This question already has answers here:
What does ? ... : ... do? [duplicate]
(8 answers)
Closed 8 years ago.
in this i have to check if in fields data is fields then it submit otherwise it can display error with if statements
<?php
include("config.php");
$name=$_POST["name"];
$email=$_POST["email"];
$phone=$_POST["phone"];
$budget=$_POST['budget'];
$insert_query="insert into form(name,email,phone,budget) values ('$name','$email','$phone','$budget')";
$con=mysql_query($insert_query);
?>
take a look at empty() function
http://php.net/empty
if (empty($_POST["name"])) {
die('name is empty');
}
Consider the following...
thispage.php
<?php
$name = (empty($_GET['name'])) ? "Fred" : $_GET['name'];
echo $name;
?>
thispage.php = 'Fred'
thispage.php?Wilma = 'Wilma'
And usual caveats about sql injection, prepared statements, deprecated methods, etc.
First you MUST clean post fields before writing in db. Use function mysql_real_escape_string($var)
And second, you can check field data with function empty, for example:
if (!empty($_POST["name"])) {
$name = mysql_real_escape_string($_POST["name"]);
// your query
} else {
echo 'Name is empty!';
}
Related
This question already has answers here:
Reference - What does this error mean in PHP?
(38 answers)
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 5 years ago.
I am writing a login form with PHP and Mysql.
I did everything its just the forgot password that is not working.
It sends me email confirmation but it does not update the password in the database.
First is the forgot page, then sends an email and redirect me to the confirm_pass.html page where is the form for the two passwords and on this page executes the confirm_pass.php where is doing everything, except updating the password in the database.
Please help.
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Make sure the two passwords match
if ( $_POST['newpassword'] == $_POST['confirmpass'] ) {
$new_password = password_hash($_POST['newpassword'], PASSWORD_BCRYPT);
$email = $mysqli->escape_string($_POST['email']);
$confirm_code = md5(rand().$password);
$result = "UPDATE `mv_db`.`users` SET `password`='$new_password', `confirm`='$confirm_code' WHERE `email`='$email'";
if ( $mysqli->query($result) ) {
header("location: login.html");
}
}
else {
$_SESSION['message'] = " The two passwords you entered don't match, try again!";
header("location: error.php");
}
}
?>
Your $_POST['email'] is not defined, because there is no "email" field in your HTML form.
So nothing is updated in database, because there is no matching record.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I'm building a website which uses information passed through a URL to pick out information from a database table, but it was brought to my attention that doing this may cause a SQL Injection. As I thought this was only an issue where you were inserting information into a database, I'm a bit confused as to when, how and where you should protect your code.
Currently I have a url which looks like:
www.website.com/article.php?title=title&id=1
Which is shortened in htaccess to www.website.com/article/title/1
In my article.php page I then have:
<?php
if(isset($_GET["id"])){$url_id = $_GET["id"];}else{
header("Location: $site_url");
exit();
};
?>
<?php
if(isset($_GET["title"])){$url_title = $_GET["title"];}else{
header("Location: $site_url");
exit();
};
?>
<?php
$article_sql = "SELECT ...
I currently use mysqli_real_escape_string to prevent SQL Injection threats, but I'm unsure where to use it here. I'm guessing that adding...
...
<?php
if(isset($_GET["title"])){$url_title = $_GET["title"];}else{
header("Location: $site_url");
exit();
};
?>
<?php
$url_id = mysqli_real_escape_string($url_id); // ADDED
$url_title = mysqli_real_escape_string($url_title); // ADDED
?>
<?php
$article_sql = "SELECT
...
Should do the trick, but is this correct?
You already use mysqli_ so take advantage of it. Here is simple example based on code you provide:
<?php
// $mysqli is the connection
$article_sql = $mysqli->prepare("SELECT * FROM table WHERE url_id = ? AND url_title = ?");
$article_sql->bind_param("is", $url_id, $url_title);
$article_sql->execute();
$result = $article_sql->get_result();
while ($row = $result->fetch_array(MYSQLI_NUM)) {
foreach ($row as $r) {
print "$r ";
}
print "\n";
}
This question already has an answer here:
Update query with two post array's
(1 answer)
Closed 7 years ago.
