im trying to understand why this works. any help would be much appreciated


$sql = sprintf("
UPDATE login
SET username='$username',
password='$password',
email='$email'
WHERE PayerID LIKE '$PayerID'
AND token LIKE '$token' ",


but this doesnt


$sql = sprintf("
UPDATE login (username, password, email)
VALUE ('%s','%s','%s')
WHERE token LIKE '$token'
AND PayerID LIKE '$PayerID'"

you aren't passing any arguments.

Neither example works - not the way you think they are, at least; they're not "doing" anything. They're simply returning the same (unaltered) string you give them.
(The second example is probably giving you an error like Warning: sprintf() [function.sprintf]: Too few arguments ..., yes?).

http://us3.php.net/manual/en/function.sprintf.php

try:

// this assumes you have already defined the variables $username, $password, $email

$preparedStatement = "
UPDATE login (username, password, email)
VALUES ('%s','%s','%s')
WHERE token LIKE '$token' AND PayerID LIKE '$PayerID'";

$sql = sprintf($preparedStatement, $username, $password, $email);

// you also had a typo in your SQL statement -should be VALUES (corrected above), not VALUE

thank you for responding. i should have been more clear from the beginning
the sql query is inside a function


function registerNewUser($username, $password, $password2, $email){

if (!valid_username($username) || !valid_password($password) ||
!valid_email($email) || $password != $password2 || user_exists($username))
{
return false;
}

$sql = sprintf("UPDATE login (username,password,email)
VALUES ('%s','%s','%s')
WHERE token LIKE '$token' AND PayerID LIKE '$PayerID' ",
mysql_real_escape_string($username), mysql_real_escape_string(sha1($password . $seed))
, mysql_real_escape_string($email)

}

and these variables are being passed in $username, $password, $password2, $email

the function was working before then something happened where these variables seem unresponsive
'%s','%s','%s'

yup im getting errors when i try to print. i separated the sql query but still getting errors



$format = '%s %s %s';
printf($format);

Warning: printf() [function.printf]: Too few arguments in



re: getting closer with this


$format = '%s %s %s %s';
printf($format,$username, $password, $password2, mysql_real_escape_string($email) );

the function was working before then something happened where these variables seem unresponsive
'%s','%s','%s'

well, in your first example, you were actually using variables - sprintf() wasn't making any changes to your string at all. When you added the references, there weren't any values being passed in as arguments. I'd recommend separating everything out, so it's easier to read. You had some syntax errors in your last example, as well:
function registerNewUser($username, $password, $password2, $email){

if (!valid_username($username)
|| !valid_password($password)
|| !valid_email($email)
|| $password != $password2
|| user_exists($username)
){
return false;
}

$prepstatement = "
UPDATE login (username,password,email)
VALUES ('%s','%s','%s')
WHERE token LIKE '$token' AND PayerID LIKE '$PayerID' ";
// there is no $token or $PayerID defined in your function !!

$user = mysql_real_escape_string($username);
$hash = mysql_real_escape_string(sha1($password . $seed));
// there is no $seed defined in your function !!

$Email = mysql_real_escape_string($email);

$sql = sprintf($prepstatement, $user, $hash, $Email);

// ...and then nothing happens.
// are you returning $sql for use in another function?
// is there more to this function than what you've shown?

}

all of the variables are outputing correct values. when i use the commented out SQL query it works but then i have issues elsewhere so i want to use the top version. originally i thought it was my sql syntax but it looks fine

below there is this "if (mysql_query($sql))"

and it echo's '2' , bypassing mysql_query


function registerNewUser($username, $password, $password2, $email)//register.php
{
global $seed, $token, $PayerID;

//$format = '%s %s %s %s';
//printf($format,$username, $password, $password2, mysql_real_escape_string($email) );
//echo mysql_real_escape_string(sha1($password . $seed));
//echo $token . " & " . $PayerID;

if (!valid_username($username) || !valid_password($password) ||
!valid_email($email) || $password != $password2 || user_exists($username))
{
return false;
}


// $code = generate_code(20);
$queryy = "UPDATE login (username,password,email)
VALUES ('%s','%s','%s')
WHERE token LIKE '$token' AND PayerID LIKE '$PayerID'";
$User = mysql_real_escape_string($username);
$Hash = mysql_real_escape_string(sha1($password . $seed));
$Email = mysql_real_escape_string($email);

$sql = sprintf($queryy, $User, $Hash, $Email);

//$SHA1 = SHA1($password);

/* $sql = sprintf("UPDATE login SET
username='$username',
password='$SHA1',
email='$email'
WHERE PayerID LIKE '$PayerID'
AND token LIKE '$token' ",
mysql_real_escape_string($username), mysql_real_escape_string(sha1($SHA1 . $seed))
, mysql_real_escape_string($email)
//, mysql_real_escape_string($code)
); */

if (mysql_query($sql))
{
$uid = $_SESSION['uid'];//review.php

if (sendActivationEmail($username, $password, $uid, $email, $PayerID ))//mail.functions.inc.php
{
echo '0';
return true;
} else
{
echo '1';
return false;
}

} else
{
echo '2';
return false;
}
echo '3';
return false;

}

seperating it out and doing this worked


$User = mysql_real_escape_string($username);
$Hash = mysql_real_escape_string(sha1($password . $seed));
$Email = mysql_real_escape_string($email);

$sql = sprintf("UPDATE login SET
username='$User',
password='$Hash',
email='$Email'
WHERE PayerID LIKE '$PayerID'
AND token LIKE '$token' ");

seperating it out and doing this worked


$User = mysql_real_escape_string($username);
$Hash = mysql_real_escape_string(sha1($password . $seed));
$Email = mysql_real_escape_string($email);

$sql = sprintf("UPDATE login SET
username='$User',
password='$Hash',
email='$Email'
WHERE PayerID LIKE '$PayerID'
AND token LIKE '$token' ");


Yes, it would give you the desired output.

_however_, be aware that your sprintf() function is doing nothing at all.

// this
$sql = sprintf("UPDATE login SET
username='$User',
password='$Hash',
email='$Email'
WHERE PayerID LIKE '$PayerID'
AND token LIKE '$token' ");
// and this
$sql = "UPDATE login SET
username='$User',
password='$Hash',
email='$Email'
WHERE PayerID LIKE '$PayerID'
AND token LIKE '$token' ";
// give _exactly_identical_ results.
// in the above form, sprintf() will _never_ affect any changes to your string.You have no references and no arguments in your sprintf() call. It returns the string you gave it, completely unaltered. There is no point in doing this. It is actually wasting processing resources by calling and running a function that has no effect, and never will have any effect, whatsoever.

It's fine if you want to use $variables instead of %references. But if that's the case, just assign the value to $sql directly (as in the second form I show here), without calling sprintf().

You have no references and no arguments in your sprintf() call. It returns the string you gave it, completely unaltered. There is no point in doing this. It is actually wasting processing resources by calling and running a function that has no effect, and never will have any effect, whatsoever.
yes, very good point!
im still puzzled why the %references stopped working

basic test: try this and see what you get. (it works as expected for me.)
$prepstatement = "UPDATE login (username,password,email) VALUES ('%s','%s','%s')";

$user = mysql_real_escape_string('test user');
$hash = sha1('testPass');
$email = mysql_real_escape_string('testuser@example.com');

$sql = sprintf($prepstatement, $user, $hash, $email);

print $sql;
// should output:
// "UPDATE login (username,password,email) VALUES ('test user','9a23b6d49aa244b7b0db52949c0932c365ec8191','testuser@example.com')"

yes. even in my examples it will echo out everything but the actual sql query would not work when using %s