0

This is probably a very trivial question but I've been struggling with it for a while and also tried finding answers online and still getting errors.

Trying to write a simple UPDATE query for a PHP/MySQL form:

  $sql="UPDATE mytable SET numericValue = '".$someid."', description = '".$sometext."' WHERE id='".$myid."' ";

Whilst all numeric values are being passed and updated fine, I can't get the description right. The description column is a VARCHAR and $sometext is a string, and I can't get it escaped / wrapped with quotes correctly.

2 Answers

1

You should make use of sprintf, it avoids string confusion by providing placeholders (%d for decimals, %s for strings). See the manual for more.

$sql= sprintf("UPDATE mytable SET numericValue = %d, description = '%s' WHERE id = %d", $someid, $sometext, $myid);

If $sometext is coming from GET/POST/.. you should wrap a mysql_real_escape_string() around it to prevent SQL injection (or use PDO prepared statements).


2 Comments

sprintf() is an ugly method if it's a complex query with lots of values to insert. Far too easy to misplace parameters. Better to massage the values before building the string and then build it "traditionally", or better yet, yes, use PDO.
I did try the sprintf method, however still not successful. The record is being updated but only the numeric values change - no SQL errors but the VARCHAR doesn't get updated.
0
$sql="UPDATE mytable SET numericValue = '$someid' , description = '$sometext' WHERE id='$myid' ";

I think you have to worry about sql injection.

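Both answers point at the same risk: the moment a form value is pasted into the SQL text, a single quote in the description (a perfectly normal character in a VARCHAR) both breaks the query and opens it to injection. The example below is added here and is not code from the question or either answer; it puts the question's concatenated UPDATE next to a PDO prepared statement so the difference is visible. It runs stand-alone against an in-memory SQLite database (the table, column names and row data are constructed to match the question; with MySQL only the DSN and credentials would change).

```php
<?php
// Added example: the question's UPDATE written two ways, run against a
// constructed in-memory SQLite table with the question's column names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, numericValue INTEGER, description VARCHAR(255))");
$pdo->exec("INSERT INTO mytable (id, numericValue, description) VALUES (1, 10, 'original text')");

// Pattern from the question: values spliced into the SQL string.
// Any quote in $sometext becomes part of the SQL grammar.
function updateByConcatenation(PDO $pdo, int $myid, int $someid, string $sometext): int
{
    $sql = "UPDATE mytable SET numericValue = '" . $someid . "', description = '" . $sometext . "' WHERE id='" . $myid . "' ";
    return $pdo->exec($sql);
}

// Prepared statement: the SQL is fixed at prepare() time and the values are
// bound separately, so they are always treated as data, never as SQL.
function updateWithPreparedStatement(PDO $pdo, int $myid, int $someid, string $sometext): int
{
    $stmt = $pdo->prepare("UPDATE mytable SET numericValue = :num, description = :descr WHERE id = :id");
    $stmt->bindValue(':num', $someid, PDO::PARAM_INT);
    $stmt->bindValue(':descr', $sometext, PDO::PARAM_STR);
    $stmt->bindValue(':id', $myid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Helper to read the stored description back for the demonstration.
function readDescription(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare("SELECT description FROM mytable WHERE id = :id");
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed form input containing an apostrophe, the ordinary case that
// the concatenated query cannot handle.
$sometext = "O'Reilly's book";

try {
    updateByConcatenation($pdo, 1, 42, $sometext);
    echo "Concatenated update succeeded (unexpected)" . PHP_EOL;
} catch (PDOException $e) {
    // The apostrophe terminated the string literal early; the rest is a syntax error.
    echo "Concatenated update failed: " . $e->getMessage() . PHP_EOL;
}

$rows = updateWithPreparedStatement($pdo, 1, 42, $sometext);
echo "Prepared update changed $rows row(s); description is now: " . readDescription($pdo, 1) . PHP_EOL;
```

The same binding approach is available through mysqli's prepare()/bind_param() if PDO is not an option. Note that mysql_real_escape_string(), mentioned in the first answer, belongs to the old mysql extension that was removed in PHP 7, so prepared statements are the only one of the two suggestions that still applies on a current PHP build.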
