How to create a prepared statement for UPDATE query

Comments (4)

Sometimes we need to update not all fields but only certain ones. Say, we have an array with values we want to add to the query.

The task is not very complex, but one have to keep in mind the SQL injection against which prepared statements won't help. To protect from that, all field names should be checked against a pre-compiled list of allowed values. The rest is simple. So the algorithm would be:

Define an array with allowed values
Loop over the source array and create a SET statement for SQL dynamically, based on the allowed fields list
Respective values should be added to the designated array to be used in the execute()

So, imagine we have $_POST array with several fields. Here is the code to insert them into database safely:

// the list of allowed field names
$allowed = ["name","surname","email"];

// initialize an array with values:
$params = [];

// initialize a string with `fieldname` = :placeholder pairs
$setStr = "";

// loop over source data array
foreach ($allowed as $key)
{
    if (isset($_POST[$key]) && $key != "id")
    {
        $setStr .= "`$key` = :$key,";
        $params[$key] = $_POST[$key];
    }
}
$setStr = rtrim($setStr, ",");

$params['id'] = $_POST['id'];
$pdo->prepare("UPDATE users SET $setStr WHERE id = :id")->execute($params);

}

Latest comments:

25.09.20 16:47
Terry Kern for (The only proper) PDO tutorial:
Hello, I've been reading the PDO article with interest. Since in the mission of this site article...
read more
18.09.20 10:48
Ingus for (The only proper) PDO tutorial:
Hello, i got till moment when i do not know if it is secure! If SQL injection is inserted into...
read more
06.09.20 19:07
David Spector for Relative and absolute paths, in the file system and on the web server.:
Great introduction, but doesn't help with the confusions introduced by require or include. I...
read more
04.09.20 17:03
morpheus for Do you really need to check for both isset() and empty() at the same time?:
There are situations when "0"(or maybe 0) is valid. For example user input, i found a solution...
read more
04.09.20 12:24
John for Operator precedence or how does 'or die()' work.:
You say that I should replace die() with trigger_error(), i thought it was better to use throw...
read more

Add a comment

Please refrain from sending spam or advertising of any sort.
Messages with hyperlinks will be pending for moderator's review.

Markdown is now supported:

> before and an empty line after for a quote
four spaces to mark a block of code

Comments:

nagaratna, 15.05.20 10:11
Hi, I want to code this update query using binds_param. Can you please help me achieve this?
```
$sql = "UPDATE customer_address_copy 
SET full_name = 'xxxxxxxxxx', 
email_addess = 'xxxxxxxxxx@xxxxxxxxxx.com', 
address_line = 'xxxxxxxxxx', 
full_address_line = 'xxxxxxxxxx', 
postcode = 'xxxxxxxxxx', 
phone_no = 99999999999  
WHERE created_at < DATE_ADD(NOW(), INTERVAL -2 MONTH)";
```
Reply:
Hello Nnagaratna!

It is not clear what driver you are using, as your comment in the PDO section while bind_param() is a mysqli function.

Either way, just follow the corresponding tutorial, either https://phpdelusions.net/pdo_examples/update or https://phpdelusions.net/mysqli_examples/update
Russell, 31.10.19 18:42
Oh, so I can run rowCount() after execute()? Like:
```
$results->execute();
$results->rowCount();
```
or similarly
```
$results->lasinsertId();
```
I was under the impression those only ran on a fetch/fetchAll
Reply:
Oh, surely no.

The latter can be called only after insert, but rowCount() can be called after any query, though it makes very little sense for SELECT queries.
Russell, 31.10.19 18:18

When using a prepared statement using pdo->prepare method will Insert, Update and Delete return anything that can be fetched using fetch() or fetchAll()?

Reply:
Hello Russell!

Nope, as far as I know, none of them return anything fetchable. All the result you can get is a number of affected rows through rowCount() and the autoincrement id from insert, through lastInsertId()
David E, 21.10.17 16:57

Hello again. Please accept my apologies. I made a field type which resulted in a null variable in the prepare statement. Sorry to have bothered you. Thanks for your help. David E.

25.09.20 16:47
Terry Kern for (The only proper) PDO tutorial:
Hello, I've been reading the PDO article with interest. Since in the mission of this site article...
read more

18.09.20 10:48
Ingus for (The only proper) PDO tutorial:
Hello, i got till moment when i do not know if it is secure! If SQL injection is inserted into...
read more

06.09.20 19:07
David Spector for Relative and absolute paths, in the file system and on the web server.:
Great introduction, but doesn't help with the confusions introduced by require or include. I...
read more

04.09.20 17:03
morpheus for Do you really need to check for both isset() and empty() at the same time?:
There are situations when "0"(or maybe 0) is valid. For example user input, i found a solution...
read more

04.09.20 12:24
John for Operator precedence or how does 'or die()' work.:
You say that I should replace die() with trigger_error(), i thought it was better to use throw...
read more

How to create a prepared statement for UPDATE query

Related articles:

Got a question?

SEE ALSO:

Latest comments:

Add a comment

Comments:

Reply:

Reply:

Reply: