
Ok so I am wondering if there is a simple way to make Addonetothis in my code add its current INT + 1 whenever this code is run?

```php
<?php
$server = "localhost";
$user = "**********";
$pass = "**********";
$dbname = "**********";

//Creating connection for mysqli

$conn = new mysqli($server, $user, $pass, $dbname);

//Checking connection

if ($conn->connect_error) {
    die("Connection failed:" . $conn->connect_error);
}

$article_id = $_GET['id'];

if ( ! is_numeric($article_id))
    die("Looks like you are lost!  <a href='#'>Back to Home</a> ");

$sql = "UPDATE Example SET addonetothis='+ 1' WHERE `ID` =$article_id";

if ($conn->query($sql) === TRUE) {
    header("Refresh:1; url=example.php?id=$article_id");
    echo "Thank you!";
} else {
    echo "Error" . $sql . "<br/>" . $conn->error;
}
$conn->close();
```
Funk Forty Niner
Sheldon C
  • Is the badly styled name Addonetothis an int or a varchar? – TimBrownlaw Nov 13 '17 at 01:25
  • That's just a quick example; I changed all the names from the original code due to personal reasons. (It is an INT) – Sheldon C Nov 13 '17 at 01:27
  • 1
    Your code is vulnerable to [SQL Injection](http://bobby-tables.com/). If you are using mysqli then try using `parameter binding` and `prepared statements`. – EhsanT Nov 13 '17 at 01:31
  • I rolled the question back to a previous revision. What you edited https://stackoverflow.com/revisions/47255827/5 after the question was solved wasn't required. You can't do what you did, it doesn't work that way here. Accepting the answer is all you needed to do. – Funk Forty Niner Nov 13 '17 at 01:38

1 Answer


So you would have seen that...

```php
$sql = "UPDATE Example SET Addonetothis='+ 1' WHERE `ID` =$article_id";
```

will blow up if Addonetothis is defined as an integer in your Database table as you are setting it to a string.

What you are looking for is something like...

```php
$sql = "UPDATE Example SET AddOneToThis = AddOneToThis + 1 WHERE `ID` =$article_id";
```
TimBrownlaw
  • That worked perfectly, thank you! Looking now I see what you mean; I completely overlooked that I was setting a string with ' '... – Sheldon C Nov 13 '17 at 01:33
  • Yes, I've not delved into the possible SQL Injection issues and other traps as others have been commenting... So please read the other comments regarding this. – TimBrownlaw Nov 13 '17 at 01:33
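As an added example (not code from the question or the answer above), here is the same increment written with a mysqli prepared statement and a strictly validated integer id, which closes the injection point the comments mention. It keeps the page's table and column names (`Example`, `AddOneToThis`, `ID`); the connection credentials are placeholders.

```php
<?php
// Added example, not the original poster's code. Table Example, integer
// column AddOneToThis and key column ID are taken from the question above;
// the credentials below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Validate as a plain integer. is_numeric() also accepts "1.5" or "1e3";
// FILTER_VALIDATE_INT returns false for anything that is not an integer.
$article_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($article_id === false || $article_id === null) {
    http_response_code(400);
    die("Looks like you are lost!  <a href='#'>Back to Home</a> ");
}

$conn = null;
try {
    $conn = new mysqli("localhost", "db_user_placeholder",
                       "db_pass_placeholder", "db_name_placeholder");

    // The increment happens inside SQL (column = column + 1), so two
    // concurrent requests cannot lose an update the way a read-modify-write
    // in PHP could. The id is bound as a parameter, never interpolated.
    $stmt = $conn->prepare(
        "UPDATE Example SET AddOneToThis = AddOneToThis + 1 WHERE `ID` = ?"
    );
    $stmt->bind_param("i", $article_id);
    $stmt->execute();

    if ($stmt->affected_rows === 1) {
        // $article_id is a validated int, so it is safe to place in the header.
        header("Refresh:1; url=example.php?id=$article_id");
        echo "Thank you!";
    } else {
        http_response_code(404);
        echo "No article with that id.";
    }
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Keep the detail server-side; never echo $conn->error or the SQL text
    // to the browser, as the original script did.
    error_log("increment failed for id $article_id: " . $e->getMessage());
    http_response_code(500);
    echo "Something went wrong.";
} finally {
    if ($conn instanceof mysqli) {
        $conn->close();
    }
}
```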