 | |
mysql_query("update... simple question
comp.databases.mysql comp.databases.mysql
 |
| | Thread Tools | Display Modes |
#1
 
| |||
| |||
|
mysql_query("update... simple question -
01-03-2012
, 10:16 PM
#2
| |||
| |||
|
|
I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables (Username, Password, Name, |
I think you need to check the manual. UPDATE and INSERT do not have the
same syntax.
#3
| |||
| |||
|
|
I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('".$Username."', '".$_SESSION['Rcrd']['Psswrd']."', '".$Name."', '".$BusinessName."', '".$Phone."', '".$Email."', '".$Website."', '".$Listing."', '".$HomeCounty."', '".$HomeTown."', '".$County2."', '".$Town2."', '".$County3."', '".$Town3."') WHERE Username='".$_SESSION['Rcrd']['Usernm']."' AND Password='".$_SESSION['Rcrd']['Psswrd']."'"); |
UPDATE [LOW_PRIORITY] [IGNORE] table_reference
SET col_name1={expr1|DEFAULT} [, col_name2={expr2|DEFAULT}] ...
[WHERE where_condition]
[ORDER BY ...]
[LIMIT row_count]
http://dev.mysql.com/doc/refman/5.5/en/update.html
(... or your favourite SQL reference, the basic syntax belongs to the
standard.)
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://borrame.com
-- Mi web de humor satinado: http://www.demogracia.com
--
#4
| |||
| |||
|
|
El 04/01/2012 5:16, Michael Joel escribió/wrote: I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('".$Username."', '".$_SESSION['Rcrd']['Psswrd']."', '".$Name."', '".$BusinessName."', '".$Phone."', '".$Email."', '".$Website."', '".$Listing."', '".$HomeCounty."', '".$HomeTown."', '".$County2."', '".$Town2."', '".$County3."', '".$Town3."') WHERE Username='".$_SESSION['Rcrd']['Usernm']."' AND Password='".$_SESSION['Rcrd']['Psswrd']."'"); Well, there's no need to guess, this is all documented: UPDATE [LOW_PRIORITY] [IGNORE] table_reference SET col_name1={expr1|DEFAULT} [, col_name2={expr2|DEFAULT}] ... [WHERE where_condition] [ORDER BY ...] [LIMIT row_count] http://dev.mysql.com/doc/refman/5.5/en/update.html (... or your favourite SQL reference, the basic syntax belongs to the standard.) |
means you can cut and paste the line and reuse it with minimal
modification, for that, as well...
I have to say that I nearly always use sprintf in PHP to set up the
query, as just a bit of extra precaution against SQL injection..
The difference between a guranteed numerical value using '%d' or '%f'
and simply using the global variables value, is not to be sneezed at..
#5
| |||
| |||
|
|
I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('".$Username."', '".$_SESSION['Rcrd']['Psswrd']."', '".$Name."', '".$BusinessName."', '".$Phone."', '".$Email."', '".$Website."', '".$Listing."', '".$HomeCounty."', '".$HomeTown."', '".$County2."', '".$Town2."', '".$County3."', '".$Town3."') WHERE Username='".$_SESSION['Rcrd']['Usernm']."' AND Password='".$_SESSION['Rcrd']['Psswrd']."'"); Thanks Mike |
Do you get an error? and if so, what error?
(and i'm talking about the error from MySQL, not any errors from PHP
--
Luuk
#6
| |||
| |||
|
|
I have to say that I nearly always use sprintf in PHP to set up the query, as just a bit of extra precaution against SQL injection.. |
stuff to a query string.
Best regards,
--
( Kees Nuyt
)
c[_]
#7
| |||
| |||
|
|
On Wed, 04 Jan 2012 10:57:35 +0000, The Natural Philosopher tnp (AT) invalid (DOT) invalid> wrote: I have to say that I nearly always use sprintf in PHP to set up the query, as just a bit of extra precaution against SQL injection.. That offers no protection at all, not more than concatenating stuff to a query string. Best regards, |
string concats do.
Simnce te easiets way to swl inject given that teh query is often of the
form
update....where id=3
its stops people hacking things to send you instead of '3' '3; drop
table customers'
or whatever...
