
I am trying to increment rows in a table using PHP PDO and I have come up with this query

UPDATE users SET log = ? 

I am trying to make an update based on the previous value of the log in each row

So, if my table was like this earlier

+----+------+------+-----------+--------+
| id | name | age  | eye_color | log    |
+----+------+------+-----------+--------+
| 21 | OLa  | 19   | black     | 1      |
| 22 | OLa  | 19   | Green     | 2      |
| 23 | OLa  | 19   | Grey      | 3      |
+----+------+------+-----------+--------+

I am expecting to get this result

+----+------+------+-----------+--------+
| id | name | age  | eye_color | log    |
+----+------+------+-----------+--------+
| 21 | OLa  | 19   | black     | 2      |
| 22 | OLa  | 19   | Green     | 3      |
| 23 | OLa  | 19   | Grey      | 4      |
+----+------+------+-----------+--------+

I found out I could make the value of my placeholder

log + 1

thereby making the full query

UPDATE users SET log = log + 1

This works well when I use PDO's query method and also from my terminal; the problem comes when I try updating this using prepared statements. If I do

$stmt = $this->pdo->prepare("UPDATE users SET log = ?");
$stml->execute(['height + 1']);

then all the log columns become 0.

Is there anything I am doing wrong? I also know I can just make the query plain

$stmt = $this->pdo->prepare("UPDATE users SET log = log + 1");
$stmt->execute();

But I would prefer my initial approach; I am working with some constraints.

  • The query execute where you used height + 1: what is height supposed to be? With the single quotes around it you are passing a literal string to the update, which is not what you intended. Commented Feb 21, 2019 at 18:56
  • You need UPDATE users SET log = height + ? and $stml->execute(['1']); Commented Feb 21, 2019 at 18:57
  • The height is supposed to be the previous value of the height from the db table; SQL works that way. Commented Feb 21, 2019 at 18:58
  • Additionally, you have a typo: $stmt vs $stml Commented Feb 21, 2019 at 18:58
  • This post makes absolutely no sense. If you need height + 1 then why does your code show log + 1? Commented Feb 21, 2019 at 18:59

2 Answers


You can't use query parameters to insert expressions to your syntax. Parameters are not just string-interpolation. If they were, there would be no benefit to using them, because you can do string-interpolation easily in PHP already.

The whole point of query parameters is that the value is combined with the query on the server, after the SQL syntax has been parsed, so it's too late for you to insert any new syntax, like an expression.

Query parameters are always treated as a single scalar value. You can't use a parameter for:

  • Table identifiers
  • Column identifiers
  • SQL keywords
  • Expressions
  • Lists of values

As others have explained, in this case, you have no need to use a query parameter anyway. Using the literal expression log + 1 directly in your query is safe. There's no untrusted content (from users or other sources) being inserted into the query, so there's no risk of SQL injection.



Since you are not getting information from the user, and it is just adding 1 to a column, you are safe executing a regular query.

UPDATE users SET log = log + 1

If you use a prepared statement you will have to query the column to get the current value and then, in a second query, do the update and add 1 to it.

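The following is an added example, not code from the question or either answer, that runs both answers' points against the question's own table: the expression kept in the SQL text increments correctly, the bound string 'log + 1' is stored as data and never evaluated, the form suggested in the comments (log + ? with only the amount bound) is both parameterised and safe, and the second answer's read-then-write approach gives the same result but is not atomic. It uses Python's sqlite3 module on an in-memory database instead of PHP PDO; the placeholder semantics (a bound value is always a single scalar) are the same in both. The seed rows are constructed from the question's table; the function names are mine.

```python
import sqlite3

# Constructed seed rows copied from the question's "before" table.
SEED_ROWS = [
    (21, "OLa", 19, "black", 1),
    (22, "OLa", 19, "Green", 2),
    (23, "OLa", 19, "Grey", 3),
]


def fresh_db():
    """In-memory SQLite database holding the question's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, "
        "eye_color TEXT, log INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SEED_ROWS)
    return conn


def log_values(conn):
    """Return the log column for every row, ordered by id."""
    return [row[0] for row in conn.execute("SELECT log FROM users ORDER BY id")]


def increment_with_expression(conn):
    """The expression lives in the SQL text, so no parameter is needed.
    The whole increment is one statement, so concurrent callers cannot
    lose an update."""
    conn.execute("UPDATE users SET log = log + 1")
    return log_values(conn)


def increment_with_bound_expression(conn):
    """What the question tried: binding the string 'log + 1' as a value.
    A placeholder is always a scalar, so the text 'log + 1' is stored,
    never parsed as SQL. SQLite keeps the string as-is; MySQL coerces a
    non-numeric string to 0 for an INTEGER column (or rejects it under
    strict SQL mode), which is the 0 the question observed."""
    conn.execute("UPDATE users SET log = ?", ("log + 1",))
    return log_values(conn)


def increment_with_bound_amount(conn, amount):
    """The parameterised form from the comments: keep `log + ?` in the SQL
    and bind only the numeric amount. Whatever is bound here is data, so it
    cannot add syntax to the statement."""
    conn.execute("UPDATE users SET log = log + ?", (amount,))
    return log_values(conn)


def increment_read_then_write(conn):
    """The two-query approach from the second answer. Same result on a quiet
    database, but the read and the write are separate statements, so two
    concurrent callers can both read 1 and both write 2 (a lost update).
    Prefer the single-statement forms above."""
    rows = conn.execute("SELECT id, log FROM users").fetchall()
    for row_id, current in rows:
        conn.execute("UPDATE users SET log = ? WHERE id = ?", (current + 1, row_id))
    return log_values(conn)


if __name__ == "__main__":
    print("expression in SQL:", increment_with_expression(fresh_db()))
    print("bound 'log + 1':  ", increment_with_bound_expression(fresh_db()))
    print("bound amount 1:   ", increment_with_bound_amount(fresh_db(), 1))
    print("read then write:  ", increment_read_then_write(fresh_db()))
```

Each call starts from a fresh copy of the table so the four variants can be compared directly; only the second one fails to increment, and it fails exactly because the placeholder did its job of treating the bound value as data.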
