I have a user profile update page with some form fields to update. Here they are:
NAME
SURNAME
password
phone
I am trying to make this update without a big script; I mean I don’t want to define whether, for example, NAME exists or not, and so on. I want any marked form value that exists to be changed in MySQL. As far as I know, this is possible with a mysqli_prepare statement. I’ve written the SQL like this:
$stmt = "UPDATE table SET NAME=?,SURNAME=?,PASSWORD=?,PHONE=? WHERE email='" . $email . "'";
but something is wrong. Any ideas how to do it? Also, please advise why it is a better way to use mysqli_prepare, and why it is safe too?
PS. I did not write out the PHP script because I do not have any problem with it.
UPDATE
I’ve marked the SQL statement, and above it in the PHP script I am writing this:
if (isset($_POST['name']){
    $name = $_POST['name'];
} else {
    $name = null;
}
and so on …
but it doesn’t execute and no error message is shown; I think something is wrong with the SQL statement.
I just want that if some of the details are filled in, they are updated, and if all fields are filled in, all are updated. How do I write this in the script?
I cannot understand these question marks in the SQL statement. Does it mean that if, for example, NAME does not exist, it is ignored?
The question marks in your SQL string are not part of the SQL syntax; they are placeholders for the actual parameters. If you want to do it like this, you should first make a SQL statement, and then set the parameters.
Something like
example derived from http://www.xphp.info/security/getting-started-with-mysqli/
Also note the comment of ThiefMaster:
password is a reserved word in MySQL so you will need to put it in backticks (``)
Alternatively you directly insert the values into the mysql string, like you initially did with the email address. You need to escape the values in that case, by using mysql_real_escape_string()
Note that you are in both cases replacing ALL values with what was set, be it NULL or a string, or whatever.
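As an added example (not code from the original posts), here is one way to update only the fields that were actually submitted, using a mysqli prepared statement with the email bound as a parameter as well. The table name `users`, the functions `build_profile_update()` and `run_profile_update()`, and the lower-case form field names are assumptions for illustration.

```php
<?php
// Fixed map of form field => column; column names never come from user input.
const PROFILE_COLUMNS = ['name' => 'NAME', 'surname' => 'SURNAME',
    'password' => 'PASSWORD', 'phone' => 'PHONE'];

// Returns [sql, types, values] for the submitted fields only,
// or null when no field was filled in. (Hypothetical helper.)
function build_profile_update(array $post, string $email): ?array
{
    $set = [];
    $values = [];
    foreach (PROFILE_COLUMNS as $field => $column) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || $value === '') {
            continue; // absent or empty field: the stored value is kept
        }
        if ($field === 'password') {
            $value = password_hash($value, PASSWORD_DEFAULT); // store a hash only
        }
        $set[] = "`$column` = ?";
        $values[] = $value;
    }
    if ($set === []) {
        return null;
    }
    $values[] = $email; // the WHERE value is bound too, not concatenated
    $sql = 'UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `email` = ?';
    return [$sql, str_repeat('s', count($values)), $values];
}

// Runs the update on an open connection (assumed: table `users` exists).
function run_profile_update(mysqli $db, array $post, string $email): bool
{
    $update = build_profile_update($post, $email);
    if ($update === null) {
        return false; // nothing to change
    }
    [$sql, $types, $values] = $update;
    $stmt = $db->prepare($sql);
    if (!$stmt) { return false; }
    $stmt->bind_param($types, ...$values); // values travel separately from the SQL text
    return $stmt->execute();
}

// Constructed sample input: surname left empty, phone contains a quote.
$post = ['name' => 'Ann', 'surname' => '', 'phone' => "555' OR '1'='1"];
[$sql, $types, $values] = build_profile_update($post, 'ann@example.com');
echo $sql, PHP_EOL, $types, PHP_EOL;
```

The printed statement contains only placeholders for NAME, PHONE and email; the quote in the phone value never becomes part of the SQL text.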