3

Should this work? (increment the login count?)

// update the login count
$data = array(
   'logins' => 'logins + 1'
);

$n = $db->update('users', $data, 'user_id = '.$_userId);    
David Snabel-Caunt
Kladskull

1 Answer

4
$data = array(
   'logins' => new Zend_Db_Expr('logins + 1')
);

Also use quoting so you aren't as vulnerable to SQL injection:

$n = $db->update('users', $data, $db->quoteInto('user_id = ?', $_userId));

Re comment: Yes, in the case of the update() method, it assumes you're sending a literal value unless you use an object of type Zend_Db_Expr. You can test this yourself:

$db->getProfiler()->setEnabled(true);
$n = $db->update('users', $data, $db->quoteInto('user_id = ?', $_userId));
$qp = $db->getProfiler()->getLastQueryProfile();
echo $qp->getQuery() . "\n";

Any literal value you give in your $data array is parameterized so the query ends up looking like this:

UPDATE `users` SET `login` = ? WHERE user_id = 123

If you use an object of class Zend_Db_Expr, it knows to interpolate the string literally into the query, instead of parameterizing:

UPDATE `users` SET `login` = NOW() WHERE user_id = 123

Note that when you interpolate expressions like this, you are responsible for validation so you don't get security vulnerabilities.

Bill Karwin
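An added example, not part of the answer above and not Zend Framework's own code, of the validation the answer's last sentence calls for when the column used inside a Zend_Db_Expr is variable. It assumes Zend Framework 1 is on the include_path and the pdo_sqlite extension is available; the incrementCounter() helper, the failed_logins column and the table contents are constructed for illustration.

```php
<?php
// Added example; assumes Zend Framework 1 is on the include_path.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Expr.php';

/**
 * Hypothetical helper: increment one counter column for one user.
 * The column name ends up inside a Zend_Db_Expr, which update() copies
 * into the SQL text as-is, so it is checked against a fixed allow-list.
 */
function incrementCounter(Zend_Db_Adapter_Abstract $db, $column, $userId)
{
    $allowed = array('logins', 'failed_logins'); // constructed column names
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unexpected counter column');
    }
    // Expression side: only an allow-listed, quoted identifier is interpolated.
    $data = array(
        $column => new Zend_Db_Expr($db->quoteIdentifier($column) . ' + 1'),
    );
    // WHERE side: the value is cast to int and quoted, as in the answer.
    $where = $db->quoteInto('user_id = ?', (int) $userId);
    return $db->update('users', $data, $where);
}

// Constructed in-memory table so the script runs offline.
$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query(
    'CREATE TABLE users (user_id INTEGER PRIMARY KEY, '
    . 'logins INTEGER, failed_logins INTEGER)'
);
$db->insert('users', array('user_id' => 123, 'logins' => 7, 'failed_logins' => 0));

// Allow-listed column: the row's counter is incremented in SQL.
$rows = incrementCounter($db, 'logins', '123');
$now  = $db->fetchOne('SELECT logins FROM users WHERE user_id = ?', 123);
echo "rows updated: $rows, logins now: $now\n";

// Column not on the allow-list: rejected before any SQL is built.
try {
    incrementCounter($db, 'email', 123);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```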