Я бы порекомендовал вам использовать mysqli_query()
с prepared
заявлениями. Чтобы избежать SQL injection
, вы должны использовать prepared statements
.
$mysqli = new mysqli("example.com", "user", "password", "database");
if ($mysqli->connect_errno) {
echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
/* Prepared statement, stage 1: prepare */
$stmt = $mysqli->prepare("update mahasiswa set password = ? where mahasiswa_id = ?");
$new_password = password_hash($_POST['new_password']);
$stmt->bind_param("si", $new_password, $session_id);
$stmt->execute();
if($stmt->affected_rows === 0) exit('No rows updated');
$stmt->close();
Простой пример, который использует mysqli_query()
вместо mysql_query()
.
//$con must contain your database connection
//eg: $con = mysqli_connect("localhost","my_user","my_password","my_db");
$new_password = password_hash($_POST['new_password']);
$my_query = 'update mahasiswa set password = '.$new_password.' where mahasiswa_id = '.$session_id;
if(mysqli_query($con,$my_query)){
//database updated succesfully
} else {
//failure
}
Если вы работаете с mysql_query()
, тогда
// if your db connection is valid then
if(mysql_query($my_query)){
//database updated succesfully
} else {
//failure
}