MYSQL SET UPDATE table from a variable re-asked

Question

Need to be able to UPDATE a MYSQL table with string data. Get errors no matter what I try, and I have researched and nothing suggested works in this situation.

'$soldout'
'"$soldout"'
{$soldout}
'{$soldout}'
'"{$soldout}"'

<?php

/**
 * Use an HTML form to edit an entry in the
 * consignitem table.
 *
 */

require "../config.php";
require "../common.php";

if (isset($_POST['submit'])) {
  if (!hash_equals($_SESSION['csrf'], $_POST['csrf'])) die();

  try {
    $connection = new PDO($dsn, $username, $password, $options);

$itemnumber = $_POST['itemnumber'];

    $item =[
      "itemnumber"        => $_POST['itemnumber'],
      "itemdescription"  => $_POST['itemdescription'],
      "reserve"  => $_POST['reserve'],
      "amount"  => $_POST['amount'],
      "qtyavail"  => $_POST['qtyavail'],
      "qtybought"  => $_POST['qtybought'],
      "buyernumber"  => $_POST['buyernumber'],
      "sold"  => $_POST['sold'],
    ];

/* following is manipulation section including debug lines as echo of data*/
$qtyav = $_POST['qtyavail'];
$qtybo = $_POST['qtybought'];
$amt = $_POST['amount'];
echo "Quan Avail $qtyav<br>";
echo "Quan Bou $qtybo<br>";
echo "AMT $amt<br>";
$amttot = $qtybo * $amt;
echo "AMTTOT $amttot<br>";
$newqty = $qtyav - $_POST['qtybought'];
echo "NewQty $newqty<br>";

if ($newqty < "1") {
$soldout = "y";
echo "soldout $soldout<br>";
} else {
$soldout = "n";
echo "soldout $soldout<br>";
}

/* End Manipulation. 
Try adding field for quantity available, then do math.
*/

    $sql = "UPDATE consignitem 
            SET itemnumber = :itemnumber, 
              itemdescription = :itemdescription, 
              reserve = :reserve, 
              amount = :amount, 
              qtyavail = {$newqty}, 
              qtybought = :qtybought, 
              buyernumber = :buyernumber, 
              sold = :sold
            WHERE itemnumber = :itemnumber";

  $statement = $connection->prepare($sql);
  $statement->execute($item);
  } catch(PDOException $error) {
      echo $sql . "<br>" . $error->getMessage();
  }
}


if (isset($_GET['itemnumber'])) {
  try {
    $connection = new PDO($dsn, $username, $password, $options);
    $itemnumber = $_GET['itemnumber'];
    $sql = "SELECT * FROM consignitem WHERE itemnumber = :itemnumber AND sold = 'n'";
    $statement = $connection->prepare($sql);
    $statement->bindValue(':itemnumber', $itemnumber);
    $statement->execute();


    $item = $statement->fetch(PDO::FETCH_ASSOC);
  } catch(PDOException $error) {
      echo $sql . "<br>" . $error->getMessage();
  }
} else {
    echo "Something went wrong!";
    exit;
}
?>

<?php require "templates/header.php"; ?>

<?php if (isset($_POST['submit']) && $statement) : ?>

    <blockquote><?php echo escape($_POST['itemnumber']); ?> successfully updated.</blockquote>

<?php endif; ?>

<h2>Sell an item</h2>

<form method="post">

<style>
table, th, td {
  border: 1px solid black;
}
</style>
<table>
    <input name="csrf" type="hidden" value="<?php echo escape($_SESSION['csrf']); ?>">
    <?php foreach ($item as $key => $value) : ?>
<tr><td><?php echo ucfirst($key); ?></td><td><input type="text" name="<?php echo $key; ?>" id="<?php echo $key; ?>" value="<?php echo escape($value); ?>" <?php echo ($key === 'serial' ? 'readonly' : null); ?><?php echo ($key === 'salenumber' ? 'readonly' : null); ?><?php echo ($key === 'itemnumber' ? 'readonly' : null); ?> <?php echo ($key === 'lotnumber' ? 'readonly' : null); ?><?php echo ($key === 'category' ? 'readonly' : null); ?><?php echo ($key === 'itemdescription' ? 'readonly' : null); ?><?php echo ($key === 'reserve' ? 'readonly' : null); ?><?php echo ($key === 'sellernumber' ? 'readonly' : null); ?><?php echo ($key === 'paid' ? 'readonly' : null); ?>></td></tr>
           <?php endforeach; ?> 
</table>

