数据库表不会使用Mysqli更新

Question

So I have a problem with updating a mysql table via mysqli in php.

The database connection and class:

<?php
class testDB extends mysqli {
    private static $instance = null;

    private $user = "tester";
    private $pass = "tester01";
    private $dbName = "testdb";
    private $dbHost = "localhost";

 public static function getInstance() {
   if (!self::$instance instanceof self) {
     self::$instance = new self;
   }
   return self::$instance;
 }

 public function __clone() {
   trigger_error('Clone is not allowed.', E_USER_ERROR);
 }
 public function __wakeup() {
   trigger_error('Deserializing is not allowed.', E_USER_ERROR);
 }

private function __construct() {
    parent::__construct($this->dbHost, $this->user, $this->pass, $this->dbName);
    if (mysqli_connect_error()) {
        exit('Connect Error (' . mysqli_connect_errno() . ') '
                . mysqli_connect_error());
    }
    parent::set_charset('utf-8');
}

public function verify_credentials ($username, $password){
   $username = $this->real_escape_string($username);
   $password = $this->real_escape_string($password);
   $result = $this->query("SELECT 1 FROM users WHERE user_username = '" . $username . "' AND user_password = '" . $password . "'");
   return $result->data_seek(0);
}

public function get_vitae() {
    return $this->query("SELECT * FROM vitae");

public function update_vitae($text, $id) {
    $text = $this->real_escape_string($text);
    $this->query("UPDATE vitae SET vitae_text=".$text." WHERE vitae_id = ".$id);
}
}
?>

Here's the page code:

Above the header we check the login by making sure there is a session started; then import the database class and the rest is called upon resubmitting the form to this same page:

<?php
session_start();
if (!array_key_exists("username", $_SESSION)) {
    header('Location: index.php');
    exit;
}

require_once("includes/db.php");

$vitae_empty = false;

if ($_SERVER['REQUEST_METHOD'] == "POST") {
    if ($_POST['text'] == "") {
        $vitae_empty = true;
    } else if ($_POST["text"]!="") {
        testDB::getInstance()->update_vitae($_POST["text"], $_POST["id"]);
        header('Location: manage.php' );
        exit;
 } 
}

?>

In the body (the header and the rest of the html is imported via a 'require_once'):

    <section>
        <div class="grid_3 header_line"><h2>Update for CV</h2></div>
        <div class="grid_3">
            <?php
            $result = testDB::getInstance()->get_vitae();
            $vitae = mysqli_fetch_array($result);                
            ?>

            <form name="editvitae" action="editvitae.php" method="POST">

                <textarea name="text" rows="50" cols="100"><?php echo $vitae['vitae_text'];?></textarea><br/>
                <?php if ($vitae_empty) echo "Please enter some text.<br/>";?>

                <input type="hidden" name="id" value="<?php echo $vitae["vitae_id"];?>" /> <br/>
                <input type="submit" name="savevitae" value="Save Changes"/>
            </form>
        </div>
        <div class="grid_3">
            <p><a href="manage.php">&lsaquo; back to management consol</a></p>
        </div>
    </section>

After the 'body' tag:

<?php mysql_free_result($result);?>

As you can see this pulls the 'vitae' text from the database then loops it to the same page with changes to update the table. It also check's to see that the 'text' box is not empty.

This code works in another application; I'm not understanding why it won't work here. AND before you start warning me about injection and security I have stripped most of it out trying to find the problem with the update. It WILL go back in once I can figure that out.

I have tried stripping the text check; different variable names; dumping the post values into an array before updating the database; putting the post values into static variables; checking all my spellings etc...

I'm missing something and I feel like it's going to be simple.

Answer 1

Anytime an UPDATE is run through mysqli you need to run the $mysqli->commit(); method.

Your new update_vitae would be:

public function update_vitae($text, $id) {
    $text = $this->real_escape_string($text);
    $this->query("UPDATE vitae SET vitae_text=".$text." WHERE vitae_id = ".$id);
    $this->commit;
}

mysqli also has an autocommit feature that can be toggled on or off:

$this->autocommit(true); //on
$this->autocommit(false); //off

Answer 2

So the answer was indeed simple. It was my escaping on the update string as Andrewsi suggested. Here's the update that fixed it:

public function update_vitae($text, $id) {
    $text = $this->real_escape_string($text);
    $this->query("UPDATE vitae SET vitae_text = '$text' WHERE vitae_id = ".$id);
}

Thanks for the help!

I've been designing websites for almost 10 years, but I'm just now getting into 'real' php coding instead of using prepared classes and dreamweaver's built in functions. Far to much to learn but it's fun in my limited spare time.

Answer 3

$result = $this->query("SELECT 1 FROM users WHERE user_username = '" . $username . "' AND user_password = '" . $password . "'");

Be careful with using logical ANDs for user authentication. It may be more wise to completely validate the username first before going after any kind of password. I say this in regard to the many examples of people inserting --; WHERE 1=1 -- and stuff like that (not specifically this statement, however). Sure, this may require two queries, but at least you only have to process one piece of information to determine if a visitor is valid. Another advantage might be saving processing because you won't have to deal with hashing/encrypting the user's password in your app or at the database (until the username has been verified).