Hi,

I have a php form that submits updated 'comments' onto specific records.

I have now added a timestamp feature to record the time of submission automatically.

I have only added the lines and sections containing 'sent' (which is the column for the timestamp) but there is an error when I do this and the php file shows an error as a result.

$hospitalnumber = $_POST['hospitalnumber'];
$PIN = $_POST['PIN'];
$comments = $_POST['comments'];
$sent = date("Y-m-d H:i:s");

// mysql query to Update data
$query = "UPDATE `greencard` SET `comments`= '$comments', 'sent' = '$sent' WHERE `hospitalnumber`= '$hospitalnumber' and `PIN`= '$PIN'";

I have tested the timestamp coding and it has worked on other php files I made so I am confused as to what is wrong.

Also, the overall code works when I remove 'sent' = '$sent' and $sent = date("Y-m-d H:i:s"); (but obviously without updating the timestamp).

Any help appreciated as always.


Before dealing with this, you need to change to using prepared statements. Because as your code is now, someone could submit malicious data into your form and completely screw up everything in your database.

Not sure whether you're using PDO or mysqli, but both of them support it. Switch now. It might even fix your problem, too.

1 hour ago, requinix said:

It might even fix your problem, too.

Unlikely :)

Quotes need removing...

$query = "UPDATE `greencard` SET `comments`= '$comments', 'sent' = '$sent' WHERE `hospitalnumber`= '$hospitalnumber' and `PIN`= '$PIN'";
                                                          ^    ^

and it's easier just to use

... sent = NOW() WHERE ...


This is one of the reasons I don't use backticks around column names unless they are absolutely necessary (which is rare).

$query = "UPDATE greencard SET comments = '$comments', sent = '$sent' WHERE hospitalnumber = '$hospitalnumber' and PIN= '$PIN'";

 

Quote

Before dealing with this, you need to change to using prepared statements. Because as your code is now, someone could submit malicious data into your form and completely screw up everything in your database.

Make sure that you follow Requinix's instructions and change this code to use parameters and prepared statements. There is no excuse to write new code this way!
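Added example, not part of any post in this thread: the same UPDATE written as a PDO prepared statement with unquoted column names, as the replies recommend. The helper name `updateComments`, the table layout, the sample row and the in-memory SQLite database (standing in for the poster's MySQL database so the script runs offline) are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): updates one record's comments and
// timestamp using bound parameters instead of string interpolation.
function updateComments(PDO $pdo, string $hospitalnumber, string $pin, string $comments): int
{
    // Column names are plain identifiers; values travel separately as parameters.
    // On MySQL, `sent = NOW()` can replace the :sent parameter, as suggested in the thread.
    $stmt = $pdo->prepare(
        'UPDATE greencard
            SET comments = :comments, sent = :sent
          WHERE hospitalnumber = :hospitalnumber AND PIN = :pin'
    );
    $stmt->execute([
        ':comments'       => $comments,
        ':sent'           => date('Y-m-d H:i:s'),
        ':hospitalnumber' => $hospitalnumber,
        ':pin'            => $pin,
    ]);
    // 0 means no row was changed, e.g. no match on hospitalnumber + PIN.
    return $stmt->rowCount();
}

// Constructed demo data: in-memory SQLite stands in for the real MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE greencard (hospitalnumber TEXT, PIN TEXT, comments TEXT, sent TEXT)');
$pdo->exec("INSERT INTO greencard VALUES ('H1001', '4321', 'initial', NULL)");

// An apostrophe would end the string literal in the interpolated query;
// as a bound value it is stored verbatim.
$changed = updateComments($pdo, 'H1001', '4321', "Patient's dressing changed");
$row = $pdo->query('SELECT comments, sent FROM greencard')->fetch(PDO::FETCH_ASSOC);
printf("rows updated: %d\ncomments: %s\nsent: %s\n", $changed, $row['comments'], $row['sent']);

// Wrong PIN: nothing matches, so the caller can report failure instead of assuming success.
$changed = updateComments($pdo, 'H1001', '0000', 'should not be stored');
printf("rows updated with wrong PIN: %d\n", $changed);
```

When connecting to MySQL through PDO, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server prepare the statement instead of PDO emulating it client-side.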

 
