Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 6 years ago.
Improve this question
When I use a variable in my WHERE clause of Update the updation doesnt take place.
$eventid=$_GET['id'];
$sql = "UPDATE events SET name=:name WHERE id=:id";
$q = $conn->prepare($sql);
$q->execute(array(':name'=>$name,':id'=>$eventid));
When I echo $_GET['id'] I get the correct value.
$_GET['id'] is the value I have passed from another page
People are saying you're vulnerable to sql injection attacks because you're passing an id via a $_GET parameter to an update statement where you directly use the $_POST superglobal.
In order to make it more secure, you could start by passing the ID via $_POST as well, and not using $_POST directly in your SQL.
But that's not the question you asked.
I would hazard to guess it's not updating because you're passing ID as a string, which it probably isn't.
Try changing
WHERE id='".$_GET['id']."'");\
to
WHERE id=".$_GET['id']."");
Save your query to a string variable so you can debug what are you sending to db MySQL. Then try to run the result query direct on the db.
$DBcon->query(#strSQL);
Related
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 years ago.
Improve this question
I'm trying to develop a site which asks or a username and creates a dare for their friends through a unique URL with a random ID.
I succeeded in generating random IDs with PHP uniqid() function
to append them in URL.
But I have no idea to make the generated URLs valid.
All I need to make the generated URLs valid when they are opened and display a welcome page with the username.
You can pass the ID in a query string of the URL, that would be easiest approach:
http://yoursite.com/?ID=1234
You can append query string (the part that starts with ?) to any URL and it will still load just as fine. If you need to add more parameters, use &. For example: ?ID=1234&name=Username.
These parameters are then accessible from global $_GET variable, or you can filter it out of the input stream:
$id = $_GET["ID"]; // This variable contains the ID passed in URL query string
$id = filter_input(INPUT_GET, "ID"); // This will produce the same result
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
i have code like this but when i click submit its give me error
mysqli_real_escape_string() expects parameter 2 to be string, array
given where should i do or put the mysqli_real_escape_string ?
if(!empty($_POST['poscon'])) {
foreach($_POST['poscon'] as $condition)
$condition=mysqli_real_escape_string($link,$_POST['poscon']);
Seeing you're not responding to comments, I'm posting this as an answer.
- Maybe you'll respond then.
You see your foreach($_POST['poscon'] as $condition)?
You're using the wrong parameter and passing the array instead of the $condition variable.
Do $condition=mysqli_real_escape_string($link,$condition);
When ever you taking user inputs from the view you should check.
mysqli_real_escape_string Definition
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
mysqli_real_escape_string Manual
Normal text
Early `$name = $_POST['name'];`
New Practice `$name = mysqli_real_escape_string($_POST['name'])`
URL
Early `$url = $_POST['url'];`
New Practice `FILTER_VALIDATE_URL` [Check Example](http://www.w3schools.com/php/filter_validate_url.asp)
E-Mail
Early `$email = $_POST['email'];`
New Practice `FILTER_VALIDATE_EMAIL` [Check Example](http://www.w3schools.com/php/filter_validate_email.asp)
More Useful Articles
Is mysqli_real_escape_string safe?
mysql(i)_real_escape_string, safe to rely on?
mysqli::real_escape_string, mysqli_real_escape_string
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
This...
header("Location: fichaTorneioFinSub.php?id=" . $_GET['id'] . "");
The value of the GET is 1. But I always end up in this page:
fichaTorneioFin.php?id=%271%27
The id value gets these %27 around it. I know that means it's an encoded single quote but it shouldn't be there.
It would be a good idea to track down what's giving you the lone ', but this will ensure you're only working with digits:
$id = preg_replace('/\D/', '', $_GET['id']);
header("Location: fichaTorneioFinSub.php?id=".$id);
This will sound as stating the obvious: if it shouldnt be there, make sure it isnt. This means sanitizing your input ($_get data) into data you expect. Somehow the get variable already contains a single quote so i would suggest checking that first. To get it out you could for example
trim($_get ['id'], "'")
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 9 years ago.
Improve this question
I am trying to get my page to update a DB when there is $_GET data.
However even when www.myurl.com?status= is blank the page updates the DB with nothing.
Here is my code
$status=$_GET["status"];
$sql="UPDATE users SET status =$status WHERE personID='$user'" or die(mysql_error());
mysql_query($sql);
Can anyone help? I am trying to get the page to do nothing if the URL is just www.myurl.com
if(!empty($_GET['status']) { // Check if `status` is not empty
$sql="UPDATE users SET status = $_GET['status'] WHERE personID='$user'";
mysql_query($sql); // Continue with sql query
}
empty - http://us2.php.net/empty
isset - http://us2.php.net/isset
Make use of empty() in PHP to achieve this.
if(!empty($_GET["status"])) //<--- Control to the inside will be passed only if the status variable is not empty
{
$status=$_GET["status"];
$sql="UPDATE users SET status =$status WHERE personID='$user'" or die(mysql_error());
mysql_query($sql);
}
That was the first thing. Secondly you are using an obsolete deprecated API i.e. the mysql_* functions. You need to switch over to PreparedStatements.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I am currently working on a fun project, which involves Ajax, HTML, JavaScript, PHP and SQL.
I have debugged my project as far as I could, and I am 100% sure my AJAX, HTML and JavaScript are working fine and my variables are send to the server correctly.
I am trying to fetch data from the database, subtract a number (submitted in the form) from this data and update the database accordingly.
My database does update. However, it is not displaying the correct numbers. When submitting 1 in the form, it will ALWAYS return the same numbers in the database. (Which is odd, because I am subtracting it...). I am 100% sure the data from the form is passed to the server correctly, so I would like you all to check my server file, which should be the problem.
Edit:
The database connection is made in db.php and is made correctly. This has been tested.
You really need to switch to prepared statements to fix your sql injection problems.
Apart from that, what's wrong with this specific code, is that mysql_query does not return a number, it returns a resource. You need to fetch a row to get the number.
as far as I know, mysql_query returns resource, not result itself. So you have to modify your code to something like this:
$res = mysql_query("your_query_here");
$row = mysql_fetch_row($res);
$totaalaantal = $row[0];
check http://php.net/manual/en/function.mysql-query.php
I think you are mistaking the return value of mysql_query, look php's manual
mysql_query returns a resource which then may be passed to some other funcion to extract the value returned by the query you made. You should do something like this:
$res = mysql_query(...)
$row = mysql_fetch_assoc($res)
$dec = $res["column_name"] - $some_value
You should check the $_REQUEST[...] array values to eliminate sql injection vulnerabilities.