I am wondering what mistake has been made in this pretty simple update statement using an old version of PHP. If I echo the statement, it says the update statement is getting the form submission properly.

Here is the code:

```php
<?php
echo $q = "UPDATE notice SET FromDate = $notice_fromdate, ToDate = $notice_todate, VacType ='$notice_vactype',NoticeDetail ='$notice_detail',Status ='$notice_status' WHERE ID=$id";

if (mysql_query($link, $q)) {
    echo "Record updated successfully";
} else {
    echo "<h3>Error updating record</h3>". mysql_error($link)."-". mysql_errno($link). "\n";
}

?>
```

And the output returns this:

```
UPDATE notice SET FromDate = 2017-01-08, ToDate = 2017-01-09, VacType ='May Day',NoticeDetail ='Testing',Status ='Enabled' WHERE ID=3
Error updating record
-0
```

I know it's a pretty simple thing. I guess I have not made any mistake in the update statement, but instead it is showing "Error updating record". I copied the output SQL statement and ran it in phpMyAdmin, and it worked properly. It would be nice if you could help me. Thanks in advance.

Note: The client's website is built on an old version of PHP. I know that a few functions got deprecated, so it would be better if you do not discuss or criticize the version.

Funk Forty Niner
  • **WARNING**: If you're just learning PHP, please, do not use the [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface. It’s so awful and dangerous that it was removed in PHP 7. A replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. Your user data is **not** [properly escaped](http://bobby-tables.com/php.html) and there are [SQL injection bugs](http://bobby-tables.com/) and can be exploited. – tadman Jan 12 '17 at 08:00
  • I'd give you a PDO example but I feel you already know that you shouldn't be using Mysql_ judging by your statement `"pretty simple update statement using old version of php."` – Option Jan 12 '17 at 08:15
  • The problem is that you're self-inflicting SQL injection so your date becomes an arithmetic operation. – Álvaro González Jan 12 '17 at 09:17
  • If you're connecting with the mysql_ API instead of mysqli_, then this failed you: `mysql_query($link, $q)` - In mysql_, the connection comes second, not first as it does in the mysqli_ API, and it is unknown which API you are using to connect with. – Funk Forty Niner Jan 12 '17 at 13:18
  • @ÁlvaroGonzález I believe the root of the problem is ^ ^ ^ then followed by their not using quotes around string values. – Funk Forty Niner Jan 12 '17 at 13:24
  • @ÁlvaroGonzález Another thing; the duplicate you chose "might" address their error, but the real duplicate for this should have been [When to use single quotes, double quotes, and backticks in MySQL](http://stackoverflow.com/q/11321491/1415724). Look at their echo'd query; that failed on 2 counts: **1)** not quoting string values. **2)** placing the connection link first, rather than second (in mysql_). – Funk Forty Niner Jan 12 '17 at 13:36
  • @Fred-ii- Oops... Reopening. Feel free to add an answer so you can get the credit. – Álvaro González Jan 12 '17 at 15:00
  • @ÁlvaroGonzález No problemo. I feel the question shouldn't be closed with the other one I mentioned, since, and for a few reasons, the mysql API they connect with is unknown, and they might have come from mysql_ legacy code and may have forgotten to include the `i` for it, since their syntax for the query kind of suggests it. However, if it is mysql_, then their sequence is obviously incorrect, and the (string) values should be quoted. I was going to post an answer for it but I decided not to, since it may lead to more problems/comments etc. They have enough to fix their code. – Funk Forty Niner Jan 12 '17 at 15:04

1 Answer

Apply quotes to the dates and it will work:

```php
<?php
echo $q = "UPDATE notice SET FromDate = '$notice_fromdate', ToDate = '$notice_todate', VacType ='$notice_vactype',NoticeDetail ='$notice_detail',Status ='$notice_status' WHERE ID=$id";

if (mysql_query($link, $q)) {
    echo "Record updated successfully";
} else {
    echo "<h3>Error updating record</h3>". mysql_error($link)."-". mysql_errno($link). "\n";
}

?>
```
NITIN PATEL
  • This is a hack. The real problem is a complete lack of escaping. – tadman Jan 12 '17 at 08:01
  • @tadman Actually, the answerer made the same error as the OP: `mysql_query($link, $q)` - They're (also) putting the wagon before the horse, *as it were*; probably the root of the (real) problem. However, if the OP connected with the mysqli_ API, well we know how that will end as. – Funk Forty Niner Jan 12 '17 at 13:17
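
Added example, not part of the original thread or anyone's posted code: the same UPDATE written with PDO bound parameters, next to the unquoted interpolation from the question, to show the date-as-arithmetic effect and the escaping gap the comments point out. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite table as a stand-in for the MySQL `notice` table; the column types and the input values are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL `notice` table so the
// script needs no server (requires pdo_sqlite); column types are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notice (ID INTEGER PRIMARY KEY, FromDate TEXT, ToDate TEXT,
            VacType TEXT, NoticeDetail TEXT, Status TEXT)');
$pdo->exec('INSERT INTO notice (ID) VALUES (3)');

// Constructed form input: the question's echoed values, plus an apostrophe in
// the detail text that would terminate a hand-quoted string literal early.
$input = [
    'from' => '2017-01-08', 'to' => '2017-01-09', 'type' => 'May Day',
    'detail' => "Client's test", 'status' => 'Enabled', 'id' => '3',
];

// 1) Unquoted interpolation, as in the question: 2017-01-08 is parsed as the
//    arithmetic expression 2017 - 1 - 8, not as a date.
$pdo->exec("UPDATE notice SET FromDate = {$input['from']} WHERE ID = 3");
$unquoted = $pdo->query('SELECT FromDate FROM notice WHERE ID = 3')->fetchColumn();

// 2) Validate the dates, then bind every value as a parameter so no input is
//    ever spliced into the SQL text.
foreach (['from', 'to'] as $key) {
    $d = DateTime::createFromFormat('!Y-m-d', $input[$key]);
    if ($d === false || $d->format('Y-m-d') !== $input[$key]) {
        throw new InvalidArgumentException("Invalid date in '$key'");
    }
}
$stmt = $pdo->prepare(
    'UPDATE notice
        SET FromDate = :from, ToDate = :to, VacType = :type,
            NoticeDetail = :detail, Status = :status
      WHERE ID = :id'
);
foreach (['from', 'to', 'type', 'detail', 'status'] as $key) {
    $stmt->bindValue(":$key", $input[$key], PDO::PARAM_STR);
}
$stmt->bindValue(':id', (int) $input['id'], PDO::PARAM_INT);
$stmt->execute();

$row = $pdo->query('SELECT FromDate, NoticeDetail FROM notice WHERE ID = 3')
           ->fetch(PDO::FETCH_ASSOC);
echo "unquoted interpolation stored: $unquoted\n";
echo "bound parameter stored: {$row['FromDate']} / {$row['NoticeDetail']}\n";
echo "rows updated: {$stmt->rowCount()}\n";
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the prepared statement and bindings stay the same.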