www.webdeveloper.com
Page 2 of 2 FirstFirst 12
Results 16 to 24 of 24

Thread: help w/mysqli update

  1. #16
    Join Date
    May 2014
    Posts
    911
    Quote Originally Posted by \\.\ View Post
    Thing is with mysqli is that they have http://uk1.php.net/manual/en/mysqli.select-db.php and other functions that are the same as mysql_ versions, both procedural and OO style.
    The procedural effectively being a wrapper under the hood; a pointless wrapper for nothing other than overhead. It was a mistake for them to even include them in the language... though I know why they did it, some people are too stupid to figure out object and it gave a soft-gentle way to let people who can't get their head out of mysql_ thinking to the new way; unfortunately like most soft-gentle ways of doing things it lets people still sleaze out the old bad habits, when what's REALLY needed is a good hard slap with a wet trout.

    Again, why I prefer PDO, it doesn't provide any of that garbage.

    Quote Originally Posted by \\.\ View Post
    standard sql uses -- as the start of a comment and ; terminates a query string which means that if someone trued appending a hack to the end of the current query to be run, it would be ignored as a comment.
    Which does nothing when it's AFTER the variable; though a better solution? Don't waste time putting it in a variable!

    Can't say I've seen that, because how exactly would they "append" it THERE? Well, other than having access to actually edit the code in which case why not just replace the whole string? That has to be one of the DUMBEST things I've seen in SQL and the reasoning for it is total BS. Of course that prepared queries don't allow more than one query per PDOStatement would effectively be doing the same thing.

    Quote Originally Posted by \\.\ View Post
    The query about _real_escape_string, why are you saying this is nonsense? if you don't escape your query string and it has an errant apostrophe or quote, it breaks the query string so it needs to be escaped and you need to sanitize any incoming data in case it is a hack attempt.
    Because we have prepared queries now! -- which are one of the ENTIRE reasons we're supposed to stop using the old mysql_ functions in the first place. Them even including a _real_escape_string for mysqli is stupid, completely missing the point of NOT using the old functions. Prepared queries do this wonderful thing of completely separating queries from their data, as such there is NO chance to inject a blasted thing.

    If you are still doing this:

    Code:
    $id=mysqli_real_escape_string($link, filter_var( $_POST['id'], FILTER_SANITIZE_STRING ));
    $update = mysqli_query($link, "UPDATE emailtbl SET lastused=NOW() WHERE id='$id';--") ;
    You have COMPLETELY missed the point of mysqli and/or PDO over mysql_.

    Code:
    $stmt = $link->prepare('UPDATE emailtbl SET lastused=NOW() WHERE id = ?');
    $stmt->bindParam('i', $_POST['id']);
    $stmt->execute();
    No goofy ending comment nonsense, no chance of script injection because query and data are separate, and should you need to run the same query with different values, you can simply re-bind and execute without sending the query to the engine again. (assuming emulate_prepares is disabled, which I highly recommend doing).

    That ending comment thing? That's just stupid. Still slapping values directly into the query strings? That's missing a significant part of why we're not supposed to be using mysql_ functions anymore. If you're using mysqli, LEARN to use mysqli.

    Though I personally prefer PDO since you could then do:

    Code:
    $stmt = $link->prepare('UPDATE emailtbl SET lastused=NOW() WHERE id = ?');
    $stmt->execute([$_POST['id']]);
    Or
    Code:
    $stmt = $link->prepare('UPDATE emailtbl SET lastused=NOW() WHERE id = :id');
    $stmt->execute([':id' => $_POST['id']]);

    Though you want the real fun of prepare:
    Code:
    // tell PHP to ACTUALLY use "prepare" and not 'fake' it.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)
    
    // set up our query ONCE
    $stmt = $db->prepare('SELECT * FROM users WHERE id = ?');
    
    // let's say you had an array of users
    
    foreach ($userList as $userId) {
    	$stmt->execute([$userId]);
    	if ($user = $stmt->fetch(PDO::FETCH_ASSOC)) {
    		echo 'User #', $userId, ' ', $user['name'], '<br />';
    	} else echo 'No info for user #', $userId, '<br />';
    }
    One prepare, query is only sent ONCE to the SQL server, but we can run it multiple times sending only the values to be plugged in separately.

