Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
298 views
in Technique[技术] by (71.8m points)

PHP script to update mySQL database

Another day, another question...

I need to write a PHP script to update a MySQL database.

For example: updating the profile page when a user wants to change their first name, last name, etc.

Here is my PHP script so far; it doesn't work. Please help!

<?php
@ $db = new MySQLi('localhost','root','','myDB');

if(mysqli_connect_errno()) {
    echo 'Connection to database failed:'.mysqli_connect_error();
    exit();
}

if (isset($_GET['id'])) {

$id = $db->real_escape_string($_GET['id']); 

$First_Name2 = $_POST['First_Name2'];

$query  = "UPDATE people SET $First_Name2 = First_Name WHERE `Id` = '$id'";

$result = $db->query($query);

if(! $result)
{
    die('Could not update data: ' . mysql_error());
}
echo "Updated data successfully
";

$db->close();
}
?>

Thank you.


1 Answer

0 votes
by (71.8m points)

Your SQL is wrong. Apart from the gaping wide open SQL injection attack vulnerability, you're generating bad SQL.

e.g. consider submitting "Fred" as the first name:

$First_Name2 = "Fred";
$query = "UPDATE people SET Fred = First_name WHERE ....";

Now you're telling the db to update a field named "Fred" to the value in the "First_Name" field. Your values must be quoted, and reversed:

$query = "UPDATE people SET First_name = '$First_Name2' ...";

You are also mixing the mysqli and mysql DB libraries like a drunk staggering down the street. PHP's db libraries and function/method calls are NOT interchangeable like that.

In short, this code is pure cargo-cult programming.
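
One way to write the update so that the submitted name is bound as a parameter rather than interpolated into the SQL text, using mysqli for every call (an added example, not code from the question or the answer; the `people` column types, the 100-character limit and the helper name `updateFirstName` are assumptions):

```php
<?php
// Added example (not the original poster's code).
// Assumed schema: people(Id INT PRIMARY KEY, First_Name VARCHAR(100)).

// Report mysqli failures as exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the number of rows changed.
function updateFirstName(mysqli $db, int $id, string $firstName): int
{
    // The column name is fixed in the SQL text; user input travels only
    // as bound parameters, so it is never parsed as SQL.
    $stmt = $db->prepare('UPDATE people SET First_Name = ? WHERE Id = ?');
    $stmt->bind_param('si', $firstName, $id);   // s = string, i = integer
    $stmt->execute();
    $changed = $stmt->affected_rows;            // 0 if no such Id or value unchanged
    $stmt->close();
    return $changed;
}

// Validate request input before it reaches the database layer.
$id        = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$firstName = trim((string) filter_input(INPUT_POST, 'First_Name2'));

if (!is_int($id) || $id < 1 || $firstName === '' || strlen($firstName) > 100) {
    http_response_code(400);
    exit('Invalid id or first name.');
}

try {
    $db = new mysqli('localhost', 'root', '', 'myDB'); // credentials from the question
    $db->set_charset('utf8mb4');
    $changed = updateFirstName($db, $id, $firstName);
    $db->close();
    echo $changed === 1 ? "Updated data successfully\n" : "Nothing to update\n";
} catch (mysqli_sql_exception $e) {
    // Keep database details in the server log, not in the response.
    error_log('Profile update failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not update data.');
}
```

Because the statement is prepared, a first name containing a quote character is stored as data and does not need `real_escape_string`.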

