I have a mysql table that is connected to xcode via php, Im trying to update a cell using this code, and is returning nothing in the table.
<?php
$conn = mysql_connect($host, $user, $pass);
#mysql_select_db($db) or die("Unable to find database");
$routeID = $_GET["routeID"];
$newComment = $_GET["newComment"];
$query = "UPDATE routes SET comment = '$newComment' WHERE routeID='$routeID'";
mysql_query($query) or die (mysql_error("error"));
mysql_close();
?>
If I changed $routeID to routeID='routeID' or routeID=routeID it would update the entire comment column and add the actual id into it e.g. test?routeID=1
If I changed $routeID to routeID=1 or 20 etc. it would update the correct row. Any ideas on whats wrong with this.
It appears that your querystring is currently newComment=test?routeID=1, whereas it should be newComment=test&routeID=1.*
Consequently, PHP parses the current querystring as a single name newComment with the value test?routeID=1 rather than two names newComment and routeID with values test and 1 respectively.
However, please note that you absolutely must not simply concatenate values from the querystring directly into your SQL: so doing can lead to bugs if the values are not what was expected, which can be exploited by attackers to compromise your database. See How can I prevent SQL injection in PHP?
Please also note that, as documented under mysql_connect():
Warning
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:
mysqli_connect()
PDO::__construct()
Finally, please note that the (optional) argument to mysql_error() is the MySQL link identifier resource, $conn in your case: passing a string literal such as "error" will result in its failure.
* As documented under Data Handling, the default value for arg_separator.input (which is described as "List of separator(s) used by PHP to parse input URLs into variables.") is "&". This is consistent with the encoding used by browsers to submit form data, signified by the application/x-www-form-urlencoded MIME type.
Related
Is the following update query a legal statement? It replaces the existing value with an empty value instead of the word gossamer. It does not fail as far as I can tell. It changes the value in the database from whatever it was before to empty.
$sqld = "UPDATE mynotes SET notes = 'GOSSAMER' WHERE id = '2039'";
$resupdate = mysql_query($sqld) or die(mysql_error());
if ($resupdate) {
$success=1;
$message .="success with update";
}
The query is part of an an API and it returns a result in JSON. While this makes debugging more time consuming, this should be besides the point. If the above is an entirely legal update statement, then at least I can rule out a syntax issue and search for the problem elsewhere.
I have verified that the above code does work in a standalone php file. Something else in code is causing the issue.
Yes, mysql is deprecated in favor of mysqli and PDO. But upgrading legacy site is not in job scope.
It replaces the existing value with an empty value instead of the word gossamer
Assuming this statement is accurate then either:
1) the attribute 'notes' is of type ENUM whose values do not include 'Gossamer'. But you didn't share the DDL for the table.
2) Your code is not executing the query you've shown us here - the query it is executing should be in your MySQL logs
Following is my script which I am usng to make insertion in my database. I didn't use stripslashes or mysqli_escape because I read that when you are using prepared statement we don't need to use that. The issue I am facing is that will the following method is good in terms of security and whenever I make insertion then for special characters garbage text got stored in my database like following example. Kindly let me know how can I modify the query so it stores the values as they are being saved by user. Thanks,
You shouldn’t move them to the next level of delegation.
$storeit = $_POST['value'];
$stmt = $con->prepare("INSERT INTO db_table (thevalue) VALUES (?)");
$stmt->bind_param("s", $storeit); /// s means only string input is allowed
if ($stmt->execute())
{
echo "true";
}
else
echo "false".$stmt->error;
You have to call $con->set_charset() after connect, and pass the actual encoding of the web page, i.e.:
$con->set_charset('utf8');
if your page is sending utf-8 as content charset.
Your problem seem to be related to encoding.
Be sure that you have the same encoding in:
database
table
database connection
user data (html form)
php file itself when stored
About the input data, you can check and/or adjust the data to whichever character set you want to use. You can check the Multibyte String functions or the iconv functions.
I am trying to get my form to work the way this video works. (If you just move to the last 3-4 minutes you will see his final code.)
