Jump to content

SQL update statement parameter list or individual.


CB150Special
Go to solution Solved by Jacques1,

Recommended Posts

I'm not sure whether to create one SQL update routine and pass a parameter list to it possibly using something like a SESSION variable, or, to create one SQL routine for each procedure with its own set of variables.

The source of the data is a form using submit.

 

Alternately, what are the key words I need to search for on this.

 

Link to comment
Share on other sites

It's impossible to give you any meaningful answer or keyword based on this extremely vague description. Also, what's an "SQL routine"? A stored procedure? A PHP function running SQL queries? Something else?

 

Show us some concrete examples of what you're talking about, then we can help you.

Edited by Jacques1
Link to comment
Share on other sites

This is more a general question. I'm leaning to be passing a string to the php SQL script. Example below.

<?php
include 'sql_con.php';
if ($conn->connect_error) {
   echo ('Connection failed: ' . $conn->connect_error);
 }else {
    $sql =  'UPDATE db SET Name = '.$_POST['Name'].' WHERE ID = '.$_SESSION['NameID'].' ';
    $result = $conn->query($sql);
}   
$conn->close();
?> 

This would mean a php file for every db update required for each input form I have.

 

Using a variable for  "SET Name'.$_POST['Name']" means I can use the same php file for many update routines.  Eg

"SET column1 = value1, column2 = value2, ..."

Link to comment
Share on other sites

  • Solution

There seem to be several misunderstandings.

 

First, you definitely do not create a new connection or even PHP script for every single query. Why would you do that? You establish one connection and then run as many queries as you need in the main script or within functions.

<?php

$connection = new mysqli(...);

// one query
$connection->query('...');

// another query
$connection->query('...');

...

Secondly, you must not insert user input directly into query strings. This immediately leads to an SQL injection vulnerability and can compromise your database or even the entire server. Always use prepared statements with parameters when you need to pass dynamic values to a query.

 

Then you should seriously consider switching from mysqli to PDO which is far more programmer-friendly. If you insist on using mysqli, then you need to actually learn it (secure queries, proper error handling etc.).

 

If you fix all this, there's really no reason for special code to handle UPDATE queries. In fact, I strongly recommend against that. You may save a few lines with a generalized update routine, but there's a huge risk of introducing new vulnerabilities and bugs through the dynamic queries. Just use plain old prepared statements with static query templates.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.