Hi, I'm trying to update my MySQL database but I'm having problems and I'm not getting an error message. Someone here said to add mysqli_real_escape_string but that didn't solve the problem. Can anyone help me please? I've been stuck on this for 3 days.

PHP
<?php
// $link is the mysqli connection created with mysqli_connect() (see the comment below).
$uuid = $_REQUEST['uuid'];
$type = $_REQUEST['type'];
$msg = $_REQUEST['message'];
$name = $_REQUEST['name'];
$time = $_REQUEST['time'];
$uuid = mysqli_real_escape_string($link, $uuid);
$type = mysqli_real_escape_string($link, $type);
$msg = mysqli_real_escape_string($link, $msg);
$name = mysqli_real_escape_string($link, $name);
$time = mysqli_real_escape_string($link, $time);
// Two defects in the original line: `Key` is a reserved word in MySQL and must be
// quoted with backticks, and `or (mysqli_error($link))` only evaluated the error
// text and discarded it, so a failed query produced no output at all.
mysqli_query($link, "UPDATE AlertPack SET Type = '$type', Message = '$msg', Time = '$time', Sender = '$name' WHERE `Key` = '$uuid'") or die(mysqli_error($link));
?>
Comments
Thomas Daniels 8-Mar-15 12:42pm
What's $link?
Member 11472678 8-Mar-15 12:44pm
$link = mysqli_connect('HOST', 'USER', 'PASS', 'DATABASE') or die("cannot connect" . mysqli_connect_error());

1 solution

Before you proceed, please read this: http://en.wikipedia.org/wiki/SQL_injection.

Can you see that your whole approach is wrong from the very beginning? Anyone can send an HTTP request, and all those $msg, $type and the rest can be anything, including… fragments of SQL syntax.

What to do? Please start here:
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php,
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.

—SA
Comments
Member 11472678 8-Mar-15 13:09pm
I've looked at those pages and I can't understand them; that's why I'm asking for help. I'm not concerned about SQL injections at the moment, that can come later. I just need to get the thing working.
Sergey Alexandrovich Kryukov 8-Mar-15 13:16pm
First, "I can't understand" is not informative. You need to ask questions if something is not clear.

Second, "I'm not concerned" does not give a way to further constructive discussion. You have to be concerned, but this is not even the main point. Your approach is still wrong from the very beginning; and you really need to use prepared statements instead of your string formatting to form the query. Ignoring this point, or trying to fix your other problems would mean discussing your work along wrong lines, which would be a waste of time. So, please, come back to the prepared statements.

—SA
Member 11472678 8-Mar-15 13:28pm
Can you give me an example? I'm looking at http://www.sanwebe.com/2013/03/basic-php-mysqli-usage for prepared statements for update and I can't get my head around it, sorry. Is it possible for you to give me an example?
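The following is an added example, not code from the original question or from any of the people in this thread: it is the same UPDATE against the AlertPack table written as a mysqli prepared statement, which is what the solution above asks for. The table and column names come from the question; the connection details are placeholders. It also turns on mysqli exception reporting, so a failing query (for instance one that hits the reserved word `Key` unquoted) is reported instead of silently doing nothing, which is the behaviour the question describes.

```php
<?php
// Added example (not from the original post). Assumptions: the AlertPack table
// and its columns Type, Message, Time, Sender and Key exist as in the question;
// 'HOST', 'USER', 'PASS' and 'DATABASE' are placeholders for real credentials.

// Make mysqli throw mysqli_sql_exception on any connection or query error,
// so nothing fails silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Update one AlertPack row with a prepared statement and return the number of
// rows actually changed. The values are sent to MySQL separately from the SQL
// text, so they can never be parsed as SQL, and no escaping is needed.
function update_alert(mysqli $link, $uuid, $type, $msg, $time, $name)
{
    // `Key` is a reserved word in MySQL, so it must be quoted with backticks.
    $sql = 'UPDATE AlertPack SET Type = ?, Message = ?, Time = ?, Sender = ? WHERE `Key` = ?';

    $stmt = mysqli_prepare($link, $sql);
    // 's' per placeholder: every value is bound as a string, in placeholder order.
    mysqli_stmt_bind_param($stmt, 'sssss', $type, $msg, $time, $name, $uuid);
    mysqli_stmt_execute($stmt);

    $changed = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $changed;
}

// Read a request field, defaulting to an empty string if it is missing.
function request_field($name)
{
    return isset($_REQUEST[$name]) ? $_REQUEST[$name] : '';
}

try {
    $link = mysqli_connect('HOST', 'USER', 'PASS', 'DATABASE');

    $changed = update_alert(
        $link,
        request_field('uuid'),
        request_field('type'),
        request_field('message'),
        request_field('time'),
        request_field('name')
    );

    // 0 rows can mean "no row has that Key" or "the row already had these
    // values"; it is not an error, so report it explicitly.
    echo $changed . " row(s) updated\n";

    mysqli_close($link);
} catch (mysqli_sql_exception $e) {
    // Log the real reason server-side; do not echo raw SQL errors to users.
    error_log('AlertPack update failed: ' . $e->getMessage());
    http_response_code(500);
    echo "update failed\n";
}
```

Calling the script with the same uuid, type, message, time and name request fields as the original gives the same update, but a query that MySQL rejects now ends up in the error log with the server's message instead of returning without a trace, and the affected-row count tells you whether the WHERE clause matched anything.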

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)