mysql - Can't update sql through php -

- 

$settings = parse_ini_file("settings.ini");  $conn = new mysqli($settings[servername],$settings[username],$settings[password], $settings[dbname]); $height = $_post['heightft'] * 12 + $_post['heightin']; if($conn->connect_error) {     die("connection failed: " . $conn->connect_error); } if(isset($_cookie['user'])) { list($currentfname, $currentlname) = explode(",", $_cookie['user']);  } $newfname = $_post['fname']; $newlname = $_post['lname']; $newage = $_post['age']; $newweight = $_post['weight']; $newheight = $_post['height']; $newsex = $_post['sex']; $sql = "update $settings[usertable] set fname = $newfname, lname = $newlname, age = $newage, weight = $newweight, height = $newheight, sex = $newsex fname = $currentfname , lname = $currentlname"; $retval = mysql_query($sql, $conn); if(!$retval) {     die("could not update data: " .  print_r($_post) );     //die("could not update data: " . mysql_error()); } echo "successful update";

this isn't working , don't know how troubleshoot it. code shows array ( [fname] => test [lname] => testing [age] => 25 [weight] => 199 [sex] => male [heightft] => 5 [heightin] => 7 ) not update data: 1

with

//die("could not update data: " . print_r($_post) ); die("could not update data: " . mysql_error());

it shows

could not update data:

is there anywhere php shows errors. when goes wrong in code white screen , have figure out issue through trial , error failed load resource: server responded status of 500 (internal server error)

you're mixing mysqli , mysql interface calls. doesn't work.

we see mysqli connection being created... 

$conn = new mysqli(

but see calls mysql_ interface function.

$retval = mysql_query(

don't that. doesn't doesn't work. use mysqli_ functions.

so, fix first.

for debugging sql, echo out $sql before submit database. (make sure string you're sending sql statement want execute.)

also, incorporating potentially unsafe values (such values of variables $_get or $_post) leads sql injection vulnerabilities. values incorporated text of sql statement must escaped. see mysqli_real_escape_string. that's not sufficient guarantee code isn't still vulnerable sql injection.

a better pattern use prepared statements bind placeholders.

this isn't right.

if $newfname fred , $newlname flintstone

then this:

$sql = "update $settings[usertable] set fname = $newfname, lname = $newlname, ...";

or might need this:

$sql = "update " . $settings[usertable] . " set fname = $newfname, lname = $newlname, ...";

evaluates 

 update mytable set fname = fred, lname = flintstone, ...

mysql going balk @ that, because string literals should enclosed in single quotes:

 update mytable set fname = 'fred', lname = 'flintstone', ...                             ^    ^          ^          ^

if $newlname o'reilly, mysql going balk, he's going see string literal 'o' followed mysql doesn't understand...

 update mytable set fname = 'fred', lname = 'o'reilly', ...                                                ^^^^^^

to run correctly, need escape single quote inside value single quote, our sql statement looks this: 

 update mytable set fname = 'fred', lname = 'o''reilly', ...                                               ^^

the 2 single quotes inside string literal interpreted (by mysql) 1 single quote. value stored in column (assuming statement succeeds of course), wanted: o'reilly

you muck escaping values, much better pattern prepared statements bind placeholders...

 $sql = "update mytable set fname= ? ,lname = ?, ... ";   $stmt = $dbh->prepare($sql);  $stmt->bind_param("ss",$newfname,$newlname);  $stmt->execute();

reference: http://php.net/manual/en/mysqli-stmt.bind-param.php


Comments

Post a Comment

Popular posts from this blog

python - TypeError: start must be a integer -

-
i trying draw 5 turtles, getting typeerror on line 25. here code: import turtle wn = turtle.screen() redrose = turtle.turtle() color = input("what background color be?") fillcolor_f = input("what color of rose be?") redrose.hideturtle() redrose.speed(30) redrose.penup() redrose.left(180) redrose.forward(175) redrose.right(90) redrose.forward(30) redrose.right(90) redrose.pendown() def drawrose(red): redrose.color("pink") redrose.fillcolor(fillcolor_f) redrose.fill(true) in range(red): redrose.forward(i) redrose.right(49) in range(5): drawrose(redrose) redrose.penup() redrose.forward(350) redrose.right(144) redrose.pendown() redrose.fill(false) drawrose(50) wn.bgcolor(color) i trying draw 5 roses, produces errors. doing in interactivepython.org. you recursively calling drawrose wrong parameter. on line 23 ( for in range(red): ) expect red integer...
Read more

c# - DevExpress RepositoryItemComboBox BackColor property ignored -

-
i have following code almost works properly; private void cbstatus_drawitem(object sender, listboxdrawitemeventargs e) { string item = e.item string; if (item != null) { switch (item) { case "1": e.appearance.forecolor = color.green; e.appearance.backcolor = color.green; break; case "2": e.appearance.forecolor = color.orange; e.appearance.backcolor = color.orange; break; case "3": e.appearance.forecolor = color.red; e.appearance.backcolor = color.red; break; } } } when dropdown shown, items forecolor correct, backcolor remains whatever backcolor of theme is; i.e. if i've got set dark theme, backcolor dark, cells in gridview, rather being green/orange/red. i've tried setting e.appearance.options.usebackcolor trying set e....
Read more

django - Creating multiple model instances in DRF3 -

-
1) create multiple model instances 1 api call, asked here: how create multiple model instances django rest framework? tried solution named in link, no success. i trying upload multiple files in 1 api call. result: files uploaded (only once overwrote perform_create) 1 instance created (if send 2 files, latter created instance). my code: class fileuploadserializer(serializers.modelserializer): def __init__(self, *args, **kwargs): many = kwargs.pop('many', true) super(fileuploadserializer, self).__init__(many=many, *args, **kwargs) class meta: model = fileupload read_only_fields = ('created', 'datafile', 'owner') class fileuploadviewset(viewsets.modelviewset): queryset = fileupload.objects.all() serializer_class = fileuploadserializer parser_classes = (multipartparser, formparser, ) def perform_create(self, serializer): file_list = self.request.data.getlist('file') ...
Read more