Im wondering if something like this is possible?
$joinguild = "UPDATE guild SET '.$rank.'='.$receiver.' WHERE name ='"$dupecheckinfo["guild"]"'";
Im trying to SET '.$rank.'='.$receiver.', but I dont know if I can use a variable where $rank is. Is there a proper way to write this. Is it even possible? If not how would you approach it? Thanks!
Here is my SQL table im working with
Edit: See how my table has Rank1 Rank2 Rank3 etc. Well I am passing the rank value that I want to set so for example
$rank = $_POST["rank"];
$joinguild = "UPDATE guild SET '.$rank.'='.$username.' WHERE name ='"$dupecheckinfo["guild"]"'";
Your question in not clear but you have some problems in your PHP statement. I think you are trying to create your SQL UPDATE query using PHP variables.
Try this:
$joinguild = "UPDATE guild SET $rank='$receiver' WHERE name='" . $dupecheckinfo["guild"] . "'";
Here $rank should have valid column name in your table. Also read about SQL injection.
Your question is quite unclear but to update records from a table you can use this line of code:
$sql=mysqli_query($conn, "UPDATE `table` SET option1='$op1', option2='$op2', option3='$op3', option4='$op4' where id='$id'");
If this is unclear please let me know.
Yes, you can use variables for table and field names in your queries. However, you should avoid it whenever possible, because it generally leads to SQL injection vulnerabilities. Instead of building queries with string concatenation, use prepared statements with bound parameters. See this page and this post for some good examples.
Unfortunately, the bind mechanism works only for values and not for table names or field names, so it's best to try avoiding variable table/field names. If you find that you absolutely must, the best approach would be to ensure that the contents of the variable matches with a pre-set whitelist of allowed table/field names.
Related
Forgive me if this already exists, but I didn't see anything close enough to my issue to offer any kind of solution or path toward solving.
My Query:
$sql = "UPDATE users SET FirstName=$fname WHERE id=$id";
$fname does equal Jason. But it should be changing the sql field FirstName to "Jason". Instead, it is trying to find a field named Jason. I have tried hardcoding in "Jason", but then it says that there is an unexpected string. Hardcoding it in would actually cause issues as the data needs to be a variable so the user can change to their First Name to whatever they want. I have echo'd $id and that value is coming across correctly. My code is in php.
Long time reader of stackoverflow.com, first time poster. If there is any additional code or info that might be helpful, please let me know.
EDIT: I had not realized that variables also need to be within quotes. I assumed the quotes were specifically for hardcoded strings. Placing $fname within single quotes as '$fname' solved it. Thank you, everyone!!!
Use single quotations:
$sql = "UPDATE users SET FirstName='$fname' WHERE id=$id";
Be sure about securing your SQL query; if the $fname's value is dynamic, then you must escape special characters using mysqli_real_escape_string to avoid a very dangerous vulnerability SQL Injection.
I have made a makegroup.php site which is supposed to create a group, and put the person in the connection table between UserID and GroupID.
..but I am not sure how to go on. The logged in user is saved in session variable $usid, but how what about GroupID? How do I fetch that right after on another page? Need I make this in steps? Including quick DB scheme.
Thanks in advance.
I guess GrouID is autonumeric?
So you leave db create the id for you.
Also loos like you are trying to concat the $groupname value
$sql = "INSERT INTO group (Groupname) VALUES ('".$groupname."') ";
But you dont want do that because that method is vulnerable to SQL Injection attack
Use parametrized values instead
How can I prevent SQL injection in PHP?
This is quite a basic question, but have not found that much on-line to support.
I need to use a simple update statement in mysql (I know i should use mysqli but not yet ready for this update)
Given That I am working with a database made of a fixed number of items I want that the update apllies only when 2 conditions together are true.
my idea is something like
$sql ="update `members` set `description`='$description[$index]' WHERE id='1' AND fruit = 'banana'";
Is this the proper way of selecting the record to be updated?
Many thanks
Manu
That's how you'd do it more or less, here's a refined one:
$sql ="update `members` set `description`=? WHERE `id`='1' AND `fruit` = 'banana'";
1) See how I put the ? instead of the array? There are smart objects in PHP (read about "Prepared Statements") which allow you to put a parameter "spot" in the query and later have a value instead of it. This makes your query much more secure.
2) I added '`' around your columns. It's not mandatory, but it makes sure that your columns aren't mistaken for something else.
Yes that should work but it's safer to wrap array values in a string in brackets:
$sql ="UPDATE `members` SET `description`='{$description[$index]}' WHERE id='1' AND fruit = 'banana'";
Also make sure $description is somehow filtered or validated, before plugging it directly into the string.
NOTE: Best practice dictates that you use all caps for all SQL keywords, allowing easier differentiation between keywords and your values. Yours has half and half update and set lowercase; WHERE and AND caps, which is worse than going with all lowercase.
