I'm struggling with an update statement using php. The problem occurs when the string in the variable $fltr contains more than one word.
$fltr ="Two Words or More" does not work
$fltr="OneWordOnly" works fine.
require_once('includes/init.php');
$Login = new Login( $db );
if(empty($_SESSION['logged']))
{
$Login->_logout();
}
if(isset($_SESSION['uid']))
{
$userid=(int)$_SESSION['uid'];
}
$fltr = $_GET['filter'];
$fltr= pg_escape_string($fltr);
$deakt="D";
$updSQL="update class_products set FTP ='".$deakt."' where title ='".$fltr."' and owner =".$userid;
$db->query($updSQL) or die ("Error in query: $updSQL " . mysql_error());
$txt='<textarea style="margin-left:250px;margin-top:110px; font-family:verdana:font-size:14px;color:#000;">Search filter {$fltr} is deactivated</textarea>';
$class_tpl->assign('txt', $txt);
//now display the template
$class_tpl->display('cbUpdate.tpl.php');
Normally I would print the $updSQL to see the what the problem is, but I am using this in a LightBox variant and having problems debugging.
Any help is highly appreciated.
My guess is the value is urlencoded, and you need to urldecode it, before escaping.
Related
I've spent today going through tons of similar questions and trying to figure out what is wrong with my code, lots of issues people had with back ticks, quotes, etc but none seem to help or change my cause. My code is no producing any errors, but when I use echo to print out my query results, it seems that the id is not getting a value.
In my delete.php:
<?
ini_set('display_errors',"1");
$username="xxx";
$password="xxx";
$database="xxx";
$conn = new mysqli(localhost, $username, $password, $database);
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$id = (int)$_GET['number'];
mysqli_query($conn,"DELETE FROM tourdates WHERE id=".$id."");
$conn->close();
?>
And the delete button in my main.php (the rest of the php is correctly displaying my table with data):
<td><a href='delete.php?number='".$row['id']."'>Delete</a></td>
Can someone help pick out what is causing my rows not to delete when I hit the delete button that I have created, or maybe something that more clearly can help me debug? (I don't want to use checkboxes for this).
EDIT:
I also tried this code (while defining the function as $sql and I'm getting a "Success" message:
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
EDIT 2:
I changed the structure following the advice that I should use POST, thinking I might have caught something I didn't notice before, but still not working.
echo "<td><form method='post' action='delete.php'>
<input type='hidden' name='row_id' value=".$row['id']." />
<input type='submit' name='delete_row' />
</form>";
-
if(isset($_POST['delete_row'])) {
$stmt = $conn->prepare("DELETE FROM tourdates WHERE ID = ?");
$stmt->bind_param('i', $_REQUEST['row_id']);
$stmt->execute();
}
If I do it the above way, nothing happens. Also tried this way, and get a syntax error:
if(isset($_POST['delete_row'])) {
$id = $_POST['row_id'];
$sql = "DELETE FROM tourdates WHERE id=".$id;
mysqli_query($conn,$sql);
}
A potential problem that I can see, is that you are not quoting localhost so php will look for a constant called localhost:
$conn = new mysqli('localhost', $username, $password, $database);
^ ^ here
You are also not checking for errors so that is why you don't see any. The easiest way to fix that, is to have mysqli throw exceptions. Just add this to the top of your script:
mysqli_report(MYSQLI_REPORT_STRICT);
I also don't know if you can mix procedural and object oriented mysqli like that. You should probably stick to the OOP version.
Apart from that you should not use a link (GET request) for your delete actions. What if a web-crawler or a browser extension tries to fetch the links? Instead you should use a POST request (like a form with a button).
Edit: There is another problem which causes you not to get your ID and as you cast it to int, you will always get 0:
<td><a href='delete.php?number='".$row['id']."'>Delete</a></td>
^ Oooops, closing the href attribute value here...
Your id gets placed after the value / outside of the quote of the href value. You can easily verify this if you look at the source of your page.
