Updating SQL with PHP variables but not updating

Question

I've been experimenting using PHP and SQL to access a database to then be able to read and append to it.

My problem is that, however I set it out when I compared different ways to structure it. It doesn't update.

$sql = "UPDATE Test SET '$updateGet' = '$appendGet' WHERE id = '$idGet'" ;

What is the correct way without worrying about SQL injection? Also, any documentation on other ways to do this would be appreciated.

<?php
$servername = "localhost";
$username = "jenk3194";
$password = "wlFfn1";
$dbname = "jenk3194";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);

$appendGet = ($_GET["appendSend"]); # WHAT TO APPEND
$idGet = ($_GET["idSend"]); # ID TO APPEND
$updateGet = ($_GET["updateSend"]); # WHAT TO UPDATE
#$sql = "UPDATE Test SET Projection = 999 WHERE id = 1";
$sql = "UPDATE Test SET '.$updateGet.' = '.$appendGet.' WHERE id = '.$idGet.'" ;
#$sql= sprintf("UPDATE Test SET %s = %d WHERE id = %d", $updateGet, $appendGet, $idGet);
echo $sql;
?>

@MrDarkLynx It wont allow me as it says some code is formatted incorrectly but even when I did that, still the same error — Paragon Jenko, Mar 01 '17 at 11:59
You never execute the query. Have a look at `mysqli_query`. Also your code is open to **SQL injection**. Please use _prepared statements_. — MrDarkLynx, Mar 01 '17 at 12:02
@MrDarkLynx To begin with Id like to correctly update it without SQL injection being my main worry just a functioning code. So simply using the query($conn, $sql) would work? — Paragon Jenko, Mar 01 '17 at 12:07
`mysqli_query($conn, $sql);` I included this after I realised I removed it when checking my code — Paragon Jenko, Mar 01 '17 at 12:09

Toxide82 · Answer 1 · 2017-03-01T12:00:09.243

1

Your SQL should look like this:

$sql = "UPDATE Test SET '".$updateGet."' = '".$appendGet."' WHERE id = '".$idGet."';

You need to add the dots before and after php variable. If it the variable contains a string you also need to add the quotation marks.

edited Mar 01 '17 at 12:00

answered Mar 01 '17 at 11:58

Toxide82

277
1
7

Wouldn't that include the dots in the actual variable? – Paragon Jenko Mar 01 '17 at 11:59
i edit the answer should now be correct. But MrDarkLynx is also correct as your not running the SQL either. – Toxide82 Mar 01 '17 at 12:04

score 0 · Answer 2 · edited May 23 '17 at 12:25

0

You wrote something about injection so first of all you can use pdo statements as 1st security, but read up on this post Are PDO prepared statements sufficient to prevent SQL injection?.

Be safe and always check user input, it's not that if you're doing let's say email validation with your JS you can skip it in your PHP code. Security comes in layers.

edited May 23 '17 at 12:25

Community

1
1

answered Mar 01 '17 at 12:03

Tom St

908
8
15

motherhood and apple pies ... not even attempting to help OP. That would have been a fine comment. – YvesLeBorg Mar 01 '17 at 12:07
It does state that I am not worrying about SQL Injection as I'd like a working code. – Paragon Jenko Mar 01 '17 at 12:11
@AlexJenkinson so that next you gonna post the same question, on how to prevent sql injections on t? – Masivuye Cokile Mar 01 '17 at 12:13
@MasivuyeCokile Possibly, as a forum full of experts in there fields is the best way – Paragon Jenko Mar 01 '17 at 12:14
@YvesLeBorg well, your introduced much more content, didn't it? ; ) back to basics – Tom St Mar 02 '17 at 13:32

Updating SQL with PHP variables but not updating

2 Answers2