I am trying to bring an id from a hidden form on a previous page and using it as a variable as part of an update query.
The path to this point is....:
Log in to admin area (using a different table)...
Search 'businesses' database for entry...
Entry displays with an update button, the update button has a hidden ID... value that gets posted to this page through "submit"...
if(isset($_POST["submit"]) && isset($_POST["submituname"]))
{
$id = $_POST["id"];
$name = $_POST["uname"];
}
$query = mysqli_query($db, "UPDATE businesses SET username='$name' WHERE id='$id'");
if($query)
{
$msguname = "<p>Your username has now been updated.</p>";
}
Thanks
You need to use isset() on both variables to check them both.
if(isset($_POST['submit']) && isset($_POST["submituname"]))
You're sql query is current open to injection attack, make sure you use PDO or mysqli_real_escape_string().
Few mistakes..
Is that all functions must be inside your IF.. (so they are triggered only when its a post request and etc.
You must set isset to both post params which you are checking
What will you do if id is not set ? In that case I am giving a small easy trick by using filter_input which return NULL on not set param (another thing is escaping but I will leave you small task to learn how to escape vars..)
Last thing is your if($query) .. this is wrong check if you have any success.
Here is a working copy
if(isset($_POST['submit']) && ($_POST["submituname"])) {
$id = filter_input(INPUT_POST, 'id');
$name = filter_input(INPUT_POST, 'name');
$query = mysqli_query($db, "UPDATE businesses SET username='{$name}' WHERE id={$id}");
if(mysqli_affected_rows($db) === 1){
$msguname = "<p>Your username has now been updated.</p>";
}
}
This question already has answers here:
PHP to check if a URL contains a query string
(4 answers)
Closed 8 years ago.
I would like to check the url to see if it contains a certain value. If yes run the code. Below is how my url would look like.
www.url.com/test/stats.php?player=neo
www.url.com/test/stats.php?player=morpheus
www.url.com/test/stats.php?player=anderson
$userName = $_GET['player'];
I would like to do something like
if ( urlheader contains $userName ) {
//run some code
}
I think what you are trying to do is this. However it won't work with $_POST
if($_GET['player']){
$username = $_GET['player']
//Do your stuff with $username here
}
Try something like below
$userName = $_GET['player'];
if (strpos($url,$userName) !== false) {
//your scripts
}
or
$userName = $_GET['player'];
if($userName == 'Your checking value')
{
//your scripts
}
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Practises for getting information from $_GET/$_POST and saving it to a database?
Just wondering what exactly I should look out for with regards to safety in MySQL database insertions for users entering strings.
Currently all I'm doing is mysql_real_escape_string($string) for every $_GET or $_POST input I wish to put in the database. Is that cool? What else do I need to do?
$stmt = mysqli_prepare($con,"INSERT INTO friend_request (ToUID, FromUID) VALUES (?,?)");
mysqli_stmt_bind_param($stmt, "ii", $fid, $uid); //i-> Integer, S -> string
mysqli_stmt_execute($stmt);
if (mysqli_stmt_affected_rows($stmt))
echo 'Request Sent';
else
echo 'Something went wrong !';
This is my process:
//check to see if the request came from your server or not
$server = substr($_SERVER[HTTP_REFERER],0,LENGTH OF INCOMING PAGE);
$prevPage = ""; //the incoming page
if ($server != $prevPage) {
header("Location: $prevPage");
exit;
} else {
//pull and sanitize the data
include('link.php'); //include the link to your database
$var = $link->mysql_real_escape_string($_POST['data']);
//check for null values in required fields
//run the data through a regular expression check
//then store the information
There is so much more you could do to validate the data being entered.