$UpdateQuery = "UPDATE aznet_data_spare_inventory SET ID='$_POST[id]', Shelf='$_POST[shelf]', Device Type='$_POST[device type]' WHERE ID='$_POST[hidden]'";
If I take out the Device Type portion of my update query, the ID and Shelf updates will work, but when I try to make device type work it just breaks. I guess I'm just wondering if there is rules against spaces or something along those lines.
first of all consider using MySQLi or PDO instead of MySQL, then try to debug your code
$UpdateQuery = "UPDATE aznet_data_spare_inventory SET ID='$_POST[id]', Shelf='$_POST[shelf]', Device Type='$_POST[device type]' WHERE ID='$_POST[hidden]'";
if(mysql_query($UpdateQuery,$con)){
//query is ok
echo "item is updated";
}else{
die(mysql_error());
}
Note, MySql extension is deprecated and you should consider using MySqli or PDO. And you should never put user input data, e.g. $_POST, directly into your query. Research proper ways to sanitize that data.
I don't see you closing the <tr> tag in your while loop. Nor do you close any of your <input> tags.
and yes, MySql column names should not have any spaces either. Try renaming Device Type to Device_Type. If you checked if mysql_query() returned false and output mysql_error(), it would probably give some error details.
Can anybody help me to insert blob data in Mysql using MDB2 through php ?
I want to insert file into database using MDB2.
MBD2 setup is works fine.
This may help, as I had trouble with this for anyone in the future, note the quote sets the 'blob' type when sprintf injected each string generated by the quote functions. The key part appears to be using "file://" with a reference to a file for it to work this way.
$database is a mdb2 object as typically given in other examples online.
// NOTE BELOW: The quote function or lower layers - requires the file reference as below
// I could not pass the raw bytes through that were in a variable for some reason, as the
// quote method appeared to modify the bytes - maybe as it assumes a charset?
$sql = 'UPDATE %s SET %s=%s WHERE iconid=%d';
$sql = sprintf ($sql,
$database->quoteIdentifier('chanicon'),
$database->quoteIdentifier('icondata'),
$database->quote("file://".$_FILES['userfile']['tmp_name'][0], 'blob'),
$database->quote($_REQUEST['iconid'], 'integer')
);
I'm using ajax to gather the ckeditor data to be submitted. The problem is only the content before the first apostrophe is being submitted to the database. What could I be doing wrong?
Edit:
$date = strtotime($formData['date']);
$article=mysql_real_escape_string($formData['article'],$DBconnect);
$DBconnect=mysql_connect($dbVals['host'],$dbVals['user'],$dbVals['pass']);
mysql_select_db($dbVals['db'], $DBconnect);
$SQLstring="INSERT INTO PressRelease (ip, tym, title, date, article) VALUES('${_SERVER['REMOTE_ADDR']}', ".time().",'${formData['title']}', '$date', '$article')";
I'm fairly new at this so if there is anything else you need to see in order to help let me know.
It sounds like you aren't escaping the text data before you insert it into the database. Use this function on the data before you pass it into your SQL query:
http://www.php.net/manual/en/function.mysql-real-escape-string.php
Edit: sorry, that's assuming you are using MySQL.
A different, more complicated, and arguably superior method to the one suggested by Mark, is using Parameterized Statements.
To borrow an example from Wikipedia:
<?php
$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();
?>
It leaves the escaping up to the MySQL driver, severely reducing the chance of SQL Injection and things like accidental double-escaping.
Note that this is not possible using the old MySQL functions. You need the Improved MySQLI functions/object, or something like PDO.
If I understand correctly the following is the case:
You've got a textarea that's "taken over" by CKeditor
You're reading the content of that textarea with Javascript
You're sending the gathered content to the server with AJAX
If you alert() the content that Javascript gets from the textarea, you can see whether step 2 succeeds. If not, please post your Javascript.
If step 2 is correct, then maybe there's a problem server side, dump your db query to look at that.
Update:
Make sure you when you're developing that you turn on all errors and notices. And if you're doing stuff which you can't "see" easily, like AJAX, make sure to keep an eye on your server's error log.
In your code example line 2 you use $DBconnect, and then in line 4 you define what that is. As you can see in the PHP.net entry for mysql_real_escape_string if the function cannot find a connection to the database the function generates an error and returns FALSE. The FALSE is put into your database and that's what goes into your database.
My advice to you is: try harder at debugging. Test all your assumptions, test the value of variables at every step, check if they have the value you expect them to have. Use var_dump(), print_r(), echo and die(). Or if you want something more advanced use a debugger (I don't).