This is my first table query, which is running in PHP. PersonID is the primary key of table employee and it is a foreign key of experience.

```php
$query = mysqli_query($conn,"UPDATE employee SET Firstname = $fname, Lastname =$lname, email_id =$email, Mobile_no =$mobile, city=$city  WHERE PersonID = $userid");
```

My second table query:

```php
$query = mysqli_query($conn,"UPDATE experience SET Company_name = $com, Location =$local, Year_Of_Experience =$year, Description =$description  WHERE id = $userid");
```

Does anyone have any idea how to update two tables with a common ID with multiple columns?

knight007
  • You can execute the queries one by one – jophab Sep 06 '17 at 13:11
  • But the query is not executing – knight007 Sep 06 '17 at 13:15
  • Try giving single quotes around character columns – jophab Sep 06 '17 at 13:16
  • PersonID is primary key of table employee and it is foreign key of experience. – knight007 Sep 06 '17 at 13:18
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Sep 06 '17 at 13:33

1 Answer

Add quotes for values.

```php
$query = mysqli_query($conn,"UPDATE employee SET Firstname = '$fname', Lastname ='$lname', email_id ='$email', Mobile_no ='$mobile', city='$city'  WHERE PersonID = '$userid'");
```

This method is prone to security vulnerabilities. I recommend using prepared statements instead for better security. You can learn how to do it here: http://php.net/manual/en/mysqli.prepare.php and https://www.w3schools.com/php/php_mysql_prepared_statements.asp

Anandhu Nadesh
  • This is poor advice, use of this technique will lead to security vulnerabilities. Please use [prepared statements](http://php.net/manual/en/mysqli.prepare.php) instead. – Alex Howansky Sep 06 '17 at 13:37
  • Do the same for the second query. Add single quotes for the values – Anandhu Nadesh Sep 06 '17 at 13:39
  • @AlexHowansky Ha haa...I was just trying to help him by pointing out what he was missing. He is happy with that. It's just as simple as that, and it works. Please provide a prepared statement if you are too worried about the vulnerabilities. – Anandhu Nadesh Sep 06 '17 at 13:45
  • Yes, I understand, and appreciate your efforts, but there are two problems with this approach. The main one is that @knight007 has now learned a bad habit. But also, other future SO users will see that this answer is accepted and thus base their own code off it, further propagating the issue. There are plenty of examples of prepared statements in the links I have posted. – Alex Howansky Sep 06 '17 at 13:51
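
The prepared-statement approach recommended in the comments, applied to both UPDATE queries from the question and wrapped in a transaction so the two tables change together. This is an added example, not code posted by anyone in the thread: table and column names come from the question, while the function name, the array keys and the transaction wrapper are assumptions.

```php
<?php
// Added example (not from the thread). Column names are the question's;
// the function name and the $emp / $exp array keys are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function updateEmployeeAndExperience(mysqli $conn, int $userid, array $emp, array $exp): void
{
    // Both updates succeed or neither does (requires a transactional engine such as InnoDB).
    $conn->begin_transaction();
    try {
        // Values travel separately from the SQL text, so quotes in the data
        // (e.g. the surname O'Brien) can neither break nor alter the query.
        $stmt = $conn->prepare(
            'UPDATE employee
                SET Firstname = ?, Lastname = ?, email_id = ?, Mobile_no = ?, city = ?
              WHERE PersonID = ?'
        );
        $stmt->bind_param('sssssi',
            $emp['fname'], $emp['lname'], $emp['email'], $emp['mobile'], $emp['city'],
            $userid);
        $stmt->execute();
        $stmt->close();

        // WHERE id = ? mirrors the question's second query. The year is bound
        // as a string because the column type is not given; MySQL converts it.
        $stmt = $conn->prepare(
            'UPDATE experience
                SET Company_name = ?, Location = ?, Year_Of_Experience = ?, Description = ?
              WHERE id = ?'
        );
        $stmt->bind_param('ssssi',
            $exp['company'], $exp['location'], $exp['year'], $exp['description'],
            $userid);
        $stmt->execute();
        $stmt->close();

        $conn->commit();
    } catch (mysqli_sql_exception $e) {
        $conn->rollback(); // leave both tables untouched on any failure
        throw $e;
    }
}

// Usage with constructed sample values ($conn is an open mysqli connection):
// updateEmployeeAndExperience($conn, 7,
//     ['fname' => 'Ann', 'lname' => "O'Brien", 'email' => 'ann@example.com',
//      'mobile' => '5550100', 'city' => 'Pune'],
//     ['company' => 'Example Ltd', 'location' => 'Pune', 'year' => '3',
//      'description' => 'Backend developer']);
```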