<?php echo ($key === 'itemnumber');?>
<br>
    <button type="submit" name="submit"><b><h3>Sell the Item</h3></b></button>
</form>
<br>
<a href="sellitem.php">Back to Item List</a><br>
<?php require "templates/footer.php"; ?>

UPDATED- - - Original post: In the section where sql = UPDATE SET: Where it says sold = :sold, I need it to take the variable $soldout and use it to update the field for sold in the table. The one above it for $newqty works fine but when I change the sold one from sold = :sold to sold = , I get an error about number of items doesn't match number of bound items or some such. And it doesn't update the table. Leaving it as sold = :sold works but just doesn't update the sold field. I have researched using a string in there but nothing I try works. I know my code is horrible, but this is the first time I have ever tried using PHP with a MYSQL database, and the first time ever to work with a MYSQL database at all. I know it is subject to injections and all that. . once I get it working, I can then figure out how to secure it better. Thank you in advance! UPDATED INFO - - - This script works perfectly for every thing except changing the sold from 'n' to 'y' in the table. The

qtyavail = {$newqty},

line works so why doesn't

sold = {$soldout}

work? It is the same format as the qtyavail one and the variable $soldout is set just a few lines from the qtyavail one but it is eluding me why it won't work. Thanks again for any insight!

`$statement->bindValue(':sold, "{$soldout}"');` you have single quotes around boht parameters, making it effectively one string. Also delete the double quotes and the curly brackets... just use `$soldout` — Honk der Hase, Oct 16 '19 at 20:23
So what is 'sold' in the database? A number, string, etc? And what is it when it's sent to the server? Sounds like you have a mismatch between what type is and what MySQL expects it to be. — Steve, Oct 16 '19 at 20:24
Sold will be either y or n depending on whether $newqty is less than 1 or 0. I tried it with = 0 but didn't get anywhere with that either. — veewee77, Oct 17 '19 at 03:10
@steve sold is either y or n depending on the value of $newqty. The debug lines show that that stuff is all working correctly. I just can't get it to update the table with sold = 'y' when $newqty is less than 1 (or zero). — veewee77, Oct 17 '19 at 15:21
@lars-stegelits I fixed the quote things and have tried MANY variations and none work. Some break it completely (page shows nothing) or toss up the bind number doesn't match number of tokens error. This is driving me nuts! — veewee77, Oct 17 '19 at 15:24

Barmar · Answer 1 · 2019-10-17T15:22:47.037

0

You don't have a :sold placeholder in the query. And you're calling bindValue() incorrectly; you should call it the same way for :sold as you do for :itemnumber.

    $itemnumber = $_GET['itemnumber'];
    $sql = "SELECT * FROM consignitem WHERE itemnumber = :itemnumber AND sold = :sold";
    $statement = $connection->prepare($sql);
    $statement->bindValue(':itemnumber', $itemnumber);
    $statement->bindValue(':sold', $soldout);
    $statement->execute();

