I tried to update data from the form in edit1.php to setswim.php, but it gives an error:

Warning: mysqli::query(): Empty query in C:\xampp\htdocs\admin\setswim.php on line 9

```php
<?php

include "includes/db.php";
$checklogin = mysqli_query($con, "SELECT * FROM `students`");

if (isset($_POST['submit'])) {
    $sql = mysqli_query($con, "UPDATE students SET student_number='" . $_POST['student_number'] . "',student_name='" . $_POST['student_name'] . "',student_last='" . $_POST['student_last'] . "',id_student='" . $_POST['id_student'] . "',student_address='" . $_POST['student_address'] . "',student_collage='" . $_POST['student_collage'] . "',student_datebirth='" . $_POST['student_datebirth'] . "',student_email='" . $_POST['student_email'] . "'");
    //   $result = mysqli_query($con,$sql);
    $result = $con->query($sql);

    if (!$result) {
        mysqli_error($con) . "[ $sql]";
    }
}
```
Dharman
Amer Abo Tbk
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 14 '17 at 15:13
  • Well, I guess you're doing something wrong when calling `$con->query`, because sometimes you send a mysqli result object, and sometimes you send a string. Need to see your db.php code in order to see what's going on behind the scenes. – Andrew Larsen Apr 14 '17 at 15:17
  • In setswim.php, you're passing an attempted mysqli_result into mysqli_query at `$result = $con->query($sql);`. That won't work. – aynber Apr 14 '17 at 15:17

1 Answer

The issue is here

```php
$sql = mysqli_query($con, "UPDATE students ...");
$result = $con->query($sql);
```

A mysql result is stored in `$sql` and then used in `query()`, which takes a string.

Only needs to be

```php
$result = mysqli_query($con, "UPDATE students ...");
```

or

```php
$result = $con->query("UPDATE students ...");
```

but not both. I would use $con->query();

castis
  • You likely have a problem with your update statement and will need to investigate the contents of the `$result` variable to see if anything went wrong. [this is the structure of `$result`](http://php.net/manual/en/class.mysqli-result.php) – castis Apr 14 '17 at 15:52
  • `$result = $con->query("UPDATE students SET student_number='".$_POST['student_number']."',student_name='".$_POST['student_name']."',student_last='".$_POST['student_last']."',id_student='".$_POST['id_student']."',student_address='".$_POST['student_address']."',student_collage='".$_POST['student_collage']."',student_datebirth='".$_POST['student_datebirth']."',student_email='".$_POST['student_email']."'");` t – Amer Abo Tbk Apr 14 '17 at 15:54
  • I do not know. You need to check for errors after `query()`. – castis Apr 14 '17 at 15:56
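
The UPDATE from the question written as a single mysqli prepared statement with bound parameters, as the first comment recommends; this is an added example, not code from the question or the answer. It assumes `includes/db.php` defines `$con` as a mysqli connection and that `id_student` identifies the row to update; the `WHERE` clause is that assumption made explicit, since the statement in the question has none and would change every row in `students`.

```php
<?php
// Added example, not the asker's or answerer's code.
include "includes/db.php"; // assumed to define $con as a mysqli connection, as in the question

// Throw mysqli_sql_exception on failure instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Column names copied from the question's UPDATE; they are fixed here, never taken from input.
$columns = ['student_number', 'student_name', 'student_last', 'student_address',
            'student_collage', 'student_datebirth', 'student_email'];

if (isset($_POST['submit'])) {
    $values = [];
    foreach (array_merge($columns, ['id_student']) as $name) {
        // Reject missing fields and array-valued fields (e.g. student_name[]=x).
        if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
            http_response_code(400);
            exit('Missing or invalid field: ' . $name);
        }
        $values[] = $_POST[$name];
    }

    // Build "col = ?, col = ?, ..." from the fixed list; only placeholders reach the SQL text.
    $assignments = [];
    foreach ($columns as $name) {
        $assignments[] = "`$name` = ?";
    }
    // Assumption: id_student is the row key, so it moves from the SET list to WHERE.
    $sql = 'UPDATE students SET ' . implode(', ', $assignments) . ' WHERE id_student = ?';

    try {
        $stmt = $con->prepare($sql);   // the query string is passed exactly once
        $stmt->bind_param(str_repeat('s', count($values)), ...$values);
        $stmt->execute();              // values are sent separately from the SQL text
        echo 'Rows updated: ' . $stmt->affected_rows;
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        error_log('students update failed: ' . $e->getMessage()); // details go to the log only
        http_response_code(500);
        echo 'Update failed.';
    }
}
```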