PHP MySql Update

Re: PHP MySql Update

Message-ID: <1164073657.807 358.34740@h54g2 000cwb.googlegr oups.comfrom
Akhenaten contained the following:
shouldn't that be
$query="UPDATE table_name set

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Re: PHP MySql Update

Akhenaten wrote:
Wow, that's really hard to read... is there are reason you keep opening
and closing the string? It would be much easier to write it like this:

$query="UPDATE table_name set
First_Name = \"$formVars[First_Name]\",
Date_Committed = \"$formVars[Date_Committed]\",
Signed_By = \"$formVars[Signed_By]\",
....
";

or even using heredoc syntax like this:

$query = <<<END_OF_QUE RY
UPDATE table_name set
First_Name = "$formVars[First_Name]",
Date_Committed = "$formVars[Date_Committed]",
Signed_By = "$formVars[Signed_By]",
...
END_OF_QUERY;

Secondly, I hope you are escaping the variables in $formVars before
putting them into that string. If not, someone could inject sql into
the form variables and your sql will have unexpected consequences. Try
Googling "sql injection attack" some time to find out more.

If you use the PEAR DB library, ADODB or ADODB_Lite (and other database
libraries that are out there) instead of the straight php mysql_*
functions, you'll be able to use variable binding which helps to
eliminate the sql injection issues, and also can make your code a lot
easier to read. They also add portability between databases and error
checking.

Example of variable binding:

$db->query("
UPDATE table_name
SET First_Name = ?,
Date_Committed = ?,
Signed_By = ?
...",
array(
$formVars['First_Name'],
$formVars['Date_Committed '],
$formVars['Signed_By']
...
)
);

--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com

Re: PHP MySql Update

..oO(Chris Hope)
Even simpler and more SQL-compliant with single quotes:

$query="UPDATE table_name set
First_Name = '$formVars[First_Name]',
Date_Committed = '$formVars[Date_Committed]',
Signed_By = '$formVars[Signed_By]',
....
";


Micha

Re: PHP MySql Update

Michael Fesser wrote:
Very true. Now why didn't I think of that ;)
I haven't yet used PDO so I always forget it exists :)

--
Chris Hope | www.electrictoolbox.com | www.linuxcdmall.com

Re: PHP MySql Update

Akhenaten wrote:I don't see any problems with the PHP quotes. However, SQL uses single
quotes (') to indicate a string, not double quotes ("). And you
shouldn't have a \" before the WHERE clause.

Your query should be:

$query="UPDATE table_name set ".
"First_Name = '".$formVars["First_Name "]."', ".
"Date_Committed = '".$formVars["Date_Committed "]."', ".
"Signed_By= '".$formVars["Signed_By"]."', ".
"Rep= '".$formVars["Sales_Rep"]."', ".
"Aut= '".$formVars["Atty"]."', ".
"Car= '".$formVars["Car"]."', ".
"Dbl= '".$formVars["Dbl"]."', ".
"Sts= '".$formVars["Sts"]."', ".
"Notes= '".$formVars["Notes"]."', ".
"WHERE Client_ID = '".$formVars["Client_ID"]."'";

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Re: PHP MySql Update

Akhenaten wrote:Instead of doing this, I would suggest taking some wrapper which
builds the querries from you based on an array of values. This is a
sure way of creating code that's very difficult to maintain. Eg. you
want to add something to your tables in the next update, and you have to
insert just the right code in the right place into this mess. Perhaps
PEAR::MDB2 to the rescue?