I have tried to run this code from Postman, but it does not update my MySQL database table. It shows "Failed to execute the query".

It shows the error message: "Data saving error. Please try again!"

```php
<?php 
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET,POST');
header("Access-Control-Allow-Header: H-Requested-With");

$con = mysqli_connect("localhost","root","","savedata");

$srno = $_POST["srno"];
$name = $_POST["name"];

$sql = "UPDATE savedata name= '$name' WHERE srno = '$srno'";

if($con->query($sql) === TRUE){
    echo "Success";
}else{
    echo "Data saving error. Please try again!";
}
?>
```
Sachin Muthumala

You need a `SET` in `UPDATE savedata SET name= '$name' WHERE srno = '$srno'`. But this leaves you wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs. – RiggsFolly Aug 10 '19 at 09:11

1 Answer

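You are missing `SET`:

```php
$sql = "UPDATE savedata SET name= '$name' WHERE srno = '$srno'";
```

Anyway, you should avoid PHP variables in SQL (you are at risk of SQL injection). You should use prepared statements and parameter binding:

```php
// $con is the mysqli connection opened in the question's code
$stmt = $con->prepare("UPDATE savedata SET name= ? WHERE srno = ?");
// "ss" = both placeholders are strings; bind_param binds by reference,
// so the variables can be assigned after this call
$stmt->bind_param("ss", $name, $srno);

// set parameters and execute
$srno = $_POST["srno"];
$name = $_POST["name"];
$stmt->execute();
```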
ScaisEdge
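
The whole endpoint with the prepared statement from the answer plus error reporting, so that a malformed statement like the missing `SET` shows up in the server log instead of only as the generic message. This is an added example, not code from the question or the answer; the function name `updateName`, the "No row updated" message and the `utf8mb4` charset are assumptions, and the schema and credentials are the ones shown in the question.

```php
<?php
// Added example. Assumes the question's database "savedata" and table
// "savedata" with columns "srno" and "name".

// Make mysqli throw exceptions, so a malformed statement (such as the
// missing SET) is reported instead of query() quietly returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the number of rows changed.
function updateName(mysqli $con, string $srno, string $name): int
{
    // Placeholders keep request data out of the SQL text entirely.
    $stmt = $con->prepare("UPDATE savedata SET name = ? WHERE srno = ?");
    $stmt->bind_param("ss", $name, $srno);
    $stmt->execute();
    $rows = $stmt->affected_rows; // 0 if no row matched or the value is unchanged
    $stmt->close();
    return $rows;
}

// Reject requests that do not carry both fields as non-empty strings
// (PHP turns a field sent as "name[]=x" into an array).
$srno = $_POST["srno"] ?? null;
$name = $_POST["name"] ?? null;
if (!is_string($srno) || !is_string($name) || $srno === "" || $name === "") {
    http_response_code(400);
    exit("Missing srno or name");
}

try {
    $con = new mysqli("localhost", "root", "", "savedata");
    $con->set_charset("utf8mb4");
    $rows = updateName($con, $srno, $name);
    echo $rows > 0 ? "Success" : "No row updated";
} catch (mysqli_sql_exception $e) {
    // Full detail goes to the server log; the client gets the generic message.
    error_log("savedata update failed: " . $e->getMessage());
    http_response_code(500);
    echo "Data saving error. Please try again!";
}
```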