1
```php
$firstName = mysqli_real_escape_string($dbcon, $_POST['newFirstName']);
$lastName = mysqli_real_escape_string($dbcon, $_POST['newLastName']);
$emailAddress = mysqli_real_escape_string($dbcon, $_POST['newEmailAddress']);

$sqlQuery = "INSERT INTO admins (firstname, lastname, email) VALUES ('$firstName','$lastName','$emailAddress')
  ON DUPLICATE KEY UPDATE firstname ='".$firstName."' lastname='".$lastName."' email='".$emailAddress."'";
```

My issue is on the last line. AFAIK you have to use double quotes for PHP to actually insert your variable into the string, but no matter what quotes I use I get errors. What's the proper syntax for inserting the variables?

acc1999
  • 25
  • 5
  • 1
    What error do you get? – John Conde Jun 06 '18 at 12:06
  • Also note that even though you escaped your input, you are still vulnerable to SQL injection. Always prepare statements! https://stackoverflow.com/questions/22304930/is-mysqli-real-escape-string-safe – Loek Jun 06 '18 at 12:08
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Jun 06 '18 at 12:08

2 Answers

1

You are missing commas from your SQL query in between the parameters you are updating.

Additionally for your update statement, you need to specify the table and SET:

```php
"Update admins
Set firstname = '". $firstname . "' , lastname = '" . $lastname . "' " etc.
```
DKyleo
  • 806
  • 8
  • 11
1

You should separate the columns you're updating with a comma. e.g:

```php
ON DUPLICATE KEY UPDATE firstname ='".$firstName."', lastname='".$lastName."', 
email='".$emailAddress."'";
```
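As an added example (not code from the question or from either answer), here is the same upsert written as a mysqli prepared statement, which is what the commenters recommend: the column list and commas are fixed as in the answers, and the three POST values are bound to `?` placeholders instead of being spliced into the SQL text, so quoting mistakes and SQL injection are no longer possible in this query. It assumes `$dbcon` is an open `mysqli` connection and that `admins` has a unique key (the question does not say which column) for `ON DUPLICATE KEY UPDATE` to act on; the `upsertAdmin` function name and the 400 response on a missing field are choices made here, not something the page specifies.

```php
<?php
// Added example, not from the original question or answers.
// Assumes $dbcon is an open mysqli connection (as in the question) and that
// the admins table has a UNIQUE or PRIMARY key the upsert can collide on.

function upsertAdmin(mysqli $dbcon, string $firstName, string $lastName, string $emailAddress): bool
{
    // Same statement as the corrected answer, but with ? placeholders.
    // Note the commas between the columns in the UPDATE list, which the
    // original query was missing.
    $sql = "INSERT INTO admins (firstname, lastname, email) VALUES (?, ?, ?)
            ON DUPLICATE KEY UPDATE firstname = ?, lastname = ?, email = ?";

    $stmt = $dbcon->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dbcon->error);
    }

    // "ssssss": six string parameters, bound by position to the six ? markers.
    // The values are sent separately from the SQL text, so no escaping is needed
    // and no input can change the structure of the statement.
    $stmt->bind_param(
        'ssssss',
        $firstName, $lastName, $emailAddress,
        $firstName, $lastName, $emailAddress
    );

    $ok = $stmt->execute();
    if ($ok === false) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $stmt->close();
    return $ok;
}

// Usage with the same POST fields the question reads. Rejecting a missing
// field with a 400 is a choice made in this example, not part of the page.
foreach (['newFirstName', 'newLastName', 'newEmailAddress'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit("missing field: $field");
    }
}

upsertAdmin($dbcon, $_POST['newFirstName'], $_POST['newLastName'], $_POST['newEmailAddress']);
```

Binding the three values twice keeps the statement shaped exactly like the one in the answers; MySQL's `VALUES(col)` form in the `ON DUPLICATE KEY UPDATE` clause would let you bind them once instead. Because the values never become part of the query string, the `mysqli_real_escape_string()` calls from the question are no longer needed, and the quoting problem the question asks about disappears with them.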