This question is a bit basic and has been covered many times, but I'm not sure why my code doesn't do anything. It doesn't update the string at all.

This is my code:

$fineImage = "users_fav/".$_GET['id']."/$newname";


$icon = "<img src='images/icon.png' height='70' width='70'  />";

$sql = "UPDATE $lchat SET user_message = replace(user_message, '$icon', '$fineImage')";
$query = mysqli_query($db_conx, $sql);

The problem is that if I change the '$icon', '$fineImage' to something like 'david', 'mark', it works fine and it will replace the david with mark...!

So why doesn't it work the way I do it?

  • When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation to accomplish this because you will create severe SQL injection bugs. You're probably having some kind of quoting issue here due to your use of string concatenation. Commented Oct 7, 2014 at 20:52
  • @tadman, care to explain further please? Commented Oct 7, 2014 at 20:53
  • @tadman, I thought that myself.. +1 for pointing that out.. Commented Oct 7, 2014 at 20:54
  • @NoahMatisoff, nobody can understand what?! Commented Oct 7, 2014 at 20:55
  • I'd also be extremely careful when using variables like $lchat in your queries. Does this table name change? If not, put it in directly. Every variable you have in your query creates an opportunity for problems you do not want to have. Commented Oct 7, 2014 at 20:57

2 Answers

It's likely that your call to MySQL's REPLACE(input, before, after) is failing to find before in its input, so is returning input unmodified.

Why could this be? Several reasons:

  1. user_message doesn't contain what you think it contains. For example, are the < and > tags entitized (that is, coded with &lt; and the like)?
  2. you're replacing a full <img..> tag with your $fineImage. Is $fineImage also an <img ...> tag?
  3. your before parameter contains embedded single quote characters. That could conspire to make your SQL string invalid.
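
The quoting problem from point 3 and the bound-parameter approach recommended in the comments, as an added example that is not part of the original thread. The function name replaceIconInMessages(), the table allow-list and the sample path are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread.

// 1) What the interpolated query looks like once PHP has built the string.
//    $icon contains single quotes, so the SQL string literal ends right
//    after "<img src=" and the statement is no longer valid SQL.
$icon      = "<img src='images/icon.png' height='70' width='70'  />";
$fineImage = "users_fav/42/photo.png";             // constructed sample value
$broken = "UPDATE chat SET user_message = replace(user_message, '$icon', '$fineImage')";
echo $broken, PHP_EOL;

// 2) The same UPDATE with bound parameters: the values travel separately
//    from the SQL text, so quotes inside them cannot alter the statement.
function replaceIconInMessages(mysqli $db, string $table, string $icon, string $fineImage): int
{
    // Identifiers cannot be bound, so accept only known table names.
    $allowedTables = ['chat', 'chat_archive'];     // hypothetical names
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException("Unexpected table name");
    }

    $sql  = "UPDATE `$table` SET user_message = REPLACE(user_message, ?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }

    $stmt->bind_param('ss', $icon, $fineImage);    // both values are strings
    if (!$stmt->execute()) {
        throw new RuntimeException("execute failed: " . $stmt->error);
    }

    $changed = $stmt->affected_rows;  // 0 means no stored message contained $icon
    $stmt->close();
    return $changed;
}

// Usage, given an open connection such as $db_conx from the question:
// $n = replaceIconInMessages($db_conx, 'chat', $icon, $fineImage);
```

Checking the return value of prepare() and execute() also surfaces the SQL error that the original mysqli_query() call discarded silently.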

Try this:-

$sql = "UPDATE {$lchat} SET `user_message` = replace(`user_message`, '{$icon}', '{$fineImage}')";

Make sure you have $lchat, $icon, $fineImage defined. :)
