1. 技术文章
  2. Why does this SQL UPDATE query not work with a variable for WHERE?

Why does this SQL UPDATE query not work with a variable for WHERE?

安稳与你 提交于 2020-02-03 02:25:06

问题


this is my first post here at Stack Overflow. I know the question has been asked many times before. I went through many answers, tried all of them (except the correct approach obviously) and don't know what to try anymore.

I have an SQL table where every row has an "edit" button. When clicking it, I pass over the id of the selected row to edit.php. There, I get it and update the given row based on the id with the user input from the form. The first column is id which is set to AUTO_INCREMENT.

On a side note, I get the same error, no matter if I use WHERE id=$id"; or WHERE id='$id'";

The code which I think is closest to the correct approach is as follows and generates the error message below the code:

<html>
    <title>
        Video Archiv - New
    </title>

    <body>
        <?php
            include("connect.php"); 
            $id=$_GET['id'];
            echo "Details von Video #$id editieren:<br /><br />";

            if(isset($_POST['update']))
            {
                $sql =  "UPDATE VideoArchiv             
                        SET ('".$_POST["titel"]."','".$_POST["schauspieler"]."')
                        WHERE id=$id";

                        $result = mysqli_query($connect,$sql);

                if (mysqli_query($connect,$sql) === TRUE) 
                {
                    echo "Record updated successfully";
                } 
                else 
                {
                    echo "Error updating record: " . $connect->error;
                }
            }
            ?>

        <form action="edit.php" method="post"> 

            <label> Titel:</label><br/>
            <input type="text" name="titel" required><br/>

            <label>Schauspieler</label><br/>
            <input type="text" name="schauspieler" required><br/>
            <br />
            <button type="submit" name="update">Speichern</button>

        </form>

        <?php
            include("back.php");
        ?>
    </body>
</html>

Error message:

Error updating record: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('a','d') WHERE id=9' at line 2

Thanks a lot for your help and sorry for the duplicate question, but I really can't find the solution and am pretty desperate.

UPDATE:

The following code gives this error:

Fatal error: Uncaught Error: Call to a member function bind_param() on bool in /homepages/25/d72758610/htdocs/multimedia/edit.php:30 Stack trace: #0 {main} thrown in /homepages/25/d72758610/htdocs/multimedia/edit.php on line 30

<html>
    <title>
        Video Archiv - New
    </title>

    <body>
        <?php
            include("connect.php"); 
            $id=$_GET['id'];
            $title = $_POST["titel"];
            $schauspieler = $_POST["schauspieler"];

            if(empty($title))
            {
                echo "error";
            }
            elseif(empty($schauspieler))
            {
                echo "error";
            }
            else
            {
                $sql = "UPDATE users SET title=?, schauspieler=? WHERE id=?";
                $stmt= $connect->prepare($sql);
                $stmt->bind_param("ssi", $title, $schauspieler, $id);
                if($stmt->execute())
                {
                      echo "Succes";
                }
                else
                {
                  echo "something went wromg";
                }
            }
            ?>

        <form action="edit.php" method="post"> 

            <label> Titel:</label><br/>
            <input type="text" name="titel" required><br/>

            <label>Schauspieler</label><br/>
            <input type="text" name="schauspieler" required><br/>
            <br />
            <button type="submit" name="update">Speichern</button>

        </form>

        <?php
            include("back.php");
        ?>
    </body>
</html>

回答1:


Very simple to avoid sql injections and use up to date codes and You have an error in your SQL syntax.

Here is an example :

   include("connect.php"); 
    $id=$_GET['id'];
    $title = $_POST["titel"];
    $schauspieler = $_POST["schauspieler"];

    if(empty($title)){
    echo "error";
    }elseif(empty($schauspieler)){
    echo "error";
    }else{

    $sql = "UPDATE VideoArchiv SET title=?, schauspieler=? WHERE id=?";
    $stmt= $connect->prepare($sql);
    $stmt->bind_param("ssi", $title, $schauspieler, $id);
    if($stmt->execute()){
      echo "Succes";
    }else{
      echo "something went wromg";
    }

    }

See more on : https://phpdelusions.net/mysqli_examples/update

UPDATE : First code will work for you, but if you still want to use procedural way then us this :

include("connect.php");
if ($_SERVER["REQUEST_METHOD"] == "POST") {

//Check if we get id 
$Testid = $_GET['id'];
if(empty($Testid)){
    echo "id is empty";
}else{
    $id = $_GET['id'];
}


$title = $_POST["titel"];
$schauspieler = $_POST["schauspieler"];

    if(empty($title )){
        echo "error". $title; 
    }elseif(empty($schauspieler)){
        echo "error". $schauspieler;
    }else{
       $sql = "UPDATE VideoArchiv SET title=?, schauspieler=? WHERE id=?";
       $stmt = mysqli_prepare($connect, $sql);
       mysqli_stmt_bind_param($stmt, 'ssi', $title, $schauspieler, $id);
       mysqli_stmt_execute($stmt); 
    }
}


<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

	<label> Titel:</label><br/>
	<input type="text" name="titel" required><br/>

	<label>Schauspieler</label><br/>
	<input type="text" name="schauspieler" required><br/>
	<br />
	<button type="submit" name="update">Speichern</button>

</form>



回答2:


The issue that you have is the fact your code does not use the SET correctly, you currently have the following;

$sql =  "UPDATE VideoArchiv             
    SET ('".$_POST["titel"]."','".$_POST["schauspieler"]."')
        WHERE id=$id";

Which is used like you'd do an INSERT

To rectify the immediate issue, simply change to;

$sql =  "UPDATE VideoArchiv             
        SET field1 = '".$_POST["titel"]."',
            field2 = '".$_POST["schauspieler"]."'
        WHERE id=$id";

But this odes leave you open to SQL injection attacks, to do a quick and easy fix on this, something as simple as the following would be helpful;

$id = mysqli_real_escape_string($connect, $_POST["id"]);
$titel = mysqli_real_escape_string($connect, $_POST["titel"]);
$schauspieler = mysqli_real_escape_string($connect, $_POST["schauspieler"]);

$sql =  "UPDATE VideoArchiv             
        SET field1 = '{$titel}',
            field2 = '{$schauspieler}'
        WHERE id=$id";

I'd suggest reading into prepared statements as this would be a lot safer however

I know this has had the right answer to the question at hand prior to this post, but none have mentioned injection and how to resolve (even a soft way like here)




回答3:


Your update query will not work for the proper syntax will be:

$sql = 'UPDATE table SET field='value', field2='value' WHERE id=$id';



回答4:


The following query can be used:

UPDATE VideoArchiv SET columnname1 = '".$_POST["titel"]."', columnname2 = '".$_POST["schauspieler"]."' WHERE id=$id



回答5:


Column Names are not givn in query

UPDATE table_name SET column_name1 = expr1, column_name2 = expr2, ... [WHERE condition];

So, your query will be something like this and check column names in database:

$sql =  "UPDATE VideoArchiv             
                SET titel='".$_POST["titel"]."',schauspieler='".$_POST["schauspieler"]."'
                WHERE id=$id";

Note: This is sql vulnerable, so please add mysql real escape function (https://www.php.net/manual/en/function.mysql-real-escape-string.php) or convert it to pdo.



来源:https://stackoverflow.com/questions/59929209/why-does-this-sql-update-query-not-work-with-a-variable-for-where

标签
php
sql
mysqli
sql-update
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!