
I have this PHP script:

$query = "UPDATE event_rsvp SET event_note = '" . $_POST[note] . "', event_rsvp_type_id = '" . $_POST[rsvpId] . "' WHERE user_id = '" . $_POST[userId] . "' AND event_id = '" . $_POST[eventId] . "'";   
$result = $mysqli->$query;
echo $query;

that echo gives me this:

UPDATE event_rsvp SET event_note = 'test', 
       event_rsvp_type_id = '4' 
WHERE user_id = '1' AND event_id = '1'

The problem is that only event_rsvp_type_id is updated in the database; event_note isn't. However, if I copy this echoed query and paste it directly into Adminer or phpMyAdmin, it works fine and updates the note as expected.

Any help? Thanks!

Jefferson
orishi
  • I don't think that code will work _at all_. What is `$mysqli->$query` supposed to do? – ChrisGPT was on strike Aug 09 '17 at 20:54
  • [Little Bobby](http://bobby-tables.com/) says **[you are at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](https://stackoverflow.com/q/5741187)** is not safe! I recommend `PDO`, which I [wrote a function for](https://stackoverflow.com/a/45514591) to make it extremely **easy**, very **clean**, and way more **secure** than using non-parameterized queries. – GrumpyCrouton Aug 09 '17 at 20:55
  • Well it certainly works in different scenarios. `$mysqli = new mysqli($dbHost, $dbUsername, $dbPassword, $dbName); mysqli_set_charset($mysqli,"utf8");` – orishi Aug 09 '17 at 20:56
  • @user235937, but `$query` is a string. You can't do `$mysqli->"SELECT * FROM foo"`, and you can't do `$mysqli->$query` either. – ChrisGPT was on strike Aug 09 '17 at 20:58
  • Oh, right... thanks a lot, I kind of didn't notice that after 16 hours in front of the PC... solved, working. – orishi Aug 09 '17 at 21:01
  • @user235937 I saw your post was edited, did my answer not help you? – GrumpyCrouton Aug 10 '17 at 12:46

1 Answer

Try the following code:

$query = $mysqli->prepare("UPDATE event_rsvp SET `event_note`=?, `event_rsvp_type_id`=? WHERE `user_id`=? AND `event_id`=?");
$query->bind_param("siii", $_POST['note'], $_POST['rsvpId'], $_POST['userId'], $_POST['eventId']);
$query->execute();

Your real problem is that you were missing the single quotes on your variables, and also `$mysqli->$query` doesn't make any sense: the `$query` part isn't a variable, it should just be `query`. I converted your code to use prepared statements as well; hopefully this will allow you to see how easy they are to use, while giving you way more security.

GrumpyCrouton
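As an added example (not GrumpyCrouton's code and not from the original post), here is the same UPDATE wrapped in a function that validates the POST fields, turns on mysqli exception reporting so a failed `prepare()` cannot be silently ignored, and reports how many rows actually changed. It assumes an existing `$mysqli` connection and the table and column names from the question; `updateRsvp` and the sample input are constructed for this illustration.

```php
<?php
// Added example: hardened version of the RSVP update from the question.
// Assumes $mysqli is an open mysqli connection to a database containing
// event_rsvp(event_note, event_rsvp_type_id, user_id, event_id).

// Make every mysqli failure throw instead of returning false; with the
// default setting a failed prepare() returns false and the later
// bind_param() call fatals with an unhelpful message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the request fields and run the UPDATE through a prepared statement.
 * Returns the number of rows changed; throws on bad input or a database error.
 */
function updateRsvp(mysqli $mysqli, array $post): int
{
    // The three ids must be positive integers. FILTER_VALIDATE_INT rejects
    // anything that is not a plain integer (e.g. '4abc' or an empty value).
    $ids = [];
    foreach (['rsvpId', 'userId', 'eventId'] as $field) {
        $value = filter_var($post[$field] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
        if ($value === false) {
            throw new InvalidArgumentException("$field must be a positive integer");
        }
        $ids[$field] = $value;
    }

    // The note is free text. Bound as a parameter it can never change the
    // SQL, so quotes like O'Brien are fine; we only cap its length.
    $note = (string) ($post['note'] ?? '');
    if (mb_strlen($note) > 1000) {
        throw new InvalidArgumentException('note is too long');
    }

    // Placeholders keep data separate from the statement text: the server
    // parses the SQL once and receives the values separately afterwards.
    $stmt = $mysqli->prepare(
        'UPDATE event_rsvp SET event_note = ?, event_rsvp_type_id = ? '
        . 'WHERE user_id = ? AND event_id = ?'
    );
    $stmt->bind_param('siii', $note, $ids['rsvpId'], $ids['userId'], $ids['eventId']);
    $stmt->execute();

    // 0 means no matching row (or nothing changed), not an error.
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Constructed sample input standing in for $_POST from the question's form.
$sample = ['note' => "O'Brien's +1", 'rsvpId' => '4', 'userId' => '1', 'eventId' => '1'];
printf("%d row(s) updated\n", updateRsvp($mysqli, $sample));
```

Checking `affected_rows` is what would have exposed the original bug immediately: a query that never reached the server changes zero rows no matter what `echo $query` prints.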