0

I'm trying to update a row in a MySQL table with PHP, but for some reason it doesn't work.

I have validation and some checks on the variables and all of them work great. When I var_dump the variable in the PHP statement everything is great, so I guess the problem is in the query code to MySQL. I will be really happy if you can help me!

This is the php part:

```php
if (isset($_POST['editIdea'])) {
    $editIdea = trim($_POST['editIdea']);
    $editIdea = preg_replace('/[^А–Яа-яА-ЯA-Za-z0-9\. -!?,.@]/u', '', $editIdea);
    $editMoney = trim($_POST['editMoney']);
    $editMoney = preg_replace('/[^0-9\.]/', '', $editMoney);
    $editLong = trim($_POST['editLong']);
    $editLong = preg_replace('/[^А–Яа-яА-ЯA-Za-z0-9\. -!?,.@]/u', '', $editLong);
    $idnow = $_SESSION['id'];
    $error = false;

    if (mb_strlen($editIdea) < 3 || mb_strlen($editIdea) > 40) {
        echo '<b><p id="wrongname"> *blabla1 </b></p>';
        $error = true;
    }

    if (mb_strlen($editLong) < 9 || mb_strlen($editLong) > 400) {
        echo '<b><p id="wronglongtext">*blabla2</b></p>';
        $error = true;
    }

    if ($editMoney == false) {
        echo '<b><p id="wrongmoney"> *blabla3 </p> </b>';
        $error = true;
    }

    if (!$error) {
        var_dump($editIdea);
        var_dump($editMoney);
        var_dump($editLong);
        $sql = "UPDATE `Registration` SET `nameidea` = '$editIdea' , `moneyidea` = '$editMoney' , `explainidea`= '$editLong' WHERE `id` = '$idnow' ";
    }
    else {
        echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
    }
}
```

So to say again my progress till now:

All var_dumps near the query statement are working great, variables have the information that I want to send. There are no errors in the php log. The statement doesn't go in the else, so I can't see any error or more information.

Also, I was trying with and without the "`" near the rows and database names.

Where is my mistake in the query syntax?

Thanks in advance again!

**All the names of the database and rows are correct and double checked.

  • 1
    [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Dec 04 '17 at 19:47
  • 4
    `$sql = "..."` defines a variable. It doesn't run a query. – FirstOne Dec 04 '17 at 19:47
  • 1
    You'll need to execute the query. – AbraCadaver Dec 04 '17 at 19:48
  • To answer your "answer", http://php.net/manual/en/mysqli.query.php. But you really should use http://php.net/manual/en/mysqli.quickstart.prepared-statements.php. – chris85 Dec 04 '17 at 19:56

1 Answer

0

Add this code after $sql = ....

```php
$link = mysqli_connect("localhost", "my_user", "my_password", "db_name");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

if (!mysqli_query($link, $sql)) {
    printf("Error message: %s\n", mysqli_error($link));
}

/* close connection */
mysqli_close($link);
```
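
The comments under the question recommend prepared statements. The following is an added example, not part of the original answer or the asker's code, showing the same `UPDATE` executed through a mysqli prepared statement with errors surfaced as exceptions. The function name `updateIdea` is hypothetical, the credentials are the placeholders from the answer, binding `moneyidea` as a string and using `utf8mb4` are assumptions, and the question's length checks are expected to run before this point.

```php
<?php
// Make mysqli throw exceptions so a failed connect/prepare/execute is never silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: update one row of `Registration`.
 * Values are bound as parameters and never interpolated into the SQL text.
 * Returns the number of rows MySQL reports as changed.
 */
function updateIdea(mysqli $link, int $id, string $name, string $money, string $explain): int
{
    $stmt = $link->prepare(
        'UPDATE `Registration`
            SET `nameidea` = ?, `moneyidea` = ?, `explainidea` = ?
          WHERE `id` = ?'
    );
    // "sssi": three strings and one integer, in placeholder order.
    $stmt->bind_param('sssi', $name, $money, $explain, $id);
    $stmt->execute();                 // the step the question's code never performs
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

session_start();
if (isset($_POST['editIdea'], $_POST['editMoney'], $_POST['editLong'], $_SESSION['id'])) {
    try {
        // Placeholder credentials, as in the answer above.
        $link = new mysqli('localhost', 'my_user', 'my_password', 'db_name');
        $link->set_charset('utf8mb4'); // assumption: UTF-8 connection for Cyrillic text
        $changed = updateIdea(
            $link,
            (int) $_SESSION['id'],
            trim($_POST['editIdea']),
            trim($_POST['editMoney']),
            trim($_POST['editLong'])
        );
        $link->close();
        // 0 means no row matched the id, or the stored values were already identical.
        echo $changed === 1 ? 'Saved.' : 'Nothing changed.';
    } catch (mysqli_sql_exception $e) {
        // Log the database error server-side; do not echo it to the browser.
        error_log('Idea update failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not save your changes.';
    }
}
```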