
PHP update statement with ? instead of the variable

220061

New Coder
Hello, I have a question. I'm almost there, but I can't seem to figure this one out.
I really want to set inlever_datum to the current time + 7 days. As you can see above, I have made code that gives a date 7 days ahead of now. How will I use this with my insert statement? I tried doing
PHP:
$id = $_GET['id'];
$date = date("Y-m-d");
$new_date = date('Y-m-d', strtotime($date. '+7 day'));
$sql = "UPDATE apparatuur SET inlever_datum ='$new_date' , uitleen_datum = NOW() WHERE id=$id";
and this does give the result in the db that I wanted, but from what I have learned it isn't really the correct way to do these things; it's more like
PHP:
$id = $_GET['id'];
$date = date("Y-m-d");
$new_date = date('Y-m-d', strtotime($date. '+7 day'));
$sql = "UPDATE apparatuur SET inlever_datum =? , uitleen_datum = NOW() WHERE id=$id";

However, this keeps giving NULL into my db.
So my question is: how do I make this prepared statement correct with user input in mind?

Code:
case "0":
    //doesn't work
    $id = $_GET['id'];
    $date = date("Y-m-d");
    $new_date = date('Y-m-d', strtotime($date. '+7 day'));
    // you had to put '' around it
    $sql = "UPDATE apparatuur SET inlever_datum = ?, uitleen_datum = NOW() WHERE id=$id";
    $stmt = $conn->prepare($sql);
    //var_dump($stmt);// false???
    $stmt->bind_param('si', $inlever_datum , $id);
    $status = $stmt->execute();
    break;
 
Hi,

We use stored procedures in our database and have code written so that we provide the procedure name, and an array of variables. For some information, try googling "php stored procedures" and/or here is a Stored Procedure Tutorial

I realise this doesn't answer your question, but using stored procedures reduces SQL injection attacks on your website.

Cheers
Carl.
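
One way to write the update from the question as a fully parameterized statement, as an added example that is not part of any post in this thread. It assumes PHP 8 with mysqli; the function name `lendOut` and the connection credentials are hypothetical placeholders. Compared with the posted snippet, the id is also a `?` placeholder (so the two type letters in `'si'` match two placeholders) and the bound date variable is `$new_date`, the one that was actually assigned.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8+ and the mysqli extension.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false from prepare()/execute().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: marks one `apparatuur` row as lent out now, due back in 7 days.
 * Returns the number of rows changed (0 if the id does not exist or nothing changed).
 */
function lendOut(mysqli $conn, mixed $rawId): int
{
    // Validate the request value first: only a positive integer is a usable id.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $new_date = date('Y-m-d', strtotime('+7 day'));

    // Both values are placeholders; nothing from the request is concatenated into the SQL text.
    $sql = 'UPDATE apparatuur SET inlever_datum = ?, uitleen_datum = NOW() WHERE id = ?';
    $stmt = $conn->prepare($sql);

    // One type letter per placeholder, in order: 's' for the date string, 'i' for the integer id.
    $stmt->bind_param('si', $new_date, $id);
    $stmt->execute();

    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

// Usage. Host, user, password and database name are placeholders.
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
try {
    $changed = lendOut($conn, $_GET['id'] ?? null);
    echo $changed === 1 ? 'Updated' : 'No row changed';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid id';
}
```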
 