#8
| |||
| |||
|
|
I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables *(Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('".$Username."', '".$_SESSION['Rcrd']['Psswrd']."', '".$Name."', '".$BusinessName."', '".$Phone."', '".$Email."', '".$Website."', '".$Listing."', '".$HomeCounty."', '".$HomeTown."', '".$County2."', '".$Town2."', '".$County3."', '".$Town3."') WHERE Username='".$_SESSION['Rcrd']['Usernm']."' AND Password='".$_SESSION['Rcrd']['Psswrd']."'"); Thanks Mike |
INSERT using a similar format to an UPDATE. but the converse isn't
necessarily true.
And if you're building your string using double quotes, do yourself a
favour and dumb all the "."s, thus:
$result = mysql_query("UPDATE MyTables (Username, Password, Name,
BusinessName, Phone, Email, Website, Listing, County, Town, County2,
Town2, County3, Town3) values ('$Username',
"{$_SESSION['Rcrd']['Psswrd']}', '$Name', '$BusinessName',
'$Phone', '$Email', '$Website', '$Listing',
'$HomeCounty', '$HomeTown', '$County2', '$Town2',
'$County3', '$Town3') WHERE
Username='{$_SESSION['Rcrd']['Usernm']}' AND
Password='{$_SESSION['Rcrd']['Psswrd']}'");
But even better would be to format your query neatly!
#9
| |||
| |||
|
|
On Jan 4, 4:16 am, Michael Joel<n... (AT) please (DOT) com> wrote: I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('".$Username."', '".$_SESSION['Rcrd']['Psswrd']."', '".$Name."', '".$BusinessName."', '".$Phone."', '".$Email."', '".$Website."', '".$Listing."', '".$HomeCounty."', '".$HomeTown."', '".$County2."', '".$Town2."', '".$County3."', '".$Town3."') WHERE Username='".$_SESSION['Rcrd']['Usernm']."' AND Password='".$_SESSION['Rcrd']['Psswrd']."'"); Thanks Mike You've got it the wrong way round. In MySQL it is possible to do an INSERT using a similar format to an UPDATE. but the converse isn't necessarily true. And if you're building your string using double quotes, do yourself a favour and dumb all the "."s, thus: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('$Username', "{$_SESSION['Rcrd']['Psswrd']}', '$Name', '$BusinessName', '$Phone', '$Email', '$Website', '$Listing', '$HomeCounty', '$HomeTown', '$County2', '$Town2', '$County3', '$Town3') WHERE Username='{$_SESSION['Rcrd']['Usernm']}' AND Password='{$_SESSION['Rcrd']['Psswrd']}'"); But even better would be to format your query neatly! |
example is very bad for security.
ALL strings need to use mysql_real_escape_string() to ensure characters
such as quotes (') (and others, depending on the charset) are handled
properly. More importantly, it prevents SQL injection attacks.
Additionally, numeric values need to be verified that they actually are
numeric before inserting, again to prevent SQL injection attacks.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================
#10
| |||
| |||
|
|
On Jan 4, 4:16 am, Michael Joel<n... (AT) please (DOT) com> wrote: I thought there was a way to do an update in the same style format as an insert, meaning: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('".$Username."', '".$_SESSION['Rcrd']['Psswrd']."', '".$Name."', '".$BusinessName."', '".$Phone."', '".$Email."', '".$Website."', '".$Listing."', '".$HomeCounty."', '".$HomeTown."', '".$County2."', '".$Town2."', '".$County3."', '".$Town3."') WHERE Username='".$_SESSION['Rcrd']['Usernm']."' AND Password='".$_SESSION['Rcrd']['Psswrd']."'"); Thanks Mike You've got it the wrong way round. In MySQL it is possible to do an INSERT using a similar format to an UPDATE. but the converse isn't necessarily true. And if you're building your string using double quotes, do yourself a favour and dumb all the "."s, thus: $result = mysql_query("UPDATE MyTables (Username, Password, Name, BusinessName, Phone, Email, Website, Listing, County, Town, County2, Town2, County3, Town3) values ('$Username', "{$_SESSION['Rcrd']['Psswrd']}', '$Name', '$BusinessName', '$Phone', '$Email', '$Website', '$Listing', '$HomeCounty', '$HomeTown', '$County2', '$Town2', '$County3', '$Town3') WHERE Username='{$_SESSION['Rcrd']['Usernm']}' AND Password='{$_SESSION['Rcrd']['Psswrd']}'"); But even better would be to format your query neatly! |
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex (AT) attglobal (DOT) net
==================
|
« Previous Thread
|
Next Thread »
| Thread Tools | |
| Display Modes | |
Linear Mode
| |
Powered by vBulletin Version 3.5.3
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.
Copyright ©2000 - 2012, Jelsoft Enterprises Ltd.