You also have a problem with the UPDATE query. $item contains

"qtyavail"  => $_POST['qtyavail'],

but the query contains

qtyavail = {$newqty},

You should change the query to

qtyavail = :qtyavail,

and set

$item['qtyavail'] = $newqty;

edited Oct 17 '19 at 15:22

answered Oct 16 '19 at 20:25

Barmar

741,623
53
500
612

Thank you for your help. . . But it is still eluding me. I just don't understand why it doesn't work for the {$soldout} one and does for the {$newqty} and both items are created the same way as far as I can tell. I am just at a loss, here. . . Either the page comes up blank, ot I get that danged bind number doesn't match number of items or some such. – veewee77 Oct 17 '19 at 15:09
@veewee77 it doesn't work because you are abusing a prepared statement. It should be neither {$soldout} nor {$newqty} but :soldout and :newqty **only**. Just like it is said in the linked answer. – Your Common Sense Oct 17 '19 at 15:20
`$item` has a `:qtyavail` element, but there's no `:qtyavail` in the `UPDATE` query. @veewee77 – Barmar Oct 17 '19 at 15:20
@veewee77 I've updated the answer to explain how to fix that. – Barmar Oct 17 '19 at 15:23
@barmar The {$newqty} one works. Beautifully! as-is. I just need the sold = $soldout to work. Just above the UPDATE stuff, there is some math done with debug echoes (so I can see what it is doing) that takes inputs, does some math and sets a few variables to be UPDATEd in the table. The results are echoed and the math is working right. The {$newqty} works. The sold ={$soldout} (which will be 'y' or 'n' depending on $newqty's value does not work. That is the one I need to work. If I can get that working, this part of it will be good to go. . . getting very frustrated. . . – veewee77 Oct 17 '19 at 16:24
You have `"sold" => $_POST['sold']`. Is that not what you want? – Barmar Oct 17 '19 at 16:32
Why are you mixing parameters and variable substitutions? You should use parameters for everything. – Barmar Oct 17 '19 at 16:34
@barmar Yes, at that time, sold is the value -read- from the table, which should always be 'n' read by the SELECT line. Then if the $qtyavail gets changed to 0 (zero) the value UPDATEd to the table should be 'y' {$soldout}. NOT the value read previously from the table :sold . How it should work: The value for sold is read from the table and that itemnumber is displayed in a list because sold = 'n'. Once the item is actually sold (the $newqty goes to 0) the value to be written back to the table is 'y' and the next time the list is displayed, looking for 'n' it won't show up because it is 'y'. – veewee77 Oct 17 '19 at 17:10
You should just change `$item['sold']`, not create a new variable. – Barmar Oct 17 '19 at 17:11
@barmar "Why are you mixing parameters and variable substitutions? You should use parameters for everything. " This is my very first time ever trying to work with PHP and MYSQL so I don't know how to do any of it. I have just been using bits and pieces from around the web to get it working. I am amazed it works as good as it does. Every other part is working so far except this sold thing. So bear with me, ok? I have been doing this in my spare time for only a month or two and there isn't much spare time. – veewee77 Oct 17 '19 at 17:18
@barmar This is my problem. I don't understand what you are saying, and you don't understand that I don't understand. When you said "change $item['sold'] not create a new variable" I have no idea where that would be done, how that would be done, where it would come from. . . nothing. . . I am sorry I just don't understand. – veewee77 Oct 17 '19 at 17:22
`$item` contains all the values that fill in the `:XXX` placeholders in the query. If you want to change how you're filling them in, change the corresponding entry in `$item`. – Barmar Oct 17 '19 at 17:23
Ok. I will go fight with it some more on my own. I have wasted enough of your time. Thank you for everything. I will refer back to this and see if I can make heads or tails of it. – veewee77 Oct 17 '19 at 17:31
@barmar HOLY COW! IT WORKS! – veewee77 Oct 17 '19 at 18:02

score -1 · Answer 2 · answered Oct 16 '19 at 22:17

-1

first of all check wrong quotes in"

$statement->bindValue(':sold, "{$soldout}"');

Most probably should be :

$statement->bindValue(':sold', "{$soldout}");

answered Oct 16 '19 at 22:17

Igor Mizak

1,088
1
11
19

*Any* quotes here would be wrong – Your Common Sense Oct 17 '19 at 15:17
I have tried it with none, with all three, ` ' and " in all kinds of variations and nothing works for the sold one. The $newqty one works beaitifully as-is. What is the difference? – veewee77 Oct 17 '19 at 15:19

MYSQL SET UPDATE table from a variable re-asked

2 Answers2