You need:
<td><a href='delete.php?number=".$row['id']."'>Delete</a></td>
Replace these two parts of code in your php file, first write your host in the quotations
$conn = new mysqli('localhost', $username, $password, $database);
in your where condition you wrote id=".$id."" replace it with id=".$id
write it as:
mysqli_query($conn,"DELETE FROM tourdates WHERE id=".$id);
Edited:
If you want to see error in your query then use the below code:
mysqli_query($conn,"DELETE FROM tourdates WHERE id=".$id) or die(mysqli_error($conn));
why not use try and catch to see your error?
anyways try this
$stmt = $conn->prepare("DELETE FROM tourdates WHERE ID = ?");<br>
$stmt->bind_param('i', $_REQUEST['number']);<br>
$stmt->execute();
could this be the problem ?
$id = (int)$_GET['number'];
May be this would be better... ?
$id = intval($_GET['number']);
Anyway if, echo($query) print an empty id, this is probably because your parameter is not an integer.
I have a table with two value.
ID, Building(is the name of Building)
i write a code with jquery to insert or Update the name of Building (i take the ID value from list1 and the new name from text_build)
function saveBuilding()
{
alert(document.getElementById("list1").value)
alert(document.getElementById("text_build").value)
$.get("saveBuilding.php",{ID:document.getElementById("list1").value, val:document.getElementById("text_build").value},
function(ret) { alert(ret);});
}
where my saveBuilding is:
<?php
$idbuilding=$_GET['ID'];
$name=$_GET['val'];
require_once '../../../dbconnection.php';
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
if (!db_server) die("Unable to connection_aborted to MySQL: " . mysql_error());
mysql_select_db($db_database) or die ("Unable to connection_aborted to MySQL: " . mysql_error());
$query = "UPDATE Building SET Name = '$name' WHERE ID_Building = '$idbuilding';";
$result = mysql_query($query);
if (mysql_error()) {
echo mysql_error();
}
mysql_close();
?>
Now, if i update the value with a new value, it works, if i update the value with a value already used previously, it said that the query is successfully but it dont change nothing.
I try to insert new value by changing the query. and the result is the same.
i also try to add this value directly from mysql and it works!
so which is the problem in my code?
Thanks
MySQL is working as designed (and other rdbms). If you try to change a value to its current value, no error is thrown but nothing happens.
You just need to run
SELECT Name FROM your_table WHERE idbuilding=$id
then compare Name to what is already stored. If it's different, run your UPDATE; if not don't do anything because no action is required.
I solved the problem..
first i verified that the php code works.
and then i verified that the problem was the js.
i dont know why but changing the jquery function $.get in $.post now it work!!
Im having issues with storing source code into a db for a small script bin. The issue is that the printed code in the syntax highlighter used to view from the db has line breaks where it shouldnt, i have seen also in the db the text has stored in the same manner.
I have tried using severalk means to make this work, at first i thought was a wrap issue, so i set wrap to hard on the input form. Then added addslashes and that did not work, ive tried magic_quotes and in this case shown below ive tried mysql_real_escape_string and the text that comes from $content will store in the db with line breaks in places they shouldnt be.
Am i missing something? thanks
This code below is the insert into db and the value concerned is $content
<?php
session_start();
$submit = $_POST['submit'];
$sniptitle = ($_POST['sniptitle']);
$date = date("Y-m-d H:i:s");
$user = $_SESSION['username'];
$lang = ($_POST['lang']);
$con=mysqli_connect("localhost","xxxx","xxxx","xxxx");
$content = mysql_real_escape_string($_POST['snipcontent']);
// ^^^HERE IS THE ISSUE ^^^
if(isset($_POST['submit'])) {
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysqli_query($con,"INSERT INTO code_lib ( snip_title , snip_content , posted_by , lang , datetime )
VALUES ('$sniptitle' , '$content' , '$user' , '$lang' , '$date' )");
mysqli_close($con);
header ("Location: xxx"); // Move back to a page
exit();
}
?>
mysql_real_escape_string shouldn't be used with mysqli by any means
thevertheless, it shouldn't be an issue either
most likely your "solution" is paired with stripslashes on fetch
So, the right solution would be
turning magic quotes off
and using mysqli_real_escape_string
Ok i have this code.
