
I'm trying to update a value in a MySQL database, but I can't do it. I'm receiving the data from the table successfully, but on update it says 'connection error'. I don't know what I'm missing.

Panel.php

    <?php
    require_once 'funciones/mysql.php';

    // Read every firefighter (bombero) to build the panel.
    $lista = $conexion->query("SELECT id, Nombre, apellidoPaterno FROM bomberos");

    if ($lista->num_rows > 0) {
        while ($row = $lista->fetch_assoc()) {
            echo "id: " . $row["id"] . " - Name: " . $row["Nombre"] . " " . $row["apellidoPaterno"] . "<br>";
            ?>
            <table class="table table-bordered">
                <tr>
                    <td>
                        <img src='images/bomberos/<?php echo $row['id']; ?>.jpg' height="10%" width="10%" style="opacity: 0.5;"/><br /><?php echo $row['Nombre'] . " " . $row["apellidoPaterno"]; ?>
                        <br />
                        <div class="icon-container">
                            <!-- Each card posts its own id to disponible.php -->
                            <form method="post" action="funciones/disponible.php">
                                <input type="hidden" name="idBombero" value="<?php echo $row['id']; ?>">
                                <button type="submit"></button>
                            </form>
                        </div>
                    </td>
                </tr>
            </table>
            <?php
        }
    } else {
        echo "0 Resultados";
    }
    $conexion->close();
    ?>

mysql.php

    <?php
    // Connection data
    $servidor = "localhost";
    $usuario = "root";
    $contraseña = "";
    $basedatos = "sidesp";
    // Create the connection
    $conexion = new mysqli($servidor, $usuario, $contraseña, $basedatos);
    // Check the connection
    if ($conexion->connect_error) {
        die("conexion fallida: " . $conexion->connect_error);
    }
    ?>

disponible.php

    <?php
    // Same directory as mysql.php, so this resolves to funciones/mysql.php
    require_once 'mysql.php';
    // The UPDATE is built directly from the request parameter; note that the
    // identifiers here are wrapped in single quotes
    $consulta = "UPDATE 'estados' SET 'estado'='1' WHERE 'id'='".$_REQUEST['idBombero']."'";
    // A file-level return ends the script without printing anything
    if ($conexion->query($consulta) === true) {
        return "Exito!";
    } else {
        return "Fallo!";
    }

And... what's the best way to secure all of it? I mean anti-SQL-injection or decoding.

2 Answers


You should use backticks for escaping. Also, you should use prepared statements:

    // Backticks quote identifiers; the id travels as a bound parameter, never as SQL text
    $consulta = "UPDATE `estados` SET `estado` = '1' WHERE `id` = ?";
    $result = $conexion->prepare($consulta);
    if ($result === false) { die('Prepare failed: ' . $conexion->error); }
    $idBombero = $_REQUEST['idBombero'];
    $result->bind_param('i', $idBombero);
    echo $result->execute() === true ? 'Success' : 'Failed: ' . $result->error;
Rotimi

Try simplifying the update query in disponible.php:

    // The id is interpolated straight into the SQL string
    $idBombero = $_REQUEST['idBombero'];
    $consulta = mysqli_query($conexion, "UPDATE `estados` SET `estado`='1' WHERE `id`='$idBombero'");

Sometimes too many single quotes and double quotes nested multiple times cause an invalid query and a syntax error. And I always recommend using ( fieldname ) for field names instead of ( 'fieldname' ) in mysqli.

Hope this helps you. Let me know if it does.

Afsal
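For completeness, here is a full disponible.php that answers the question's last line (how to secure the update) by putting the prepared-statement approach from the first answer beside the checks the original script lacks: rejecting anything other than the POST the form sends, validating the id as a positive integer before it reaches the database, turning silent mysqli failures into exceptions, and replacing the file-level `return` with a real response. This is an added example, not the asker's code or either answerer's. It assumes mysql.php defines `$conexion` exactly as shown in the question and that Panel.php posts the `idBombero` field.

```php
<?php
// Added example (not from the question or the answers): a hardened
// funciones/disponible.php. Assumes mysql.php defines $conexion as in the
// question and that the form in Panel.php posts the field idBombero.
declare(strict_types=1);

require_once 'mysql.php';

// Make mysqli throw exceptions instead of returning false, so a failed
// prepare() or execute() can never be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The panel form uses POST; do not accept the same id via GET or cookies
// ($_REQUEST merges all three).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Validate before the value goes anywhere near SQL: a positive integer only.
// filter_input returns null when the field is missing and false when invalid.
$idBombero = filter_input(INPUT_POST, 'idBombero', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($idBombero === null || $idBombero === false) {
    http_response_code(400);
    exit('Invalid idBombero');
}

// Identifiers go in backticks (single quotes would turn them into string
// literals, which is the syntax error behind the original "Fallo!"); the id is
// a bound parameter, so whatever the client sent is never parsed as SQL.
$sql = "UPDATE `estados` SET `estado` = '1' WHERE `id` = ?";

$updated = false;
try {
    $stmt = $conexion->prepare($sql);
    $stmt->bind_param('i', $idBombero);
    $stmt->execute();
    // affected_rows distinguishes "row changed" from "no such id".
    $updated = $stmt->affected_rows > 0;
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Keep the real error in the server log; the browser gets a generic message.
    error_log('disponible.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Fallo!');
}
$conexion->close();

// A bare top-level return ends the script with an empty page; send a response
// the user can see (or redirect back to Panel.php).
echo $updated ? 'Exito!' : 'Sin cambios';
```

The two changes that matter most for the "anti SQL injection" part of the question are the `FILTER_VALIDATE_INT` check and the `?` placeholder with `bind_param('i', ...)`: the first rejects malformed input at the edge, and the second guarantees that even a value that passes validation is sent to MySQL as data rather than spliced into the query string. `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` is what turns the original script's silent failure into a logged exception.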