
As a novice MySQL user I tried to insert, but I just read on the MySQL documentation that you can only insert on blank rows. My UPDATE statement needs work though, and I'm not sure that I have the syntax correct.

$query3 = "UPDATE `offices` SET `scash`="$total" WHERE `officename`="$office"";

offices is the table name. scash is the row to be updated. $total is a variable pulled from a post. $office is a variable pulled from the same database. I only want to set scash to total where the officename is $office.

Parse error: syntax error, unexpected T_VARIABLE is the error I'm getting.

    Please learn how to use proper SQL escaping before you hurt yourself. This query is extremely dangerous. Commented Oct 22, 2012 at 17:42

3 Answers

$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";

Replace the double quotes with normal quotes in the string since double quotes are string delimiters and can't be used in the string.

And as Marc B mentioned, your code might be vulnerable to SQL injection. See this post for how you can avoid that.


4 Comments

and for the average php novice, better mention something about SQL injection
I really appreciate your efforts. I don't know what I'd do without you guys.
The best way to say thanks is to learn PDO or mysqli so you don't fall into this trap again in the future.
I'm on my way to learning mysqli, unfortunately, I'm under a time crunch right now, so this is the route I have to take. I can update my code as of next week.

You are going wrong at quotes

$query3 = "UPDATE `offices` SET `scash`='$total' WHERE `officename`='$office'";

Also always use LIMIT 1 if you want to update just a single row...

And sanitize your inputs before updating your row; at least use mysqli_real_escape_string()

5 Comments

Using LIMIT 1 on an UPDATE is bad advice. Your WHERE clause should be more specific if you're having limit issues.
Yes, there is harm. It makes no sense, for one, and secondly leads to a false sense of security. Randomly updating one row is crazy.
The problem with LIMIT 1 is you don't get to say what row. MySQL will just pick one randomly for you, which leads to unpredictable behavior.
Additionally, if you're using mysqli and somehow involve mysqli_real_escape_string in your code you're doing it wrong. Please use placeholders for all data escaping.
The WHERE clause doesn't have a limit, the UPDATE does. It's generally wrong to do this. You really don't have a leg to stand on here.
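
The placeholder approach recommended in the comments above, shown next to the interpolated query from the answers. This is an added example, not part of the original thread. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL server so the script runs offline, and the function names and sample inputs are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE offices (officename TEXT PRIMARY KEY, scash INTEGER)");
$pdo->exec("INSERT INTO offices VALUES ('north', 100), ('south', 200), ('east', 300)");

// Builds the query the way the answers do: values interpolated into the SQL string.
function updateInterpolated(PDO $pdo, string $total, string $office): int
{
    $sql = "UPDATE offices SET scash='$total' WHERE officename='$office'";
    return $pdo->exec($sql); // number of rows changed
}

// Same update with placeholders: the SQL text is fixed, values are bound separately.
function updatePrepared(PDO $pdo, string $total, string $office): int
{
    if (!ctype_digit($total)) {
        throw new InvalidArgumentException('total must be a non-negative integer');
    }
    $stmt = $pdo->prepare('UPDATE offices SET scash = :total WHERE officename = :office');
    $stmt->bindValue(':total', (int) $total, PDO::PARAM_INT);
    $stmt->bindValue(':office', $office, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed inputs, standing in for the values taken from $_POST.
$inputs = [
    'plain name'          => 'north',
    'name with a quote'   => "o'hare",
    'quote plus SQL text' => "nowhere' OR '1'='1",
];

foreach ($inputs as $label => $office) {
    foreach (['updateInterpolated', 'updatePrepared'] as $fn) {
        $pdo->beginTransaction();
        try {
            $result = $fn($pdo, '500', $office) . ' row(s) changed';
        } catch (PDOException $e) {
            $result = 'SQL error';
        }
        $pdo->rollBack(); // keep the table identical for every run
        printf("%-20s %-19s %s\n", $label, $fn, $result);
    }
}
```

Against MySQL only the DSN passed to `new PDO(...)` changes; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.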

If you still want to use double quotes inside double quotes, escape them.

Your query can be modified as follows:

$query3 = "UPDATE `offices` SET `scash`=\"$total\" WHERE `officename`=\"$office\"";
