Jurudocs

Reputation: 9165

DB Update doesn't work

Hi, I'm using PDO to update some fields of a MySQL database. I've written a class called "BakeIT" which connects to a DB and updates some fields depending on the parameters of the method simple_update().

Somehow the first instantiation and call to BakeIT()->simple_update() works, but not the second one. Why is that? I'm going really crazy over this...

Edit: I found out some errors:

string(85) "SQLSTATE[28000] [1045] Access denied for user 'ODBC'@'localhost' (using password: NO)" Fatal error: Call to a member function prepare() on a non-object in BakeIT.php

The table looks like the following (screenshot omitted):

class BakeIT {

    // connect_db() (not shown here) opens the PDO connection using the
    // credentials from the external data.php script.
    function simple_update($tablename, $fieldname, $value, $id, $idname, $token, $tokenvalue) {
        $conn = $this->connect_db();
        // Table and column names are interpolated into the SQL; only the values are bound.
        $sql = "UPDATE $tablename SET $fieldname=? WHERE $idname=? AND $token=?";
        $q = $conn->prepare($sql);
        $q->execute(array($value, $id, $tokenvalue));
        $conn = null;
    }
}

// This, as the first query, works!
$saveanchor = new BakeIT();
$saveanchor->simple_update('navigation','anchor','whoo',5,'idnavigation','hash','3234');

// This, as the second query, does not!
$savetitle = new BakeIT();
$savetitle->simple_update('navigation','linkname','kawoom',5,'idnavigation','hash','3234');

Upvotes: 1

Views: 420

Answers (2)

Jurudocs

Reputation: 9165

Okay, I got it! It's the require_once for the external db-access data. With only "require" of data.php (the script with db-access variables) everything works fine...

Thanks for helping though!

Upvotes: 1

rekire

Reputation: 47945

The field linkname doesn't exist.

To my comment about the security: as far as I know, the prepared statement prevents an attacker from injecting any bad values into the field content.

// $conn is assumed to be an existing PDO connection in scope.
// $primarykey is interpolated unchecked; only $value and $condition are bound.
function example($value, $primarykey, $condition) {
    $q = $conn->prepare("UPDATE table SET somefield=? WHERE $primarykey=?");
    $q->execute(array($value, $condition));
}

It is not possible to manipulate the parameters $value and $condition, but you can set $primarykey to 1=1 --, which would override your complete table.

E.g. example(12, 34, "1=1 --"); that would execute this:

UPDATE table SET somefield=12 WHERE 1=1 --=34

Upvotes: 1
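A hardened variant of the questioner's simple_update() that closes the identifier problem rekire describes, added here as an example (not code from the question or either answer). It assumes an allow-list of known table and column names, still binds the values through PDO, and runs against an in-memory SQLite table constructed for the demo in place of the MySQL table.

```php
<?php
// Added example (not from the question or answers): a hardened version of
// simple_update(). Table/column names cannot be bound as PDO parameters, so
// they are checked against an allow-list and quoted; values are still bound.
// Runs against an in-memory SQLite table constructed for the demo.
class SafeBakeIT {
    // Allow-list: tables and the columns that may be named in a query.
    private const ALLOWED = [
        'navigation' => ['idnavigation', 'anchor', 'linkname', 'hash'],
    ];
    private PDO $conn;

    public function __construct(PDO $conn) {
        // ERRMODE_EXCEPTION: a failed prepare() throws instead of returning
        // false, so errors surface at once rather than as a later fatal.
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->conn = $conn;
    }

    private function ident(string $table, string $name): string {
        if (!in_array($name, self::ALLOWED[$table] ?? [], true)) {
            throw new InvalidArgumentException("Unknown identifier: $name");
        }
        return '`' . $name . '`';  // safe to quote once allow-listed
    }

    public function simple_update(string $table, string $field, $value, $id,
                                  string $idname, string $token, $tokenvalue): int {
        if (!isset(self::ALLOWED[$table])) {
            throw new InvalidArgumentException("Unknown table: $table");
        }
        $sql = sprintf('UPDATE `%s` SET %s = ? WHERE %s = ? AND %s = ?', $table,
            $this->ident($table, $field), $this->ident($table, $idname),
            $this->ident($table, $token));
        $q = $this->conn->prepare($sql);
        $q->execute([$value, $id, $tokenvalue]);  // values bound, never interpolated
        return $q->rowCount();
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE navigation (idnavigation INTEGER, anchor TEXT, linkname TEXT, hash TEXT)');
$pdo->exec("INSERT INTO navigation VALUES (5, 'old', 'old', '3234'), (6, 'x', 'x', '9999')");
$b = new SafeBakeIT($pdo);
echo $b->simple_update('navigation', 'anchor', 'whoo', 5, 'idnavigation', 'hash', '3234'), " row updated\n";
try {  // the "1=1 --" identifier from the answer is rejected before any SQL is built
    $b->simple_update('navigation', 'anchor', 'whoo', 5, '1=1 --', 'hash', '3234');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Only the one row with idnavigation 5 and hash '3234' is updated; the second call never reaches the database.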