<? //process.php, this will be use in updating, adding, deleting items and content
$a = $_POST['hid'];
$b = $_POST['doctitle'];
$c = $_POST['doccontent'];
if (isset($_POST['hid']) && ($_POST['doctitle']) && ($_POST['doccontent']))
{
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("juliver", $con);
mysql_query("UPDATE doc SET title='$b', content='$c' WHERE id='$a'");
echo "<h2>Successfully updated.</h2>";
mysql_close($con);
}
else
{
echo "not been set, failed to process. please try again.";
}
?>
I want to update the specified row on the table doc, it should update the title in this $b and the content in this $C via id $a. but nothing happen, is there wrong in my code?, nxt is I want to know if the record has been update. thanks in advance.
If id is an integer column you shouldn't use ' around it's value:
WHERE id=$a
You can check number of affected rows using mysql_affected_rows() function:
$rowsAffected = mysql_affected_rows($con);
You should also check the query string and try to execute it on MySQL manually (on PhpMyAdmin, or something similar), to check if it works fine then.
Your code has no anti-SqlInjection parts. You should use PDO or any kind of escape function to make it more secure.
Are you sure that the if statement is firing (ie is $_POST['hid'] and the other post vars set)? Also, why do you run isset() on 'hid' and not the other 2 vars?
Oh, and as stated above, you should always sanitize your vars to protect against MySQL injection. You can always use mysql_real_escape_string
I have a couple of easy problems.
First I am trying to get names from database where surname='lion'. I wrote php a file but it didn't work:
$con = mysql_connect("localhost","yata_ali","password");
if (!$con){
die('error: ' . mysql_error());
}
mysql_select_db("yatanada_iBess", $con);
$degisken = mysql_query("select name from people where surname LIKE '%lion%'");
if(mysql_query){
return "$degisken";
}
mysql_close($con);
?>
I wrote this code and tried to use $degisken in my xcode project. But it didn't work.
shortly i am trying to use the names whichs surname =lion in my ios project and i know i should use url.but i couldn find the code part that return name what shall i write at the end of php code ? return or something else to use in xcode.
how can i send response in php? i wonder that. what shall i write "return $name" or something else. i know call url. but i dont know whats the full php code that i shall use
You can't use PHP in an iOS project. You'll need to write some objective-c to call a URL on a server which returns this data in some sort of format (xml? json?) and then have the iOS app parse the response.
I don't think you understand how to use the mysql_* functions in PHP. Take a look at the examples on this page for guidance: http://www.php.net/manual/en/function.mysql-query.php
$degisken= mysql_query("select name from people where surname='lion'");
if ($degisken){
while($row = mysql_fetch_assoc($degisken))
{
echo $row["name"] . "<br/>";
}
}
There are a lot of errors, in your code, but the most serious are that
(a) you are running an invalid test:
if (mysql_query){ //YOU CANNOT DO THIS
(b) You cannot return "$degisken"; because $degisken is a MySQL
resource, not a string.
(c) You should not close your mysql
connection after returning something. You don't necessarily need to
close it at all, but if you're going to, close it after the query
because anything after the return won't be evaluated (assuming the
return is triggered).
(d) If you're looking for cases where the surname='lion' then don't use wildcards in the MySQL query. where surname LIKE '%lion%' will match 'scalion','lioness','slioner', etc.
Your code should look something like this:
$con = mysql_connect("localhost","yatanada_ali","sifre");
if (!$con) {
die('error: ' . mysql_error());
}
mysql_select_db("yatanada_iBess", $con);
$degisken = mysql_query("select name from people where surname LIKE '%lion%'") or die('Error: '. mysql_error());
if (mysql_num_rows($degisken)){
//your query could return lots of results, so you may want to loop through results:
while($row = mysql_fetch_array($query)){
$name = $row['name'];
//do something with the name... I'm going to echo it.
echo $name . "<br />";
}
}