Good Day
I have a link that does the following
Find Client
It then runs the required page. I need when the link is used for it to subtract one value from a SQL database I have.
The database has the following Rows
id date credit
$sql = "UPDATE items SET credit = credit - 1";
I have tried entering the above string into the code as such:
Find Client
But can't seem to get it to work.
Please assist all I need is one credit to be deducted when the link is used. but the link must still preform the href as well
EDITED:
$sql = "insert into avis_lbs_log set lng = '".$long."', lat = '".$lat."', distance =
'".$distance."', msisdn = '".$msisdn."', date_time = '".$today."'";
$sql = "UPDATE avis_credit SET cred = cred - 1'";
You have to fire this query in lbs_map.php to decrement the value
//lbs_map.php
<?php
//mysql connection
$sql = "UPDATE items SET credit = credit - 1";
//execute the sql query
//your rest of code
What you need to do is set up code that doesn't contain your statement. This is to prevent SQL injection. A better way of doing it is:
Find Client
Then in your PHP, you can check if $_GET['do'] == 'update' and perform the update.
Related
I have got a problem.
Here is my script
$connect = mysqli_connect("mysql.cba.pl","piotr_luszcz","password","leggendinho");
$result = mysql_query("SELECT * FROM moneytable WHERE name LIKE '$_POST[post_name]'");
if(mysql_num_rows($result) == 0) {
mysqli_query($connect,"INSERT INTO moneytable (name, money) VALUES ('$_POST[post_name]', '$_POST[post_money]')");
} else {
$sql = "UPDATE moneytable SET money = money + '$_POST[post_money]'" ;
}
Here is my problem:
I need to do a html page where im putting name and money that person needs to give me back. Adding person name and money is ok into mysql, but I can't upgrade column money if name in database exists, its just making a new column.
I don't know if I've written "column" correctly, I mean the data you put into database
An UPDATE query should have WHERE condition, otherwise it will affect all the rows in your table.Change your UPDATE query like below:
$sql = "UPDATE moneytable SET money = money + '".$_POST[post_money]."' WHERE name ='".$_POST['name']."'" ;
I've built a simple booking system using SQL, php, and Javascript/Jquery. I'm also using AJAX. The idea is that the user is presented with a list of available timeslots and when the user selects one that chosen timeslot should automatically disappear (the available timeslots reload again via AJAX) and so become unavailable to further users. Each timeslot is output as an html td element containing a link which stores the timeslot 'id' (as set in the database) as an attribute of that hyperlink. When the timeslot is clicked, the timeslot id is sent to the php function below using AJAX. Timeslots are displayed according to whether their visibility column is zero or one as stored in the database.
I am testing this with quite a large group of users and I've noticed that every so often (maybe once every twenty or thirty bookings) the SQL UPDATE query responsible for updating the timeslot availability value to zero does not seem to be doing what it should, and the value remains at one, thus resulting in an occasional double booking.
Otherwise, everything works absolutely fine - I've tested the application with my colleagues as much as I can and I'm unable to replicate the problem, double bookings obviously aren't an option though. Might anyone have an idea of what could be going wrong?
Thanks in advance for any suggestions/help.
public function makebooking($user, $timeslotUID, $timeslot, $edits) {
$username = $user->username;
$user_fn = $user->displayname;
$plgID = $user->plg; //The 'PLG' is the person who the user is booking an appointment with
$user = $edits['user'];
$currentDate = $edits['date'];
$json = new JSON();
$json->user = stripslashes($user);
$json->currentDate = $currentDate;
//Problem seems to occur here..
$q1 = " UPDATE plg_timeslots
SET visible = 0
WHERE id= '$timeslotUID';" ;
$res1 = $this->dbcon->query($q1);
//If the user already has a booking they are rearranging
$currentBooking = $this->getBookings($username, 'STU');
if($currentBooking) {
//Reinstate previous timeslot
$q2 = "UPDATE plg_timeslots
SET visible = 1
WHERE id= '$timeslotUID';" ;
$res2 = $this->dbcon->query($q2);
//Update current booking
$q3 = "UPDATE bookings
SET timeslot_id = '$timeslotUID',
timeslot = '$timeslot',
edited_by = '$user',
edited_when = '$currentDate'
WHERE user_id = '$username' ;";
$res3 = $this->dbcon->query($q3);
} else { //If no booking is present, make a new booking
$q4 = "INSERT INTO bookings (plg_id, user_id, timeslot_id, timeslot,
edited_by, user_fn, edited_when)
VALUES ('$plgId', '$username' ,'$timeslotUID',
'$timeslot', '$user', '$user_fn',
'$currentDate');";
$res4 = $this->dbcon->query($q4);
}
return $json;
}
I have a simple form with a textarea that when submitted updates rows in my database! I want my user to be able to enter single quotes into it but for some reason is not getting parsed!
This is what I have as my parsing file..
<?php
$sql = "SELECT * FROM testimonials WHERE id='$pid'";
$pid = $_POST['pid'];
$testtitle = htmlentities($_POST['ts_tt']);
$testbody = htmlentities($_POST['ts_tb']);
$compowner = htmlentities($_POST['ts_co']);
$ownertitle = htmlentities($_POST['ts_ot']);
$compname = htmlentities($_POST['ts_cn']);
$compwebsite = htmlentities($_POST['ts_cw']);
include_once "../php_includes/db_conx.php";
$sql = "UPDATE testimonials SET testtitle='$testtitle', testbody='$testbody', compowner='$compowner', ownertitle='$ownertitle', compname='$compname', compwebsite='$compwebsite' WHERE id='$pid'";
if (!mysql_query($sql, $connection)){
die('Error: ' . mysql_error());
}
echo 'Testimonial has been Edited successfully. <br /><br />Click Here';
exit();
?>
Any Ideas all!
Many thanks
- Phillip
Use
addslashes
available in php. This escapes special characters.
use mysql_real_escape_string($textareadata) in query... it will work...
First off if your environment allows it you should divorce yourself from mysql_ functions. They are deprecated and will not be available in the next release of PHP. You should switch to either PDO or mysqli.
Here is more information on why you shouldn't use mysql_* function.
Secondly, you are accepting user input and not escaping it to safely be inserted into the database. In this case it just caused your query to fail but if someone where to have a little technical know how they could have done any number of things to erase or change data in your database. This is called an SQL Injection and is one of the more common ways that websites get hacked.
There is two main points where your script can use a little more guarded treatment. The first is this one.
$sql = "SELECT * FROM testimonials WHERE id='$pid'";
It should be
$sql = "SELECT * FROM testimonials WHERE id='".mysql_real_escape_string($pid)."'";
The second is
$sql = "UPDATE testimonials SET testtitle='$testtitle', testbody='$testbody', compowner='$compowner', ownertitle='$ownertitle', compname='$compname', compwebsite='$compwebsite' WHERE id='$pid'";
Which should be
$sql = "UPDATE testimonials SET testtitle='".mysql_real_escape_string($testtitle)."', testbody='".mysql_real_escape_string($testbody)."', compowner='".mysql_real_escape_string($compowner)."', ownertitle='".mysql_real_escape_string($ownertitle)."', compname='".mysql_real_escape_string($compname)."', compwebsite='".mysql_real_escape_string($compwebsite)."' WHERE id='".mysql_real_escape_string($pid)."'";
Note you may also find that you have to move the database connection include up before your first call to mysql_real_escape_string.
To describe more on how this exploit can happen lets take your first query as assume you are getting pid from a text field.
$sql = "SELECT * FROM testimonials WHERE id='$pid'";
Me being an evil hacker can simply type in
0'; update testimonials set testbody = '<script>window.location.href="http://www.compeditors-website.com";</script>';
And what will get sent to your database is.
SELECT * FROM testimonials WHERE id='0'; update testimonials set testbody = '<script>window.location.href="http://www.competitors-website.com";</script>';
And now when anyone goes to your testimonials page they will be redirected to your competitors website.
I'm not sure how to accomplish this issue which has been confusing me for a few days. I have a form that updates a user record in MySQL when a checkbox is checked. Now, this is how my form does this:
if (isset($_POST['Update'])) {
$paymentr = $_POST['paymentr']; //put checkboxes array into variable
$paymentr2 = implode(', ', $paymentr); //implode array for mysql
$query = "UPDATE transactions SET paymentreceived=NULL";
$result = mysql_query($query);
$query = "UPDATE transactions SET paymentdate='0000-00-00'";
$result = mysql_query($query);
$query = "UPDATE transactions SET paymentreceived='Yes' WHERE id IN ($paymentr2)";
$result = mysql_query($query);
$query = "UPDATE transactions SET paymentdate=NOW() WHERE id IN ($paymentr2)";
$result = mysql_query($query);
foreach ($paymentr as $v) { //should collect last updated records and put them into variable for emailing.
