I am a newbie. Sorry for my bad English.
$release = mysql_real_escape_string($_POST["release"]);
$numid = mysql_real_escape_string($_POST["numid"]);
$sql1 = mysql_query("UPDATE gg_cars SET release1='".$release."',numid='".$numid."' WHERE `avtor_id` = '".$_SESSION["id"]."' AND cat='1' ");
When user writes something in one row, all rows have the same meaning.
For example: If user writes in second row in "Release car to": John, and submits it, after refresh, all rows have written John in "release car to".
There are a few issues with this code:
It uses the old mysql methods instead of mysqli.
The where clause is using $_SESSION["id"] - which is a single value based on the session information instead of coming from the POST. This is the real cause of the submitted information being written to all rows.
Real escape string should be used on all variables being passed to the query.
Related
I want a straightforward answer with an example (NO LINKS please) to see how I can retrieve a specific person's last name from a table in a MySQL database using PHP and save it into a variable (i.e. $_Session). I have been looking for this question and I don't get anything related to one row in PHP. If this can be done better with mysqli* functions then I would be glad to see it.
Example
$getData = "SELECT lastname FROM person WHERE name='$name'";
$getData_q = mysql_query($getData) or die('Error');
Then i want something like this:
$_SESSION['lastame']=$getData_q; <- Please correct me,
I'm not asking to get a lastname from an input, I'm asking to get it from the table person in the database with the SELECT.
Use
$getData_q = mysqli_fetch_object($getData_q);
$_SESSION['lastame']=$getData_q->lastame;
But ensure that that num rows is greater than 0 and data would return a single row.
This code works but the problem is that if several people use it simultaneously it will cause problems in the sense that some people wont be registered. So I need to rewrite this in a way that all queries per person are executed and finished before the queries of the next person start.
First, the code reads from the database in order to get to the string of all the people that are registered so far.
$sql_s = $con -> query("select * from schedule where date='$date'");
$row_schedule = $sql_s->fetch_array(MYSQLI_BOTH);
$participants = $row_schedule['participants'];
$participants is a string that looks something like "'Sara':'Richard':'Greg'"
Now the current user (Fredrik) wants to add its name to the string like this
$current_user='Fredrik';
$participants_new=add_participant($participants,$current_user);
add_participant is a php function that adds 'Fredrik' to the participant string. Then I want to replace the old participant string with the new one in the SQL database like this
$sql = $con->query("UPDATE schedule SET participants='{$participants_new}' where date='{$date}'");
The specific problem is that if another person (Linda) reads the database before Fredrik executes
$sql = $con->query("UPDATE schedule SET participants='{$participants_new}' where date='{$date}'");
Linda won't get a string that includes Fredrik, she will get "'Sara':'Richard':'Greg'". And when she has added her name it will look like "'Sara':'Richard':'Greg':'Linda'" and when she updates the database like this
$sql = $con->query("UPDATE schedule SET participants='{$participants_new}' where date='{$date}'");
The string including Fredrik ("'Sara':'Richard':'Greg':'Fredrik'") will be overwritten with ("'Sara':'Richard':'Greg':'Linda'") and noone will ever know that Fredrik registered in the class.
Thus, how can I rewrite this code such that all Fredrik's queries are executed before Linda's queries start?
Your question is very good example, showing why one should always learn database design basics and always follow them.
A separator-delimited string in a database is a deadly sin. For many reasons, but we are interesting in this particular case.
Had you designed your database properly, adding participants into separate rows, there would be not a single problem.
So, just change your design by adding a table with participants, and there will be not a single problem adding or removing any number of them.
Here is an approach to do it :
Theoritically Explanation :
Something like this could work.That everytime when user executes the query so it should check for time the request was made to update the query so.Now there must be time difference between user requests for updation query.
Note : Still It's not guaranteed that it will work as because when you will be having internet problems and the user who submitted the request at first but having internet problems and that's why his update query execution is delayed during that time and the other user comes and he sent request late for the updation query but he was having no internet connection problem so his query will be updated before and I think hence that way first user query will get failed..!
Here is the Code :
<?php
// You need to add another column for saving time of last query execution
$current_time=time();
$current_date=date("Y-m-d",$t);
$query_execution_new_time = $current_time.":".$current_date;
if (empty($row_schedule['query_execution_time'])) {
$sql = $con->query("UPDATE schedule SET query_execution_time='{$query_execution_new_time}' where date='{$date}'");
} else {
$query_execution_time = explode(":",$row_schedule['query_execution_time']);
if ($query_execution_time[0] < $current_time) {
$con->query("UPDATE schedule SET participants='{$participants_new}' where date='{$date}'");
$sql = $con->query("UPDATE schedule SET query_execution_time='{$query_execution_new_time}' where date='{$date}'");
}
}
?>
Try this
No need to fetch first all participants and then update.
only update new participant user.
you can concat result of previous one result saved in database column field.
update schedule
set participants = case when participants is null or participants =''
then CONCAT(participants,'Fredrik') // assume Fredrik a new participant
else CONCAT(participants,':','Fredrik')
end
where date='$date';
That way even if you have multiple participants came at the same time the queries won't run at exactly the same time and so you'll get the correct user at the end.
you don't need to worry about multiple users clicking on them unless you've got millions of users
I have 1 HTML document (it is .php, but I'll refer to it as HTML doc) with 3 different fill-in-forms which each has their own PHP script for inserting the data into a database. Each form has its own script and its own table in the database.
