I have a HTML page for updating a mysql table, and when the user is finished modifying it clicks a "submit" button at the bottom of the page, named 'valider'. I use POST method and the action leads to a php page with the UPDATE request but it won't update. I've tried putting the values from the previous page into variables before using them in the request but it still won't work. Here is the php code:
<?php
include_once("connexionMysql.php");
if(isset($_POST['valider'])){
$titreIci=$_POST["titre"];
$idIci=$_POST["id"];
$envoie= "UPDATE AY_albums SET titre='$titreIci' WHERE id='".$idIci."'";
}
header("Location: pageDaccueilAdmin.php");
?>
The "id" must be an int in your database and you are casting it as string this may cause issue also check your config file:
remove the header redirection to see if there is an error.
CAREFUL !! You have a BIG mistake in you code: you don't control the $idIci parameter!! so it is highly vulnerable about SQL injection attacks!! Anyone can wipe you database or deface you website...
Firstly, I suggest to control $idIci:
$idIci = $_POST['id']
if (!is_numeric($idIci))
{
echo "Bad parameter!!";
exit;
}
Or use PDO->bindParam() method... And where do you execute the query?
You should send $invoie variable to some function which send it to database server. Like PDO::query($invoie);
The code shown in the question is simply assigning a string value to a variable.
That's all it's doing.
There's no execution of a SQL statement.
The contents of that variable are not getting sent to the database to be executed as a SQL statement. That's not happening, no matter how much you make the string look like a SQL statement. It's not going to be executed as a SQL statement unless your code makes that happen.
And fair warning... when the code does send that string to the database as a SQL statement, the code is going to be vulnerable to SQL Injection.
Check var_dump($_POST); and see what data you have before SQL update line. You probably sent the wrong data. Also, use $idIci = (int) $_POST["id"]; because of security reasons.
Related
Alright, so I've set up a small system where I can add pages through an administration panel and for them to appear on the main site. As well as html pages that are made in the admin panel I have also got about two PHP pages with queries that are stored in the database.
Anyways I am calling these by using 'Eval' which I've read that it is unsafe.
Although since its only html codes going in from the administration panel [php codes are disallowed and wont function if posted in these pages] and the PHP pages are unediable unless access to the database, is this safe?
One PHP page involves user comments but all HTML and PHP codes are stripped from the form. I've tested it involving a few exploiting techniques but none seemed to succeed.
But is using eval for my purpose safe? Is there a better work around?
Code:
<?php
if (isset($_GET['p']))
{
$stmt = $dbh->prepare('SELECT * FROM pages WHERE shortname = :p');
if (!$stmt->execute(array(':p' => $_GET['p'])))
{//
exit('Could not exec query with param: '.$_GET['p']);
}
while($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
eval(" ?>".$row["content"]."<?php ");
echo '</div>';
}
}
//ends connection
$row->dbh = null;
?>
Sometimes writing secure code is more than being sure that it is safe. Maybe we all look at your code and think that it is safe, but oversee something small and obvious that will make a big security hole.
Better safe than sorry. You say [php codes are disallowed and wont function if posted in these pages] So why do you use eval then?
Back to your code. The parts that you have posted look safe to me (as for the eval part). But what if there is some small sql injection hole somewhere else in your application that lets the attacker change rows? The attacker will be able to put php code in your database and later execute it with your eval statement.
I would say: No, this code is not safe.
Also, do not echo user given content in your errors, this can lead to an xss vulnerability.
$name="document.write(get_name());";
echo $n= $name; // Here it prints name also (correct one)
$sql=mysql_query("INSERT INTO tab1 (name,visited_time) values ('$n',NOW())");
Ideally this should print got name from the function but it inserting
document.write(get_name());
Note : get_name function is returning the value correctly. and function is mandatory. Only the problem is it inserting document.write(get_name()); instead it's value.
It looks like you missed an important chapter about PHP / JS programming...
PHP code is executed server side.
JavaScript code is executed client side.
Steps to solve this are:
whenever you need this query to be executed, you need to make a call from JavaScript to PHP and pass the variables to the PHP. You can do this with an asynchronous call with jquery for example:
// JS, executed on client side
var name = get_name(); // this javascript function must exist
$.get("path/to/your/page.php", {"name":name});
More info about jQuery here: http://api.jquery.com/jQuery.get/
then, in PHP, you get this value from the global $_GET and you can use it:
// php code that will be executed when path/to/your/page.php will be called
$name = $_GET['name'];
$sql = "INSERT INTO tab1 (name,visited_time) values ('" . $name . "',NOW())";
$rs= mysql_query($sql);
And that will do what you expect.
