include variable in mysql function UPDATE

Question

Why work only $txt4 and $textfinal not working?

$txt = $_GET['value'];
$txt2 = $_GET['value2'];
$txt3 = $_GET['value3'];
$txt4 = $_GET['value4'];

$txtfinal = $txt . $txt2 . $txt3;

$conn->query("UPDATE '".$txtfinal."' SET quantita = quantita + '".$txt4."'");

Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) — Paul Spiegel, Jan 20 '18 at 18:29

score 0 · Accepted Answer · answered Jan 20 '18 at 17:54

0

Remove the quotes around the table name

$conn->query("UPDATE  ".$txtfinal."  SET quantita = quantita + '".$txt4."'");
                     ^-------------^---- here

But beware - your code is wide open to SQL injections! You should use Prepared Statements and stop patching your queries together. There is almost never a reason to make the table name variable.

answered Jan 20 '18 at 17:54

juergen d

201,996
37
293
362

Yes, the quotes was the problem.Thanks i will check for injections – provva wowstore Jan 20 '18 at 17:57

score 0 · Answer 2 · answered Jan 20 '18 at 17:56

0

Try

$txtfinal = "'".$txt."',"."'".$txt2."',"."'".$txt3."'";

answered Jan 20 '18 at 17:56

Kuba Zabielski

146
2
10

1

Thank you for this code snippet, which might provide some limited, immediate help. A [proper explanation would greatly improve its long-term value](//meta.stackexchange.com/q/114762/350567) by showing *why* this is a good solution to the problem, and would make it more useful to future readers with other, similar questions. Please [edit] your answer to add some explanation, including the assumptions you've made. – iBug Jan 21 '18 at 06:55

include variable in mysql function UPDATE

2 Answers2