I need an ID or username I can give the user on the first form's submission, and then store the ID/username variable and insert it into form 2 and in form 3. So what I need is to have a variable pass from one script to two other scripts.
I tried giving a ID/username in the first script, then in the second script I just collect it via SQL from the table. It doesn't seem to work.
Script 1: $personID = 'a1';
Script 2:
$today = date("Y/m/d");
$personID = mysql_query("SELECT personID FROM reviewpi WHERE date >= '$today' ");
Please help?
For those who would like to know how I did it, here is what I did.
In the first scripts I added
session_start();
$_SESSION['personID'] = 'a1b2c3';
and in the 2nd and 3rd script I added
session_start();
$personID = $_SESSION['personID'];
then in my SQL insert statement on each script page (even script1)
$mysqli->query("INSERT into reviewdc ( personID ) VALUES ( '{$_SESSION['personID']}' )" );
My question was probably a stupid and answered question for some of you, but I couldn't find any research on how exactly to do it, and I tried most of the solutions given on other posts, none of them worked.
Thanks for those who helped.
Your query tries to get the ID, based on today's date.
That is not a good approach at all, what if you had multiple persons that day?
Since you are just trying to carry the id over from page to page, a session would be the right tool.
Set the session:
session_start();
$_SESSION['personID'] = 'a1';
Get the session:
session_start();
$personID = $_SESSION['personID'];
If you find your self needing to get the data of that person.
Simply retrieve the ID and query your DB again.
SELECT *
FROM reviewpi
WHERE personID = ?
Please note:
You need to stop using mysql, it's deprecated
Use mysqli or PDO(recommended)
Use prepared statement to avoid SQL injection attacks
I have made a form page with some radio buttons, text/textarea inputs and a total amount (price) at the end.
It is working/possible to input this into a table in MYSQL with a unique ID (AUTO INCREMENT at 100000).
Here is the situation:
When I submit my page i would like to automatically navigate to another page that still holds the "UNIQUE ID" and the "TOTAL AMOUNT (price)" so I could use it there to put it into another variable that i have to use for the redirection to the payment website.
I thought just to read the last entry in my database but what if 2 people are paying at the same time (no option!).
My unique ID is made into the database itself maybe that is my problem?
Is there somebody who could help me and provide me a walktrough?
Ex. My code:
if(isset($_POST['verzenden'])) {
$firstname = htmlentities ($_POST['firstname']);
$name = htmlentities ($_POST['name']);
$con= mysqli_connect("sqladres","username","password","databasename");
$query = 'INSERT INTO `inputorder`
(`contact_firstname`, `contact_name`)
VALUES ("'.$firstname.'","'.$name.'")';
Now I think I have to use $_SESSION to generate a session ID and also to write the amount (price) into this session and take it to the action page. But I've never used it before and really dont know how to use it in a good safe way!
see similar question to get last insert id:
How do I get the last inserted ID of a MySQL table in PHP?
To redirect with your variables you can use get method as:
header("Location:yourwebsite.com/payment.php?uniqe_id=". $uniqe_id . "&total=" . $total);
I am developing Android application that sends HTTP requests to a server using php and mysql.
The user has to fill in two fields. let's say A and B these will be added to two columns of a table (col A and col B. However, I want to add the contents of A to B after that. it works fine.
I am having a problem in checking the duplicates of A in B. The result i want is A as the user enters and B of the content of A+B with no duplicates.
This is what i am using
$A = $_POST['A'];
$last_inserted_id = mysql_insert_id();
$updateTable = mysql_query("UPDATE Table SET B=IFNULL(CONCAT(B, '$A'), '$A')WHERE _id='$last_inserted_id'");
To make it clearer, B contains only words not a sentence, however, A is a sentence.
so I stemmed the sentence A .. for example A="I want to learn programming" -$A= "learn programming".
So if B is programming .. the final result must be learn and programming only . Now I'm getting learn programming learn.
If this record was just inserted, you probably could've put that data in there in the first place. If this is a subsequent request, then mysql_insert_id() cannot be trusted, as other records might've been inserted.
Is there anything that precludes you from putting the data in there in the first place?
If you want a method to append to an existing field, you could simplify this by defaulting B to be an empty string, making the IFNULL check on your CONCAT call redundant.