When i try to pass values in href
$query_string =
'id=' . urlencode($id) .
'&name=' . rawurlencode($name) .
'&dob='. $dob .
'&email='. rawurlencode($email);
print "<a href='update.php?$query_string'>Update Details</a>
<br>Student ID: $id
<br> Student Name: $name
<br> Date Of Birth: $dob
<br> Email ID: $email
<br>";
I can see the url as this in the address bar:
localhost/student_portal/update.php?id=abc&name=Giridharan%20Rengarajan&dob=1993-07-22&email=rgiridharan.93%40gmail.com
in the update.php i am updating the values in the database with respect to the id mentioning in the link
$sql="UPDATE student_details SET student_name='$name',student_dob='$dob',student_emailid='$email' WHERE student_id='$id'";
echo $sql;
$stmt = mysqli_prepare($con, $sql);
if(mysqli_stmt_execute($stmt)==TRUE){
$_SESSION['updateflag'] = 1;
header("location:index.php");
}
So if i change the id in the link the details of the another user is updated. I want to avoid this.
Check to see if the user ID is associated with that email first.
$db->query("SELECT id FROM student_details WHERE student_id='$id' AND student_emailid='$email'");
if ($db->numRows()) {
// do update here
}
Alternatively, you can do:
SELECT id FROM student_details WHERE student_emailid='$email' and update that ID.
Finally, use POST and bind your params as others have suggested. (If you F5 the page, it'll update again if the action is GET. POST is marginally more difficult to tamper with, but should NOT be relied upon as a security measure in itself.)
Related
I host multiple servers for multiplayer games and I am requiring some help with creating a PHP MySQL script.
I have made scripts for the game servers that output a few variables to a php script. These variables include the player name, a GUID number (Game User ID) and a couple other unimportant things. These are sent to the php script every time a player joins the server.
Anyway what I basically need it to do is every time a player joins the server it saves the player name, guid and join date/timestamp to a row in a MySQL table. The player will always have only one GUID code, which is sort of like their cd-key. What I have at this current time:
if ( $action == "save")
{
$name = mysql_real_escape_string($_GET['name']);
$guid = mysql_real_escape_string($_GET['guid']);
}
mysql_query("INSERT INTO `players` (`name`, `guid`) VALUES ('$name', '$guid') ON DUPLICATE KEY UPDATE `last_joined`=CURRENT_TIMESTAMP")or die(mysql_error());
echo "-10";
die();
Now, this works great as it is. But what I need it to do is; if the player comes on the server with a different name, it will log that instance into a new row and if they come on again with the same name it will update the same row with the current time stamp. And for instance, if they change their name back to the first name they use it will update the row that has that name recorded with the current time stamp.
The only thing I have tried is making the 'name' column, a primary key and on a duplicate entry it would update it. However if I did that and another player came on the server with the same name it would just update the last player's data.
So it needs to record every username a player uses.
There's probably quite a simple solution but I've never had the time to learn to MySQL and I need this done soon.
Thanks for any help.
Make the GUID the primary unique key.
Then instead of just inserting the row, check if that guid exists in the database first and then if it does, update the row. If it doesn't then you can insert it.
You can take a shot for this:
$guid = mysqli_real_escape_string($conn, $_GET["guid"]);
$name = mysqli_real_escape_string($conn, $_GET["name"]);
if (!empty($guid) && !empty($name)) {
//Check if the user exists
$sql = "SELECT COUNT(*) AS cnt FROM players WHERE guid = " . $guid;
$res = mysqli_query($conn, $sql);
$row = mysqli_fetch_assoc($res);
if ($row['cnt']) {
//If yes, update
$sql = "UPDATE players SET `last_joined` = NOW()
WHERE `guid` = " . $guid;
} else {
//If no, insert
$sql = "INSERT INTO players (`guid`, `name`, `last_joined`)
VALUES (" . $guid . ", '" . $name . "', NOW())";
}
mysqli_query($conn, $sql);
echo "-10";
die();
} else {
echo 'Missing parameter';
die();
}
NOTE:
I am using mysqli fucntions, because mysql functions are deprecated. You can use PDO also.
I want to update an already existing table it only has email and I want to add first name and last name does this code work to do so?
