Adding or subracting from quantity in a table

**Dormilich** · Apr 24 '14, 06:28 AM

what are lines #68 and #81 supposed to do?

**oriola1** · Apr 24 '14, 07:10 AM

they are to check if there is error in the query then give the eror.. but it was to b $result the variable i use to query the database not result.thanks
plz any help or wht did u think is wrong with the code

**Dormilich** · Apr 24 '14, 07:22 AM

so what do your query functions return?

**oriola1** · Apr 26 '14, 06:18 AM

Thanks alot for ur replies. the query is to query the database and make the update change bt it not doing anytin at and all i get is jst a blank page no message of error or whtso ever..

**Dormilich** · Apr 26 '14, 10:40 PM

the update code does not have any output, so why should it display something?

**oriola1** · Apr 27 '14, 12:33 PM

viel dank Domilich
ok i understand wht u saying if the update code doesnt have any output bt it nt updating the value in the database now.
i now even added some code to the updating code to give me message if it update the datebase and also give me anoda message if failed bt notin happen stil.
dis is code now,,

Code:

<?php


require_once("db_connect.php");
$db=mysqli_connect("$host","$user","$password","$db");


$prod_name=$_POST['prod_name'];


if(isset($_post['add'])){
	$add = $_POST['number'];
	$query= "update products SET prod_qty = prod_qty + $add WHERE prod_name = $prod_name";
	$result=mysqli_query($db,$query);
	if(!@$result)
{
	echo"quantity not updated".mysqli_error($nitel);
}
else{
	echo" $prod_name has been updated";
}

	
}


if(isset($_POST['subract'])){
	$subract = $_POST['number'];
	$query = "update products SET prod_qty = prod_qty - $subract WHERE prod_name= $prod_name";
	$result=mysqli_query($db,$query);
	if(!@$result)
{
	echo"quantity not updatea".mysqli_error($nitel);
}
else{
	echo"$prod_name has been updated";
}

}




?>

**Dormilich** · Apr 28 '14, 07:56 AM

mysqli_error() expects the mysqli instance (connection) to be given, not some arbitrary variable.

**oriola1** · May 3 '14, 08:11 AM

Thanks man
ok, At dis point jst help me go thruogh the code and tel me wht am doing wrong dat is making it not working..

**koharu** · May 3 '14, 09:14 AM

Hi Oriola1

I noticed that your script is very susceptible to SQL injections. There are two options for you, you can look at using the string prepare function native to MySQLi. (See: http://php.net/manual/en/mysqli.prepare.php) as best practices are to never use the string directly within the query. I have hardened your code, and fixed some notable errors I saw. Bare in mind that you need to specify the mysqli link for mysqli_error to work. Your link is stored within $db, thus you need to use mysqli_error($d b).

Code:

<?php
 
require_once("db_connect.php");
$db = mysqli_connect($host,$user,$password,$db);
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error()); //Verify that we connected.
    exit();
}
 
//Try not to use direct user input, if you do, ensure you validate the data.
((empty($_POST['prod_name'])) ? die('Product Name is required.') : null); //Verify that $_POST['prod_name'] is not empty.

$prod_name=add_slashes(preg_replace("/[^a-zA-Z0-9\'\"\.\&\s]/","",$_POST['prod_name'])); //Only allow alpha numeric with ' " & and . punctuation. This adds resistance to MySQL Injection Attacks (" or 1=1 -- would be output as \" or 11 which doesn't really alter the query as the " or ' are escaped for MySQL)
 
 
if(isset($_post['add'])){
    $add = $_POST['number'];

    if(!is_numeric((int)$add)){ //This locks the $_POST['number] to being a whole integer (ie 1 2 3 10 so on.)
		exit("Sorry, the amount to add must be a valid number.");
    }

    $query = "update products SET prod_qty = prod_qty + $add WHERE prod_name = $prod_name";
    $result = mysqli_query($db,$query);

    if(!$result)
	{
    	exit("quantity not updated ".mysqli_error($db)); //Need to use $db here.
	}else{
    	echo "$prod_name has been updated";
	}
}
 
 
if(isset($_POST['subract'])){
    $subract = $_POST['number'];

	if(!is_numeric((int)$subtract)){ //This locks the $_POST['number] to being a whole integer (ie 1 2 3 10 so on.)
		exit("Sorry, the amount to subtract must be a valid number.");
	}
	
	$query = "update products SET prod_qty = prod_qty - $subract WHERE prod_name= $prod_name";
	
	$result = mysqli_query($db,$query);

    if(!$result) //If it is false.
    {
			exit("quantity not updated ".mysqli_error($db));
	}else{
			echo "$prod_name has been updated";
	}
 
}
?>

I apologise, I haven't tested this, I've typed it in my head, run the above code through your apache / server to check for any syntax errors, the above code should work from the box.

**oriola1** · May 4 '14, 01:42 PM

Thanks so much i wil try dis now n get back to u.
Viel dank Dormilich

**oriola1** · May 4 '14, 02:25 PM

I jst tried the code u ajusted for me infact i copy and paste not to make any silly error bt dis is wht i got..
Parse error: syntax error, unexpected '3.' (T_DNUMBER) in C:\xampp\htdocs \nestle\update_ script.php on line 5
Thanks

**koharu** · May 5 '14, 01:33 AM

I cut and pasted that script onto a blank server running PHP, MySQL and Apache. It worked perfectly. Verify the code you have in your own files.
One can be forgiven to assume that there was some form of copy and paste issue (PEBKAC?) based on "3." causing the error.

Can you paste up the contents of your update_script.p hp file?

**oriola1** · May 8 '14, 02:41 PM

Woow... i wil check my code vey wel
Thanks

**oriola1** · May 15 '14, 03:12 PM

Hi koharu
i hv check n checked bt am getin dis error
Parse error: syntax error, unexpected '3.' (T_DNUMBER) in C:\xampp\htdocs \nestle\update_ script.php on line 5
plz do u hv an idea of d meaning so i can even knw wht am doing wrong. i knw dat unexpected seem to b somtin is missing bt d '3' makes d error look difficult.
tanz

Adding or subracting from quantity in a table

Adding or subracting from quantity in a table

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment