I've created a little login structure:
If you have written your data into the fields, you receive a link to confirm the account.
e.g. confirm.php?email=a#a.com
When you visit the link the following code executes:
$sql = mysqli_connect("localhost", "name", "password");
mysqli_select_db($sql, "db");
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = ".$_GET['email']."";
mysqli_query($sql, $set_active);
mysqli_close($sql);
But after that the active value is still 0, like the default.
The users table:
email (varchar 100) active (int 1)
a#a.com 0
Use a prepared statement:
$stmt = mysqli_prepare($sql, "UPDATE `users` SET `active` = 1 WHERE `email` = ?") or die(mysqli_error($sql));
mysqli_stmt_bind_param($stmt, "s", $_GET['email']);
mysqli_stmt_execute($stmt) or die(mysqli_error($sql));
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = '".$_GET['email']."'";
You have missed ' in email, so the query is wrong. To check that, do:
echo("UPDATE `users` SET `active` = 1 WHERE `email` = ".$_GET['email']."");
This will give you an error.
Things get evaluated in double quotes but not in single.
Change
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = ".$_GET['email']."";
to
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = '".$_GET['email']."'";
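The confirmation step with a bound parameter and with database errors made visible, as an added example that is not part of the original posts. It uses PDO with an in-memory SQLite database as a stand-in for the MySQL server so that it runs without one; the function name confirm_account and the sample rows are constructed.

```php
<?php
// Added example: constructed table and rows; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
// Throw on SQL errors instead of returning false silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email VARCHAR(100) PRIMARY KEY, active INT NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (email) VALUES ('a#a.com'), ('b#b.com')");

/**
 * Activate the account for $email. Returns true only if exactly one
 * row changed, so an unknown or already-active address is reported.
 */
function confirm_account(PDO $db, string $email): bool
{
    // The value travels separately from the SQL text, so no quoting is needed.
    $stmt = $db->prepare('UPDATE users SET active = 1 WHERE email = ? AND active = 0');
    $stmt->execute([$email]);
    return $stmt->rowCount() === 1;
}

// The concatenated, unquoted query from the question fails in the database;
// with exceptions enabled that failure is reported instead of being ignored.
try {
    $db->exec('UPDATE users SET active = 1 WHERE email = ' . 'a#a.com');
} catch (PDOException $e) {
    echo 'unquoted value rejected: ', $e->getMessage(), PHP_EOL;
}

var_dump(confirm_account($db, 'a#a.com'));       // known, inactive address
var_dump(confirm_account($db, 'a#a.com'));       // same address, already active
var_dump(confirm_account($db, "o'neil#a.com"));  // a quote in the value stays data
echo $db->query('SELECT COUNT(*) FROM users WHERE active = 1')->fetchColumn(), PHP_EOL;
```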
Related
How do I update a value in a column I have extracted and selected for MySQL PDO. My current code now.
if ($submitcode != $dbcode)
{
$SQL = $odb -> prepare("SELECT `status` FROM `members` WHERE `username` = :username");
$SQL -> execute(array(':username' => $username));
$status = $SQL -> fetchColumn(0); // ((I want this selected column for status value to change to 1.))
die('Some error message');
}
if ($submitcode != $dbcode)
{
$sql = "UPDATE `members` SET `status` = :status WHERE `username` = :username";
//Prepare UPDATE SQL statement.
$statement = $odb->prepare($sql);
$status = 1;
$statement->bindValue(':username', $username);
$statement->bindValue(':status', $status);
//Execute UPDATE statement.
$update = $statement->execute();
}
I am making profile update Android application. I need assistance to get JSON values, as I am getting null JSON result - can anyone spot a mistake?
Profile Update Response:
{"tag":"profile_update","error":false,"user":{"fname":null,"lname":null,"email":null,"mobile":null,"class":null,"school":null,"uid":null,"profile_pic":null,"created_at":null}}
My PHP code:
public function profileUpdate($fname, $lname, $email, $mobile, $class, $school, $uid, $profile_pic){
$result = mysqli_query($this->con, "SELECT * FROM users WHERE unique_id = '$uid'")
or die(mysqli_error($this->con));
$path = "userImages/$uid.png";
$actual_path = "http://192.168.1.101/cedu/login/$path";
$no_of_rows = mysqli_num_rows($result);
if ($no_of_rows > 0) {
$result = mysqli_fetch_array($result);
$old_email = $result['email'];
$old_profile_pic = $result['profile_pic'];
$status = 0;
$otp = rand(100000, 999999); // otp code
if ($old_email == $email) {
if ($old_profile_pic == $profile_pic){
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `mobile` = '$mobile',`class` = '$class',`school` = '$school'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
} else {
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `profile_pic` = '$actual_path'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
file_put_contents($path, base64_decode($profile_pic));
}
} else {
if ($old_profile_pic == $profile_pic){
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `email` = '$email', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `otp` = '$otp', `verified` = '$status'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
} else {
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `email` = '$email', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `profile_pic` = '$actual_path', `otp` = '$otp', `verified` = '$status'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
file_put_contents($path."user".$uid.".jpg", base64_decode($profile_pic));
}
}
} else {
//
return false;
}
}
I don't know if this relates to your problem, but you might as well change your potentially vulnerable code first, since any bug tracing you do beforehand may need to be done again. Your code is likely to be susceptible to SQL injection. I will add a (non-tested) example below, and you will need to:
understand it
make similar changes across the rest of your application
Here is a statement that is likely to be vulnerable: you're injecting what looks like user input directly into a SQL string:
$result = mysqli_query(
$this->con,
"SELECT * FROM users WHERE unique_id = '$uid'"
) or die(mysqli_error($this->con));
So firstly let's change this to use explicit column names, and to bind:
$statement = mysqli_prepare(
$this->con,
"SELECT email, profile_pic FROM users WHERE unique_id = ?"
) or die(mysqli_error($this->con));
mysqli_stmt_bind_param($statement, "i", $uid);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_result($statement, $email, $profile_pic);
What's happening here?
We bind an input variable using the i type, which specifies that it is an integer
We run the query using the mysqli_stmt_execute method
We bind a list of output variables, corresponding to each item in the SELECT list
All of the MySQLi "statement" methods are documented here in the PHP manual, and all have very good examples. Do please read up on each of the methods I've used - the manual is one of the best things about PHP!
Stack Overflow also has a set of definitive answers on SQL injection - there are resources there for both PDO and MySQLi.
Once you have made these changes, I recommend stepping through your code, one line at a time, to check that the intermediate values you get are what you expect.
I am trying to enter into a table with PDO using an if condition. My code for the function is below:
function add_user_info($conn, $user, $info, $fName, $sName, $past, $pos){
// Prepare and execute statements
$info1 = addslashes($info);
$sql = $conn->prepare("SELECT * FROM `User_Info` WHERE `User` = '$user'");
$sql->execute();
if ($sql->fetch()){
// Update current entry
$sql1 = $conn->prepare("UPDATE `User_Info` SET `Info` = '$info1' AND `Past` = '$past' AND `Position` = '$pos' WHERE `User` = '$user'");
} else {
// Create new entry
$sql1 = $conn->prepare("INSERT INTO `User_Info` (`User`, `Info`, `FName`, `SName`, `Past`, `Position`) VALUES ('$user', '$info1', '$fName', '$sName', '$past', '$pos')");
}
$sql1->execute();
}
The ONLY (I repeat, ONLY) part that is not working for me is on line 9 with the update query. I have narrowed the problem down to it being related with the update of the Info column, and not only that but it is a problem with the string so the variable $info1.
I am trying to pass in a string of text from CKEditor. It is a rich text string and so has HTML tags, quotations, etc in it when passed to the SQL.
The initial creation of the row in the table (line 12 of the function) works PERFECTLY so it is only on the update that the string is seen as funny. When I update with a word in place of $info1 it still does not work.
As shown in phpmyadmin, my table schema is as follows:
Update command multiple set is separated by , not and
UPDATE `User_Info`
SET
`Info` = '$info1' ,
`Past` = '$past' ,
`Position` = '$pos'
WHERE `User` = '$user'
Change AND to ,
$sql1 = $conn->prepare("UPDATE `User_Info` SET `Info`='$info1', `Past`='$past', `Position`='$pos' WHERE `User`='$user'");
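The same function with real placeholders, as an added example that is not part of the original posts: values interpolated into the string passed to prepare() are not parameters, so quotes in the rich text still end up in the SQL text. In-memory SQLite stands in for MySQL here, and the table definition and sample values are constructed.

```php
<?php
// Added example: constructed schema and values; SQLite in memory stands in for MySQL.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE `User_Info` (`User` TEXT PRIMARY KEY, `Info` TEXT,
    `FName` TEXT, `SName` TEXT, `Past` TEXT, `Position` TEXT)');

function add_user_info(PDO $conn, $user, $info, $fName, $sName, $past, $pos): void
{
    // Every value is a named placeholder; no addslashes() and no quotes in the SQL.
    $exists = $conn->prepare('SELECT 1 FROM `User_Info` WHERE `User` = :user');
    $exists->execute([':user' => $user]);
    $found = $exists->fetchColumn() !== false;
    $exists->closeCursor();

    if ($found) {
        // SET assignments are separated by commas, not AND.
        $stmt = $conn->prepare('UPDATE `User_Info`
            SET `Info` = :info, `Past` = :past, `Position` = :pos
            WHERE `User` = :user');
        $stmt->execute([':info' => $info, ':past' => $past, ':pos' => $pos, ':user' => $user]);
    } else {
        $stmt = $conn->prepare('INSERT INTO `User_Info`
            (`User`, `Info`, `FName`, `SName`, `Past`, `Position`)
            VALUES (:user, :info, :fname, :sname, :past, :pos)');
        $stmt->execute([':user' => $user, ':info' => $info, ':fname' => $fName,
            ':sname' => $sName, ':past' => $past, ':pos' => $pos]);
    }
}

// Constructed rich-text input with both quote styles and a backslash.
$html = '<p class="bio">It\'s a <em>"quoted"</em> path: C:\\temp</p>';
add_user_info($conn, 'alice', '<p>first</p>', 'Alice', 'Example', 'none', 'dev');  // insert path
add_user_info($conn, 'alice', $html, 'Alice', 'Example', 'intern', 'lead');         // update path

$row = $conn->query('SELECT `Info`, `Past`, `Position` FROM `User_Info`')->fetch(PDO::FETCH_ASSOC);
var_dump($row['Info'] === $html);   // checks that the HTML round-trips unchanged
echo $row['Past'], ' / ', $row['Position'], PHP_EOL;
```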
I need to subtract in a MySQL update. Here is the code:
<?php
session_start();
//=============Configuring Server and Database=======
$host = 'localhost';
$user = 'root';
$password = '';
//=============Data Base Information=================
$database = 'login';
$conn = mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
mysql_select_db($database,$conn) or die('Database Information is not correct');
//===============End Server Configuration============
//=============Starting Registration Script==========
$username = mysql_real_escape_string($_POST['txtusername']);
//=============To Encrypt Password===================
//============New Variable of Password is Now with an Encrypted Value========
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."'";
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
header('location: succes.php');
?>
The +1 works perfectly, but the -5 doesn't work... How can I make it so that they get -5 points?
The +1 works correctly because the query with -5 will never be called, as it is overwritten by the query that has +1.
You should have this code (although this is not the correct one):
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."'";
mysql_query($insert);
// other codes
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
Follow-up question: what are the datatypes of the two columns? Are they unsigned or signed?
You're overwriting the first statement with the second. Try this:
$insert = "UPDATE `users` SET `points` = (`points`-5), `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
Having some trouble getting this query to work correctly.
mysql_query("DELETE FROM `table` WHERE `id` = '$id' AND 'username' = '$username' ");
Tried replacing variables with actual data and running it in phpMyAdmin, to no success.
Any thoughts?
You're quoting the username column with ' instead of `
use:
mysql_query("DELETE FROM `table` WHERE `id` = '$id' AND `username` = '$username'");
not:
mysql_query("DELETE FROM `table` WHERE `id` = '$id' AND 'username' = '$username'");
Please, for the love of the internet, don't build an SQL query yourself. Use PDO.