    <?php
    session_start();

    error_reporting(0);
    include("config.php");
    ?>
    <?php echo '<pre>' . print_r($_SESSION, TRUE) . '</pre>'; ?>

    <html>
    <head>
      <title>MR stempagina</title>
    </head>
    <body>
      <?php if( $_SESSION['user_info']['gestemd']>0){
        header("Location: logout.php");
      }
      ?>

      <?php echo $_SESSION['user_info']['name']  ?>, u kunt hier stemmen.
      <form action="stemmen.php" method="POST">
        <p>Welke ouder wilt u als vertegenwoordiger van de ouders van de HBK afdeling in de medezeggenschapsraad?</p>
        <input type="radio" name="kandidaat" value="piet"> piet<br>
        <input type="radio" name="kandidaat" value="hein"> hein<br>
        <p><input type="submit" name="stem" value="stem"></p>

    <?php

    $error = '';
    if(isset($_POST['kandidaat'])){
        echo $_POST['kandidaat'];
        $_SESSION['user_info'] = $user;
        //$query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1 WHERE id=".$_SESSION['id'];
        //$query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1";
        //$query = " UPDATE ".$SETTINGS["kandidaat"]." SET aantal = aantal+1";
        //$query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1 WHERE id='{$_SESSION['id']}'";
        $query = "UPDATE {$SETTINGS["USERS"]} SET gestemd = gestemd+1 WHERE id={$_SESSION['id']}";
        mysql_query ($query, $connection ) or die ('request "Could not execute SQL query" '.$query . ': ' . mysql_error());
    }

    ?>

      </form>
    </body>
    </html>

When I use:

    $query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1 WHERE id='{$_SESSION['id']}'";

the table column gestemd is not incremented.

When I use the same query without the WHERE it works, but of course it increments all users.

The print_r and echo are for debugging.

Thx for your help

heino
  • you're updating your entire db without a `WHERE` clause. You know that right? – Funk Forty Niner Nov 14 '18 at 15:52
  • Sorry, I forgot to mention that I know that it is because I don't use WHERE. – heino Nov 14 '18 at 15:55
  • Check that your value `$_SESSION['id']` is what you expect - it may be empty. – Nigel Ren Nov 14 '18 at 15:56
  • Have you tried checking the generated query that returns an error? Can you attach it to the question? – Nico Haase Nov 14 '18 at 15:59
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – DigiLive Nov 14 '18 at 16:13
  • I did a `<?php echo '<pre>' . print_r($_SESSION, TRUE) . '</pre>'; ?>` which gave the correct $_SESSION id. – heino Nov 14 '18 at 16:16
  • I used the next query: `$query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1 WHERE id =".$_SESSION['id'];` The error is: Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /h/b/d/h.nl/public_html/stemmen.php on line 35. This is the query line. – heino Nov 14 '18 at 16:19
  • Thx dn Fer, I know, but I would like to get it to work first and then I will make it mysqli. – heino Nov 14 '18 at 16:21
  • Nico, the query and the error are in the initial question – heino Nov 14 '18 at 16:27
  • I did some research and altered the query: `$query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1 WHERE id='{$_SESSION['id']}'";` Now it doesn't give an error, but gestemd for user 2 is not incremented while $_SESSION id = 2. – heino Nov 14 '18 at 16:36
  • Not really sure why this is being downvoted. It's a fairly reasonable report. More than enough information provided to provide an answer. – Jack hardcastle Nov 14 '18 at 16:38
  • While I'm here anyway, you could improve the formatting here. Try `$query = "UPDATE {$SETTINGS['users']} SET gestemd = gestemd+1 WHERE id {$_SESSION['user_id']}";` - means the whole thing doesn't need concatenating. This makes it easier to see you are missing an = before the WHERE component of this query. Now that we've ruled that out, let's consider other possible issues here. We know that everything in the $_SESSION is likely stored as a string, so it might be worth casting that id to an int before passing it into that query? – Jack hardcastle Nov 14 '18 at 16:40
  • Thx Jack, I had to rewrite it a little: `$query = "UPDATE {$SETTINGS["USERS"]} SET gestemd = gestemd+1 WHERE id={$_SESSION['id']}";` but it gives the same error as in the post. – heino Nov 14 '18 at 16:44
  • You have started the session before running this query, right? `session_start()` – Jack hardcastle Nov 14 '18 at 16:44
  • I also assume there's more to your code than what we see here, $user isn't set as anything looking at just the above. – Jack hardcastle Nov 14 '18 at 16:46
  • Hi Jack.my post, now the whole code is set. – heino Nov 14 '18 at 16:55
  • Why are you using a database API that's been deprecated for 10 years and hasn't even existed in PHP for 3 years now? https://stackoverflow.com/q/12859942/1255289 – miken32 Nov 14 '18 at 17:00
  • I found an example which works even though the code is deprecated. As I already mentioned, when it works I will update this code. – heino Nov 14 '18 at 17:10

1 Answer

I found the answer to the asked question:

    $query = " UPDATE ".$SETTINGS["USERS"]." SET gestemd = gestemd+1 WHERE id={$_SESSION['user_info']['id']}";

With this solution it works.

heino
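The prepared-statement approach suggested in the comments, combined with the nested session key from the answer, as an added example that is not code from the question or the answer. It assumes PDO, with an in-memory SQLite table standing in for the MySQL users table; the `registerVote` function, the table name `users`, the sample rows and the extra `gestemd = 0` condition are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO is available; SQLite in memory replaces the
// real MySQL database; table name and rows below are constructed sample data.
$SETTINGS = ['USERS' => 'users'];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, gestemd INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'anna'), (2, 'bert')");

function registerVote(PDO $pdo, array $settings, array $session): string
{
    // Identifiers cannot be bound as parameters, so the table name is
    // checked against an allow-list before it is interpolated.
    $table = $settings['USERS'] ?? '';
    if (!in_array($table, ['users'], true)) {
        throw new InvalidArgumentException('unexpected table name');
    }

    // The id is nested under user_info. A missing or non-numeric value is
    // rejected here instead of becoming "WHERE id=''", which matches no row
    // and raises no SQL error.
    $id = filter_var($session['user_info']['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'no valid user id in session';
    }

    // Bound parameter instead of string interpolation. The "gestemd = 0"
    // condition enforces one vote per user inside the same statement.
    $stmt = $pdo->prepare(
        "UPDATE {$table} SET gestemd = gestemd + 1 WHERE id = :id AND gestemd = 0"
    );
    $stmt->execute([':id' => $id]);

    // Zero affected rows is not an error for the driver; check it explicitly.
    return $stmt->rowCount() === 1 ? 'vote recorded' : 'no row updated';
}

// Session shape from the question: the id sits inside user_info.
$session = ['user_info' => ['id' => '2', 'name' => 'bert', 'gestemd' => 0]];

echo registerVote($pdo, $SETTINGS, $session), PHP_EOL;       // first vote
echo registerVote($pdo, $SETTINGS, $session), PHP_EOL;       // repeated vote
echo registerVote($pdo, $SETTINGS, ['id' => '2']), PHP_EOL;  // id at the wrong level
```

The last call reproduces the situation in the question: the id is present at the top level of the session array but not under `user_info`, and the function reports it instead of running an UPDATE that silently matches nothing.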