    ... and again, none of that _real_escape_string nonsense needed. That's a relic that along with blindly slapping values into a query belongs in the past. It's damned near HALF the reason we're not supposed to use mysql_ anymore. The other half being mysql_ complete lack of scope, NOT that a whole lot of people seem to be paying attention to "don't put the connection in global scope" and still sleaze out their database code that way too.
    Last edited by deathshadow; 08-23-2014 at 10:50 AM.
    Java is to JavaScript as Ham is to Hamburger.

  2. #17
    Join Date
    May 2014
    Posts
    911
    Oh, and you want to know JUST how stupid a "--" comment would be to prevent appendage to the query?

    "\nDROP TABLE emailtbl"

    Would still work... since a newline ends a comment.

    Oh, and -- without a semi-colon preceding it should be an invalid query.
    Java is to JavaScript as Ham is to Hamburger.

  3. #18
    Join Date
    May 2014
    Posts
    911
    Quote Originally Posted by \\.\ View Post
    As for the sleep(), it is only in the demo for the sole purpose of hanging the page so that the OP can see if the output error "Ooops! Something wasn't set ... " displays before the user is sent to the designated page.
    That shouldn't even work, the delay is run SERVER-SIDE so if PHP is buffering for packet efficiency like a good little dooby, rendering may or may not even start during that delay. You want a delay like that, you put it client-side.
    Java is to JavaScript as Ham is to Hamburger.

  4. #19
    Join Date
    Mar 2007
    Location
    localhost
    Posts
    2,348
    Personally I find it illogical to have three lines of code that need to be executed to do the job of one that happens to be procedural, to me that is coding for nothing other than the sake of it.

    As for the sleep() function. again you have completely missed the point, yes it does sleep on the server in terms of making the script wait and that was the whole purpose because some item had been output and if it didn't sleep the output would be wiped before it was read, hence the note I put about removing it, again we are here with you harping on about a topic that is your opinion without considering others and what their needs are and frankly you are the most insulting of characters that has come to this forum, you don't seem to get the point that people of all abilities come here, not just professionals and you should be offering your resolution to a problem and not belittling others contributions.

    Some of your comments are blatantly insulting to others, if people don't want to learn OO then that is their choice and its not your position to ridicule those people for it, to put it in to another perspective, tonight, go outside and look up at the night sky. Obvious enough?
    Yes, I know I'm about as subtle as being hit by a bus..(\\.\ Aug08)
    Yep... I say it like I see it, even if it is like a baseball bat in the nutz... (\\.\ Aug08)
    I want to leave this world the same way I came into it, Screaming, Incontinent & No memory!
    I laughed that hard I burst my colostomy bag... (\\.\ May03)
    Life for some is like a car accident... Mine is like a motorway pile up...

    Problems with Vista? :: Getting Cryptic wid it. :: The 'C' word! :: Whois?

  5. #20
    Join Date
    Apr 2013
    Posts
    73
    Damn it guys, I really am impressed by your off knowledge(both)I'm sure both are correct in many ways. sure I was put off by by a certain moderator but give the devil his dues, some of us need a kick in the pants to wake us up and in my case, jog the memory That said, your dialogue left me at a loss to the solution. Please, u know the issue, u know my input. how do u code this?
    Last edited by 12Strings; 08-23-2014 at 03:12 PM.

  6. #21
    Join Date
    May 2014
    Posts
    911
    Quote Originally Posted by \\.\ View Post
    Personally I find it illogical to have three lines of code that need to be executed to do the job of one that happens to be procedural, to me that is coding for nothing other than the sake of it.
    Excepting it's not three instead of one, it's three instead of TWO or MORE. Of course, I love when people call it more code when the first one is 178 bytes and the 'proper' way is 131. Makes that argument sound SO legit to me.

