mro

Reputation: 141

Embedding variables into MySQL

Wondering if anyone can help - I'm sure this was working before, but I can't get a MySQL update to work.

$db->query("UPDATE entry_pending_details SET old_value = '{$value ["old_value"]}' WHERE id = '{$value ["id"]}'");

It's clearly the variables not being recognised, as if I drop hardcoded values in it's ok.

Any ideas?

Thanks

Upvotes: 0

Views: 76

Answers (4)

Petecoop

Reputation: 557

What I would do is set the values as vars beforehand, e.g.:

$old_value = $value['old_value'];
$id = $value['id'];
mysql_query("UPDATE entry_pending_details SET old_value = '$old_value' WHERE id = '$id'");

Upvotes: 0

ain

Reputation: 22749

You have to use single quotes ' or escape double ones around array indices (like \"). I replaced double quotes with single ones:

"UPDATE entry_pending_details SET old_value = '{$value['old_value']}' WHERE id = '{$value['id']}'"

Upvotes: 2

Marc B

Reputation: 360662

Try the following:

$sql = "UPDATE entry_pending_details SET old_value = '{$value ["old_value"]}' WHERE id = '{$value ["id"]}'";
mysql_query($sql) or die(mysql_error());
echo $sql;

It's a good idea to put the query into a variable so you can examine it later if need be.

As well, what does var_dump($values) show?

Upvotes: -2

Dan Grossman

Reputation: 52372

Your problems are probably:

  1. You have double quotes within a double quoted string. This shouldn't even run, it's a syntax error.

  2. The space between the variable names and the brackets.

You're potentially vulnerable to SQL injection attacks, and definitely vulnerable to your own logic errors.

Use bound parameters instead.

$st = $db->prepare("UPDATE entry_pending_details SET old_value = ? WHERE id = ?");
$st->execute(array($value['old_value'], $value['id']));

Upvotes: 3
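
The difference between the interpolated query and the bound-parameter form, as an added example that is not part of the answer above. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table in place of the asker's MySQL database; the row and the value "O'Brien" are constructed sample data.

```php
<?php
// Added example: in-memory SQLite stands in for the asker's MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE entry_pending_details (id INTEGER PRIMARY KEY, old_value TEXT)");
$db->exec("INSERT INTO entry_pending_details (id, old_value) VALUES (7, 'initial')");

// Constructed sample row; the apostrophe is ordinary data a user might enter.
$value = array('id' => '7', 'old_value' => "O'Brien");

// 1. Interpolated form (the question's pattern, with the array-index quoting corrected).
$sql = "UPDATE entry_pending_details SET old_value = '{$value['old_value']}' WHERE id = '{$value['id']}'";
try {
    $db->exec($sql);
    echo "interpolated: ok\n";
} catch (PDOException $e) {
    // The apostrophe closes the SQL string literal early, so the data is
    // parsed as SQL text and the statement no longer matches what was intended.
    echo "interpolated: failed -> ", $e->getMessage(), "\n";
    echo "statement sent: $sql\n";
}

// 2. Bound parameters: the SQL text is fixed, values travel separately as data.
$st = $db->prepare("UPDATE entry_pending_details SET old_value = ? WHERE id = ?");
$st->execute(array($value['old_value'], $value['id']));
echo "bound: rows updated = ", $st->rowCount(), "\n";

// Read the row back to confirm the value was stored unchanged.
$check = $db->prepare("SELECT old_value FROM entry_pending_details WHERE id = ?");
$check->execute(array($value['id']));
echo "stored value: ", $check->fetchColumn(), "\n";
```

Printing the assembled statement in the failure branch is the same debugging step suggested in an earlier answer: it shows exactly where the data ended up inside the SQL text.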