[edit] I agree with Daniel Saad that you should be using prepared statements here as well.
I have this code:
<?php
$table = $_GET ["table"];
$query = "SELECT 1 FROM $table";
$st = $pdo->prepare($query);
$st->execute();
This is not the real code, but it is an example to get the idea.
If I make:
hacked.php?table=users;DROP TABLE users;
It will work, cause it is not correctly escaped.
However, if I want to update information like this:
hacked.php?table=users; UPDATE users SET name="abc" WHERE name="def";
It will not work, cause since it is escaped, pdo will convert the query to
SELECT 1 FROM users; UPDATE users SET name=\"abc\" WHERE name=\"def\";
and obviously it fails.
Is there anyway to make this query works?
EDIT 1
We have one guy in our team only devoted to check my code and hacked it. So I want to be ready if this can be in some way accomplished.
EDIT 2
I was already read this: Are PDO prepared statements sufficient to prevent SQL injection? but it really did not answered my question. However it gave me a way to go through. And the solution of #duskwuff was the same I came to. So, for the admins, if this should be removed or marked as a duplicate is ok. But I insist that this can be helpful for someone to know how pdo prepared can be hacked.
It will not work, cause since it is escaped, pdo will convert the query to
SELECT 1 FROM users; UPDATE users SET name=\"abc\" WHERE name=\"def\";
This is incorrect! PDO does not perform escaping on text that is interpolated into queries, as it has no awareness of what text was interpolated. What you're seeing is the result of PHP's deprecated magic_quotes feature adding backslashes to the content of request variables (like $_GET and $_POST). Even if this is enabled, it can be trivially avoided in a query like this one by using non-quoted constructs such as:
SELECT 1 FROM users; UPDATE users SET name = CHAR(97,98,99) WHERE name = CHAR(100,101,102)
(CHAR() is a MySQL function which constructs a string from a list of character code values. If you're using some other database, an equivalent function probably exists.)
Interpolating unescaped content directly into a query is never safe. Don't do it.
I think you are asking the wrong question. If you have code that is even remotely similar to this, then you have a huge problem with the way you're writing code... and probably with the way you're conceptualizing the problem that you need to solve, or you're working from a very bad design.
If, for some reason, you have a need for anything about the design of your database to be passed in on a URL query string or an http post, and if, for some reason, you think executing an unescaped query is the approach you need... then whatever you're doing, you're doing it wrong.
If, by some remote chance, you actually have a need to pass the name of a table to a web page, then the very least you must do is compare the input value to some kind of static structure to see if the input value is in the list... and then use the value from the list, or from something static, never from the input.
Simplistically something as primitive as the following would be a far superior approach, though arguably it is a bad design if table names, column names, or any database internals ever need to go out into browser-land.
$table = $_GET ["table"];
IF ($table == "users")
{
$query = "SELECT 1 FROM users;"
}
ELSEIF ($table == "points")
{
$query = "SELECT 1 FROM points;"
}
...
I am getting this error,
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' address='xxxxx', city='sssssssss', pincode='333333333', state='Assam', count' at line 1
Thanks in advance.
http://dpaste.com/hold/181959/
your WHERE clause is wrong, you don't write WHERE a=1, b=2, c=3 you want WHERE a=1 AND b=2 AND c=3
additionally your logic is flawed, because your WHERE clause would usually be something more like WHERE id = x (at the moment you're updating a row in a table, where the row data is already the same as that which you're updating it to - if that makes any sense? :) )
furthermore, learn to escape your sql strings properly or you leave yourself vulnerable to sql injection
As well as the problem explained by oedo, you've also got severe SQL injection problems. You need to use mysql_real_escape_string to encode strings for insertion into an SQL statement, not htmlspecialchars. Or use parameterised queries.
htmlspecialchars() is for HTML-encoding text just before you output it into an HTML page. You should not HTML-encode strings for storage in the database.
Firstly, don't you have some kind of unique identifier for your users? Maybe a customer-id of some kind? You could use that to identify the customer in the WHERE clause to make your SQL more clear.
Secondly, do you expect that your user to write all the company EXACTLY like it is in the database? Because that is what you expect from them with your current design.
You need to identify the record by using an ID, not the field values. If you look to a lot of websites, usually they send the ID to identify a record. Like edit.php?id=1284, or view.php?id=1284, etc.
In short you will have a form that you fill up with the values that are in the database for that record ID. If you edit it, you write a edit query like:
$UpdateQuery = "UPDATE customer SET name = '" . $name . "', address = '" . $address . "' ....... WHERE id = " . intval($_GET['id']);
The reason I add intval is because that will only allow numeric values to pass through. As mentoined by bobince, watch out for SQL injections and let mysql_real_escape_string pass through all of your string values you enter in the query too.