$query = "SELECT id, refid, affid FROM transactions WHERE id = '$v'";
$result = mysql_query($query) or die("Query Failed: ".mysql_errno()." - ".mysql_error()."<BR>\n$query<BR>\n");
$trans = mysql_fetch_array($result, MYSQL_ASSOC);
$transactions .= '<br>User ID:'.$trans['id'].' -- '.$trans['refid'].' -- '.$trans['affid'].'<br>';
}
}
Unfortunately, it then updates ALL the user records with the latest date which is not what I want it to do. The alternative I thought of was, via Javascript, giving the checkbox a value that would be dynamically updated when the user selected it. Then, only THOSE checkboxes would be put into the array. Is this possible? Is there a better solution? I'm not even sure I could wrap my brain around how to do that WITH Javascript. Does the answer perhaps lie in how my mysql code is written?
--
Edit: Ok, just more information. The SQL Queries I have going on - the first two are to wipe everything clean (in case a checkbox is UNCHECKED) and then next they are updating the SQL queries based on which checkboxes are checked upon post.
However, I'm thinking this is a bad way to do it. Why force the database to first wipe out ALL data for paymetreceived, paymetdate? The problem with this, also, is that *all the subsequent checkboxes, regardless of how long ago they were checked, get updated in the SQL query as it is now.*There's got to be a way to update it better. I'm just not sure HOW to do it. any ideas?
You are not filtering by id in this queries:
$query = "UPDATE transactions SET paymentreceived=NULL";
$query = "UPDATE transactions SET paymentdate='0000-00-00'";
Try adding: WHERE id IN ($paymentr2)";
The problem is in your first 2 sql UPDATE statements. You don't provide a WHERE clause, so that's going to update all your records. You could add:
WHERE id IN ($paymentr2)
to your first two UPDATE statements
Hey, I have a field called STATUS and it is either 1 to show or 0 to hide. My code is below. I am using an edit in place editor with jQuery. Everytime you update it creates a new ROW which I want, but I want only the new one to have STATUS = 1 and the others to 0. Any ideas on how I would do that?
<?php
include "../../inc/config.inc.php";
$temp = explode("_", $_REQUEST['element_id'] );
$field = $temp[0];
$id = $temp[1];
$textboxval = stripslashes(mysql_real_escape_string(preg_replace('/[\$]/',"",$_REQUEST["update_value"])));
$query = "INSERT INTO notes ($field,status,date,c_id) VALUES ('$textboxval','1',NOW(),'$id')";
mysql_query($query);
echo($_REQUEST['update_value']);
?>
I am not sure exactly what you mean - do you want to make all the entries except the new one have status = 0? If so, just issue an update before the insert:
UPDATE notes SET status = 0
However, I should also note that you have a potential SQL injection to worry about. By stripping slashes after applying "mysql real escape string", you are potentially allowing someone to put text in your SQL statement that will execute an arbitrary SQL statement.
Something like this, sorry for the post before, I mis read it the first time then went back:
<?php
include "../../inc/config.inc.php";
$temp = explode("_", $_REQUEST['element_id'] );
$field = $temp[0];
$id = $temp[1];
$textboxval = mysql_real_escape_stringstripslashes((preg_replace('/[\$]/',"",$_REQUEST["update_value"])));
// set older entries to 0 - to not show but show in history
$hide_notes = "UPDATE notes SET status = 0";
mysql_query($hide_notes);
// add new entry with status of 1 to show only latest note
$query = "INSERT INTO notes ($field,status,date,c_id) VALUES ('$textboxval','1',NOW(),'$id')";
mysql_query($query);
echo($_REQUEST['update_value']);
?>
i just ran in to a problem I didn't of the set up of my table doesn't allow me to show more than one client a time and i will be having numerous clients, my bad on planning ha
You really want to get the ID of the newly generated row and then trigger an UPDATE where you all rows where the ID is not the new row, e.g.
UPDATE notes SET status = 0 WHERE id != $newly_generated_id
If the ID column in your table is using AUTO_INCREMENT you can get its ID via "SELECT LAST_INSERT_ID()" and then use the return value in that statement in your UPDATE statement.
Pseudo code:
$insert = mysql_query("INSERT INTO ...");
$last_id = mysql_query("SELECT LAST_INSERT_ID()");
$update = mysql_quqery("UPDATE notes SET status = 0 WHERE id != $last_id");
The only caveat to this approach is where you might have a brief moment in time where 2 rows have status=1 (the time between your INSERT and the UPDATE). I would wrap all of this in a transaction to make the whole unit more atomic.