Update several columns if variable is not empty

I know how to update the rows in my database, I know how to transfer data from one page to another, but what I don’t know is a good way to update the database of several different rows as long as the variable aren’t empty.

What I am working on is a user page with settings to change real name, username, password and similar, but I have no clue of how to just update the once I have changed. If I leave for example “Username” empty and press “Change Settings”, then it empties the row of username. How do I make it ignore the empty variables?

Answer

You most likely want to use prepared statements to accomplish this. Both to make the code prettier and more robust, and to avoid SQL injections (alternative).

Now, since you want to update different columns based on some condition, you have a few alternatives on how to continue.

One would be to use several update statements (one for each column you wish to update) and bundle them inside a transaction. Bundling the statements inside a transaction will ensure atomicity and will also help mitigate the performance impact of using several SQL statements in place of one (something that won’t likely matter unless you have many concurrent users).

It would probably look something like this (using the mysqli API):

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("dbhost", "dbuser", "dbpassword", "dbname");
$mysqli->autocommit(FALSE);

if ($userName) {
    $stmt = $mysqli->prepare("UPDATE TABLE users SET username=? WHERE uid=?");
    $stmt->bind_param("si", $userName, $uid);
    $stmt->execute();
}

if ($password) {
    $stmt = $mysqli->prepare("UPDATE TABLE users SET password=? WHERE uid=?");
    $stmt->bind_param("si", $password, $uid);
    $stmt->execute();
}

if ($firstName) {
    $stmt = $mysqli->prepare("UPDATE TABLE users SET firstname=? WHERE uid=?");
    $stmt->bind_param("si", $firstName, $uid);
    $stmt->execute();
}

if ($lastName) {
    $stmt = $mysqli->prepare("UPDATE TABLE users SET lastname=? WHERE uid=?");
    $stmt->bind_param("si", $lastName, $uid);
    $stmt->execute();
}

$mysqli->commit();
$mysqli->close();

For brevity I’ve left out the error handling; you’d need to check for connection failures and problems preparing the statements as well as the execution of them. If anything fails after the first execute() line you need to call $mysqli->rollback() to make sure no changes are performed.

You would also be well advised to refactor the code so it doesn’t repeat itself quite so much, something like this perhaps:

function updateColumn($mysqli, $query, $uid, $value) {
    if ($value) {
        $stmt = $mysqli->prepare($query);
        $stmt->bind_param("si", $value, $uid);
        $stmt->execute();
    }
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("dbhost", "dbuser", "dbpassword", "dbname");
$mysqli->autocommit(FALSE);

updateColumn($mysqli, "UPDATE TABLE users SET username=? WHERE uid=?", $uid, $userName);
updateColumn($mysqli, "UPDATE TABLE users SET password=? WHERE uid=?", $uid, $password);
updateColumn($mysqli, "UPDATE TABLE users SET firstname=? WHERE uid=?", $uid, $firstName);
updateColumn($mysqli, "UPDATE TABLE users SET lastname=? WHERE uid=?", $uid, $lastName);

$mysqli->commit();
$mysqli->close();

You could take it a few steps further and generate the query as well, that’s rather safe since you are not depending on/using user input to generate the query. This would get hairy fairly quickly though.

The other ways would be the ones already mentioned here, or combining the dynamic generation of the query with prepared statements. You might also want to try to do the same with the PDO API.

Probably the best way in the long term would probably be to use a third-party ORM framework (see this related question for suggestions).

Leave a Reply

Your email address will not be published. Required fields are marked *