<?php
    require 'functions/connection.php';
    $conn = Connect();
    $e_id = $conn->real_escape_string($_POST['e_id']);
    $first_name = $conn->real_escape_string($_POST['first_name']);
    $last_name = $conn->real_escape_string($_POST['last_name']);
    $e_salary = $conn->real_escape_string($_POST['e_salary']);
    $e_startdate = $conn->real_escape_string($_POST['e_startdate']);
    $e_department = $conn->real_escape_string($_POST['e_department']);          
    $sql = "UPDATE employee SET firstname='$first_name' WHERE id=$e_id";
    if (mysqli_query($conn, $sql)) {
        echo "Record updated successfully";
    } else {
        echo "Error updating record: " . mysqli_error($conn);
    }
    mysqli_close($conn);
?>

I'm trying to use the first_name variable inside the update query.

I tried echoing the variable and it's working. This is the connection code that I'm using.

<?php


function Connect()
{
 $dbhost = "localhost";
 $dbuser = "root";
 $dbpass = "";
 $dbname = "company";

 // Create connection. new mysqli() always returns an object (truthy), so
 // "new mysqli(...) or die(...)" never fires; check connect_error instead.
 $conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
 if ($conn->connect_error) {
     die("Connection failed: " . $conn->connect_error);
 }

 return $conn;
}

?>

If I replace the variable with anything between "", the database is getting updated.

  • Are you getting any error? Also, you are mixing the object-oriented and procedural ways. Show your connection.php file. Commented Oct 5, 2017 at 9:11
  • Try single quotes around the $e_id variable. Commented Oct 5, 2017 at 9:15
  • Best practice is to use prepared statements. PDO is good for this, but if you are set on using mysqli, see: php.net/manual/en/mysqli.prepare.php Commented Oct 5, 2017 at 9:18
  • @B.Desai I'm getting the following error: Error updating record: Unknown column 'rida' in 'field list' Commented Oct 5, 2017 at 10:25

2 Answers

I'd suggest making it more secure and using prepared statements. This is an example using mysqli, but I prefer PDO:

    <?php
        require 'functions/connection.php';
        $conn = Connect();

        // Prepare the query: placeholders instead of values pasted into the SQL text
        $myQuery = $conn->prepare("UPDATE employee SET firstname=? WHERE id=?");
        if ($myQuery === false) {
            die('Error preparing statement: ' . $conn->error);
        }

        $e_id = $conn->real_escape_string($_POST['e_id']);
        $first_name = $conn->real_escape_string($_POST['first_name']);
        $last_name = $conn->real_escape_string($_POST['last_name']);
        $e_salary = $conn->real_escape_string($_POST['e_salary']);
        $e_startdate = $conn->real_escape_string($_POST['e_startdate']);
        $e_department = $conn->real_escape_string($_POST['e_department']);

        // Bind your variables to the placemarkers (string, integer)
        $myQuery->bind_param('si', $first_name, $e_id);

        if ($myQuery->execute() == false) {
            // the error belongs to the statement object ($mysqli is not defined here)
            echo 'Error updating record: ' . $myQuery->error;
        } else {
            echo 'Record updated successfully';
        }
        $myQuery->close();
        $conn->close();
    ?>

Note: The 'cleansing' you're doing in the middle I have left, but it's not really necessary with prepared statements.


2 Comments

Actually, you want to remove the 'cleansing', if you want to match existing records for people such as O'hara and the like...
True, in this instance it looks like an integer ID lookup though. I wanted to leave it there for a talking point, as opposed to doing it for the OP and the issue going under the radar, but you're absolutely correct.

functions/connection.php (Now an object):

<?php
class Connect
{
 private $dbhost = "localhost";
 private $dbuser = "root";
 private $dbpass = "";
 private $dbname = "company";

 public $conn;

 public function __construct()
 {
    // new mysqli() always returns an object, so the assignment is always truthy;
    // test connect_error to find out whether the connection actually succeeded
    $this->conn = new mysqli($this->dbhost, $this->dbuser, $this->dbpass, $this->dbname);
    if($this->conn->connect_error)
    {
      //Error occurred
      die($this->conn->connect_error);
    }
    //connection established
    //do whatever you want here
 }

 //other functions here

}

?>

Change mysqli_query to: $conn->conn->query($sql);

Prepared statement: avoids SQL injection

if($stmt = $conn->conn->prepare("UPDATE employee SET firstname = ? WHERE id = ?"))
{
    $stmt->bind_param('si', $first_name, $e_id);
    $stmt->execute();
    echo $stmt->affected_rows;
}

Final code:

<?php
    require 'functions/connection.php';
    $conn = new Connect();
    // The values are bound as parameters below, so they are not escaped here:
    // escaping a value that is then bound stores the escape characters literally
    // (e.g. O\'hara instead of O'hara)
    $e_id = $_POST['e_id'];
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $e_salary = $_POST['e_salary'];
    $e_startdate = $_POST['e_startdate'];
    $e_department = $_POST['e_department'];

    if($stmt = $conn->conn->prepare("UPDATE employee SET firstname = ? WHERE id = ?"))
    {
        $stmt->bind_param('si', $first_name, $e_id);
        if($stmt->execute())
        {
            echo $stmt->affected_rows;
        }
        else
        {
            echo 'Error updating record: ' . $stmt->error;
        }
        $stmt->close();
    }
    else
    {
        echo 'Error preparing statement: ' . $conn->conn->error;
    }
    $conn->conn->close();
?>

2 Comments

This isn't recommended - you should be using prepared statements for this kind of thing
Updated answer @ChrisJ
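The injection that the comments and both answers are addressing, as an added example that is not from the question or from either answer. It runs the same UPDATE against an in-memory SQLite database so it works offline: SQLite stands in for MySQL, the `employee` rows are constructed sample data, and `escape()` mimics what an escape-string helper does for this dialect (it doubles single quotes, where mysqli's real_escape_string uses backslashes). It shows why escaping cannot protect the unquoted `WHERE id=$e_id` from the question, why the bound version from the answers can, and what goes wrong when a value is escaped and then bound (the O'hara case from the comments).

```python
"""
Added example (not code from the original question or answers).
SQLite is used as a stand-in for MySQL so the script runs offline.
"""
import sqlite3

# Constructed sample rows, not real data.
SEED = [(1, "Alice"), (2, "Bob"), (3, "Carol")]


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, firstname TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?)", SEED)
    return conn


def escape(value: str) -> str:
    """Dialect string-literal escaping, the job real_escape_string does for MySQL.
    SQLite only knows the doubled-quote form, so that is what is mimicked here."""
    return value.replace("'", "''")


def update_interpolated(conn: sqlite3.Connection, e_id: str, first_name: str) -> None:
    """The pattern from the question: escaped values pasted into the SQL text.
    firstname sits inside quotes, so escaping protects it; id does NOT, so the
    escaped text is still parsed as SQL."""
    sql = f"UPDATE employee SET firstname='{escape(first_name)}' WHERE id={escape(e_id)}"
    conn.execute(sql)
    conn.commit()


def update_parameterized(conn: sqlite3.Connection, e_id: str, first_name: str) -> int:
    """The prepared-statement pattern from the answers: the SQL text is fixed and
    the values travel separately. The id is validated as an integer first instead
    of being silently coerced. Returns the number of rows updated."""
    if not e_id.isdigit():
        raise ValueError("e_id must be a positive integer")
    cur = conn.execute("UPDATE employee SET firstname=? WHERE id=?", (first_name, int(e_id)))
    conn.commit()
    return cur.rowcount


def names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT firstname FROM employee ORDER BY id")]


def demo_interpolated_injection() -> list:
    """'1 OR 1=1' contains no quote, so escape() returns it unchanged and the
    interpolated query rewrites every row."""
    conn = fresh_db()
    update_interpolated(conn, "1 OR 1=1", "pwned")
    return names(conn)


def demo_parameterized_rejects_injection() -> list:
    """The same payload against the bound query never reaches the SQL parser."""
    conn = fresh_db()
    try:
        update_parameterized(conn, "1 OR 1=1", "pwned")
    except ValueError:
        pass
    return names(conn)


def demo_double_escape() -> tuple:
    """Escaping a value and then binding it stores the escape characters
    literally; binding the raw value stores the name as typed."""
    conn = fresh_db()
    update_parameterized(conn, "2", escape("O'hara"))   # wrong: escaped, then bound
    mangled = names(conn)[1]
    update_parameterized(conn, "2", "O'hara")           # right: bound as-is
    return mangled, names(conn)[1]


if __name__ == "__main__":
    print("interpolated:", demo_interpolated_injection())
    print("parameterized:", demo_parameterized_rejects_injection())
    print("double escape:", demo_double_escape())
```

Two caveats carry over to the mysqli code on this page. real_escape_string only protects a value that sits inside quotes, which is why the question's unquoted `WHERE id=$e_id` stays injectable even after escaping (the "try single quotes" comment is about exactly that). And bind_param's `i` type coerces with a PHP integer cast, so a value like `1 OR 1=1` silently becomes 1 rather than being rejected; checking `$_POST['e_id']` with `filter_var(..., FILTER_VALIDATE_INT)` before binding turns that guess into an error.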
