-1

Can someone tell me how I can add value to database?

My code looks like this:

    if (isset($_GET['gold'])) {
        $gold = $_GET['gold'];
        mysqli_query($db_handle, "UPDATE serverplayers SET Gold='$gold' WHERE Unique_Id = '$unique_id'");
    }
    mysqli_close($db_handle);

In this code I'm setting a new value "gold" in the table "gold". But I don't want to do that. I want to add a value (+) to the current value in the "gold" table.

Note: "$gold" is my variable, "gold" is my table.

Thanks for any advice. Best Regards Piter.

  • 4
    Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 12 '18 at 12:32
  • Google: "Mysql insert" – John Conde Mar 12 '18 at 12:32
  • To add using a prepared statement, you need `SET gold = gold + ? WHERE ...`. – jeroen Mar 12 '18 at 12:37

2 Answers

0

Update your query like this:

    "UPDATE serverplayers SET Gold='".$gold."' WHERE Unique_Id = '".$unique_id."'";

Rafiqul Islam
0

This method is way too vulnerable to SQL injection; you should at least check that $_GET['gold'] is a number and isn't equal to 0.

If you want to add a number to an existing column in MySQL you should do something like:

    mysqli_query($db_handle, "UPDATE serverplayers SET Gold=(ifnull(Gold, 0) + ".$gold.") WHERE Unique_Id = '".$unique_id . "'");
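Putting the comments' advice together (a prepared statement with `Gold = Gold + ?`, plus the integer check the second answer asks for), here is an added example that is not part of either answer. It assumes `$db_handle` is the open mysqli connection and `$unique_id` the player id from the question; the `addGold` function name is mine.

```php
<?php
// Added example, not from either answer: increment Gold with a prepared
// statement so the user-supplied value is never spliced into the SQL text.
// Assumes $db_handle (open mysqli connection) and $unique_id (player id)
// exist as in the question; the function name addGold is hypothetical.

function addGold(mysqli $db_handle, string $unique_id, int $amount): int
{
    // The server does the arithmetic; IFNULL keeps a NULL balance from staying NULL.
    $sql = "UPDATE serverplayers SET Gold = IFNULL(Gold, 0) + ? WHERE Unique_Id = ?";
    $stmt = mysqli_prepare($db_handle, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($db_handle));
    }
    // "i" binds an integer, "s" a string: values travel separately from the query.
    mysqli_stmt_bind_param($stmt, 'is', $amount, $unique_id);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $rows; // 0 means no row matched $unique_id
}

// Validate the request parameter before it goes near the database: it must be
// a non-zero integer (the second answer's check). Whether a client may choose
// the amount at all is a separate authorization question not covered here.
if (isset($_GET['gold'])) {
    $gold = filter_var($_GET['gold'], FILTER_VALIDATE_INT);
    if ($gold === false || $gold === 0) {
        http_response_code(400);
        exit('gold must be a non-zero integer');
    }
    $updated = addGold($db_handle, $unique_id, $gold);
    if ($updated === 0) {
        http_response_code(404);
        exit('no player with that Unique_Id');
    }
}
mysqli_close($db_handle);
```

With the amount bound as an integer, input such as `1' OR '1'='1` is rejected by `filter_var` and could not alter the query structure even if it reached the statement.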