EDIT: Thank you all for the very quick answers! I have been at this for a while, trying to figure out why $id was being recognized and why the strings weren't. I feel a bit silly now seeing the obvious answer but I'm relieved to have it working.
I apologize if this has been answered before, I've looked for hours and could not find something similar to help me figure this out.
I am trying to update a row in my database of devices with new information. Problem is, the php file only recognizes $data->devID; and nothing else.
If I have something like
$sql = "UPDATE devices SET devName = 'static test string', description = 'static test string' WHERE devID = $id";
the entry with the correct ID will update in my database table just fine.
If I try
$sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id";
it does not work.
Where am I going wrong?
HTML:
<div data-ng-repeat="info in deviceInfo">
<form class="deviceInfo">
<h2>Device ID: {{info.devID}}</h2>
<p>Device Name:</p>
<input type="text" data-ng-model="info.devName">
<p>Device Description:</p>
<textarea data-ng-model="info.description"></textarea>
<p>Device Available: {{info.isAvailable}}</p>
<input type="submit" name="Update" value="Update" data-ng-click="updateInfo(info.devID, info.devName, info.description)">
</form>
</div>
updateDeviceInfo.php:
<?php
$data = json_decode(file_get_contents("php://input"));
include('config.php');
$id = $data->devID;
$name = $data->devName;
$desc = $data->description;
$sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id";
$qry = $conn->query($sql);
$data = $qry;
$sql = "SELECT * FROM devices";
$qry = $conn->query($sql);
$data = array();
if($qry->num_rows > 0){
while($row = $qry->fetch_object()){
$data[] = $row;
}
}else {
$data[] = null;
}
$conn->close();
echo json_encode($data);
controller.js:
$scope.updateInfo = function($paramID, $paramName, $paramDesc){
console.log($paramID);
console.log($paramName);
console.log($paramDesc);
$scope.dataOneTest = {
devID: $paramID,
devName: $paramName,
description: $paramDesc
};
console.log($scope.dataOneTest.devID);
$http.post('./js/updateDeviceInfo.php', {'devID': $paramID, 'devName': $paramName, 'description': $paramDesc})
.success(function(data){
$scope.results = data;
})
.error(function(err){
$log.error(err);
})
}
tl;dr You are almost certainly performing SQL injection on yourself both by inserting variables directly into a query and by failing to use proper quotation marks around them.
You need to use prepared statements, rather than concatenating variables directly into your query. If, for example, $data->devName contained something nefarious like NULL --, that would toast your entire table. And that's a very mild example of how badly things could go. Prepared statements would render that example (and pretty much all other examples) harmless.
Short-Term Fix
As a short-term fix, put quotation marks in the query and escape your data, like this:
$id = your_database_escape_function($data->devID);
$name = your_database_escape_function($data->devName);
$desc = your_database_escape_function($data->description);
$sql = "UPDATE devices SET devName = '$name', description = '$desc' WHERE devID = $id";
substituting your database's corresponding escaping function for your_database_escape_function(). For example, use $conn->real_escape_string() if $conn is a MySQLi object. See the manual.
The Real Fix
Here's how you really do it correctly, and the solution you should implement ASAP. That is, do this before you go any further if at all possible. Use prepared statements.
Read this entire Q&A and this cheat sheet from OWASP (no affiliation) for more information.
change this becuase description and devName which are string should be quoted
$sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id";
to
$sql = "UPDATE devices SET devName = '".$name."', description = '".$desc."' WHERE devID = $id";
Try this, $sql = "UPDATE devices SET devName = '$name', description = '$desc' WHERE devID = $id";
As title and description are string it requires single quote wrapping inside double quotes.
Related
I am in need of some help, please? I can successfully do a MySQL query using:
IP_Address/fund_list.php?Id_Number=555666
With this below:
$ID = $_GET['Id_Number'];
$sql = "SELECT * FROM fund_list WHERE Number = ".$ID;
Now I want to use 2 different things in my web call. Like:
IP_Address/fund_list.php?Id_Number=555666&Name=Billy
But I don't know how to write the 'get' line below.
