update table in database with ajax

Question

i want to insert selected texts in my page in table with clicking on button in my page but my problem is it doenst insert . select text is correct i tested it. response that i receive is my selected texts

This is my index page and i passed my texts into variable text

    <script src="jquery-3.2.1.min.js"></script>
    <script>
        $(document).ready(function () {
            var text = $("span:not([dir=rtl])").text();
            $("#btn").click(function () {
                $.ajax({
                    type:'post',
                    url:'process.php',
                    data:{'text':text},
                    success:(function (response) {
                        alert(response);
                    })
                })
            })
        })
    </script>

this is my process.php that connects to database and perform query but runs else statement

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "sahifeDB";
$conn = new mysqli($servername, $username, $password, $dbname);
$sql = 'update sahife_tbl set english ='. $_POST['text'].' where id=1 ';
$result = $conn->query($conn,$sql);
if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();
?>

[Turn on your PHP error reporting.](https://stackoverflow.com/a/5438125/1022914) — Mikey, Sep 01 '17 at 13:15
You do NOT want to directly concatenate POST variables into your SQL. This makes you vulnerable to SQL injection attacks - see here for how to better solve this: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Bananaapple, Sep 01 '17 at 13:15
Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) — Raymond Nijland, Sep 01 '17 at 13:19
@sepher Then you need to use quotes as shown in the answers below. Or BETTER prepared statements :O — Mikey, Sep 01 '17 at 13:21
@sepehr Why are you also running the query twice? Remove `$conn->query($conn,$sql);`. I've never used mysqli but that doesn't look right. — Mikey, Sep 01 '17 at 13:22

score 0 · Answer 1 · answered Sep 01 '17 at 13:17

0

You need to put " in update statement as datatype is text for field

change your query to:

$sql = 'update sahife_tbl set english ="'. $_POST['text'].'" where id=1 ';

Also use Prepared statement to prevent from sql injection

answered Sep 01 '17 at 13:17

B. Desai

16,414
5
26
47

score 0 · Answer 2 · answered Sep 01 '17 at 13:19

You need to put quotes around your string value in the query otherwise your DB will try to parse the text as part of the syntax and fall over.

$sql = "update sahife_tbl set english ='". $_POST['text']."' where id=1 ";

But again as mentioned in my comment on your question, this is super insecure, you want to use parameterisation instead - https://stackoverflow.com/a/60496/635522

update table in database with ajax

2 Answers2