You can use this code to implement the logic, but it requires lots of improvements then:
It is highly unsecured and leaves room for the most simple SQL injection attack. You must "quote" all values you use in your SQL queries (you can't trust any data coming from the client)
$_GET['name'] may not exist or contain what you except so you need to use function like isset and to do more tests after to verify that nobody is trying to hack your variable
you should POST method and not GET since this HTTP call will result in changing the state of the datbase
mysql_query is deprecated: http://us2.php.net/manual/en/function.mysql-query.php you should use mysqli_query or PDO...
I'm not gonna talk about all these topics, they are highly covered on the web and a simple search your favorite search engine will give all the information you need.
Note: I wrote that "JavaScript code is executed client side". This is not exactly true since it is possible to build a server in JavaScript but this is far far far away from you concern and that wouldn't even change the fact that you still need to send the value from the client to the server with the kind of logic I just described.
Can the PHP superglobal $_GET be used and work as intended outside of the form tags? For example, can I do $_GET('select box id') outside of the form tags and have it work as intended?
<?php
---Placeholder for DB login info---
switch($_GET['select box id'])
{
case "text shown for second option of select box":
$query = mysql_query("placeholder for actual query");
$row = mysql_fetch_row($query);
$textboxValue = $row[0];
break;
}
?>
Can the PHP superglobal $_GET be used and work as intended outside of the form tags?
Yes. The position of PHP code within HTML is entirely irrelevent except in determining where output will appear in a document.
$_GET['select box id']
Form controls use their names for submission keys, not ids.
mysql_query
Read the big red warning box on the documentation page for that function.
If this is for login info, you should not be using a get request anyway--you should be using post.
But at any rate, yes it should work. As long as the data is sent with the query, it should work.
That said, you may also want to do some research into some basic security aspects, such as validating and sanitizing inputs. Otherwise, you may wind up opening yourself up to some rather nasty attacks.
I would recommend the book Essential PHP Security from O'Reilly Press. I would also look into using something like MySql PDO for making database queries, as it tends to be more reliable and secure than simply using mysql_query.
Superglobal means available for use anywhere/everywhere.
I'm sending the variable like this:
xmlhttp.open("GET","insert-karma.php?pid=<? echo $pid; ?>",true);
The AJAX part doesn't seem to be the problem, if I check the Sript the PHP is echoing the integer correctly. (It displays the url as: insert-karma.php?pid=5). However the PHP isn't getting the variable. (I tried echoing and it does't show anthing)
This is the PHP file:
// Connect to db;
$pid = $_POST['pid'];
$sql="UPDATE Poems SET Karma = Karma + 1 WHERE Pid = '$pid'";
// Disconnect form database;
What am I doing wrong? How do I manage to send $pid to the PHP update-karma.php?
try $pid = $_GET['pid']
or
$pid = $_REQUEST['pid'];
You are sending the variable using GET, so in your php you have to use the $_GET variable
$pid = $_GET["pid"];
Also avoid using your variable directly in your sql query. you will be vulnerable to sql injection.
if using mysql:
$pid = mysql_real_escape_string($_GET["pid"]);
or in case you are passing an integer:
$pid = (int)$_GET["pid"];
first you should not use PHP in you ajax requests it's just make things more complicated and PHP is for server side scripting in the first place
secound , you should use xmlhttp.open("POST","insert-karma....) if u plain to use POST
Third the only important difference (not the only but the important) between POST and Get is :
GET requests can be cached
GET requests can remain in the browser history
GET requests can be bookmarked
GET requests can be distributed & shared
GET requests can be hacked lool
so u cant use Get For unsecured and dangerous action like LOGIN OR ...
POST Can handel too long Data
Post is more secured Cuz it's not gonna be cached or saved in history or bookmarked
u can clearly notice that POST's dont display in the browsers address bar but Get do
'www.anything.com/index.php?bla=bhe'
i hope that i am helping here !! :)
Just a suggestion here since you have already got the answer. Try to use some javascript library to aid you while you are writing your JS code.
I would suggest jquery
And also please read what is the difference in GET, POST requests and when it should be used.
i would like to ask if someone knows what went wrong with my program.
you see, after i upload a file, the uploaded file is moved to the created folder document, the the other information like, uploadname and employee id that is supposed to be inserted in the database did not insert it. the file was copied to the document but info did not insert. i hope someone could help me. no errors where found in my code
*CASE CLOSED, but thanks for the help
First: You have only written insert query, you don't actually call mysql_query($insert_query);
Second: Are you sure all those inputs are valid? Try putting $company_id in single quotes too.
Also is there any error or warning message showing up?
NOTE: Remember to escape and validate your input! Look through this page: http://php.net/manual/en/security.database.sql-injection.php
You should add the following line at the end of the code.
mysql_query ($insert_query, $conn) or die (mysql_error());
It will try to insert the record otherwise will show the error in the page, so you can debug to identify the issue and fix easily.