serialize() value store, in to a database using update query

**HaLo2FrEeEk** · Mar 4 '11, 02:27 AM

While it's not required, it's good practice to use backticks (the ` symbol, it's next to the 1 key in the nuber row [not the numpad]) in queries to denote table or column names. For example:

SELECT * FROM `table`

As for your query, I don't know how many times I have to explain to people that, while it works, putting variables directly within a string is bad practice. What's probably happening is your $metamoe variable contains a quote somewhere. First off, to fix the string, to embed a variable into a string you should end the string and append the variable with a . (dot):

$str = "This string has a " . $variable . " in it."

So your query should look like this:

Code:

mysql_query("UPDATE sgc SET meta_moe = '" . $metamoe . "' WHERE nric = 'S9221121E' AND name = 'ANG MEI KEE'") or die(mysql_error());

Now that that's fixed, you should ALWAYS sanitize your database input. Even if there's no user input, it's just safe to sanitize. PHP has a fantastic mysql method to sanitize sring inputs, mysql_real_esca pe_string():

Code:

mysql_query("UPDATE sgc SET meta_moe = '" . mysql_real_escape_string($metamoe) . "' WHERE nric = 'S9221121E' AND name = 'ANG MEI KEE'") or die(mysql_error());

This will properly escape any characters that would interfere with your query. SQL Injection Prevention 101, but it applies pretty much anywhere, and it should solve your problem.

**apssiva** · Mar 4 '11, 02:44 AM

Hi,

Thank you for your help. Sure i correct my mistake.

Regards,
apssiva.

serialize() value store, in to a database using update query

serialize() value store, in to a database using update query

Comment

Comment