PHP UPDATE prepared statement
$stmt = $this->mysqli->prepare("UPDATE datadump SET content=? WHERE id=?");
/* BK: always check whether the prepare() succeeded */
if ($stmt === false) {
trigger_error($this->mysqli->error, E_USER_ERROR);
return;
}
$id = 1;
/* Bind our params */
/* BK: variables must be bound in the same order as the params in your SQL.
* Some people prefer PDO because it supports named parameter. */
$stmt->bind_param('si', $content, $id);
/* Set our params */
/* BK: No need to use escaping when using parameters, in fact, you must not,
* because you'll get literal '\' characters in your content. */
$content = $_POST['content'] ?: '';
/* Execute the prepared Statement */
$status = $stmt->execute();
/* BK: always check whether the execute() succeeded */
if ($status === false) {
trigger_error($stmt->error, E_USER_ERROR);
}
printf("%d Row inserted.\n", $stmt->affected_rows);
Re your questions:
I get a message from my script saying 0 Rows Inserted
This is because you reversed the order of parameters when you bound them. So you're searching the id column for the numeric value of your $content, which is probably interpreted as 0. So the UPDATE's WHERE clause matches zero rows.
do I need to declare all the fields or is it ok to just update one field??
It's okay to set just one column in an UPDATE statement. Other columns will not be changed.
In fact, prepared statements are not that complex as it's shown in the other answer. Quite contrary, a prepared statement is the most simple and tidy way to execute a query. Take, for example, your case. You need only three lines of code!
$stmt = $this->mysqli->prepare("UPDATE datadump SET content=? WHERE id=?");
$stmt->bind_param('si', $content, $id);
$stmt->execute();
- Prepare your query with placeholders
- Then bind variables (a hint: you can safely use "s" for any variable)
- And then execute the query.
As simple as 1-2-3!
Note that checking every function's result manually is just insane, it would only bloat your code without any benefit. Instead you should configure mysqli to report errors automatically once for all. To do so, add the following line before mysqli_connect()/new mysqli:
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
the result will be pretty much the same as with trigger_error but without an single extra line of code! As you can see, the code could be very simple and concise, if used properly.