2

I have this PHP SQL statement:

$updateCategory = "UPDATE category 
                   SET name=".$name.", description=".$description.",
                       parent=".$parent.", active=".$active." 
                   WHERE id=".$catID."";

What is the best way to write this?

Thanks,

Chris.

2 Comments
  • How do you mean? Are you looking for a different query, formatting/layout options, maybe tips on how to use PDO, comments on injection, tips for speed... what is your question? Commented Mar 25, 2011 at 14:13
  • This seems pretty subjective, but Michiel Pater's answer is as good as any. You could also look into using prepared statements, which is a good practice and cuts down on the amount of annoying string concatenation you need to do. Commented Mar 25, 2011 at 14:15

4 Answers

14

I suggest you use prepared statements instead of concatenating the query string together:

$sql = 'UPDATE 
           category
        SET
           name=:name,
           description=:description,
           parent=:parent, 
           active=:active
        WHERE
           id=:catID';

if you are using PDO, which I strongly suggest, you would then call it like this:

$params = array(
    ':name'        => $name,
    ':description' => $description,
    ':parent'      => $parent,
    ':active'      => $active,
    ':catID'       => $catID
);

$stmt = $pdo->prepare($sql);
$stmt->execute($params);

You might ask, "why all this hassle?" The advantages of this approach are quite overwhelming:

  • You don't have to care about SQL injection, since the database driver now handles the correct transformation of the input parameters
  • You don't have to care about escaping special characters, but you can concentrate on what you want to achieve rather than on how to achieve it :-)

Comments
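As an added example (not the answerer's code), the parameterized UPDATE from the answer above run end to end against an in-memory SQLite database, with explicit bindValue() types so integers and NULL are passed as such; table and column names follow the question, the rows and the input string are constructed here.

```php
<?php
// Added example, not part of the answer above: runs the parameterized UPDATE
// against an in-memory SQLite database so it can be tried without a MySQL server.
// Table and column names follow the question; the rows and inputs are constructed here.

function updateCategory(PDO $pdo, int $catID, string $name, string $description, ?int $parent, bool $active): int
{
    $sql = 'UPDATE category
            SET name = :name, description = :description,
                parent = :parent, active = :active
            WHERE id = :catID';
    $stmt = $pdo->prepare($sql);
    // Bind each value with an explicit type: the value travels separately from the
    // SQL text, so quotes or keywords inside it are data, not part of the statement.
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':description', $description, PDO::PARAM_STR);
    $stmt->bindValue(':parent', $parent, $parent === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    $stmt->bindValue(':active', (int) $active, PDO::PARAM_INT);
    $stmt->bindValue(':catID', $catID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    // With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES => false so the
    // server binds the parameters natively instead of the client interpolating them.
]);
$pdo->exec('CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT, description TEXT, parent INTEGER, active INTEGER)');
$pdo->exec("INSERT INTO category VALUES (1, 'old', 'old desc', NULL, 0), (2, 'other', 'untouched', NULL, 1)");

// Constructed input containing the characters that break the concatenated query in the
// question (a single quote, double quotes and a comment marker). Bound, it is stored as-is.
$name = "O'Reilly's \"Best\" -- still part of the name";
$updated = updateCategory($pdo, 1, $name, 'new desc', null, true);

$row = $pdo->query('SELECT name, parent, active FROM category WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($updated === 1, $row['name'] === $name, $row['parent'] === null, (int) $row['active'] === 1);
// Row 2 is untouched because the WHERE clause was bound to id 1 only.
```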

2

You could format it like this to make it more readable.

$updateCategory = "
    UPDATE
        category
    SET
        `name` = '" . $name . "',
        `description` = '" . $description . "',
        `parent` = '" . $parent . "',
        `active` = '" . $active . "'
    WHERE
        `id` = '" . $catID . "'";

3 Comments

  • why not simply $name or {$name} without those hard-to-read concatenations?
  • @bazmegakapa: I find it more readable because of syntax highlighting.
  • OK with that, just a suggestion. I prefer {$name} for the same reason actually...
1

I find that concatenating queries causes me major headaches with syntax errors-- all those quotes and dots sprinkled around like pepper. Here's how I would write the query:

$updateCategory = "
    UPDATE category     
    SET catname = '$name', description = '$description', 
        parent = '$parent', active = '$active'
    WHERE id = '$catID'"; 

Note that "name" is a reserved word and should not be used as a column name. Also if id is an integer, $catID doesn't need to be quoted.

Comments

0

You can try:

$update = "update table_name SET name = '$name', email = '$email', password = '$password', phoneno = '$phoneno' WHERE id = '$id'";

Comments
