Query not executed, but no errors - php

<?php
require('conn.php');
session_start();
ini_set('default_charset', 'UTF-8');
conopen();
mysql_query("SET NAMES utf8;");
$idedit = $_SESSION['id'] ;
$firstname = mysql_real_escape_string($_POST['firstnameedit']);
$lastname = mysql_real_escape_string($_POST['lastnameedit']);
$email = mysql_real_escape_string($_POST['emailedit']);
$username = mysql_real_escape_string($_POST['usernameedit']);
$password = mysql_real_escape_string($_POST['passwordedit']);
$query = " UPDATE `users` SET `firstname`= '" . $firstname . "',`lastname`='" . $lastname . "',`email`='" . $email . "',`username`='" . $username . "',`password`='" . $password . "', WHERE id = '" . $idedit . "'";
if (mysql_query($query) === true) {
echo '<meta http-equiv="Refresh" content="0; URL=profile.php" />';
}
else {
echo 'wrong';
}
conclose();
?>
I don't know why the echo output is incorrect. Can anyone tell me what's wrong? I'm trying to redirect to profile.php. What could be causing the query to return false?

You have an extra comma before the where clause.
Try this:
$query = " UPDATE `users` SET `firstname`= '" . $firstname . "',`lastname`='" . $lastname . "',`email`='" . $email . "',`username`='" . $username . "',`password`='" . $password . "' WHERE id = '" . $idedit . "'";
In general, you should learn to print out the query after variable substitution to see what the real query is. Errors are usually obvious when you do this.
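Added example (not part of the original posts): why the failed UPDATE produced no visible error, and how to surface it without showing database details to the browser. Assumptions: PDO with an in-memory SQLite database stands in for the poster's MySQL connection so the script runs without a server; the table contents and the function names `run_silent` and `run_strict` are constructed for illustration.

```php
<?php
// Added example, not the poster's code. Assumption: PDO with an in-memory
// SQLite database stands in for MySQL; table and values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'Ann', 'Lee')");

// Same defect as the question: a comma directly before WHERE.
$broken = "UPDATE users SET firstname = 'Bob', lastname = 'Ray', WHERE id = 1";
$fixed  = "UPDATE users SET firstname = 'Bob', lastname = 'Ray' WHERE id = 1";

// Silent mode behaves like the question: false comes back and nothing is
// reported unless the code asks the driver what went wrong.
function run_silent(PDO $pdo, string $sql): string
{
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
    if ($pdo->exec($sql) === false) {
        return 'failed: ' . $pdo->errorInfo()[2];
    }
    return 'ok';
}

// Exception mode makes every failed statement throw, so it cannot be missed.
// The driver message goes to the server log; the browser gets a generic text.
// The SQL string itself is not logged because it can carry passwords.
function run_strict(PDO $pdo, string $sql): string
{
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        error_log('SQL error: ' . $e->getMessage());
        return 'Update failed, please try again later.';
    }
}

echo run_silent($pdo, $broken), PHP_EOL;  // driver message names the WHERE token
echo run_strict($pdo, $broken), PHP_EOL;  // generic text, details in the log
echo run_strict($pdo, $fixed), PHP_EOL;   // statement runs
```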

I think the problem is the comma in front of the WHERE in your query.

mysql update query won't execute

I have two update queries to update the MySQL DB of the system. The problem is my second update query works but my first one doesn't execute at all.
Can't figure out what's going on... any help would be great.
Here is my PHP code.
$dob = $_POST["dob"];
$name = $_POST["name"];
$mob = $_POST["mobileNo"];
$home = $_POST["homeNO"];
$files = $_FILES["filep"]["name"];
echo $files;
$folder = "images/";
$uid = $_SESSION["Uid"];
if($_FILES["filep"]["error"] == 4) {
echo "no file selected";
}
move_uploaded_file($_FILES["filep"]["tmp_name"] , "$folder".$_FILES["filep"]["name"]);
$result = mysqli_query($con,"UPDATE User SET DOB = '" . $uid . "', MOBNO = '" . $mob . "', HOMENO = '" . $home . "',DOB = '" . $dob . "',IMAGE_URL = '" . $files . "' WHERE UID='" . $uid . "'");
$result = mysqli_query($con,"UPDATE User_Credentials SET NAME = '" . $name . "' WHERE CID='" . $uid . "'");
I have checked all the $name, $mob etc. variables and the values are passing without any problem.

PHP X MYSQL | Error in Injecting data using $_POST [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I have been trying to input data from $_POST variables but I cannot spot where the error is. Hope you can help me.
Below is the code:
$conn = mysql_connect("localhost", "root");
if (isset($_POST['studLog'])) {
$uName = $_POST['uName'];
$pWord = $_POST['pWord'];
mysql_select_db("sis_main", $conn);
if (mysql_num_rows(mysql_query("SELECT * from student where stud_uname='$uName' and stud_pword='$pWord'"))) {
include("stud-view.html");
} else {
echo 'Account doesnt exist!';
echo "<br><br>";
echo "<a href='stud-start.html'>GO BACK!</a>";
}
} else if (isset($_POST['studReg'])) {
mysql_select_db("sis_main", $conn);
$stdID = $_POST['studID'];
$fname = $_POST['firstNme'];
$mname = $_POST['midNme'];
$lname = $_POST['lastNme'];
$stadd = $_POST['stAdd'];
$ctadd = $_POST['ctAdd'];
$bdate = $_POST['bDate'];
$gendr = $_POST['gender'];
$email = $_POST['email'];
$mobno = $_POST['mobNum'];
$uname = $_POST['newUName'];
$pword = $_POST['newPWord'];
$age = birthday($bdate);
if (mysql_query("INSERT INTO student values (`$stdID`,`$fname`,`$lname`, `$mname`,`$stadd`,`$ctadd`,`$age`,`$bdate`,`$gendr`, `$email`,`$mobno`,`$uname`,`$pword`);")) {
echo 'Account Successfully Regsitered!';
} else {
echo 'ERROR: '.mysql_error();
echo "<a href='stud-start.html'>GO BACK!</a>";
}
}
}
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '#gmail.com, 09981744039, kuyschan, kuyschan)' at line 1
This is supposed to be a comment, but I have a low reputation here.
Before I answer your question, please do not use the mysql functions as they are no longer supported. Consider a switch to either MySQLi or PDO. Also, do not trust user input. Meaning, do not directly post field values from your form to your database, as an attacker can easily exploit it by adding funny javascripts or worse.
To your question,
In your insert statement, you did not specify the columns:
Try:
<?php
$sql = "INSERT INTO student (`studID`, `firstNme`, `lastNme`,`stAdd`,`ctAdd`,`bDate`,`gender`,`email`,`mobNum`,`newUName`,`newPWord`)VALUES
('" . mysqli_real_escape_string($con, $_POST['studID']) . "',
'" . mysqli_real_escape_string($con, $_POST['firstNme']) . "',
'" . mysqli_real_escape_string($con, $_POST['lastNme']) . "',
'" . mysqli_real_escape_string($con, $_POST['stAdd']) . "',
'" . mysqli_real_escape_string($con, $_POST['ctAdd']) . "',
'" . mysqli_real_escape_string($con, $_POST['bDate']) . "',
'" . mysqli_real_escape_string($con, $_POST['gender']) . "',
'" . mysqli_real_escape_string($con, $_POST['email']) . "',
'" . mysqli_real_escape_string($con, $_POST['mobNum']) . "',
'" . mysqli_real_escape_string($con, $_POST['newUName']) . "',
'" . mysqli_real_escape_string($con, $_POST['newPWord']) . "')";
if ($con->query($sql) === TRUE) {
echo "New record created successfully";
} else {
// Use the same connection variable ($con) that ran the query.
echo "Error: " . $sql . "<br>" . $con->error;
}
$con->close();
Where $con is your database connection.
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// Create connection
$con = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($con->connect_error) {
die("Connection failed: " . $con->connect_error);
}

Can not check the duplicate data in database using PHP,Mysql and Angular.js

I am finding it a little bit difficult to check duplicate data from the database using MySQL, PHP and Angular.js. I am explaining my code below.
addUser.php:
<?php
$postdata = file_get_contents("php://input");
$request = json_decode($postdata);
$user_name=$request->user_name;
$user_email=$request->user_email;
$mob_no=$request->mob_no;
$login_name=$request->login_name;
$password=$request->password;
$user_status=$request->user_status;
$con = mysql_connect('localhost', 'root', 'Oditek123#');
mysql_select_db('go_fasto', $con);
$selquery = "SELECT * FROM db_user WHERE login_name='".$login_name."' and mob_no='".$mob_no."' and email='" . $user_email . "'";
$selres = mysql_query($selquery);
if(mysql_num_rows($selres ) > 0)
{
$erresult=mysql_fetch_array($selres);
header("HTTP/1.0 401 Unauthorized");
$erresult['msg'] = 'This user login name or mobile no or email is already exist.';
}else{
$qry ='INSERT INTO db_user (user_name,email,mob_no,login_name,password,user_status) values ("' . $user_name . '","' . $user_email . '","' . $mob_no . '","' .$login_name . '","' . $password . '","' . $user_status . '")';
$qry_res = mysql_query($qry);
$user_type = 5;
$display_name = $user_name."_admin";
$qry ='INSERT INTO db_Admin_Master (user_type,user_name,display_name,password) values ("' . $user_type . '","' . $login_name . '","' . $display_name . '","' .$password . '")';
$qry_res = mysql_query($qry);
$query='SELECT * from db_user order by user_id desc';
$res=mysql_query($query);
$result=mysql_fetch_array($res);
if ($result) {
$result['msg'] = "New User has added successfully";
} else {
header("HTTP/1.0 401 Unauthorized");
$result['msg'] = "Sorry, User could not added ";
}
echo json_encode($result);
}
?>
If you check my code, I am checking three columns, login_name, email and mob_no, from the database and checking them inside the if statement. Here, even if I am inserting the same data again, it is not checking and the else part is executing. Please help me to resolve this issue.
$selquery = "SELECT *
FROM db_user
WHERE login_name='".$login_name."'
OR mob_no='".$mob_no."'
OR email='" . $user_email . "'";
Try using OR instead of AND.
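Added example (not part of the original posts): the AND and OR forms of the duplicate check run against the same row, with the values bound as parameters rather than concatenated, which goes beyond what the answer shows. Assumptions: PDO with an in-memory SQLite database stands in for the poster's MySQL server; the sample row, the candidate values and the function name `is_duplicate` are constructed.

```php
<?php
// Added example, not the poster's code. Assumption: in-memory SQLite via PDO
// stands in for MySQL; the row below is constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE db_user (user_id INTEGER PRIMARY KEY, login_name TEXT, mob_no TEXT, email TEXT)");
$pdo->exec("INSERT INTO db_user (login_name, mob_no, email)
            VALUES ('asha', '5550001', 'asha@example.com')");

// True when an existing row matches the candidate under the given operator.
function is_duplicate(PDO $pdo, string $op, string $login, string $mob, string $email): bool
{
    // The operator comes from a fixed list in code, never from the request.
    if (!in_array($op, ['AND', 'OR'], true)) {
        throw new InvalidArgumentException('operator must be AND or OR');
    }
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM db_user WHERE login_name = ? $op mob_no = ? $op email = ?"
    );
    $stmt->execute([$login, $mob, $email]);   // values travel as data, not SQL
    return (int) $stmt->fetchColumn() > 0;
}

// A signup that reuses only the e-mail address of the existing row.
$candidate = ['newlogin', '5559999', 'asha@example.com'];

// AND requires all three columns to match one row, so the reused e-mail slips through.
var_dump(is_duplicate($pdo, 'AND', ...$candidate));
// OR flags the signup as soon as any one column is already taken.
var_dump(is_duplicate($pdo, 'OR', ...$candidate));
// A value containing a quote is compared literally and does not break the query.
var_dump(is_duplicate($pdo, 'OR', "o'neil", '5559999', 'new@example.com'));
```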

Special characters in PHP scripts stops execution

I am importing employee data from a .csv file as a bulk operation. There are many fields like First name, Last Name, Email, Contact No, Address etc.
The Email field in the database is Index/Unique. So I have put validation over it.
But my question is about when certain rows contain special characters like matinées#fauts.net or débutante#peured.info [focus é].
This stops PHP script execution unexpectedly without an error log. I have also gone through the Apache Error Log/PHP Error Log but there are no errors. Please help me to prevent this.
I have also tried to set the character encoding scheme to UTF-8 or Western-ISO-800 etc., but this does not work.
Code snippet:
$firstname = $sd[0];
if ($firstname != '' || !empty($firstname)) {
$lastname = $sd[1];
$email = $sd[2];
if ($sd[3] != '' && $sd[3] != NULL) {
$password = md5( $sd[3]);
}
$contactno = $sd[4];
$internalextension = $sd[5];
$companyid = $this->session->userdata('companyid');
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
return array("status" => FALSE, "message" => "Error while Importing Employee. Please Check Your .csv "
. "file; <br/> Your file contains Invalid Email Id at Line number" . ($count + 1) . ". Email: $email");
} else {
if ($count != 500) {
$query = $query . "(NULL, '" . $firstname . "', '" . $lastname . "', '" . $email . "', "
. "'" . $password . "', '" . $salt . "', 1, '" . $contactno . "',"
. "'" . $internalextension . "', 4, " . $companyid . ", '" . my_datenow() . "'),";
} else {
$query = $query . "(NULL, '" . $firstname . "', '" . $lastname . "', '" . $email . "', "
. "'" . $password . "', '" . $salt . "', 1, '" . $contactno . "',"
. "'" . $internalextension . "', 4, " . $companyid . ", '" . my_datenow() . "');";
echo $query;
}
}
} else {
return array("status" => FALSE, "message" => "Error while Importing Employee. Please Check Your .csv file; First Name should not be blank.");
}
You can use htmlspecialchars() before assigning the value to a variable, for example:
$firstname = htmlspecialchars($sd[0]);
htmlspecialchars — Convert special characters to HTML entities
reference : http://php.net/manual/en/function.htmlspecialchars.php

PHP script not updating mysql table

this script is simply not working... can anyone tell me what I'm doing wrong?
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' AND SET date='". $date . "' AND SET html='" . $html . "' AND SET shortdesc='" . $shortdesc . "' AND SET link='" . $link . "' AND SET target='" . $target . "' AND SET sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
You aren't escaping your values so you are vulnerable to SQL injection and also construction of invalid statements. For example, if any of your input strings contain an apostrophe then it could cause your code to fail.
Have a look at prepared statements that will make it much easier to construct your queries with parameters.
In your query you will also need to use commas instead of AND SET.
$query = "UPDATE insight SET name='foo', date='2012-12-10' WHERE id=42";
The syntax for UPDATE is described in the MySQL documentation:
UPDATE syntax
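Added example (not part of the original posts): the concatenated UPDATE and a prepared-statement version fed the same input containing an apostrophe. Assumptions: PDO with an in-memory SQLite database stands in for the poster's mysqli connection; only three of the question's columns are used; the `$post` array and the function names `update_concat` and `update_prepared` are constructed.

```php
<?php
// Added example, not the poster's code. Assumption: in-memory SQLite via PDO
// stands in for MySQL; the row and the $post array are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE insight (id INTEGER PRIMARY KEY, name TEXT, date TEXT, shortdesc TEXT)");
$pdo->exec("INSERT INTO insight VALUES (42, 'foo', '2012-12-10', 'old text')");

// Stand-in for $_POST; the apostrophes are ordinary user input.
$post = ['id' => '42', 'name' => "Year's end review",
         'date' => '2012-12-31', 'shortdesc' => "It's done"];

// Concatenation: the apostrophe ends the string literal early and the
// statement no longer parses. The same gap is what SQL injection relies on.
function update_concat(PDO $pdo, array $in): string
{
    $sql = "UPDATE insight SET name='" . $in['name'] . "', date='" . $in['date']
         . "', shortdesc='" . $in['shortdesc'] . "' WHERE id='" . $in['id'] . "'";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// Prepared statement: the SQL text is fixed and values are bound separately.
function update_prepared(PDO $pdo, array $in): int
{
    $id = filter_var($in['id'], FILTER_VALIDATE_INT);   // id must be an integer
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare(
        'UPDATE insight SET name = :name, date = :date, shortdesc = :shortdesc WHERE id = :id'
    );
    $stmt->execute([':name' => $in['name'], ':date' => $in['date'],
                    ':shortdesc' => $in['shortdesc'], ':id' => $id]);
    return $stmt->rowCount();                            // rows changed
}

echo update_concat($pdo, $post), PHP_EOL;    // syntax error reported by the driver
echo update_prepared($pdo, $post), PHP_EOL;  // one row updated
echo $pdo->query('SELECT name FROM insight WHERE id = 42')->fetchColumn(), PHP_EOL;
```
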
Use it like this,
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
It's working ... check now
$id = $_POST['id'];
$name = $_POST['name'];
$date = $_POST['date'];
$shortdesc = $_POST['shortdesc'];
$link = $_POST['link'];
$target = $_POST['target'];
$sort = $_POST['sort'];
$html = $_POST['html'];
include('appvars.php');
$query = "UPDATE insight SET name='".$name."' ,date='". $date . "' ,html='" . $html . "' ,shortdesc='" . $shortdesc . "' ,link='" . $link . "' ,target='" . $target . "' ,sort='" . $sort . "' WHERE id='" . $id . "'";
mysqli_query($dbc, $query);
I ain't a pro at MySQL, but here's a try.
I guess id is an integer. So, don't quote it.
Try this,
$query = "UPDATE insight SET name='".$name."' , date='". $date . "' , html='" . $html . "' , shortdesc='" . $shortdesc . "' , link='" . $link . "' , target='" . $target . "' , sort='" . $sort . "' WHERE id=". $id ;
I think the SQL syntax is not correct, you can use it like this: UPDATE tablename SET rowname = value , ....
