
I'm having a problem with my PHP and MySQL project. I wanted to insert multi-column values into the database, but the truth is, I'm already confused by the code. It's like this, if you would like to take a look:


    // Each of $A..$E holds one "column = 'value'" fragment, or a blank when
    // the matching form field is empty.
    if (!empty($_POST['brando'])) {
        $A = "brand = '$brando'";
    } else {
        $A = " ";
    }

    if (!empty($_POST['prnameo'])) {
        $B = "product_name = '$prnameo'";
    } else {
        $B = " ";
    }

    if (!empty($_POST['prido'])) {
        $C = "product_id = '$prido'";
    } else {
        $C = " ";
    }

    if (!empty($_POST['prcolo'])) {
        $D = "color = '$prcolo'";
    } else {
        $D = " ";
    }

    if (!empty($_POST['priceo'])) {
        $E = "price = '$priceo'";
    } else {
        $E = " ";
    }

    // The fragments are joined with nothing but spaces here.
    $sqlq = "UPDATE $tbl_name2 SET $A $B $C $D $E  where id='$id'";

    mysql_query($sqlq);

I noticed that a multi-value query into a database requires commas, such as:

mysql_query("UPDATE $tablename SET column1='value', column2='value' where id='value'");

and now I can't put any comma (",") in any of that code, which leaves the PHP page unable to send the other variable values to the server.

Even if I change the code to this:

$sqlq="UPDATE $tbl_name2 SET $A , $B , $C , $D , $E  where id='$id'";

it'll produce nothing but damn errors.

So I would like to ask for help if you know what I'm talking about. I know, it sounds like I've been stressed out by the coding.

Oh, and this code too; I forgot to include it:


    for ($help_given = 1; ; $help_given++)   // endless thanks
    {
    echo "Thanks";
    }

Mohammad Saberi
Rfqkml
  • Just FYI: Your script is prone to SQL injection. – TimWolla Jan 01 '12 at 14:49
  • What does `echo $sqlq` give you? – jprofitt Jan 01 '12 at 14:50
  • @TimWolla SQL injection is something I'm ignoring because this is supposed to finish up my final project and it runs on localhost. I know I'm new to PHP and stuff, but SQL injection is not my focus. – Rfqkml Jan 01 '12 at 14:56
  • @jprofitt echo $sqlq; = "UPDATE product_list SET brand = 'test' product_name = 'test' product_id = 'test' color = 'test' price = '0.001' where id='1' " – Rfqkml Jan 01 '12 at 14:56
  • 1
    @Rfq sql injections are something one should not easily ignore, even on local projects. You better do it always the right way and don't run into problems lateron. – TimWolla Jan 01 '12 at 15:17

2 Answers

Try to implode() an array with ",", like this:

<?php
$value = array();   // start empty so no fragment from an earlier run is carried over

if(!empty($_POST['brando'])){
    $value[] ="brand = '$brando'";
}

if(!empty($_POST['prnameo'])){
    $value[] ="product_name = '$prnameo'";
}

if(!empty($_POST['prido'])){
    $value[] ="product_id = '$prido'";
}

if(!empty($_POST['prcolo'])){
    $value[] ="color = '$prcolo'";
}

if(!empty($_POST['priceo'])){
    $value[] ="price = '$priceo'";
}

// implode() only puts a comma between two fragments, so empty fields never
// leave a stray ", ," behind; with no fields at all there is nothing to update.
if(!empty($value)){
    $sqlq="UPDATE $tbl_name2 SET " . implode(",",$value)."  where id='$id'";
    mysql_query($sqlq);
}
?>

Then you'd better use mysql_escape_string or PDO::prepare to prevent SQL injection.

TopCaver
  • This one looks promising, although to tell you the truth, I don't know those PHP methods such as "mysql_escape_string", "implode" or even "prepare". I'll try that; once the result is good or otherwise, I'll inform you. Thanks a lot, dude. – Rfqkml Jan 01 '12 at 15:59
  • I wish I could vote this up, but I don't have enough reputation. But still, you solved it, dude. I couldn't thank you enough, but still, I appreciate it. Thanks a lot. – Rfqkml Jan 01 '12 at 18:29
  • It's my pleasure. @Rfqkml please remember to **unset/empty** $value at the beginning of this section, otherwise you may get an unexpected result :P – TopCaver Jan 02 '12 at 02:47
    // Escape each value with mysql_real_escape_string() (mysql_escape_string()
    // is deprecated and ignores the connection charset), quote it in the SQL,
    // and leave the fragment empty when the field was not submitted.
    if(isset($_POST['brando']))
    {
        $brando=mysql_real_escape_string($_POST['brando']);
        $A="brand = '".$brando."'";
    }
    else
    {
        $A="";
    }


    if(isset($_POST['prnameo']))
    {
        $prnameo=mysql_real_escape_string($_POST['prnameo']);
        $B="product_name = '".$prnameo."'";
    }
    else
    {
        $B="";
    }

    if(isset($_POST['prido']))
    {
        $prido=mysql_real_escape_string($_POST['prido']);
        $C="product_id = '".$prido."'";
    }
    else
    {
        $C="";
    }

    if(isset($_POST['prcolo']))
    {
        $prcolo=mysql_real_escape_string($_POST['prcolo']);
        $D="color = '".$prcolo."'";
    }
    else
    {
        $D="";
    }

    if(isset($_POST['priceo']))
    {
        $priceo=mysql_real_escape_string($_POST['priceo']);
        $E="price = '".$priceo."'";
    }
    else
    {
        $E="";
    }

    $tbl_name="mytable";//to set
    $id='primary_key';//to set

    // array_filter() drops the empty fragments, so a field that was not sent
    // does not leave a stray comma in the SET list.
    $parts=array_filter(array($A, $B, $C, $D, $E));
    if(!empty($parts))
    {
        $sqlq="UPDATE $tbl_name SET ".implode(", ", $parts)."  where id='$id'";

        mysql_query($sqlq);
    }

Just put values where I have commented as //to set...

Rajat Singhal
  • Can you explain to me what the function of mysql_escape_string is? Reading the explanation "Returns the escaped string, or FALSE on error." and "If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks." doesn't seem to fill my head with adequate information. – Rfqkml Jan 01 '12 at 15:02
  • Oh, hmm, OK, but where should I put the comma? I mean, in here: $A="brand = '$brando',";} or here: $sqlq="UPDATE $tbl_name2 SET $A , $B , $C , $D , $E where id='$id'"; because I'm not sure it will run effectively. – Rfqkml Jan 01 '12 at 15:04
  • $sqlq="UPDATE $tbl_name2 SET $A , $B , $C , $D , $E where id='$id'"; – Rajat Singhal Jan 01 '12 at 15:06
  • OK, I'll try those. Once I get the result, I'll give the feedback. Thanks. – Rfqkml Jan 01 '12 at 15:07
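Both answers above build the SQL text by string concatenation: the first leaves the submitted values unescaped, the second relies on escaping them. The following is an added example, not code from the question or either answer, showing the same optional-column UPDATE done the way the first answer's mention of PDO::prepare points to: a whitelist decides which columns may appear in the SET list, and the values are bound through placeholders so they never become part of the SQL text. It runs against an in-memory SQLite database so it works stand-alone; the table layout, the field-to-column map (using the field names from the question's form) and the sample rows are constructed for the demonstration, and for MySQL only the DSN changes.

```php
<?php
// Added example, not code from the question or the answers: an optional-column
// UPDATE built from a column whitelist and executed as a PDO prepared
// statement. Uses an in-memory SQLite database so it runs stand-alone; for
// MySQL only the DSN in the demo section changes.

// Form field => column. Only columns listed here can appear in SET, so a
// request cannot name an arbitrary column. The field names are the ones
// used in the original question's form; the map itself is an assumption.
const UPDATABLE_COLUMNS = array(
    'brando'  => 'brand',
    'prnameo' => 'product_name',
    'prido'   => 'product_id',
    'prcolo'  => 'color',
    'priceo'  => 'price',
);

/**
 * Update the columns whose form fields are present and non-empty in $input.
 * $table must be a trusted constant, never request data.
 * Returns the affected row count, or null when no field was supplied
 * (an "UPDATE t SET WHERE ..." with an empty SET list is a syntax error).
 */
function updateProduct(PDO $pdo, $table, $id, array $input)
{
    $set    = array();
    $params = array();
    foreach (UPDATABLE_COLUMNS as $field => $column) {
        if (isset($input[$field]) && $input[$field] !== '') {
            // The column name comes from the whitelist; the value is bound
            // through a named placeholder and never touches the SQL text.
            $set[]              = "`$column` = :$column";
            $params[":$column"] = $input[$field];
        }
    }
    if (empty($set)) {
        return null;
    }
    $params[':id'] = $id;
    $sql  = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE id = :id";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// --- demo on constructed data (table name and rows are made up) -----------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE product_list (
    id INTEGER PRIMARY KEY, brand TEXT, product_name TEXT,
    product_id TEXT, color TEXT, price REAL)");
$pdo->exec("INSERT INTO product_list VALUES (1, 'old', 'old', 'old', 'old', 1.0)");

// Simulated $_POST: two fields filled in, one left blank, two not sent at all.
// The quote in the brand is the classic injection character; it is stored
// literally because it is bound, not concatenated into the query.
$post = array('brando' => "O'Reilly", 'priceo' => '0.001', 'prnameo' => '');
$affected = updateProduct($pdo, 'product_list', 1, $post);
$row = $pdo->query("SELECT * FROM product_list WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
print_r(array('affected' => $affected, 'row' => $row));

// Nothing submitted: the function refuses rather than emitting a broken query.
var_dump(updateProduct($pdo, 'product_list', 1, array()));
```

Run with `php example.php`: the first call reports one affected row, the stored brand is the literal string O'Reilly, price is updated, and product_name, product_id and color keep their old values because their fields were blank or absent; the second call returns NULL instead of sending an `UPDATE ... SET  WHERE` to the database. The table name is interpolated, which is only safe because it is a constant in the code; the moment it came from the request the same whitelist treatment would apply to it. Since the mysql_* extension was removed in PHP 7, PDO (or mysqli) prepared statements are also the only option on current PHP.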