$ID = $_GET['Id_Number'] & $Name = $_GET['Name']; <-- Does not work
I would think the SQL select statement would be:
$sql = "SELECT * FROM fund_list WHERE TheNumber = .$ID AND TheName = .$Name";
All the things I look up online, the syntax is overly confusing, I can't dissect it and make something work. Thank you.
To start with you should really be preparing your statements, passing data directly from a query string into a SQL query is really dangerous. You should also avoid using * in your SELECTs if you insist on not preparing them.
Your issue in this case is you need '' around TheName =
$sql = "SELECT * FROM fund_list WHERE TheNumber = {$ID} AND TheName = '{$Name}'";
Regardless, what you should be doing is this:
$sql = "SELECT Param1, Param2 FROM fund_list WHERE TheNumber = ? AND TheName = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("is", $ID, $Name);
$stmt->execute();
$stmt->bind_result($param1, $param2);
while($stmt->fetch()) {
//Your code
}
That code prevents SQL injection attacks, and a number of other potential issues you can create not using PDO or mysqli prepared statements.
Edit per request:
$ID = $_GET['Id_Number'];
$Name = $_GET['Name'];
$sql = "SELECT * FROM fund_list WHERE TheNumber = {$ID} AND TheName = '{$Name}'";
$result = $conn->query($sql);
while($row = $result->fetch_assoc()) {
//your code
}
You need '' when comparing string parameters in SQL.
Have you tried doing this? This always works to me
$ID = $_GET['Id_Number'];
$Name = $_GET['Name'];
I'm toying around with mysql and PHP and hit a VERY strange problem:
After establishing a successful database connection I set two variables for the query:
$searchcolor = $_SESSION["color"];
$searchprice = $_POST["price"];
$query = "SELECT `toys`.`id` FROM `database`.`toys` WHERE `toys`.`color` = $searchcolor AND `toys`.`price` = $searchprice;";
$result = mysqli_query($link, $query);
echo $query;
This querys won't work. When echoing it, it reads the correct string, like:
SELECT `toys`.`id` FROM `database`.`toys` WHERE `toys`.`color` = brown AND `toys`.`price` = 1500;
This code, however, works just fine:
$searchcolor = $_SESSION["color"];
$searchprice = $_POST["price"];
$query = "SELECT `toys`.`id` FROM `database`.`toys` WHERE `toys`.`color` = $searchcolor AND `toys`.`price` = 1500;";
$result = mysqli_query($link, $query);
echo $query;
First I though the $searchprice wasn't getting it's content by the $_POST array correctly. But the echoed search query in the first example seems to be fine.
It also works when setting $searchprice = 1500; instead of getting the $_POST-value.
I tried casting it to integer and stuff, but that didn't worked.
Cheers and thanks for every hint on this!
(The code is shortened!)
Table structure of toys:
id int(10)
name varchar(10)
color varchar(10)
price int(20)
Edit:
Woah, just made an interesting discovery:
echo "-".$searchprice."-";
Gives -5-
if ($searchprice == 5){echo "1";}
if ($searchprice == "5"){echo "2";}
Gives.. nothing?!
var_dump($searchprice);
Gives string(14) "5"
Edit:
echo bin2hex($searchprice);
Gives 3c6e6f62723e353c2f6e6f62723e (?!)
Solution: I used a unicode character in the submitting form. That broke everything. Lesson: Avoid unicode.
First of all you should read this: How can I prevent SQL injection in PHP?
Try this:
$q = mysqli_prepare($link, 'SELECT toys.id FROM toys WHERE toys.color = ? AND toys.price = ?');
mysqli_stmt_bind_param($q, 'si', $searchcolor, $searchprice); //d for double
$searchcolor = $_SESSION['color'];
$searchprice = $_POST['price'];
mysqli_stmt_execute($q);
Before that you should connect properly with DB. I see that you used database in FROM.
