
I'm trying to do the simplest thing...

I have a form with 2 fields. I want to enter data in those fields and have them write that data to my db (mssql using sqlsrv driver).

Connecting to the db isn't a problem. Here's my form processor (only set up to update quantity (qnty) at the moment):

require_once 'dbconnect.php';

$partno = $_POST["partno"];
$qnty = $_POST["qnty"];

$sql = 'UPDATE WestDevDB SET LocationQty = $_POST["qnty"]';

$result = sqlsrv_query($conn,$sql) or die(sqlsrv_errors());

All I get is the error:

Notice: Array to string conversion in filepath\file.php on line 8 Array

and nothing writes.

I've tried changing $_POST["qnty"] to $_POST["qnty"][0] thinking that would solve the issue, but it makes no difference.

Any thoughts on this?

muzaffar
danzo

3 Answers

You should use params to avoid SQL injection and errors on string concatenations.

$qnty = $_POST["qnty"];
//sanitize $qnty ( !is_null, is_numeric, ... )
$sql = "UPDATE WestDevDB SET LocationQty = ( ?)";
$params = array( $qnty );

$stmt = sqlsrv_query( $conn, $sql, $params);
if( $stmt === false ) {
     die( print_r( sqlsrv_errors(), true));
}

More sqlsrv_query update samples at Microsoft MSDN.

dani herrera

Basic PHP Syntax 101: '-quoted strings do NOT interpolate variables. That means your query definition:

$sql = 'UPDATE WestDevDB SET LocationQty = $_POST["qnty"]';

is sending the literal characters $, _, P etc... as the value to compare LocationQty against. That also means that your query is causing a syntax error, because $_ etc... is not a valid field name, in pretty much any database under the sun.

And even if '-quoted strings DID interpolate variables:

a) you'd be wide open for sql injection attacks anyways.
b) Array keys cannot be quoted inside strings, unless you are using the {} syntax:

$sql = "UPDATE ... = {$_POST['qnty']};"
or
$sql = "UPDATE ... = " . $_POST['qnty'];
Marc B

None of the answers above are answering the question. You have no WHERE statement. You are attempting to set LocationQty for every row in your database table. That's why it's not working.
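Putting the three answers together, here is an added example (not code from the question or from any of the answers) of the form processor written the way the answers recommend: input is validated before it reaches the driver, the values travel as sqlsrv parameters rather than being spliced into the SQL text, and a WHERE clause restricts the UPDATE to one part. The table and column names WestDevDB and LocationQty come from the question; the key column name PartNo, the 50-character limit on a part number, and the $conn resource produced by dbconnect.php are assumptions made for the illustration. It also fixes the notice the asker saw: sqlsrv_errors() returns an array, and handing an array to die() is exactly what PHP reports as "Array to string conversion" before printing the word Array.

```php
<?php
// Added example, not the question's or the answers' own code. Assumes
// dbconnect.php defines $conn (an sqlsrv connection resource) and that the
// table WestDevDB has a key column named PartNo (assumed name).
require_once 'dbconnect.php';

/**
 * Update the quantity of a single part.
 * Returns the number of rows changed, or null on invalid input or a
 * database error (details go to the server log, not to the browser).
 */
function updateLocationQty($conn, $partno, $qnty)
{
    // Validate before touching the database: the quantity must be a
    // non-negative integer and the part number a non-empty, bounded string.
    $qnty = filter_var($qnty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($qnty === false || !is_string($partno) || $partno === '' || strlen($partno) > 50) {
        return null;
    }

    // Placeholders keep user data out of the SQL text entirely, and the WHERE
    // clause limits the change to one part instead of every row in the table.
    $sql    = 'UPDATE WestDevDB SET LocationQty = ? WHERE PartNo = ?';
    $params = [$qnty, $partno];

    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        // sqlsrv_errors() returns an array; format it instead of passing it
        // to die(), which is what produced "Array to string conversion".
        error_log(print_r(sqlsrv_errors(), true));
        return null;
    }

    $rows = sqlsrv_rows_affected($stmt);
    sqlsrv_free_stmt($stmt);
    return $rows === false ? null : $rows;
}

// Form handler: only act on POST and tell the user what actually happened.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rows = updateLocationQty($conn, $_POST['partno'] ?? '', $_POST['qnty'] ?? '');
    if ($rows === null) {
        http_response_code(400);
        echo 'Update failed: invalid input or database error (see server log).';
    } elseif ($rows === 0) {
        // A valid query that matches no row is not an error, but the asker
        // would otherwise see "nothing writes" with no explanation.
        echo 'No row matched that part number; nothing was changed.';
    } else {
        echo 'Updated ' . (int) $rows . ' row(s).';
    }
}
```

The zero-rows branch is worth keeping: with a WHERE clause in place, a mistyped part number silently changes nothing, and sqlsrv_rows_affected() is the only way to tell that case apart from a successful update.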