
I have this PHP script:

$query = "UPDATE event_rsvp SET event_note = '" . $_POST[note] . "', event_rsvp_type_id = '" . $_POST[rsvpId] . "' WHERE user_id = '" . $_POST[userId] . "' AND event_id = '" . $_POST[eventId] . "'";   
$result = $mysqli->$query;
echo $query;

That echo gives me this:

UPDATE event_rsvp SET event_note = 'test', 
       event_rsvp_type_id = '4' 
WHERE user_id = '1' AND event_id = '1'

The problem is that only event_rsvp_type_id is updated in the database; event_note isn't. However, if I copy this echoed query and paste it directly into adminer or phpmyadmin, it works fine and updates the note as expected.

Any help? Thanks!

Comments:

  • I don't think that code will work at all. What is $mysqli->$query supposed to do? Commented Aug 9, 2017 at 20:54
  • Little Bobby says you are at risk for SQL Injection Attacks. Learn about Prepared Statements for MySQLi. Even escaping the string is not safe! I recommend PDO, for which I wrote a function to make it extremely easy, very clean, and way more secure than using non-parameterized queries. Commented Aug 9, 2017 at 20:55
  • Well, it certainly works in different scenarios. $mysqli = new mysqli($dbHost, $dbUsername, $dbPassword, $dbName); mysqli_set_charset($mysqli,"utf8"); Commented Aug 9, 2017 at 20:56
  • @user235937, but $query is a string. You can't do $mysqli->"SELECT * FROM foo", and you can't do $mysqli->$query either. Commented Aug 9, 2017 at 20:58
  • Oh, right... thanks a lot, I kind of didn't notice that after 16 hours in front of the PC... solved, working. Commented Aug 9, 2017 at 21:01

1 Answer

Try the following code:

// Prepared statement: the ? placeholders stand in for the values, so user input never becomes part of the SQL text
$query = $mysqli->prepare("UPDATE event_rsvp SET `event_note`=?, `event_rsvp_type_id`=? WHERE `user_id`=? AND `event_id`=?");
// "siii": one string (note) followed by three integers (rsvpId, userId, eventId), bound in placeholder order
$query->bind_param("siii", $_POST['note'], $_POST['rsvpId'], $_POST['userId'], $_POST['eventId']);
$query->execute();

Your real problem is that you were missing the single quotes on your variables. Also, $mysqli->$query doesn't make any sense: the $query part isn't a variable; it should just be query. I converted your code to use prepared statements as well; hopefully this will allow you to see how easy they are to use, while giving you way more security.
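As an added example, not code from the asker or the answerer, here is the same update wrapped in a function that turns mysqli failures into exceptions (so a mistake like the original $mysqli->$query cannot fail silently), validates the POST parameters before they reach the database, and reports how many rows actually changed. It assumes the event_rsvp table and column names from the question and a $mysqli connection opened as shown in the comments; the function name updateRsvpNote and the MAX_NOTE_LENGTH limit are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false/null; a failed prepare() or execute()
// then surfaces immediately rather than leaving a row silently unchanged.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const MAX_NOTE_LENGTH = 1000; // assumed application limit, not taken from the question

/**
 * Update one RSVP row with a prepared statement and return the number of rows changed.
 * Assumed function name; table and column names are the ones from the question.
 */
function updateRsvpNote(mysqli $db, int $userId, int $eventId, int $rsvpTypeId, string $note): int
{
    if (mb_strlen($note) > MAX_NOTE_LENGTH) {
        throw new InvalidArgumentException('note exceeds ' . MAX_NOTE_LENGTH . ' characters');
    }

    $stmt = $db->prepare(
        'UPDATE event_rsvp SET event_note = ?, event_rsvp_type_id = ? WHERE user_id = ? AND event_id = ?'
    );
    // "siii": the note is bound as a string, the three ids as integers. The values are sent to the
    // server separately from the SQL text, so quotes or keywords inside $note cannot alter the query.
    $stmt->bind_param('siii', $note, $rsvpTypeId, $userId, $eventId);
    $stmt->execute();

    $affected = $stmt->affected_rows; // 0 means no row matched the WHERE clause (or nothing changed)
    $stmt->close();
    return $affected;
}

// Validate the request before touching the database: the ids must be integers and the note present.
// filter_input() returns null when the field is missing and false when validation fails.
$userId     = filter_input(INPUT_POST, 'userId', FILTER_VALIDATE_INT);
$eventId    = filter_input(INPUT_POST, 'eventId', FILTER_VALIDATE_INT);
$rsvpTypeId = filter_input(INPUT_POST, 'rsvpId', FILTER_VALIDATE_INT);
$note       = filter_input(INPUT_POST, 'note');

if (!is_int($userId) || !is_int($eventId) || !is_int($rsvpTypeId) || !is_string($note)) {
    http_response_code(400);
    exit("invalid or missing parameters\n");
}

// $mysqli is assumed to be the connection created as in the comments:
// $mysqli = new mysqli($dbHost, $dbUsername, $dbPassword, $dbName);
$changed = updateRsvpNote($mysqli, $userId, $eventId, $rsvpTypeId, $note);
echo $changed === 0 ? "no matching RSVP row\n" : "updated {$changed} row(s)\n";
```

Checking affected_rows is what answers the asker's original symptom: with the concatenated query the script had no way to tell whether the UPDATE ran at all, whereas here a zero means the WHERE clause matched nothing and an exception means the statement itself failed.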
