
Is it possible to add WHERE id = '$id' to the end of my $query string? My $query string reads as:

 $query = 'UPDATE students SET ' . join (' , ', $sqlConditions);

Thanks

2 Answers
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = "' . $id . '"';

If $id is just a number (most likely) you can do...

$query = 'UPDATE students SET ' . join (' , ', $sqlConditions) . ' WHERE id = ' . $id;

Also use mysql_real_escape_string() as ZombieHunter replied in his answer.


1 Comment

This returns, for example, UPDATE students SET lastname = 'test' WHERE id = "$id". It does not reveal the value of the variable :/

Do not append variables directly. Use mysql_real_escape_string() to avoid potential SQL injections!

I strongly encourage you to read this page about SQL injections:
http://www.php.net/manual/en/security.database.sql-injection.php

If $sqlConditions contains more than one condition (as the variable name states), this is a dangerous operation. Anyway, if you really want to use it this way, you need to put it after the WHERE condition.

$query = 'UPDATE students SET column = value WHERE ' . join(' , ', $sqlConditions) . ' AND id = ' . mysql_real_escape_string($id);

If $sqlConditions contains the SET statement this is a dangerous operation too. Use the actual column names together with mysql_real_escape_string():

$query = 'UPDATE students SET column1 = value1, column2 = value2 WHERE id = ' . mysql_real_escape_string($id);
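Both answers above build the UPDATE by concatenating $id (and the SET pairs) into the string, which is exactly the pattern the linked SQL-injection page warns about. The following is an added example, not code from the question or either answer, showing the same UPDATE ... WHERE id = ... built with PDO placeholders instead. It assumes the SET pairs are available as an associative array of column => value (here called $fields) rather than the pre-built strings in $sqlConditions, and it uses an in-memory SQLite table constructed inline so the script runs offline; the table name students and the column names are taken from the question, the whitelist of allowed columns is an assumption.

```php
<?php
// Added example (not from the question or either answer): build the UPDATE with
// bound parameters instead of concatenating $id and the SET pairs into the SQL.
// Assumes $fields is an associative array column => new value and that the
// database is opened with PDO; the SQLite table below is constructed so the
// script runs stand-alone, any PDO driver behaves the same way.

// Column names cannot be bound as parameters, so an explicit whitelist is the
// check that keeps a caller-controlled key from being pasted into the SQL.
// The list itself is an assumption for this example.
const ALLOWED_COLUMNS = ['firstname', 'lastname', 'email'];

/**
 * Build "UPDATE students SET col1 = :col1, col2 = :col2 WHERE id = :id"
 * together with the parameter array to bind.
 *
 * @param array<string,string> $fields column => value
 * @return array{0:string,1:array<string,mixed>}
 */
function buildStudentUpdate(array $fields, int $id): array
{
    if ($fields === []) {
        throw new InvalidArgumentException('nothing to update');
    }
    $setParts = [];
    $params   = [];
    foreach ($fields as $column => $value) {
        if (!in_array($column, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        $setParts[]         = "$column = :$column";
        $params[":$column"] = $value;
    }
    $params[':id'] = $id;
    $sql = 'UPDATE students SET ' . implode(', ', $setParts) . ' WHERE id = :id';
    return [$sql, $params];
}

/** Run the update and return the number of rows that were changed. */
function updateStudent(PDO $db, array $fields, int $id): int
{
    [$sql, $params] = buildStudentUpdate($fields, $id);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);   // values travel separately from the SQL text
    return $stmt->rowCount();
}

// --- constructed sample data so the script runs stand-alone ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, email TEXT)');
$db->exec("INSERT INTO students VALUES (1, 'Ada', 'Lovelace', 'ada@example.test')");
$db->exec("INSERT INTO students VALUES (2, 'Alan', 'Turing', 'alan@example.test')");

// A value containing a quote would break a concatenated query; bound, it is
// stored literally and no escaping call is needed.
$rows = updateStudent($db, ['lastname' => "O'Brien"], 1);
echo "rows updated: $rows\n";

$row = $db->query('SELECT lastname FROM students WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo "lastname now: {$row['lastname']}\n";

// A column that is not on the whitelist is rejected before any SQL is built.
try {
    buildStudentUpdate(['role' => 'admin'], 2);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Keeping the column whitelist separate from the bound values is the point of the design: placeholders protect every value, including $id, while the whitelist is the only thing protecting the identifiers, because no driver can bind a column name. With the legacy mysql_* functions the same idea applies, but mysql_real_escape_string() only covers values, so the check on column names is still required there.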
