0

I have the following SQL. 

$sql_shells = "UPDATE `shells` SET `situation` = 'sold'  WHERE `id` = '" . $id . "'";
$conn->query($sql_shells);

I updated the rows with column named buytime and another one called buyer so it would be like this:

$sql_shells = "UPDATE `shells` SET `buyer`= " . $buyer . ", `buytime`= " . $trn_date . " , `situation` = 'sold'  WHERE `id` = '" . $id . "'";
$conn->query($sql_shells);

It's not updating.

`$trn_date = $trn_date = date("Y-m-d H:i:s");

and

$buyer = $_SESSION['username'];

Error log is empty.

Another SQL update doesn't have constant values and works fine

$sql_users  = "UPDATE `users` SET `amount`= " . $newAmount . ", `gain`= " . $newgain . "   WHERE `username` = '" . $buyer . "'";

I tried echoing the SQL query that's not working, this is what I get when I run it.

Wolverine
  • 1,712
  • 1
  • 15
  • 18
RanaMontana
  • 3
  • 2
  • You should quote and escape the values in the query. See https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-back-ticks-in-mysql – vuryss Jun 21 '18 at 16:57
  • i tell you it was updating before i added my modification – RanaMontana Jun 21 '18 at 16:58
  • 1
    Or better yet, you should use parameterization so that all of the issues like sql injection, proper quoting, proper escaping, and all of their pitfalls can be avoided. – JNevill Jun 21 '18 at 16:59
  • As for doing this by concatenating like you are doing you will need to add double quotes around your date like `buytime= \"" . $trn_date . "\"` Don't though; use mysqli parameter binding or PDO so you don't have to worry about this stuff and you protect your app from sql injection. – JNevill Jun 21 '18 at 17:01
  • @RanaMontana what you posted above has the updated value in quotes. The second query does not. It doesn't escape or sanitize the value either. – vuryss Jun 21 '18 at 17:01
  • print your `sql_shells` variable and see the update query string first. Hope it will help you out easily what you mess up? – A l w a y s S u n n y Jun 21 '18 at 17:03
  • done , check the picture , it doesn't miss anything wow – RanaMontana Jun 21 '18 at 17:05
  • 2
    Can I ask why you don't do this? `$sql_shells = "UPDATE shells SET buyer = '$buyer', buytime = '$trn_date', situation = 'sold' WHERE id = '$id'";`? – JeanPaul98 Jun 21 '18 at 17:07
  • 1
    lol give this dude a medal , thanks @JeanPaul98, actually a friend told me it helps to avoid sql injections – RanaMontana Jun 21 '18 at 17:10
  • Yea the query I posted is not ideal, so I would look into using prepared statements @RanaMontana – JeanPaul98 Jun 21 '18 at 17:11
  • It 100% won't help with SQL injection. You REALLY need to properly bind your values with [PDO](http://php.net/manual/en/ref.pdo-mysql.php) or [mysqli bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php) It's super simple and you can avoid so much of the issues you are have already ran into. – JNevill Jun 21 '18 at 17:12
  • @JeanPaul98 I was about to sarcastically remark that "It protects against SQL injection attacks 50% better." and then I read OPs comment and now I am sad that this was actually the truth :-/ – MonkeyZeus Jun 21 '18 at 17:23

1 Answers1

0

try to remove ` caracter and i think buytime and buyer should add ' caracter and remove it from id if is int type:

 $sql_shells = "UPDATE shells SET buyer= '" . $buyer . "', buytime= '" . $trn_date . "' , situation = 'sold'  WHERE id = " . $id ;
        $conn->query($sql_shells);
HamzaNig
  • 1,019
  • 1
  • 10
  • 33