-3

My sql table is not updating. I have looked through tons of documentation and I do not see why it is not working.

if (!empty($_POST['services'])){
    $username = mysql_real_escape_string($_POST['username']);
    $service = mysql_real_escape_string($_POST['services']);
    $registerquery = mysql_query("UPDATE users SET service = '".$service."' WHERE Username = '".username."'");
}
  • check for errors via php and on the query; you're not doing that. – Funk Forty Niner Dec 19 '16 at 03:21
  • 1
    if `'".username."'` is your real code, that's an undefined constant right there; forgot the `$` sign. Typo question. – Funk Forty Niner Dec 19 '16 at 03:22
  • @AnikIslamAbhi huh? I never wrote what you wrote. I wrote `username`, two different animals here from `service`. – Funk Forty Niner Dec 19 '16 at 03:28
  • Here is the form where I am declaring it. – Brent Dalling Dec 19 '16 at 03:28
  • my bad! @Fred-ii- i was also going to ask about `Username` – Anik Islam Abhi Dec 19 '16 at 03:29
  • That is how it is declared in the sql table – Brent Dalling Dec 19 '16 at 03:30
  • I think I wasn't explicit enough. Look `Username = '".username."'` that's wrong. It needs to have the dollar sign here `Username = '".$username."'` – Funk Forty Niner Dec 19 '16 at 03:32
  • Oh my god. I did not see that. – Brent Dalling Dec 19 '16 at 03:34
  • 5
    Just a small mention here: If he's using PHP 7+ that whole thing won't work no matter how perfectly correct the code is written. When will ppl finally learn `mysql_*` functions are deprecated for like almost 3 years now is it? Stop living in the stone age already.. – icecub Dec 19 '16 at 03:35
  • Let me try adding the symbol. – Brent Dalling Dec 19 '16 at 03:35
  • It still does not work. Should I update the problem? @icecub I am attempting to learn. Please respect that. – Brent Dalling Dec 19 '16 at 03:37
  • 2
    No, you're not attempting to learn. Any up-to-date book about PHP and MySQL won't teach you to use `mysql_*` functions. The same goes for any teacher. The functions are "out of commission" for almost 3 years. If you really are learning, find a proper resource like php.net. If you really wanted to learn, your comment would be: Can you tell me what I should use instead? Can you explain to me how to do it correctly? Any decent member here, including me, would be glad to help you out with that! Because that's the proper mindset! – icecub Dec 19 '16 at 03:42
  • 1
    If you are attempting to learn, never use `mysql_*` functions. Try `mysqli_*` or `PDO`. You are learning to drive a horse cart when all you can ever drive is a space ship. – bansi Dec 19 '16 at 03:43
  • I guess I worded it wrong. I'm self teaching. I am setting this up to help demonstrate to me how to sql inject. This will help as I can now update the table. – Brent Dalling Dec 19 '16 at 03:44
  • I ended up deleting my answer after seeing *"it still does not work"*. Now we're dealing with the unknown and fearing a deep rabbit hole. We've no idea which api is used to connect with or what the db schema is or what is being passed in the inputs. – Funk Forty Niner Dec 19 '16 at 03:44
  • 1
    @BrentDalling That's still no excuse to use `mysql_*` functions. Both `mysqli_*` and `pdo` are just as vulnerable to SQL injection as the old `mysql_*` is for as long as you don't use any prepared statements. – icecub Dec 19 '16 at 03:48
  • I have tried to close this twice. All I had to do was add a "s" at the end of "service" in the update command. I overlooked the fact it did not match the requested field in the table. – Brent Dalling Dec 19 '16 at 03:48
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Dec 19 '16 at 14:13
  • Please do not dump code in comments. edit your original post to add any new information (such as the form). – Jay Blanchard Dec 19 '16 at 14:16

4 Answers

0

Please update your code to use PDO. Inserting into the database could be much easier and safer using prepared statements.

For example:

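<?php
    // $db is an already-open PDO connection; $username and $service hold the submitted values.
    // The named placeholders are bound by execute(), so the values are never concatenated into the SQL text.
    $stmt = $db->prepare("UPDATE `users` SET `services`=:service WHERE `username`=:username");
    $stmt->execute(array(':username' => $username, ':service' => $service));
?>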

Here's a good resource when learning the basics of PDO. http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

Have a good one! - Scott

scwheele
  • 11
  • 1
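
The two pieces of advice above (check for errors on the query, and use prepared statements) combined in one added example; it is not code from the thread or from any answerer. It assumes a `users` table with `Username` and `services` columns, uses an in-memory SQLite database in place of MySQL so it runs without a server, and the helper name `updateServices()` and all sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Schema, sample rows and the helper
// name updateServices() are assumptions; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
// Make every failed query throw instead of failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (Username TEXT PRIMARY KEY, services TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'none'), ('bob', 'none')");

// Runs the UPDATE with bound parameters and returns the number of rows
// changed, so the caller can tell "no such user" apart from success.
function updateServices(PDO $db, string $username, string $service): int
{
    $stmt = $db->prepare(
        "UPDATE users SET services = :service WHERE Username = :username"
    );
    $stmt->execute([':service' => $service, ':username' => $username]);
    return $stmt->rowCount();
}

// 1. The question's typo (column `service` instead of `services`) now
//    surfaces as an exception naming the missing column.
try {
    $db->prepare("UPDATE users SET service = :s WHERE Username = :u")
       ->execute([':s' => 'hosting', ':u' => 'alice']);
} catch (PDOException $e) {
    echo "query failed: ", $e->getMessage(), "\n";
}

// 2. A normal update against the correct column.
echo updateServices($db, 'alice', 'hosting'), " row(s) updated\n";

// 3. Constructed value containing a quote and a comment marker: it is
//    stored verbatim as data and only bob's row changes.
echo updateServices($db, 'bob', "web'; -- design"), " row(s) updated\n";

// 4. Unknown user: the query succeeds but changes nothing.
echo updateServices($db, 'carol', 'hosting'), " row(s) updated\n";

foreach ($db->query("SELECT Username, services FROM users") as $row) {
    echo $row['Username'], " => ", $row['services'], "\n";
}
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the error mode, placeholders and `rowCount()` check stay the same.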
0

My error was that I wrote this:

    $registerquery = mysql_query("UPDATE users SET service = '".$service."' WHERE Username = '".username."'");

and I was missing the $ and an s in services. To correct this:

    $registerquery = mysql_query("UPDATE users SET services = '".$service."' WHERE Username = '".$username."'");

Thank you all for your help. I submitted another answer last night saying I found the error.

-1

I have tried to close this twice. All I had to do was add a "s" at the end of "service" in the update command. I overlooked the fact it did not match the requested field in the table.

-1

Please replace like this and execute.

 $registerquery = mysql_query("UPDATE users SET service = '".$service."' WHERE Username = '".$username."'");