I'm having issues updating a row in my mysql database.
I created a textarea which contains data from a news article. If i edit the data and try to update it, nothing happens.
I'm aware that the mysql extension is depreciated so please dont comment on that.
<?php
include 'db.php';
$data = mysql_query("SELECT news_content FROM news WHERE id= 1") ;
$info = mysql_fetch_array($data);
$news= $info['news_content'];
?>
<h3>EDIT NEWS ARTICLE</h3>
<form id="EditNews" name="EditNews" method="POST"action="edit.php">
<textarea rows="40" cols="90" name="editnewstext"><?php echo $news?></textarea>
<input type="submit" name="Edit_News" id="Edit_News">
<?php
if(isset($_POST['Edit_news'])) {
$contents= $_POST['editnewstext'];
$sqlupdate = "UPDATE news SET news_content ='$contents' WHERE id=1";
mysql_query($sqlupdate) or die(mysql_error());
}
<input type="submit" name="Edit_News" id="Edit_News">
^^^^^^^^^^
if(isset($_POST['Edit_news'])) {
^^^^^^^^^
Case mis-match. PHP array keys are CASE-SENSITIVE.
That being said, your code is wide open for SQL injection attacks. Enjoy getting your server pwn3d.
Related
I have a very simple PHP form:
<form action="listtenants.php" method="post">
Search for Tenant: <input name="term" type="text" value="" />
<input name="Submit" type="submit" />
</form>
At first I thought, the data was posting incorrectly; but after viewing the headers with LiveHTTP headers, it turns out it is posted correctly.
Here is my PHP script. Like I said, the query works correctly in MySQL workbench; however in the PHP script, every row is returned. Does anyone know why this could be? Even echoing the posted variable returns the expected string. Not sure what gives here.
<html>
<body>
<?php
$connect = mysql_connect("host","user","pass");
mysql_select_db("db", $connect);
$term = $_GET['term'];
$query = "SELECT itemid, first, last FROM tenants where CONCAT(first, last) LIKE '%$term%'";
$getUserid = mysql_query($query);
//$i = 0;
$records = mysql_num_rows($getUserid);
while($row_sections = mysql_fetch_array($getUserid))
{
echo "$row_sections[0] $row_sections[1] $row_sections[2]";
?>
<br><br>
<?php
}
?>
</body>
</html>
This is a terrible query and highly dangerous. BUT.. ..your issue is simple.
Your form submits via _POST, and your looking for variables using _GET.
$term = $_GET['term'];
will always be empty, so your query matches on '%%' - ie: everything!
Change it to:
$term = $_POST['term'];
..then go read about MySQL injections and follow the links in the comments to your post.
<html>
<head>
</head>
<body>
<form action="login_process.php" method="post">
SID: <input type="text" name="sid">
<br />
Password: <input type="text" name="pw">
<br />
<input type="submit" value="Login">
</form>
</body>
</html>
login_process.php FILE
<html>
<head>
</head>
<body>
<?php
include ("connection.php");
$sid = $_POST['sid'];
$pw = $_POST['pw'];
setcookie("username", "$sid". time()+86400);
$result = mysqli_query($con, "SELECT SID FROM student_table WHERE SID='$sid' and password='$pw'") or die('Query failed');
if(!$result){
echo "Failed";
} else {
echo "success". $_COOKIE['username'];
$_SESSION['username'] = $sid;
}
?>
</body>
</html>
I have data in my student_table. But no matter what input i give it says success. even if i click login button without any input it still says success. please help.
You should use quotes when you assign values in sql queries .
SELECT
SID
FROM
student_table
WHERE
SID = '$sid' and password = '$pw'
Also look forward Prepared Statements to protect yourself from sql injections.You should also add the code below to fetch selected row :
while ($row = mysqli_fetch_array($result)) {
$_SESSION['username'] = $row['SID'];
}
Start learning basic debugging:
When a query fails bad, just do this:
Instead of running it (mysql_query, or mysqli_query or whatever you have), ECHO it:
echo "SELECT SID FROM student_table WHERE SID='$sid' and password='$pw'";
After you submit the form, you will be shown the query that runs, go to phpmyadmin or whatever you use and run the query manually. See if there are errors and also see easier what's going on. Advisable when you do work like this, FIRST try the queries in phpmyadmin then apply them in the code, after you are confident they are ok.
This is not really an answer but more about how to find out what is going wrong when you code does not work as you expect.
First, always put you SQL into a variable by itself. Why, so you can 'var_dump' it and see what is happening. So, try this:
$sql = "SELECT SID FROM student_table WHERE SID=$sid and password=$pw";
var_dump($sql, 'my_query'); // you will see what PHP created.
then try the answer provided:
$sql = "SELECT
SID
FROM
student_table
WHERE
SID = '$sid' and password = '$pw'";
At least you will see what is likely to be incorrect.
var_dump($sql, 'the answer_query'); // you will see what PHP created.
$result = mysqli_query($con, $sql) or die('Query failed');
The outer quote marks must be " (double quote) not " ' " (single quote) both of which are perfectly valid PHP. the former allows variables to be replaced in strings.
The latter will treat eveything as a literal string.
I have a car rental system I am working on. When a user rents a car, the system should first check if the number of available cars is greater than 0, if yes, then make the adjustment "AVAILABLE = AVAILABLE+1" (in the MySQL table which keeps track of cars), which means, rent the car to the user. Also, I am trying to record which car went to which user. So I have another database table called rentalrecords which takes in the values of the Username of the logged in user, and ID of the car rented. Now, the problem is, my 'IF-ELSE' part is not executing as desired.
