
Passing PHP variable to SQL query

    $user = mysql_real_escape_string($_POST["userlogin"]);

    mysql_connect("uritomyhost","myusername","password"); 
    mysql_select_db('mydatabase');
    mysql_query('UPDATE table SET field = field + ($userlogin)');

Is this the right way of getting userlogin from the post request and then inserting it to my SQL query?

Stop using outdated functions and use PDO instead.

// connect first; prepare() is an instance method on a PDO object, not a static call
$pdo = new PDO('mysql:host=uritomyhost;dbname=mydatabase', 'myusername', 'password');
$stmt = $pdo->prepare('UPDATE table SET field = field + :field');
$stmt->execute(array('field' => $_POST["userlogin"]));

Read some information about PDO. In short: it escapes your data for you, is quite consistent across databases and is generally just easier.

After connecting to MySQL, use mysql_real_escape_string() and use double quotes:

mysql_query("UPDATE table SET field = field + ({$userlogin})");

You should use mysql_real_escape_string() just after connecting to the database, so change your code to this:

mysql_connect("uritomyhost","myusername","password"); 
mysql_select_db('mydatabase');
$userlogin = mysql_real_escape_string($_POST["userlogin"]);
mysql_query("UPDATE table SET field = '$userlogin'");

Try like this.

$user = mysql_real_escape_string($_POST["userlogin"]);

mysql_connect("uritomyhost","myusername","password"); 
mysql_select_db('mydatabase');
mysql_query("UPDATE table SET field = value where user='$user'");
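As an added example (this is not code from the question or from any of the answers above), the escaping-based answers and the PDO answer are put side by side here to show why mysql_real_escape_string() on its own cannot protect the question's unquoted `field + ($userlogin)` context, and what a prepared statement plus input validation does instead. It runs against an in-memory SQLite database through PDO so it works offline; the `accounts` table, its `user`/`balance` columns, the sample rows, the attacker payload and the `legacy_escape()` stand-in for mysql_real_escape_string() (which needs a live MySQL connection) are all constructed for this example.

```php
<?php
// Added example, not part of the original question or answers.
// Shows that escaping only protects quoted string contexts: a value interpolated
// into an unquoted arithmetic expression is injectable even after escaping.

// Stand-in for mysql_real_escape_string(), which requires a live MySQL link.
// It escapes exactly the same characters (NUL, \n, \r, \, ', ", Ctrl-Z) and nothing else.
function legacy_escape(string $s): string {
    return strtr($s, [
        "\0" => '\0', "\n" => '\n', "\r" => '\r',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\Z',
    ]);
}

// Constructed demo schema and rows (assumption: an `accounts` table with user/balance).
function make_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL)');
    $pdo->exec("INSERT INTO accounts VALUES ('alice', 100), ('bob', 100)");
    return $pdo;
}

// Vulnerable: the escaped amount is interpolated into `balance + (...)` with no
// surrounding quotes, so a payload that contains no quote characters is unchanged
// by legacy_escape() and becomes part of the SQL statement.
function credit_unsafe(PDO $pdo, string $user, string $amount): int {
    $escaped = legacy_escape($amount);
    return $pdo->exec("UPDATE accounts SET balance = balance + ({$escaped}) WHERE user = '{$user}'");
}

// Hardened: validate the amount as an integer first, then bind both values as
// parameters so neither can ever be parsed as SQL. The WHERE clause keeps the
// update to the intended row.
function credit_safe(PDO $pdo, string $user, string $amount): int {
    $n = filter_var($amount, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('amount must be an integer');
    }
    $stmt = $pdo->prepare('UPDATE accounts SET balance = balance + :amount WHERE user = :user');
    $stmt->bindValue(':amount', $n, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

function balances(PDO $pdo): array {
    return $pdo->query('SELECT user, balance FROM accounts ORDER BY user')
               ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed attacker input: no quotes or backslashes, so escaping leaves it intact.
// Inside the unsafe query it closes the parenthesis, injects its own WHERE and
// comments out the original `WHERE user = 'alice'` filter.
$payload = '1000) WHERE 1=1 --';

$pdo = make_db();
$affected = credit_unsafe($pdo, 'alice', $payload);
echo "unsafe: {$affected} row(s) affected\n";
print_r(balances($pdo));

$pdo = make_db();
try {
    credit_safe($pdo, 'alice', $payload);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected payload ({$e->getMessage()})\n";
}
$affected = credit_safe($pdo, 'alice', '25');
echo "safe: {$affected} row(s) affected\n";
print_r(balances($pdo));
```

Run it with the `php` command-line binary; the pdo_sqlite extension it needs is enabled in most standard builds. The payload contains no quote, backslash or control character, so `legacy_escape()` returns it unchanged and it lands verbatim inside the arithmetic expression, where the injected `WHERE 1=1` and the trailing `--` comment discard the intended user filter and every account is credited. In `credit_safe()` the same string fails `FILTER_VALIDATE_INT` and is rejected before any SQL is built; with a genuine integer the bound parameter can only ever be a value, never SQL, and the `WHERE user = :user` clause limits the update to one row. Escaping was never the right tool for a numeric context; validation plus binding is.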

Use mysqli_query for your queries (notice the i) and use prepared statements. Using prepared statements is more secure than using straight queries and including the variable in the query string. Moreover, mysql will be deprecated soon. Example:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>

Try this

mysql_query("UPDATE table SET field = field + ('$user')");

However, you might be updating all the fields in your table because you have no WHERE in your UPDATE clause.

Shouldn't it rather be:

mysql_query("UPDATE table SET field = field WHERE user= '$user'");

I think you want to INSERT instead of using UPDATE. Why field = field + ($userlogin)? This will concatenate the values. And one more thing: please use PDO or MySQLi.

Example of using PDO extension:

<?php

    // $dbh is an existing PDO connection, e.g. new PDO('mysql:host=uritomyhost;dbname=mydatabase', 'myusername', 'password')
    $stmt = $dbh->prepare("INSERT INTO tablename (field) VALUES (?)");
    $stmt->bindParam(1, $user);
    $stmt->execute();

?>

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM