    $user = mysql_real_escape_string($_POST["userlogin"]);

    mysql_connect("uritomyhost","myusername","password"); 
    mysql_select_db('mydatabase');
    mysql_query('UPDATE table SET field = field + ($userlogin)');

Is this the right way of getting userlogin from the post request and then inserting it to my SQL query?

  • What point is it using a + with a database field with a user supplied value? Commented Sep 7, 2012 at 7:01

7 Answers


Stop using outdated functions and use PDO instead.

// prepare() is an instance method, so connect first (DSN/credentials from the question)
$pdo = new PDO('mysql:host=uritomyhost;dbname=mydatabase', 'myusername', 'password');
$stmt = $pdo->prepare('UPDATE table SET field = field + :field');
$stmt->execute(array('field' => $_POST["userlogin"]));

Read some information about PDO. In short: it escapes your data for you, is quite consistent across databases and generally just easier.


2 Comments

How should I connect to it? This only gets the value and inserts it. How do I log in to my database with this code?
You'd use the __construct. See the examples on that page :)
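Added example, not from the question or from any answer on this page: the question's increment written as a PDO prepared statement with a WHERE clause, which is also the prepared-statement point the mysqli answer further down makes. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with a constructed accounts table, so it runs without a MySQL server.

```php
<?php
// Added example (not from the question or any answer). Uses an in-memory
// SQLite database via pdo_sqlite so it runs without a MySQL server; the
// accounts table and its rows are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (user TEXT PRIMARY KEY, field INTEGER NOT NULL DEFAULT 0)');
$pdo->exec("INSERT INTO accounts (user, field) VALUES ('alice', 10), ('o''brien', 20)");

// Add $amount to accounts.field for one user; returns rows updated (0 = no such user).
function incrementField(PDO $pdo, string $user, string $amount): int
{
    // The question adds a POST value to a numeric column. Check that it is
    // really an integer before it reaches the database; otherwise MySQL
    // would silently coerce '5abc' to 5 and 'abc' to 0.
    if (!preg_match('/^-?\d+$/', $amount)) {
        throw new InvalidArgumentException("not an integer: $amount");
    }
    // Bound values travel separately from the SQL text, so neither value can
    // change the statement and no escaping is needed. The WHERE clause
    // restricts the update to one row; the question's query had none.
    $stmt = $pdo->prepare('UPDATE accounts SET field = field + :amount WHERE user = :user');
    $stmt->bindValue(':amount', (int) $amount, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Simulated request input (constructed; in the real script this is $_POST).
$post = ['userlogin' => 'alice', 'amount' => '5'];
echo "alice: updated ", incrementField($pdo, $post['userlogin'], $post['amount']), " row(s)\n";

// A name containing a quote needs no mysql_real_escape_string(): the bound
// value is compared literally, so the o'brien row is found and updated.
echo "o'brien: updated ", incrementField($pdo, "o'brien", '1'), " row(s)\n";

// Malformed amounts are rejected before any SQL runs.
try {
    incrementField($pdo, 'alice', '5abc');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

foreach ($pdo->query('SELECT user, field FROM accounts ORDER BY user') as $row) {
    echo "{$row['user']} = {$row['field']}\n";
}
```

Swapping the DSN for `mysql:host=...;dbname=...` with the real credentials is the only change needed against MySQL, since the prepare/bind/execute calls are the same across PDO drivers.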

You should use mysql_real_escape_string() just after connecting to the database, so change your code to this:

mysql_connect("uritomyhost","myusername","password"); 
mysql_select_db('mydatabase');
$userlogin = mysql_real_escape_string($_POST["userlogin"]);
mysql_query("UPDATE table SET field = '$userlogin'");

Comments


Try like this.

mysql_connect("uritomyhost","myusername","password"); 
mysql_select_db('mydatabase');
// escape only after connecting: mysql_real_escape_string() needs an open connection
$user = mysql_real_escape_string($_POST["userlogin"]);
mysql_query("UPDATE table SET field = value where user='$user'");

Comments


Try this

mysql_query("UPDATE table SET field = field + ('$user')");

However,

You might be updating all the fields in your table because you have no WHERE in your UPDATE clause.

Shouldn't it rather be

mysql_query("UPDATE table SET field = field WHERE user= '$user'");

Comments


I think you want to INSERT instead of using UPDATE. Why field = field + ($userlogin)? This will concatenate the values. And one more thing: please use PDO or MySQLi.

Example of using PDO extension:

<?php
// connect first; $dbh was undefined in the original snippet (credentials from the question)
$dbh = new PDO('mysql:host=uritomyhost;dbname=mydatabase', 'myusername', 'password');
$user = $_POST["userlogin"];
$stmt = $dbh->prepare("INSERT INTO tablename (field) VALUES (?)");
$stmt->bindParam(1, $user);
$stmt->execute();
?>

1 Comment

It's supposed to count with the current value?

Use mysql_real_escape_string() after the mysql connection and use double quotes:

mysql_query("UPDATE table SET field = field + ({$userlogin})");

1 Comment

To add to this, when using single quotes, variables do not expand. Edit: it also seems like you call your variable $user instead of $userlogin.

Use mysqli_query for your queries (notice the i) and use prepared statements. Using prepared statements is more secure than using straight queries and including the variable in the query string. Moreover, mysql will be deprecated soon. Example:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>

2 Comments

Mysqli is not more secure when being used this way. Mysqli is only more secure when using prepared statements, just like PDO
yeah, sorry forgot to mention that, editing my answer. Thanks for reminding
