
I have a table that filters a data range by ID. That is, I'm giving an option to enter a from ID and a to ID and filter the data. Now I want to update two columns of the filtered data. Can someone tell me how to do that? I want to update using a button click.

This is my query to filter data:

SELECT * FROM pass WHERE pass_id BETWEEN '$start' AND '$end'

I have tried to update data from following query:

UPDATE pass SET  cash_s_date = '$date', cash_status = '$cstatus'
WHERE pass_id BETWEEN '$start' AND '$end'

but it doesn't work.

jarlh
  • are you facing any error? Did you get any records in `select` query? – M.Hemant May 09 '19 at 08:32
  • you're open to SQL injection and should address imminently – treyBake May 09 '19 at 08:33
  • A very basic problem is your escaping. I would recommend wrapping the query itself in double quotes and excluding the values from the query like this: `SELECT * FROM pass WHERE pass_id BETWEEN '" . htmlspecialchars($start) . "' AND '" . htmlspecialchars($end) . "'` – Spears May 09 '19 at 08:38
  • @unherz `htmlspecialchars()` shouldn't be used to escape SQL data. It's for displaying data on web pages in order to prevent XSS. – Barmar May 09 '19 at 08:45
  • What database are you using? SQL-Server, MySQL, Oracle, PostGres? – Barmar May 09 '19 at 08:47
  • Try this `UPDATE pass SET cash_s_date = '$date', cash_status = '$cstatus' WHERE pass_id >= '$start' AND pass_id <= '$end'` – Zain Farooq May 09 '19 at 08:54
  • @M.Hemant I didn't get any errors. Yes, in the select query I got records – Hansini Lakshani May 09 '19 at 09:02
  • @Barmar I'm using phpmyadmin on wampserver that I already hosted – Hansini Lakshani May 09 '19 at 09:03
  • @Barmar sure, it's not safe, but that wasn't the point here. It was just to demonstrate where he should improve the security of his query. For sure you have to escape all special chars to be parsed as string, and also it's better to use PDO! – Spears May 09 '19 at 10:18
  • Just give them a link to [how can I prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) rather than giving them bad advice. – Barmar May 09 '19 at 10:19
  • @ZainFarooq thank you. It works!! – Hansini Lakshani May 09 '19 at 11:35

1 Answer


You can also use the greater than and less than option here:

UPDATE pass SET cash_s_date = '$date', cash_status = '$cstatus' WHERE pass_id >= '$start' AND pass_id <= '$end';

However, I suggest you use prepared statements to prevent SQL injection, as this query of yours is open to SQL injection.

Zain Farooq
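
What the prepared-statement suggestion in the answer and comments can look like with PDO, as an added example that is not part of the original question or answer. The in-memory SQLite table (standing in for the MySQL `pass` table), the helper name `updateCashRange`, and the `YYYY-MM-DD` date format are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table stands in for the MySQL `pass` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pass (pass_id INTEGER PRIMARY KEY, cash_s_date TEXT, cash_status TEXT)');
$pdo->exec('INSERT INTO pass (pass_id) VALUES (1), (2), (3), (4), (5)');

// Hypothetical helper (not from the post): updates rows with pass_id in [$start, $end].
function updateCashRange(PDO $pdo, string $start, string $end, string $date, string $status): int
{
    // Range bounds must be plain non-negative integers; reject anything else up front.
    $lo = filter_var($start, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $hi = filter_var($end, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($lo === false || $hi === false || $lo > $hi) {
        throw new InvalidArgumentException('start and end must be integers with start <= end');
    }
    // The date is checked by format (assumed YYYY-MM-DD) and is still bound, never concatenated.
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare(
        'UPDATE pass SET cash_s_date = :date, cash_status = :status
         WHERE pass_id BETWEEN :start AND :end'
    );
    $stmt->bindValue(':date', $date, PDO::PARAM_STR);
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->bindValue(':start', $lo, PDO::PARAM_INT);
    $stmt->bindValue(':end', $hi, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Normal request: the form values arrive as strings and are bound as typed parameters.
echo updateCashRange($pdo, '2', '4', '2019-05-09', 'paid'), " rows updated\n";

// A crafted bound is rejected by validation before any SQL is executed.
try {
    updateCashRange($pdo, "0' OR '1'='1", '4', '2019-05-09', 'paid');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Against MySQL, only the DSN and credentials passed to `new PDO(...)` change; note that with the MySQL driver `rowCount()` by default counts only rows whose values actually changed.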