samanj Posted May 2, 2020

Hi, I have a php form that submits updated 'comments' onto specific records. I have now added a timestamp feature to record the time of submission automatically. I have only added the lines and sections containing 'sent' (which is the column for the timestamp) but there is an error when I do this and the php file shows an error as a result.

    $hospitalnumber = $_POST['hospitalnumber'];
    $PIN = $_POST['PIN'];
    $comments = $_POST['comments'];
    $sent = date("Y-m-d H:i:s");

    // mysql query to Update data
    $query = "UPDATE `greencard` SET `comments`= '$comments', 'sent' = '$sent' WHERE `hospitalnumber`= '$hospitalnumber' and `PIN`= '$PIN'";

I have tested the timestamp coding and it has worked on other php files I made so I am confused as to what is wrong. Also, the overall code works when I remove 'sent' = '$sent' and $sent = date("Y-m-d H:i:s"); (but obviously without updating the timestamp). Any help appreciated as always.
requinix Posted May 2, 2020

Before dealing with this, you need to change to using prepared statements. Because as your code is now, someone could submit malicious data into your form and completely screw up everything in your database. Not sure whether you're using PDO or mysqli, but both of them support it. Switch now. It might even fix your problem, too.
Barand Posted May 2, 2020

1 hour ago, requinix said:
    It might even fix your problem, too.

Unlikely

Quotes need removing...

    $query = "UPDATE `greencard` SET `comments`= '$comments', 'sent' = '$sent' WHERE `hospitalnumber`= '$hospitalnumber' and `PIN`= '$PIN'";
                                                              ^    ^

and it's easier just to use

    ... sent = NOW() WHERE ...
requinix Posted May 2, 2020

5 minutes ago, Barand said:
    Unlikely

Shh.
gizmola Posted May 2, 2020

This is one of the reasons I don't use backticks around column names unless they are absolutely necessary (which is rare).

    $query = "UPDATE greencard SET comments = '$comments', sent = '$sent' WHERE hospitalnumber = '$hospitalnumber' and PIN= '$PIN'";

Quote:
    Before dealing with this, you need to change to using prepared statements. Because as your code is now, someone could submit malicious data into your form and completely screw up everything in your database.

Make sure that you follow Requinix's instructions and change this code to use parameters and prepared statements. There is no excuse to write new code this way!
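The prepared-statement version that requinix and gizmola are asking for, with Barand's NOW() instead of a PHP-side timestamp. This is an added example, not code from any poster in the thread; the DSN, credentials and the greencard table layout are assumptions.

```php
<?php
// Added example: the same UPDATE as a PDO prepared statement.
// DSN, credentials and table layout are assumed, not taken from the thread.
function updateComment(PDO $pdo, string $hospitalnumber, string $pin, string $comments): int
{
    // Table and column names are identifiers, so they stay in the SQL text
    // (backticks optional) and are never bound. Only the values are bound,
    // so whatever the user types in the form is treated as data, not SQL.
    // sent = NOW() lets the database stamp the row itself.
    $sql = 'UPDATE greencard
            SET comments = :comments, sent = NOW()
            WHERE hospitalnumber = :hospitalnumber AND PIN = :pin';

    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':comments'       => $comments,
        ':hospitalnumber' => $hospitalnumber,
        ':pin'            => $pin,
    ]);

    // Number of rows actually updated; 0 means no record matched that
    // hospitalnumber/PIN pair, which is worth reporting back to the form.
    return $stmt->rowCount();
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // assumed DSN
    'db_user',                                                // assumed credentials
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors throw
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

$updated = updateComment(
    $pdo,
    $_POST['hospitalnumber'] ?? '',
    $_POST['PIN'] ?? '',
    $_POST['comments'] ?? ''
);
echo $updated . " record(s) updated\n";
```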
samanj Posted May 3, 2020 (Author)

Thank you everyone for your guidance and support. I do have a long way to go before getting to grips with this programming language so all input is gladly taken.