0

Here is my PHP code. This update query is not working. I'm naïve in PHP, can anyone help?

    <?php
    include "connect.php";

    $table_name="CO208#";
    $date = "3-11-2017";
    $faculty = "15PEB203";
    $value = "0";

    $sql = "UPDATE $table_name SET $faculty = '$value' WHERE Date = '$date.'";
    $result = mysqli_query($con,$sql);

    ?>
  • 1
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Nov 03 '17 at 16:20
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Nov 03 '17 at 16:20
  • A lot of problems can be detected and resolved by [enabling exceptions in `mysqli`](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) so mistakes aren't easily ignored. – tadman Nov 03 '17 at 16:20
  • You are not concatenating your string (building) correctly .. `"UPDATE " . $table_name . " SET " . $faculty . " = '" . $value . "' WHERE Date = '" . $date . "'"` – Zak Nov 03 '17 at 16:20
  • Like I have commented before: debug `mysqli_error($con)`. Side note: That's not how you prevent SQL injection attacks. – Raymond Nijland Nov 03 '17 at 16:20
  • @zak PHP is perfectly capable of interpolating strings. Why do people insist that this is a problem? – tadman Nov 03 '17 at 16:20
  • 3
    The dot within `'$date.'` looks suspicious. – Martin Backasch Nov 03 '17 at 16:22
  • @Martin I removed the dot in `$date.` but it still does not work. – Tauheed Ahmad Nov 03 '17 at 17:17
  • @Zak Thanks it worked... – Tauheed Ahmad Nov 03 '17 at 17:19
  • It works with this statement: `` $sql = "UPDATE `" .$table_name. "` SET `" .$faculty. "` = '" .$value. "' WHERE Date = '" .$date. "' "; `` – Tauheed Ahmad Nov 03 '17 at 17:20
  • Is it really updating? Because I'd believe that the date should be in YYYY-mm-dd format... –  Nov 03 '17 at 17:43
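
The points raised in the comments above (bound parameters for values, backtick-quoted identifiers, `mysqli` exceptions, date format), combined in one added example that is not code from any participant in this thread. The allowlist contents and the names `quoteIdentifier`, `toSqlDate` and `updateCell` are hypothetical, and the code assumes `connect.php` defines `$con` and that `Date` is a `DATE` column.

```php
<?php
// Added example, not the asker's code. Assumes connect.php defines $con
// (a mysqli connection), as in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

// Table and column names cannot be bound as parameters, so they are
// checked against a fixed allowlist (constructed values for illustration).
const ALLOWED_TABLES  = ['CO208#'];
const ALLOWED_COLUMNS = ['15PEB203'];

function quoteIdentifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("Identifier not allowed: $name");
    }
    // Names such as CO208# need backticks; double any embedded backtick.
    return '`' . str_replace('`', '``', $name) . '`';
}

// Assumption: `Date` is a DATE column, so d-m-Y input is converted to Y-m-d.
function toSqlDate(string $dmy): string
{
    $d = DateTimeImmutable::createFromFormat('!j-n-Y', $dmy);
    $e = DateTimeImmutable::getLastErrors(); // false on PHP 8.2+ when clean
    if ($d === false || ($e && ($e['warning_count'] || $e['error_count']))) {
        throw new InvalidArgumentException("Bad date: $dmy");
    }
    return $d->format('Y-m-d');
}

function updateCell(mysqli $con, string $table, string $column, string $value, string $date): int
{
    $sql = sprintf(
        'UPDATE %s SET %s = ? WHERE `Date` = ?',
        quoteIdentifier($table, ALLOWED_TABLES),
        quoteIdentifier($column, ALLOWED_COLUMNS)
    );
    $sqlDate = toSqlDate($date);
    $stmt = $con->prepare($sql);
    $stmt->bind_param('ss', $value, $sqlDate); // values travel separately from the SQL text
    $stmt->execute();
    return $stmt->affected_rows;
}

include "connect.php";
echo updateCell($con, 'CO208#', '15PEB203', '0', '3-11-2017'), " row(s) updated\n";
```

A return value of 0 means the `WHERE` clause matched no row or the stored value was already the same. If `Date` is stored as text in d-m-Y form, bind the original string instead of the converted one.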

0 Answers