=Updt($table,$fields,$values,$alan,$fvalue);
    // this is not an ID it is a coumt of the number or rows
    // updated by the Updt() function

    $cnt = Updt($table,$fields,$values,$alan,$fvalue);

    if ( $cnt === FALSE ) {
        // then we had an error in Updt()
        print_r($baglanti->errorInfo(), true);
        exit;
    }

    if($cnt != 0){
        echo 'Rows updated = ' . $cnt;
    }
?>

I have to mention this as others will if I dont. Your code is open to SQL Injection you should really be using prepared statements. Maybe you should mention this to the Programmers you mentioned. Maybe you should also not assume everything they wrote was done correctly.

php error insert data with value including addition sign (+) to database

1 Answers1