UPDATE table
SET fname='$fname', lname='$lname'
WHERE email= '$_SESSION['email'].';
Or can I also use this
$sql="INSERT INTO $tbl_name(fname, lname)VALUES( '$fname, $lname')" WHERE email= '$_SESSION['email'].';
Your UPDATE has a syntax error (problem with apostrophes.)
INSERT will not update but multiply rows. That is not what you want to have.
Here is my suggested query:
$sql="UPDATE table SET fname='$fname', lname='$lname' WHERE email='".$_SESSION["email"]."'" ;
Fix your quotes, like so:
$sql="INSERT INTO $tbl_name(email) VALUES ( '" . $email . "') WHERE email = '" . $_SESSION['email'] . "'";
Try like this: In case of simple Update Query
$user_email = $_SESSION['email'];
$fname = 'Thierry';
$lname = 'Henry';
UPDATE table
SET fname='$fname', lname='$lname'
WHERE email= '$user_email';
Insertion is not a good idea here. It might duplicate your records.
If you want to be more specific than Go like this: Just providing your general syntax. No real time Syntax:
$user_email = $_SESSION['email'];
$fname = 'Thierry';
$lname = 'Henry';
$check_user = 'SELECT * FROM table WHERE email = "user_email"';
if($check_user)
{
YOUR UPDATE QUERY
}
else
{
YOUR INSERT QUERY
}
In case you are using mysql_ functions you should also escape the input:
$email = mysql_real_escape_string($_SESSION['email']);
Disclaimer for idiots: This does not imply I suggest to use mysql_* functions. Use mysqli or PDO instead.
You should also check against NULL and empty values in your query.
$sql = "REPLACE INTO " . $table . "
SET email='" . $email . "'
WHERE email='" . $email . "'
AND email IS NOT NULL
AND email != ''";
From http://dev.mysql.com/doc/refman/5.0/en/replace.html:
REPLACE works exactly like INSERT, except that if an old row in the
table has the same value as a new row for a PRIMARY KEY or a UNIQUE
index, the old row is deleted before the new row is inserted.
Please don't downvote if this doesn't exactly fit, just use INSERT or UPDATE with the same syntax then.
I'm building a simple bug tracking tool.
You can create new projects, when you create a project you have to fill in a form, that form posts to project.class.php (which is this code)
$name = $_POST['name'];
$descr = $_POST['description'];
$leader = $_POST['leader'];
$email = $_POST['email'];
$sql="INSERT INTO projects (name, description, leader, email, registration_date)
VALUES ('$name', '$descr', '$leader', '$email', NOW())";
$result = mysql_real_escape_string($sql);
$result = mysql_query($sql);
if($result){
header('Location: ../projectpage.php?id='.mysql_insert_id());
}
else {
echo "There is something wrong. Try again later.";
}
mysql_close();
(It's not yet sql injection prove, far from complete...)
Eventually you get redirected to the unique project page, which is linked to the id that is stored in the MySQL db. I want to show the name of that project on the page, but it always shows the name of the first project in the database.
(here I select the data from the MySQL db.)
$query = 'SELECT CONCAT(name)
AS name FROM projects';
$result = mysql_real_escape_string($query);
$result = mysql_query ($query);
(here I show the name of the project on my page, but it's always the name of the first project in the MySQL db)
<?php
if ($row = mysql_fetch_array ($result))
echo '<h5>' . $row['name'] . '</h5>';
?>
How can I show the name of the right project? The one that is linked with the id?
Do I have the use WHERE .... ?
Yes, You have to use the WHERE to specify which project You want to get. I'm also not sure why are You using CONCAT function when You want to get only one project.
Other important thing is that You have to use mysql_real_escape_string() function on parameters before You put them in the query string. And use apropriate functions for specific type of data You receive.
