<?php
$conn = mysqli_connect("localhost", "root", "password");
mysqli_select_db($conn, "stiry");
$sql = "UPDATE system SET ad = '".$_POST['ad']."', ph = '".$_POST['ph']."' , usage = 0 WHERE id = 1";
$result = mysqli_query($conn, $sql);
?>

I understand that I have to use a comma in order to update multiple variables at the same time. My goal is to update ad, ph and usage when the user presses the submit button in index.php. Without usage = 0 in the $sql line everything just works fine.

Here, the usage column's type is varchar(15) NOT NULL. The purpose of using usage is to check the status of the service which I am planning to test, whereby usage = 1 will represent that the user is using my service.

In my database, the usage column is recorded as 0, thus I have to change it to 1 as the user presses the submit button.

What is the possible error here?

ajdh
  • Don't do what you are doing. Google "php sql injection". – drum Jul 31 '21 at 13:53
  • Why would you store integers in a varchar(15) column? As for what's wrong, debug your code so that you can include two things in your question: the exact value of `$sql` before you execute it, and the exact error message you receive. Then, look into using `mysqli_prepare` for parameters to your sql statements. – MatBailie Jul 31 '21 at 13:53
  • @drum may I know the reason why? – ajdh Jul 31 '21 at 13:56
  • @MatBailie you mean debug it in mysql in order to check the error code right? – ajdh Jul 31 '21 at 13:57
  • Use `';--` in any of your input fields and you'll see why you should use prepared queries (see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). Other than that, if it works without `usage` then remove it; if you want to set usage to 1 then do so; if it's a condition, then it should be in the WHERE clause. – Lawrence Cherone Jul 31 '21 at 14:01
  • Usage is a reserved word in MySQL and MariaDB. You can keep the name, but you'll have to use it as: `\`usage\`` (with back-ticks, **not** single quotes) to avoid errors. As others have already mentioned, strongly advise to use prepared queries. – Paul T. Jul 31 '21 at 16:00
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Jul 31 '21 at 17:25
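The comments above raise two separate problems with the posted query: `usage` is a reserved word and must be backticked, and the values are concatenated straight from `$_POST`, so they should be bound as parameters instead. The following is an added example, not the asker's code or any commenter's code, showing the same UPDATE with both fixes applied using MySQLi prepared statements. It assumes the same host, database and table as the question, that the form posts `ad` and `ph`, and that the value written to `usage` is a constant (so it can stay in the SQL text).

```php
<?php
// Added example (not the asker's code): the UPDATE from the question rewritten
// with a prepared statement, and the reserved word `usage` quoted with backticks.
// Assumed: same host/db/table as the question; POST carries 'ad' and 'ph'.

// Make mysqli throw exceptions instead of silently returning false, so a
// failing query (e.g. a syntax error from a reserved word) surfaces with
// its error message instead of being lost.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The fourth argument selects the database, replacing mysqli_select_db().
$conn = mysqli_connect("localhost", "root", "password", "stiry");

// Read the inputs; a missing field becomes an empty string instead of a notice.
$ad = $_POST['ad'] ?? '';
$ph = $_POST['ph'] ?? '';

// Placeholders (?) replace the string concatenation, so whatever the user
// types is sent to the server as data and is never parsed as SQL.
// `usage` is backticked because it is reserved in MySQL/MariaDB; `system`
// is backticked defensively, which is harmless for an ordinary identifier.
$sql = "UPDATE `system` SET ad = ?, ph = ?, `usage` = 0 WHERE id = 1";

$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, "ss", $ad, $ph);   // "ss": two string parameters
mysqli_stmt_execute($stmt);

// affected_rows reports whether the row with id = 1 was actually changed,
// which is the quickest way to confirm the UPDATE did what was intended.
echo "Rows updated: " . mysqli_stmt_affected_rows($stmt) . "\n";

mysqli_stmt_close($stmt);
mysqli_close($conn);
?>
```

With error reporting switched on, the original concatenated query would have thrown an exception quoting the SQL syntax error near `usage`, which is the diagnostic MatBailie's comment asks for; with the prepared statement, the payload from Lawrence Cherone's comment simply ends up stored in the `ad` or `ph` column as text.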

0 Answers