    Of course, How about we actually make it one line, and let's plug in say... three values:

    Code:
    $id=mysqli_real_escape_string($link, filter_var( $_POST['id'], FILTER_SANITIZE_STRING ));
    $name=mysqli_real_escape_string($link, filter_var( $_POST['name'], FILTER_SANITIZE_STRING ));
    $name=mysqli_real_escape_string($link, filter_var( $_POST['city'], FILTER_SANITIZE_STRING ));
    $update = mysqli_query($link, "UPDATE emailtbl SET lastused=NOW(), name = '$name', city = '$city' WHERE id='$id';--");
    399 bytes vs:

    Code:
    $stmt = $link->prepare('UPDATE emailtbl SET lastused=NOW(), name = ?, city = ? WHERE id = ?');
    $stmt->bindParam('ssi', $_POST['name'], $_POST['city'], $_POST['id']);
    $stmt->execute();
    185 bytes. Yeah that old outdated and outmoded way is just SO efficient and effective :/

    or for PDO:

    Code:
    $stmt = $link->prepare('UPDATE emailtbl SET lastused=NOW(), name = ?, city = ? WHERE id = ?');
    $stmt->execute([$_POST['name'], $_POST['city'], $_POST['id']]);
    Where it's even less.

    .. and of course that doesn't even account for the efficiency improvements under the hood or the fact it FINALLY means that people stop blindly putting values into query strings WHERE THEY NEVER BELONGED IN THE FIRST BLASTED PLACE.

    ... and if I'm short with people and possibly even insulting, it's due to my disgust with how people ignore the specifications, ignore the recommendations, ignore just plain common sense and sleaze things out any-old-way. It's nauseating the outright bull programmers are allowed to get away with and even more disgusting the lame excuses and ignorant halfwit nonsense they use to justify it! Seriously makes one wonder what the devil is in the kool-aid.

    Quote Originally Posted by 12Strings View Post
    Damn it guys, I really am impressed by your off knowledge(both)I'm sure both are correct in many ways. sure I was put off by by a certain moderator but give the devil his dues, some of us need a kick in the pants to wake us up and in my case, jog the memory That said, your dialogue left me at a loss to the solution. Please, u know the issue, u know my input. how do u code this?
    There's so many issues and it's so unclear as to what you are trying to do that other than trying to teach you to use mysqli properly (or suggest moving to PDO) it's hard to even say what the proper code would be; simply that this isn't it.

    You were given a bunch of example code right up until post #12 that should have worked -- what you added in that post just needs to be tossed in it's entirety.

    When I have the time I'll see if I can dig through that and try and make sense of what you are attempting, but really I'm not sure I even understand what any of this is trying to accomplish, much less how it's trying to go about it as you're doing a number of things I wouldn't put in PHP in the first place. (like the stupid malfing header redirection nonsense).

    Really not your fault, there's a lot of outdated, outmoded and just plain bad advice in most of the tutorials and books out there, most of which much like their creators have their heads wedged up 1997's backside on HTML and 2004's backside on PHP; making everyone else (particularly those who blindly copy and paste from said examples) equally out of date.

    Though copying and testing other people's code can only get you so far. You're going to have to actually learn the underlying languages if you're serious about this. We can only give you so many fish before we ship you to Alaska.
    Last edited by deathshadow; 08-23-2014 at 03:43 PM.
    Java is to JavaScript as Ham is to Hamburger.

  7. #22
    Join Date
    May 2014
    Posts
    911
    Looking back at those posts in more detail, I think I need to see more of the picture to really be helpful. Snippets are cute, but they really don't tell us what's REALLY going on here. It's also odd that (post 12, 3rd code block) you're including the user update (and it's header redirect) from a file that likely outputs stuff before and after it for no good reason. That program flow makes no sense, again making me wonder just what you're trying to accomplish with all this.

    Basically, can't see the big picture through a keyhole... and that's what snippets are; very tiny, TINY peep-holes.

    From what I can see, it would seem your entire 'outer plan' is flawed and needs to be pitched, you're kinda pasting together stuff before you even have a proper logic flow; I suspect much of that comes from your still learning and not knowing the order in which things SHOULD be done -- like setting headers and cookies and the ilk BEFORE you can echo-out or otherwise send ANYTHING else client-side.
    Last edited by deathshadow; 08-23-2014 at 03:49 PM.
    Java is to JavaScript as Ham is to Hamburger.

  8. #23
    Join Date
    Apr 2013
    Posts
    73
    if I could send u screenshot it wouId be clear what I'm doing

  9. #24
    Join Date
    Apr 2013
    Posts
    73
    sending u screenshot to show what I'm doing:
    lastused.jpg

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles