I have a code who prints the status of a player in HTML, but I want to add a button right on the side, and when I click it I want that status to change.
(There's a lot of players on the database and on the HTML, the problem I have is, when I click the button, the status of ALL the players change, so I need to find a way to find the steamid and change the status of that player by the steamid with the button and I don't know how to do it, here's the admin panel I'm trying to do: http://vanityrp.site.nfoservers.com/apply/admin.php)
Admin.php:
<?php
$servername = "localhost";
$username = "------";
$password = "------";
$dbname = "-----";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT avatar, name, status FROM Apps";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "
<form action='../apply/steamauth/status.php' method='post'>
<div class='advert'><img src='".$row["avatar"]. "'>\n</div><br>
<div name='username2' class='advert'>Username: ".$row["name"]. "\n<br></div>
<div class='advert'>Status: <font color='orange'>".$row["status"]."</font></div>\n<br>
<input type='submit' value='Deny' name='deny'/>
<input type='submit' value='Accept' name='accept'/>
<input type='submit' value='Remove' name='remove'/>
</form>
<hr>
";
}
} else {
}
$conn->close();
?>
And now status.php:
<?php
$servername = "localhost";
$username = "-----";
$password = "----";
$dbname = "-----";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$denied = $_POST['deny'];
$accepted = $_POST['accept'];
$remove = $_POST['remove'];
$username = $_POST['username2'];
if($accepted){
$sql = "UPDATE Apps SET status = replace(status,'Pending','Accepted.');";
$sql = "UPDATE Apps SET status = replace(status,'Denied','Accepted.');";
}elseif($denied){
$sql = "UPDATE Apps SET status = replace(status,'Pending','Denied.');";
$sql = "UPDATE Apps SET status = replace(status,'Accepted','Denied.');";
}elseif($remove){
#$sql = "DELETE FROM Apps WHERE id=$username";
}
$result = $conn->query($sql);
if ($conn->query($sql) === TRUE) {
echo "App has been denied/accepted successfully.";
header( "refresh:3;url=http://vanityrp.site.nfoservers.com/apply/admin.php" );
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
header("refresh:3;url=http://vanityrp.site.nfoservers.com/apply/admin.php");
}
?>
Try the following changes in your code
<form action='../apply/steamauth/status.php' method='post'>
<div class='advert'><img src='".$row["avatar"]. "'>\n</div><br>
<input type="hidden" name="userid" value='".$row["id"]."'/> <!--added a hidden variable "user your id column name in value"-->
<div name='username2' class='advert'>Username: ".$row["name"]. "\n<br></div>
<div class='advert'>Status: <font color='orange'>".$row["status"]."</font></div>\n<br>
<input type='submit' value='Deny' name='deny'/>
<input type='submit' value='Accept' name='accept'/>
<input type='submit' value='Remove' name='remove'/>
</form>
and in status.php
$denied = $_POST['deny'];
$accepted = $_POST['accept'];
$remove = $_POST['remove'];
$username = $_POST['username2'];
$id = $_POST['userid']; // get the hidden variable here
if($accepted){
$sql = "UPDATE Apps SET `status` = 'Accepted.' where id = $id;"; //check the condition
}elseif($denied){
$sql = "UPDATE Apps SET `status` = 'Denied.' where id = $id;";
}elseif($remove){
#$sql = "DELETE FROM Apps WHERE id=$username";
}
Change your query to select the steamid as well
$sql = "SELECT avatar, name, status, steamid FROM Apps";
Then in your form add a hidden input with the steamid as the value.
<input type='hidden' name='steamid' value='".$row['steamid']."' />
Then in your status.php
$steamid = $_POST['steamid'];
Then create prepared statements to help protect against SQL injection
$sql = "UPDATE Apps SET status = replace(status,'Pending','Accepted.') WHERE steamid = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $steamid);
$stmt->execute();
I think this can solve your problem:
<?php
$servername = "localhost";
$username = "------";
$password = "------";
$dbname = "-----";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT id, avatar, name, status FROM Apps";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "
<form action='../apply/steamauth/status.php' method='post'>
<div class='advert'><img src='".$row["avatar"]. "'>\n</div><br>
<div name='username2' class='advert'>Username: ".$row["name"]. "\n<br></div>
<div class='advert'>Status: <font color='orange'>".$row["status"]."</font></div>\n<br>
<input type='submit' value='".$row["id"]. "' name='deny'/>
<input type='submit' value='".$row["id"]. "' name='accept'/>
<input type='submit' value='".$row["id"]. "' name='remove'/>
</form>
<hr>
";
}
} else {
}
$conn->close();
?>
+
<?php
$servername = "localhost";
$username = "-----";
$password = "----";
$dbname = "-----";
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$denied = $_POST['deny'];
$accepted = $_POST['accept'];
$remove = $_POST['remove'];
$username = $_POST['username2'];
if($accepted){
$sql = "UPDATE Apps SET status = replace(status,'Pending','Accepted.') WHERE id='".$accepted."';";
$sql = "UPDATE Apps SET status = replace(status,'Denied','Accepted.') WHERE id='".$accepted."';";
}elseif($denied){
$sql = "UPDATE Apps SET status = replace(status,'Pending','Denied.') WHERE id='".$denied."';";
$sql = "UPDATE Apps SET status = replace(status,'Accepted','Denied.') WHERE id='".$denied."';";
}elseif($remove){
#$sql = "DELETE FROM Apps WHERE id={$remove}";
}
$result = $conn->query($sql);
if ($conn->query($sql) === TRUE) {
echo "App has been denied/accepted successfully.";
header( "refresh:3;url=http://vanityrp.site.nfoservers.com/apply/admin.php" );
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
header("refresh:3;url=http://vanityrp.site.nfoservers.com/apply/admin.php");
}
?>
Try this
if($accepted){
$sql = "UPDATE Apps SET status = replace(status,'Pending','Accepted.') WHERE name='".$username."';";
$sql = "UPDATE Apps SET status = replace(status,'Denied','Accepted.') WHERE name='".$username."';";
}elseif($denied){
$sql = "UPDATE Apps SET status = replace(status,'Pending','Denied.') WHERE name='".$username."';";
$sql = "UPDATE Apps SET status = replace(status,'Accepted','Denied.') WHERE name='".$username."';";
}elseif($remove){
#$sql = "DELETE FROM Apps WHERE id={$remove}";
}
Related
I made a simple HTML web page with a list of emplyees (only two atm).
<form method="post" action = "del.php">
<table border = "1">
<tr>
<th>Employee Name</th>
</tr>
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "lavoratori";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT nome, id FROM operai";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo"<tr>";
echo'<td><input type = "checkbox" name = checkbox[]" value = '.$row['id']."<td>".$row['nome']."</td>";
echo"</tr>";
}
echo"</table>";
}
$conn->close();
?>
<input type = "submit" name = "delete" id = "delete" value = "Delete Records">
</form>
This is del.php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "lavoratori";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
if(isset($_POST['delete'])){
$chkarr = $_POST['checkbox'];
foreach($chkarr as $id){
$sql = "DELETE FROM operai WHERE id = .$id.";
$result = $conn->query($sql);
}
header("Location: /test_purpose/home.php");
}
$conn->close();
?>
Can you guys tell me what's going on? I'm new to PHP.
What i'm trying to do is to delete a specific a row from selecting with a checkbox. And it does not work, it redirects me back to the main page, without deleting anything obviously.
This line is wrong:
$sql = "DELETE FROM operai WHERE id = .$id.";
Replace with:
$sql = "DELETE FROM operai WHERE id = {$id}";
You also need to consider SQL Injection: https://stackoverflow.com/a/60496/1403785
i am trying to give use a choice to upgrade some data in mysqli database. Also if a user chooses not to input anything or not to select (a date) anything then database should leave this as it is. I cannot find a problem with my code.
HTML:
<h1>Nastavitve tečajev</h1><br><br>
<form action="viv_settings_tecaji.php" method="post">
Datum termina (izberi ID):
<input type="number" name="ID" required><br><br>
Sprememba tega datuma (če ne želiš spremenit pusti prazno):
<input type="date" name="nov_datum"><br><br>
Sprememba statusa (če želiš da ostane isto vpiši trenutni status!:
<input type="number" name="status"><br><br>
Sprememba števila odprtih mest
<input type="number" name="st_odprtih_mest"><br><br>
<input type="submit">
</form><br>
PHP:
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "viverius_education";
$conn = new mysqli($servername, $username, $password, $dbname);
$update_datum = $_POST['nov_datum'];
$update_status = $_POST['status'];
$update_st_odprtih_mest = $_POST['st_odprtih_mest'];
$update_ID = $_POST['ID'];
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
$sql = "UPDATE razpisani_tecaji
SET
DATUM = (case when '$update_datum' = '' then DATUM else '$update_datum' end),
STATUS = (case when '$update_status' = '' then STATUS else '$update_status' end),
ST_ODPRTIH_MEST = (case when '$update_st_odprtih_mest' = '' then ST_ODPRTIH_MEST else '$update_st_odprtih_mest' end),
WHERE ID_TECAJA = $update_ID";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
header('Location: viv_settings.php'); exit;
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}$conn->close();
?>
If anyone ever needs: solution.
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "viverius_education";
$conn = new mysqli($servername, $username, $password, $dbname);
//$update_datum = $_POST['nov_datum'];
$update_status = $_POST['status'];
$update_st_odprtih_mest = $_POST['st_odprtih_mest'];
$update_ID = $_POST['ID'];
//if(!empty($_POST['nov_datum'])) { $update_datum = $_POST['nov_datum']; } else { $update_datum = NULL; }
if(!empty($_POST['status'])) { $update_status = $_POST['status']; } else { $update_status = NULL; }
if(!empty($_POST['st_odprtih_mest'])) { $update_st_odprtih_mest = $_POST['st_odprtih_mest']; } else { $update_st_odprtih_mest = NULL; }
if(!empty($_POST['ID'])) { $update_ID = $_POST['ID']; } else { $update_ID = NULL; }
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
echo "Connected successfully";
$sql = "UPDATE razpisani_tecaji
SET
STATUS = $update_status,
ST_ODPRTIH_MEST = $update_st_odprtih_mest
WHERE ID_TECAJA = $update_ID";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
header('Location: viv_settings.php'); exit;
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}$conn->close();
?>
this is form which shows the data which i have to update the data i get correctly i want when i pressed update button the data is update by using up.php file
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "alurdu_db";
$id = $_GET['id'];
mysql_query('SET CHARACTER SET utf8');
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error)
{
die("Connection failed: " . $conn->connect_error);
}
mysqli_set_charset($conn,"utf8");
$sql = "SELECT * FROM news WHERE news_id='$id'";
$result = $conn->query($sql);
if ($result->num_rows >0) {
while($row = $result->fetch_assoc()) {
?>
<form action="up.php" method="post" enctype="multipart/form-data">
<div class="form-group">
<input type="text" class="form-control" name="news_title" value="<?=$row["title"]?>">
<div class="col-md-2 text-center">News Title</div>
<button type="submit" class="btn btn-default text-align" style="background-color:#3c8dbc;color:white" value="">Update</button></a>
</form>
<?php
}
} else {
echo "Wrong Page";
}
$conn->close();
?>
this is up.php file i don't know why it does not getting the id if update without id it update all the data of the table
<?php
$news_title = $_POST["news_title"];
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "alurdu_db";
$news_id = $_GET['id'];
mysql_query('SET CHARACTER SET utf8');
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
mysqli_set_charset($conn,"utf8");
$sql = " UPDATE news SET title='$news_title' WHERE news_id='$news_id' ";
if ($conn->query($sql) === TRUE) {
echo "Updated";
}
else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
Looks like your SQL statement isn't in closed quotes. It should look like this:
$sql = "UPDATE news SET title='" . $news_title . "' WHERE news_id='" . $news_id . "'";
I want to do a query to get the last id (int) in a table to create a new row with that last id + 1 but actually this just put all rows with the same id
my code:
<?php
$servername = "localhost";
$user = "root";
$pass = "dbpass";
$dbname = "site";
$mail = $_POST['mail'];
$password = $_POST['password'];
// Create connection
$conn = mysqli_connect($servername, $user, $pass, $dbname);
// Check connection
if (!$conn) {
die("Connection failed: " . mysqli_connect_error());
}
$sqlID = "SELECT MAX(id) FROM `login`;";
if ($result = mysqli_query($conn, $sqlID)) {
$id = mysqli_fetch_row($result);
}
settype($id, "int");
$id = $id + 1;
$sql = "INSERT INTO login (`id`,`mail`,`password`)
VALUES ('".$id."','".$mail."','".$password."');";
if (mysqli_query($conn, $sql)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
?>
mysqli_fetch_row returns always an array, also if there is only 1 element. So the MAX(id) in in $row[0].
Fixing this, you also don't need to use settype.
If your id is autoincrement, change this:
$sql = "INSERT INTO login (`id`,`mail`,`password`)
VALUES ('".$id."','".$mail."','".$password."');";
to:
$sql = "INSERT INTO login (`mail`,`password`)
VALUES ('".$mail."','".$password."');";
Then get rid of all code from $sqlID to $id + 1; (for tidyness)
I'm having problem with updating information in database. The echo pops out as successful but the database row stays blank - why? PHP code:
<?php
if (isset($_POST['gender'])) {
// Sanitize and validate the data passed in
$gender = filter_input(INPUT_POST, 'gender', FILTER_SANITIZE_STRING);
if ($stmt) {
$stmt->bind_param('s', $gender);
$stmt->execute();
$stmt->store_result();
if ($insert_stmt = $mysqli->prepare("INSERT INTO members gender VALUE ?")) {
$insert_stmt->bind_param('s', $gender);
}
}
echo "<div class='notemarg'> Your gender has been submitted</div>";
}
?>
and input form:
<form action="" method="POST">
<input type="radio" name="gender" value="male"> Male <br>
<input type="radio" name="gender" value="female"> Female <br>
<input type="submit" name="gender" value="Set gender" class="button">
</form>
I want to use mysqli->prepare to prevent SQL injection.
I fixed it with alternative way, where there is pre-defined input by button.
<?php
$servername = "";
$username = "";
$password = "";
$dbname = "";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
if (isset($_POST['Female'])) {
$gender = $_POST['Female'];
$sql = "UPDATE members SET gender = '$gender' WHERE username = '".$_SESSION['username']."'";
if ($conn->query($sql) === TRUE) {
echo "<div class='notemarg'> Your gender has been submitted</div>";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
}
?>
And simple form:
<form action="" method="POST">
<input type="submit" name="Female" value="Female" class="button">
</form>
Thanks to all who wanted to help me, especially to anant kumar singh. I could not get that alter idea without his suggestions. Thanks!
UPDATE #1
It just pops out that echo "error"
<?php
if(isset($_POST['Female'])){
$servername = "";
$username = "";
$password = "";
$dbname = "";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
if (isset($_POST['Female'])) {
$gender = $_POST['Female'];
$stmt = $conn->prepare('UPDATE members
SET gender = ?
WHERE username = ?');
$stmt->bind_param('s', $_POST['Female']);
$stmt->bind_param('s', $_SESSION['username']);
if ($conn->prepare === TRUE) {
echo "<font color='#00CC00'>Your gender has been updated.</font><p>";
} else {
echo "Error: " . $conn->prepare . "<br>" . $conn->error;
}
$conn->close();
}
}
?>
Don't know where is problem...
UPDATE #2
if(isset($_POST['Female'])){
$servername = "";
$username = "";
$password = "";
$dbname = "";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
if (isset($_POST['Female'])) {
$gender = $_POST['Female'];
$sql = "
UPDATE members
SET gender = ?
WHERE username = ?
";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $_POST['Female']);
$stmt->bind_param('s', $_SESSION['username']);
$stmt->execute();
if ($mysqli->prepare($sql) === TRUE) {
echo "<font color='#00CC00'>Your gender has been updated.</font><p>";
} else {
echo "Error: " . $conn->prepare . "<br>" . $conn->error;
}
$conn->close();
}
}
UPDATE #3
I added also some notes in code so
<?php
// I had here twice the ifisset here and
if(isset($_POST['Female'])){
$servername = "";
$username = "";
$password = "";
$dbname = "";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
//here the second one so I deleted that ifisset here...
$gender = $_POST['Female'];
$sql = "
UPDATE members
SET gender = ?
WHERE username = ?
";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('s', $_POST['Female']);
$stmt->bind_param('s', $_SESSION['username']);
$ok = $stmt->execute();
if ($ok == TRUE) {
echo "<font color='#00CC00'>Your gender has been updated.</font><p>";
} else {
echo "Error: " .$stmt->error; // This is the line that shows the error
}
$conn->close();
}
?>
I'm not sure what is problem... It pops the error on echo "No data supplied for parameters in prepared statement"
Following an answer being posted with a huge security vulnerability, it is worth taking a moment to fix this. There is a way to fix it so you can use your string concatenation approach, but it is generally not as good as parameterisation.
All you need to do is to take your working query, and convert it to a parameterised form. Something like this:
// Expects valid $mysqli object here
$sql = "
UPDATE members
SET gender = ?
WHERE username = ?
";
$stmt = $mysqli->prepare($sql);
// ** As we discovered, the binding needs to happen in one
// ** call, not across several
$stmt->bind_param('ss', $_POST['Female'], $_SESSION['username']);
$stmt->execute();
Looking at your original code, there seems to have been two problems: the statement wasn't prepared at all (and so the program should have exited with a fatal error) and there was a syntax error in the original SQL statement.
In your new code, you're missing the execute() call.