So Your statement for getting the project should look like this:
SELECT name FROM projects WHERE id = ' . intval($_GET['id'])
Also when before You use the mysql_fetch_assoc() function, check if there are any records in the result with
if(mysql_num_rows($result) > 0)
{
$project = mysql_fetch_assoc($result);
/* $project['name'] */
}
try this
// first get the id, if from the url use $_GET['id']
$id = "2";
$query = "SELECT `name` FROM `projects` WHERE `id`='".intval($id). "'";
$result = mysql_query(mysql_real_escape_string($query));
use mysql_fetch_row, here you'll not have to loop through each record, just returns single row
// if you want to fetch single record from db
// then use mysql_fetch_row()
$row = mysql_fetch_row($result);
if($row) {
echo '<h5>'.$row[0].'</h5>';
}
$row[0] indicates the first field mentioned in your select query, here its name
The might be of assistance:
Your are currently assing a query string parameter projectpage.php?id=
When you access the page the sql must pick up and filter on the query string parameter like this:
$query = 'SELECT CONCAT(name) AS name FROM projects WHERE projectid ='. $_GET["id"];
$result = mysql_real_escape_string($query);
$result = mysql_query ($query);
Also maybe move mysql_insert_id() to right after assigning the result just to be safe.
$result = mysql_query($sql);
$insertId = mysql_insert_id();
Then when you assign it to the querystring just use the parameter and also the
header('Location: ../projectpage.php?id='.$insertId);
i created update code for updating password in a table using id.This is the url from where i am getting id using $_GET but its not working.
http://www.example.com/en/resetPaSS.php?id=1&token=779d2aa48de104db46d66e29de576aac
The code:
if(isset($_POST['sub']))
{
$pass_hash = PassHash::hash($_POST['pass']);
$sql = "UPDATE user SET password='$pass_hash' WHERE id='$_GET[id]'";
$resu = mysqli_query($link,$sql);
//echo $sql;
if(!$resu)
{
$error="Unable to change Password. Try Again!";
}
else
{
echo"changed";
}
}
I also echo $sql and it shows UPDATE user SET password='$2a$10$bed9ad8e6cb910e0f1f12uXJldZLQ79f5HVrIiIAIZeZ9088Rre9.' WHERE id=''
Also tried $_REQUEST but still not works.
EDIT:
I am using this url for reseting password to send to the user which is created using
http://www.example.com/en/resetPaSS.php?id=$id&token=$token
try this:
$sql = "UPDATE user SET password='$pass_hash' WHERE id='" . mysqli_real_escape_string($_GET['id']) . "'";
If you use a form, then the id is not in the action url. You can also post the id by using a hidden input field
You must use prepared statement to prevent sql injection:
$sql = "UPDATE user SET password='?' WHERE id=?";
$stmt = $link->prepare($sql);
/* bind parameters */
$stmt->bind_param("si", $pass_hash, $_GET['id']);
/* execute query */
$stmt->execute();
EDIT
By clicking the link you will be go to your page where a form is. You have to edit the the id to the form or action url to make your script working by doing the following steps
make a variabele named id like this:
$id = isset($_GET['id']) ? $_GET['id'] : $_POST['id'];
also add hidden field to the form:
<input type="hidden" name="id" value="<?php echo $id; ?>">
Change the query bind_param to:
$stmt->bind_param("si", $pass_hash, $id);
If you know, that id is number, do this:
$id = intval($_GET['id']);
$sql = "UPDATE user SET password='$pass_hash' WHERE id='$id';";
I have the code below that lists all of the data from columns: Firstname & Surname, I also want it so that when they are clicked it takes you to a "profile" page where you can see the rest of their data. I have made a link directly to the profile.php page and before it I set it so that $_POST = id, I'm hoping to have it so that the $_POST['id'] will be changed to the users when they click on the link.
<?PHP
$result = mysql_query("SELECT id, firstname, surname FROM members WHERE createdby = '" . $_SESSION['myusername'] ."'");
if (!$result) {
echo 'Could not run query: ' . mysql_error();
exit;
}
while($row = mysql_fetch_row($result))
{
$id=$row[0];
$_POST['id'] = $id;
echo ("<a href=profile.php>".$row[1]." ".$row[2]."</a></br>");
}
?>
It loads the page up fine and all works just it's not setting $_POST to $id.
EDIT: I'm now using $_GET["id"] which works, but it only echoes out that value I can't use it in a query:
$id=$_GET["id"];
$sql="SELECT * FROM $tbl_name WHERE id='$id'";
$result=mysql_query($sql);
Setting a value for $_POST["id"] will work on that very page but it does not mean that when you redirect to another page after that then your $_POST value will be automatically sent to that page. Rather you can try $_GET for this purpose. You can modify your link to be like
profile.php?id=$id
and on your profile.php page you can use $_GET["id"] rather than $_POST
Use session in place of post -- $_SESSION['id']