
I probably have some injection error in my code, but I don't know where this is happening.

$name = 'Toshiba LED TV 32" 32W2333D HD Ready';

$query = "UPDATE `tv`
         SET `title` = '" . $this->mysqli->real_escape_string($name). "'
         WHERE `id` = '" . $id . "'";

$prep = $this->mysqli->prepare($query);
$prep->execute();

Instead of getting, in the title field:

Toshiba LED TV 32" 32W2333D HD

I get:

Toshiba LED TV 32"

Comments

  • and the where is probably wrong too. WHERE '42'? perhaps it should be WHERE id = '42' or something. Since you're using mysqli, why are you manually escaping anyways? Why not use a prepared statement and placeholders? Commented Feb 18, 2015 at 15:55
  • @MarcB Probably? - Nah; is. Definitely missing an equal sign. OP's probably not showing us actual used code. Edit: It's been changed. Commented Feb 18, 2015 at 15:57
  • @Fred-ii- I added that, sorry; there is no id field, I just wanted to give a sample. Commented Feb 18, 2015 at 15:58
  • If you pass $name as Toshiba LED TV 32 32W2333D HD, will you still have that issue? Commented Feb 18, 2015 at 15:58
  • Or the title field is set to varchar(18)? Commented Feb 18, 2015 at 15:58

1 Answer

Have you tried to use bind parameters? Like:

// prepare() already returns the statement; do not prepare it twice
$statement = $mysqli->prepare("UPDATE tv SET title = ? WHERE id = ?");

// bind_param needs the type string first: 's' = string, 'i' = integer
$statement->bind_param('si', $product_title, $find_id);
$statement->execute();
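The following is an added example, not code from the question or the answer above. It does what the answer suggests (placeholders instead of real_escape_string, so the `"` in `32"` never reaches the SQL parser) and also checks the explanation raised in the last comment: a title cut off after 18 characters is the signature of a VARCHAR column that is too narrow, not of injection. The example reads the column width from information_schema and turns on STRICT_TRANS_TABLES so MySQL rejects an over-long value instead of silently truncating it. The database name, credentials, the `id` column and the row id 42 are assumptions; `get_result()` requires the mysqlnd driver.

```php
<?php
// Added example; assumes a `tv` table with `id` INT and `title` VARCHAR(n).
// Connection details below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become mysqli_sql_exception

$mysqli = new mysqli('localhost', 'user', 'password', 'shop');
$mysqli->set_charset('utf8mb4');

// With STRICT_TRANS_TABLES an UPDATE that does not fit the column fails
// (error 1406, "Data too long for column") instead of storing a truncated value.
$mysqli->query("SET SESSION sql_mode = CONCAT(@@sql_mode, ',STRICT_TRANS_TABLES')");

function updateTitle(mysqli $db, int $id, string $title): int
{
    // The value is sent separately from the SQL text, so no escaping is needed
    // and quotes in the title cannot change the statement.
    $stmt = $db->prepare('UPDATE `tv` SET `title` = ? WHERE `id` = ?');
    $stmt->bind_param('si', $title, $id);   // 's' = string, 'i' = integer
    $stmt->execute();
    return $stmt->affected_rows;
}

// Returns the declared width of tv.title, or null if the column is not found.
function titleColumnLength(mysqli $db): ?int
{
    $stmt = $db->prepare(
        'SELECT CHARACTER_MAXIMUM_LENGTH FROM information_schema.COLUMNS
         WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ? AND COLUMN_NAME = ?'
    );
    $table  = 'tv';
    $column = 'title';
    $stmt->bind_param('ss', $table, $column);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    return $row ? (int) $row[0] : null;
}

$name = 'Toshiba LED TV 32" 32W2333D HD Ready';

$max = titleColumnLength($mysqli);
if ($max !== null && mb_strlen($name) > $max) {
    printf("title is %d chars but the column holds %d; widen it with ALTER TABLE\n",
        mb_strlen($name), $max);
}

try {
    updateTitle($mysqli, 42, $name);
} catch (mysqli_sql_exception $e) {
    // In strict mode the over-long value is rejected here rather than stored cut off.
    echo "update rejected: " . $e->getMessage() . "\n";
}
```

If the column really is VARCHAR(18), the fix is `ALTER TABLE tv MODIFY title VARCHAR(255)` (or whatever length the data needs); the prepared statement removes the escaping question entirely, and strict mode makes the next silent truncation visible instead of looking like an injection bug.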