<div id="stylized" class="myform">
<form id="form" name="form" method="POST" action="renting.php" >
<h1>Rent a Car</h1>
<label>Car ID
<span class="small">eg. Enter 1 for Mer1</span>
</label>
<input type="text" name="ID" id="ID" />
<input type="submit" style="margin:30px 100px;" name="submit" value="Check-Out">
<div class="spacer"></div>
</form>
</div>
Now,the action of this form, which is renting.php, is as follows:
<?php
session_start();
if(!session_is_registered(theUSERNAME)){
header("location:customer_login.php");
}
mysql_CONNECT("xx", "xx", "xx") OR DIE("Unable to connect");
mysql_SELECT_DB("xx") OR DIE("Unable to select database");
$ID = $_POST['ID'];
$result = mysql_query("SELECT AVAILABLE FROM car WHERE ID='$ID'");
if(mysql_fetch_array($result)>0)
{
$query="UPDATE car SET AVAILABLE=AVAILABLE-1 WHERE ID='$ID'";
mysql_query($query);
$query = "insert into rentalrecords (USERNAME,ID,RENTED_ON) values ('$_SESSION[theUSERNAME]','$_POST[ID]',CURDATE())";
$result = mysql_query($query);
header("location: list_Clogged.php");
}
else
{
echo "<script>alert('The car you chose is currently unavailable!'); location.href='rent.php';</script>";
}
?>
Even though I have available=0, it still is NOT executing the else part and no matter what, it always executes the IF part. The ID and AVAILABLE are the attributes of my MySQL table called 'car' and the in rental records table i just want to insert these values. I am aware that the script is vulnerable to injection at the moment, but first I want to get things working! Any immediate help would be much appreciated.
You're trying to count a resource...
if(mysql_fetch_array($result)>0)
You need to obtain the results and then count an item within those results:
$res = mysql_fetch_assoc($result);
if($res[0]['AVAILABLE'] > 0)
Note $res[0] means first row of the results. You can also use mysql_fetch_row to obtain a single result.
Keep in mind, mysql_ functions shouldn't be used at all. Look into switching to mysqli or PDO.
Also, you need to sanitize input. You're just blindly accepting $_POST['ID']
The mysql_fetch_array function doesn't do what you think it does; it returns an array, not a single value.
I have troubles about php & mysql. I've to retrieve all records from DB1's table and then I have to insert them again to DB2's table.
<?php
require_once 'includes/config.php';
include 'includes/header.php';
if(isset($_POST['go'])){
$query = mysql_query("SELECT id,username,password FROM $db_database1.account")
or die(mysql_error());
echo "Record ".mysql_num_rows($query)." retrieve";
while($result_row = mysql_fetch_array($query, MYSQL_ASSOC)){
$account_ID = $result_row['id'];
$username = $result_row['username'];
$password = $result_row['password'];
$query = mysql_query("INSERT INTO $db_database2.account(uid,username,password) VALUES('$account_ID','$username','$password')")
or die(mysql_error());
$selectId = mysql_insert_id();
}
}
mysql_close($conn);
?>
<div class="wrapper">
<div class="content">
<form method="post" action="<?PHP $_SERVER['PHP_SELF'];?>">
<input type="submit" name="go" value="Go" />
</form>
</div>
<?php include 'includes/footer.php';?>
According to this code just one record was inserted. How can I insert all retrieved records?
To insert records into another table you need one single query, run from mysql console without PHP:
INSERT INTO db_database2.account SELECT id,username,password FROM db_database1.account
Notes on your code
you have to escape strings you are adding to the query
for some reason you are inserting into the same database
asking for the mysql_insert_id() makes no sense as you are apparently inserting a_i id already
there is no use for storing second mysql_query result into variable
yet this variable gets overwritten <- here is the reason your code runs once.
there is no use for echoing $_SERVER['PHP_SELF'] here. just leave form action blank.
yet you are actually leaving form action blank as you just forgot to echo this variable
I see no use for all the form and HTML here. Can't you just run this code without forms?
as it seems that whole mess is just to hash passwords, you need no extra tables then
just simple
UPDATE account SET password = md5(concat(id,username,password));
always have a database backup before such manipulations
I have this form:
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" enctype="multipart/form-data">
<input type="file" name="file" />
<input type="submit" name="change" value="Update Image!" />
</form>
and this action here :
if(isset($_POST['change']))
{
$id = $_POST['id'];
$img = "photo_gallery/" .$_FILES["file"]["name"];
$query = "UPDATE gallery SET image =\"{$img}\" WHERE id = $id";
$up = mysql_query($query, $connection);
if(!$up){
echo die(mysql_error());
echo "error,not updated!";
}
}
The error is:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Any help for finding the error please!
You are not passing the id value in your form.
As a side note: you are exposed to a SQL injection attack both via the id parameter, as well as the file parameter... And if you pass the id in the form you may allow to maliciously alter images that were not intended to update.
=== Below: edited by someone else. As a note: htmlentites will not guard against SQL injection (use mysql_real_escape), and md5 will guard against injection but not against file overwriting (if someone uploads a file with the same name it will clash). Moreover, if you pass the ID in the form, one can change it and alter an unintended image. ===
Try to secure your code :
if(isset($_POST['change']))
{
$id = htmlentities($_POST['id']);
$img = "photo_gallery/" .md5($_FILES["file"]["name"]);
$query = "UPDATE gallery SET image =\"{$img}\" WHERE id = $id";
$up = mysql_query($query, $connection);
if(!$up)
{
echo die(mysql_error());
echo "error,not updated!";
}
}