I am trying to update my table row but can't get it to succeed.

Here is the error that is coming:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Current_date = '2017-03-30', Content = 'This is first notification te' at line 2

Here is my code:

if(!empty($_FILES) || isset($_FILES['Details_file'])){
    $filetmp = $_FILES["Details_file"]["tmp_name"];
    $filename = $_FILES["Details_file"]["name"];
    $filetype = $_FILES["Details_file"]["type"];
    $filepath = "notification/".$filename;

    move_uploaded_file($filetmp, $filepath);        

    echo $_POST['post_date'];
    $stmt = $con1->prepare("UPDATE notification SET 
        Current_date = '".$_POST['post_date']."',
        Content = '".$_POST['Content']."',
        File_name= '".$filename."',
        File_path ='".$filepath."',
        Apply_link = '".$_POST['apply_now']."',
        Last_date = '".$_POST['Last_date']."'
        WHERE id = '".$_POST['fetch_id']."'") or die(mysqli_error($con1));

    $stmt->execute(); 
    $stmt->close();     
}

Can anyone tell me what the problem is with my code here?

miken32
Mahi
    Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Mar 30 '17 at 18:42
  • You should use Mysqli prepared statements, try using mysqli_real_escape if you don't want to use prepared statements because the format of your variables is throwing it off – clearshot66 Mar 30 '17 at 18:43
  • `mysqli_real_escape_string()` is *not* insurance against SQL injection attacks @clearshot66 The OP should bind their variables. – Jay Blanchard Mar 30 '17 at 18:50
  • @JayBlanchard I'm aware. and I actually stated that they should USE PREPARED STATEMENTS, but if they aren't going to convert to them, to at least use escape strings. – clearshot66 Mar 30 '17 at 18:53
  • They used a prepared statement, they just didn't bind their variables @clearshot66 – Jay Blanchard Mar 30 '17 at 18:56

2 Answers

There is no point in prepare() and execute() if you aren't using them properly. Try this instead:

$query = "UPDATE notification SET `Current_date`=?, `Content`=?, `File_name`=?, `File_path`=?, `Apply_link`=?, `Last_date`=? WHERE `id`=?";
$stmt = $con1->prepare($query);
$stmt->bind_param("ssssssi", $_POST['post_date'], $_POST['Content'], $filename, $filepath, $_POST['apply_now'], $_POST['Last_date'], $_POST['fetch_id']);
$stmt->execute(); 
$stmt->close();

You'll want to check the return values of each step (prepare, bind, execute) to ensure there are no errors being returned.

miken32

Current_date is a reserved keyword in MySQL, so in order to use it as a name of the column, you would need to enclose it in backticks.

Jirka Hrazdil
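Putting both answers together, here is an added example (not code from the question or from either answerer) of the asker's handler rewritten so that every user-supplied value is bound as a parameter, the reserved column name is backtick-quoted, and a failed prepare/bind/execute cannot pass silently. It assumes an open mysqli connection in `$con1` and the `notification` table and column names from the question; `handleNotificationUpdate()` is a hypothetical name.

```php
<?php
// Added example: hardened version of the update handler from the question.
// Assumes $con1 is an open mysqli connection; handleNotificationUpdate() is hypothetical.

// Make mysqli throw exceptions instead of returning false, so a failing
// prepare(), bind_param() or execute() is never ignored (the check answer 1 asks for).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function handleNotificationUpdate(mysqli $con1, array $post, array $files): bool
{
    if (!isset($files['Details_file']) || $files['Details_file']['error'] !== UPLOAD_ERR_OK) {
        return false;
    }

    // basename() drops any directory part of the client-supplied file name, so the
    // upload can only be written inside the notification/ directory.
    $filename = basename($files['Details_file']['name']);
    $filepath = 'notification/' . $filename;

    if (!move_uploaded_file($files['Details_file']['tmp_name'], $filepath)) {
        return false;
    }

    // `Current_date` is a reserved word (answer 2), hence the backticks.
    // Every user-controlled value is a ? placeholder; nothing is concatenated into SQL.
    $sql = 'UPDATE notification SET `Current_date` = ?, `Content` = ?, `File_name` = ?, '
         . '`File_path` = ?, `Apply_link` = ?, `Last_date` = ? WHERE `id` = ?';

    $stmt = $con1->prepare($sql);
    // Six strings followed by the integer id; the int cast rejects non-numeric ids.
    $id = (int) $post['fetch_id'];
    $stmt->bind_param('ssssssi',
        $post['post_date'], $post['Content'], $filename, $filepath,
        $post['apply_now'], $post['Last_date'], $id);
    $stmt->execute();

    // affected_rows is 0 when no row has that id (or nothing changed); report that
    // as "not updated" rather than success.
    $updated = $stmt->affected_rows > 0;
    $stmt->close();
    return $updated;
}

try {
    $ok = handleNotificationUpdate($con1, $_POST, $_FILES);
} catch (mysqli_sql_exception $e) {
    // Keep the server-side detail in the log; show the user only a generic failure.
    error_log($e->getMessage());
    $ok = false;
}
```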