
I wondered if anyone could shed some light as to why $newvar5 (integer) is not being passed in the UPDATE statement, but is if I explicitly declare $newvar5 = 1; for example. If I don't explicitly declare it I can still echo the type and value of $newvar5 and I get integer and 1 (respectively), where the 1 is the value returned from a select dropdown. Thanks

    <?php

    // $conn is assumed to be a mysqli connection opened earlier in the script
    $newvar3 = $_POST["area1"];
    $newvar4 = $_POST['select1'];

    $newvar5 = current($newvar4);
    settype($newvar5, "integer");

    echo $newvar5;

    /*
    The above echoes $newvar5 = 1 (its type is integer) when I select the
    first value from the select dropdown, but it doesn't work in the update
    query shown below. However, it does work if I explicitly code $newvar5=1;
    */

    if (isset($_POST['button'])) {

        $sql = "UPDATE tblContent SET content = '$newvar3' WHERE contentID='$newvar5'";

        if ($conn->query($sql) === TRUE) {
            echo "<br>";
            echo "Updated Successfully";
        } else {
            echo "Error updating record: " . $conn->error;
        }
    }
    ?>
  • Why are you using `current()` here? – Jay Blanchard Sep 18 '17 at 13:21
  • `current()` is a PHP array function which returns the currently focussed array index. Are you sure you want that? Try `$newvar5 = (int) $newvar4;` – delboy1978uk Sep 18 '17 at 13:22
  • 1
    [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a function for](http://paragoncds.com/grumpy/pdoquery/#function) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Sep 18 '17 at 13:30
  • Your variables are named very poorly; this can be an issue for you in the future and it definitely harms the readability of your code. Check out [these tips](http://www.makinggoodsoftware.com/2009/05/04/71-tips-for-naming-variables/) for variable naming. Anyone that ever has to read your code, or make any future changes to it, will be much happier with properly named variables, since you can more easily tell what's actually going on. – GrumpyCrouton Sep 18 '17 at 13:33

1 Answer


Thanks for the replies folks. Yes, I'm aware that it's open to SQL injection. That was on my to-do list. For now I just want to be able to update the database. I used current() because, as you correctly inferred, the select values are in array format. I'm still no further forward as to why this isn't working. When I declare $newvar5 = 1; the update works fine, yet when I set $newvar5 = current($newvar4); it doesn't (even though it echoes out the same value = 1 and type = integer).

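The comments above recommend prepared statements, and the question and the follow-up both turn on a dropdown value that looks like the integer 1 but behaves differently from a literal 1. The following is an added example, not code from the asker or any commenter, showing the same UPDATE written so that the id is validated explicitly (whether `select1` arrives as a scalar or as an array) and bound as an integer parameter instead of being interpolated into the SQL string. It assumes `$conn` is an open `mysqli` connection and reuses the form field names (`area1`, `select1`, `button`) and the table and column names (`tblContent`, `content`, `contentID`) from the question; the helper names `postedContentId` and `updateContent` are the example's own.

```php
<?php
// Added example (not the asker's code): the UPDATE from the question with
// explicit validation of the dropdown value and a parameterized query.
// Assumes $conn is an open mysqli connection and the form/table names
// used in the question (area1, select1, button, tblContent, content, contentID).

declare(strict_types=1);

/**
 * Reduce the posted select value to a validated integer id.
 * Accepts both a plain scalar (<select name="select1">) and an array
 * (<select name="select1[]">), which is the case where current() was needed.
 * Returns null when nothing valid was submitted.
 */
function postedContentId(array $post, string $field = 'select1'): ?int
{
    if (!array_key_exists($field, $post)) {
        return null;
    }
    $raw = $post[$field];
    if (is_array($raw)) {
        // Take the first submitted option (what current() returns on an unread array).
        $raw = reset($raw);
    }
    // FILTER_VALIDATE_INT rejects "", "1abc", "1.0" etc.; settype() would silently coerce them.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Run the UPDATE with bound parameters so neither value is ever spliced
 * into the SQL text. Returns the number of affected rows; throws on a
 * driver error.
 */
function updateContent(mysqli $conn, int $contentId, string $content): int
{
    $stmt = $conn->prepare('UPDATE tblContent SET content = ? WHERE contentID = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    // "s" binds content as a string, "i" binds contentID as an integer.
    $stmt->bind_param('si', $content, $contentId);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if (isset($_POST['button'])) {
    $contentId = postedContentId($_POST);
    $content   = (string) ($_POST['area1'] ?? '');

    if ($contentId === null) {
        echo 'No valid content id was selected';
    } else {
        try {
            $rows = updateContent($conn, $contentId, $content);
            // 0 affected rows is not a driver error: either no row has that
            // contentID or the stored content was already identical. That
            // distinction is the first thing to check when an UPDATE "does nothing".
            echo $rows > 0 ? 'Updated Successfully' : "No row changed for contentID $contentId";
        } catch (RuntimeException $e) {
            error_log($e->getMessage()); // keep driver error text out of the HTML response
            echo 'Error updating record';
        }
    }
}
```

Two design points matter here. First, `$conn->query()` returning `TRUE` only tells you the statement ran without a syntax or permission error; it says nothing about whether any row matched the `WHERE` clause, so reporting `affected_rows` separates "the query failed" from "the id did not match anything". Second, binding `contentID` with `i` means the database receives an integer regardless of how the value was typed in PHP, which removes one variable from the comparison between the literal and the dropdown-derived value.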