$link = mysqli_connect('localhost', 'my_user', 'my_password', 'my_db');
I have this code:
public function updateOrder($num, $ufood, $uquan) {
$response = array();
mysql_query("SET NAMES 'utf8'");
foreach ($ufood as $index => $f) {
$result = mysql_query("SELECT food, quantity, uquantity FROM table1 WHERE food ='".$f."'") or die(mysql_error());
$no_of_rows = mysql_num_rows($result);
$response['number rows'] = $no_of_rows;
if ($no_of_rows>0) {
while ($row = mysqli_fetch_array($result)); {
if (!$row['uquantity']) {
$w = "INSERT INTO table1(uquantity) VALUES ('$uquan[$index]')";
mysql_query($w);
$e = (int)$row['quantity'];
$q = (int)$uquan[$index];
$sum = $e+$q;
$s = (string)$sum;
$d = "UPDATE table1 SET quantity = '$s' WHERE food = ".$row['$food']." ";
mysql_query($d);
} else if($row['uquantity']) {
$c = (int)$row['uquantity'];
$q = (int)$uquan[$index];
$sumq = $c+$q;
$sq = (string)$sumq;
$d = "UPDATE table1 SET uquantity = '$sq' WHERE food = ".$row['$food']." ";
}
}
} else {
$string ="INSERT INTO table1(food,uquantity) VALUES ('".$f."','".$uquan[$index]."')";
$z = mysql_query($string);
}
}
}
Well i can not make this work, and i am trying all kinds of things put still it doesn't work.
So i have some questions:
Is this structure of foreach and while valid?
Though the $result query returns some rows from the database, when i try to use $row['quantity'], as a value, i get null.
In this code i receive some data from an android app, and i try to "see", if there are already entries for the type food of my db_table(table1). If there are entries i want the db to sum the quantity entry of the android sent, data with the one that are inside my db, and update the field. This is the basically it. But as i said when i try to use the data that comes from the database, i get null values.
Please if someone could give me some hint, cause I'm really stuck..
There are many problems with your code. I'm marking this answer as Community Wiki, and I invite others to edit and add things as they find them.
You may also consider posting to https://codereview.stackexchange.com/ instead, when you have so many mistakes, until you have a more specific question.
Bad variable interpolation
This line won't do what you want it to:
$w = "INSERT INTO table1(uquantity) VALUES ('$uquan[$index]')";
This is not quite valid PHP syntax. You can either concatenate expressions:
$w = "INSERT INTO table1(uquantity) VALUES ('".$uquan[$index]."')";
Or you can embed expressions in curly braces:
$w = "INSERT INTO table1(uquantity) VALUES ('{$uquan[$index]}')";
Or you can use a query parameter placeholder:
$w = "INSERT INTO table1(uquantity) VALUES (?)";
$stmt = mysqli_prepare($w) or die(mysqli_error());
$uqi = $uquan[$index];
mysqli_stmt_bind_param($stmt, "i", $uqi);
mysqli_stmt_execute($stmt);
Mixing MySQL APIs
You can't mix mysql_query() with mysqli_fetch_array(). PHP has more than one API for MySQL, and you can't mix them. You should standardize on using the mysqli API, because the older mysql API is now deprecated.
Semicolon defeats while loop
The semicolon after the while statement makes the loop a no-op, and when it terminates, the $row contains nothing.
while ($row = mysqli_fetch_array($result)); {
Should be:
while ($row = mysqli_fetch_array($result)) {
Using variables inappropriately
Referencing a $row key with a single-quoted variable is probably not what you mean, in multiple ways:
$d = "UPDATE table1 SET quantity = '$s' WHERE food = ".$row['$food']." ";
The column name in the select-list of your earlier SELECT query is 'food', not '$food'.
Also, even if you meant to use a variable name $food as the key, putting it in single quotes would not use the value of the variable, it would be the literal string '$food'.
Failure to quote string literal?
Furthermore, you use a quoted literal for comparing to the food column in your SELECT query, which makes me think it might be a string.
So the UPDATE should be something like:
$d = "UPDATE table1 SET quantity = '$s' WHERE food = '".$row['food']."' ";
Or:
$d = "UPDATE table1 SET quantity = '$s' WHERE food = " . intval($row['food']);
Or preferably use parameters and a prepared query, then you don't need to worry about quotes or types:
$d = "UPDATE table1 SET quantity = ? WHERE food = ?";
. . .
Failure to check for errors
Every query might fail, either because you have a syntax error (e.g. a string without quoting), or because the table doesn't have a column by the name you reference, or privileges issues, etc.
