How to update database using PHP variables? [duplicate]

ε祈祈猫儿з submitted on 2019-12-25 19:01:25

Question


$Createdby=$_SESSION['adminlog'];
$total =$_POST['total'];
$due =$_POST['due'];
$date =$_POST['issedate'];
$invoiceno =$_POST['invno'];
$CmpnyName =$_POST['CmpnyName'];
$itemdetails =$_POST['item_details'];
$itemname =$_POST['itemname'];
$amtpaid =$_POST['paid'];



$query  = "UPDATE billdata SET Total='$total' Due='$due' WHERE InvoiceNo=$invoiceno";

$result = mysql_query($query);

This is the code I am using to get the HTML values into variables and update a particular invoice number with new data.


Answer 1:


First off, never use the deprecated mysql_* API.
Switch to either PDO or mysqli, both have prepared statements, which would make your code a tad bit more safe when it comes to SQL-Injections (which your code is very open for).

When a query fails, the mysql_error() global function will return the latest mysql error.
The easiest way to get information about a failing query is by adding or die(mysql_error()); after the query execution.
Example with your code:

$result = mysql_query($query) or die(mysql_error());

This will report your error and stop executing the script.

Your SQL code is slightly wrong (as RST mentions); you are missing a comma between the values you are trying to set.


Using mysqli and prepared statements, your code could look something like:

// Using the mysqli object oriented style.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'username', 'password', 'database');

// Prepare the statement.
$statement = $mysqli->prepare('UPDATE billdata SET Total=?, Due=? WHERE InvoiceNo=?');
// The question marks are placeholders for the input that will be added in a while.

// Bind your parameters (ssi tells mysqli what type of params it is, s = string, i = int).
$statement->bind_param('ssi', $total, $due, $invoiceno);
// Execute the statement.
$statement->execute();

// Cleanup.
$statement->close();
$mysqli->close();



Answer 2:


$query  = "UPDATE billdata SET Total='$total', Due='$due' WHERE InvoiceNo=$invoiceno";

There should be a comma between the sets of values. It is not a good idea to use the values from $_POST() as they are; better to perform some validation checks.
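
Added example (not part of the original answers or the poster's code): one way to combine the PDO prepared statement that answer 1 mentions as an alternative with the validation checks that answer 2 recommends. The table and column names are from the question; the function name updateInvoice, the validation rules, and the in-memory SQLite database standing in for MySQL are assumptions made so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: validate the posted fields, then update via a prepared statement.
function updateInvoice(PDO $pdo, array $post): int
{
    // Assumed rules: amounts are plain decimals with up to 2 places,
    // the invoice number is a positive integer.
    $money = ['options' => ['regexp' => '/^\d{1,10}(\.\d{1,2})?$/D']];
    $total = filter_var($post['total'] ?? '', FILTER_VALIDATE_REGEXP, $money);
    $due   = filter_var($post['due'] ?? '', FILTER_VALIDATE_REGEXP, $money);
    $invno = filter_var($post['invno'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);

    if ($total === false || $due === false || $invno === false) {
        throw new InvalidArgumentException('Invalid total, due or invoice number');
    }

    // Values are bound as parameters, never concatenated into the SQL string.
    $stmt = $pdo->prepare(
        'UPDATE billdata SET Total = :total, Due = :due WHERE InvoiceNo = :invno'
    );
    $stmt->bindValue(':total', $total, PDO::PARAM_STR);
    $stmt->bindValue(':due', $due, PDO::PARAM_STR);
    $stmt->bindValue(':invno', $invno, PDO::PARAM_INT);
    $stmt->execute();

    // Rows changed; 0 means no matching invoice (or, on MySQL, no change in values).
    return $stmt->rowCount();
}

// Constructed demo data: SQLite in memory stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE billdata (InvoiceNo INTEGER PRIMARY KEY, Total TEXT, Due TEXT)');
$pdo->exec("INSERT INTO billdata VALUES (1001, '0.00', '0.00')");

// Constructed stand-in for $_POST.
$form = ['total' => '250.00', 'due' => '75.50', 'invno' => '1001'];
echo updateInvoice($pdo, $form), " row(s) updated\n";

try {
    // A non-numeric invoice field fails validation before any SQL runs.
    updateInvoice($pdo, ['total' => '1', 'due' => '1', 'invno' => '1001 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

With a real MySQL server, only the PDO constructor's DSN and credentials change; the validation and the bound parameters stay the same.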




Answer 3:


$query = "UPDATE billdata SET Total='$total', Due='$due' WHERE InvoiceNo='$invoiceno' ";

This is the query for MySQL using PHP, and it's working well. Tested as well :)



Source: https://stackoverflow.com/questions/30962763/how-to-update-database-using-php-variables