Always check the return status of the query function when you run a SQL query. The function returns false if there's an error, and if that happens you must check the error message.
mysqli_query($mysqli, $d) or trigger_error(mysqli_error($mysqli), E_USER_ERROR);
Failure to execute the UPDATE
Your second update assigns a SQL query string to the variable $d, but then does not execute that update query at all!
I simply want to define the variable "$read" as whatever its value is in the database. How can I do this?
$read = "SELECT `read` FROM `users` WHERE `id` = '$id'";
$read = mysql_result(mysql_query("SELECT read FROM users WHERE id = $id"),0);
Beware of the answers given using mysql_query, as they're vulnerable to SQL injection.
If $id is supplied by a user, you should never directly put it into the SQL query, but rather use a prepared statement.
One way of doing this, is by using PDO, in a manner similar to this:
$dbh = new PDO($connStr, $user, $pass);
$sql = "SELECT `read` FROM `users` WHERE `id` = :id";
$statement = $dbh->prepare($sql);
$statement->execute( array('id' => $id) );
$read = $statement->fetchColumn();
For more information on how to use PDO, see the following:
Are there good tutorials on how to use PDO?
One way to accomplish this is as follows:
// Run the query
$db_result = mysql_query("SELECT read FROM users WHERE id = $id");
// Get the first row (in this case you'll only get one row)
$row = mysql_fetch_array($db_result, MYSQL_NUM);
// Get the first column (you should only have one column anyway) and put it into your variable
$read = $row[0];
As pointed out below, I should add that if you don't trust $id to be properly escaped, you could be vulnerable to SQL injection. To overcome this, you should either make sure you properly escape and validate $id or use some kind of binding or prepared statement to do it for you, like in this question or in the example below.
I know it's almost impossible to teach someone something, especially if they don't want to learn. But in hope it will be useful for someone else
All modern programming languages supports such a thing called "user defined functions".
A very handy feature.
A programmer, who wants to have their code real neat, can make a function out of some repetitive code and make calling this code REAL small, just almost as it was phrased in the OP:
$read = dbgetvar("SELECT `read` FROM `users` WHERE `id` = %d",$id);
another benefit from such an approach - your code could contain all necessary things, like parameter sanitization and error handling. And still calling this code would be shorter than all codes above, made ugly and unmantainable in pursue for shortness.
An example of such a function
function dbgetvar(){
$args = func_get_args();
$query = array_shift($args);
$query = str_replace("%s","'%s'",$query);
foreach ($args as $key => $val) {
$args[$key] = mysql_real_escape_string($val);
}
$query = vsprintf($query, $args);
$res = mysql_query($query);
if (!$res) {
trigger_error("dbget: ".mysql_error()." in ".$query);
return FALSE;
}
$row = mysql_fetch_row($res)
if (!$row) return NULL;
return $row[0];
}
I would do the following:
// leave the single quotes around $id because it most probably is an INT
// LIMIT 1 will make the query a bit faster
$result = mysql_query("SELECT `read` FROM `users` WHERE `id` = $id LIMIT 1");
$row = mysql_fetch_row($result);
$read = $row[0];
Hope it works for you.
Assuming there is only 1 result:
$read = mysql_fetch_array(mysql_query("SELECT read FROM users WHERE id = $id"));
$read = $read[0];
I have an array with strings with international characters.
When I save this in the database I loose the backslashes? Why?
$descr_arr = array("héééllo","world");
$js_encoded = json_encode($descr_arr);
print $js_encoded; // "[\"h\u00e9\u00e9\u00e9llo\",\"world\"]"
$sql_query = "UPDATE test_table SET description = '$js_encoded' WHERE id = 0";
$sql_res = mysql_query($sql_query);
// in the description field in the database I find:
// ["hu00e9u00e9u00e9llo","world"]
You didn't escape your database inputs. Always escape!
Here's one way
$sql_query = "UPDATE test_table SET description = '".
mysql_real_escape_string($js_encoded).
"' WHERE id = 0";
Better yet, use a database wrapper like PDO or ADODb, which would take care of the escaping for you. It would look something like this:
$db->Execute("UPDATE test_table SET description =? where id=?",
array($js_encoded, $id));