I need to subtract in a MySQL update. Here is the code:
<?php
session_start();
//=============Configuring Server and Database=======
$host = 'localhost';
$user = 'root';
$password = '';
//=============Data Base Information=================
$database = 'login';
$conn = mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish Connection with Server
mysql_select_db($database,$conn) or die('Database Information is not correct');
//===============End Server Configuration============
//=============Starting Registration Script==========
$username = mysql_real_escape_string($_POST['txtusername']);
//=============To Encrypt Password===================
//============New Variable of Password is Now with an Encrypted Value========
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."'";
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
header('location: succes.php');
?>
The +1 works perfectly but it doesn't work for -5... How can I make it so that they get -5 points?
The +1 works correctly because the query with -5 is never called, as it is overwritten by the query that has +1.
You should have this code (although this is not the correct one):
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."'";
mysql_query($insert);
// other codes
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
Follow-up question: what are the datatypes of the two columns? Are they unsigned or signed?
You're overwriting the first statement with the second. Try this:
$insert = "UPDATE `users` SET `points` = (`points`-5), `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
I am making a profile update Android application. I need assistance to get JSON values, as I am getting a null JSON result - can anyone spot a mistake?
Profile Update Response:
{"tag":"profile_update","error":false,"user":{"fname":null,"lname":null,"email":null,"mobile":null,"class":null,"school":null,"uid":null,"profile_pic":null,"created_at":null}}
My PHP code:
public function profileUpdate($fname, $lname, $email, $mobile, $class, $school, $uid, $profile_pic){
$result = mysqli_query($this->con, "SELECT * FROM users WHERE unique_id = '$uid'")
or die(mysqli_error($this->con));
$path = "userImages/$uid.png";
$actual_path = "http://192.168.1.101/cedu/login/$path";
$no_of_rows = mysqli_num_rows($result);
if ($no_of_rows > 0) {
$result = mysqli_fetch_array($result);
$old_email = $result['email'];
$old_profile_pic = $result['profile_pic'];
$status = 0;
$otp = rand(100000, 999999); // otp code
if ($old_email == $email) {
if ($old_profile_pic == $profile_pic){
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `mobile` = '$mobile',`class` = '$class',`school` = '$school'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
} else {
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `profile_pic` = '$actual_path'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
file_put_contents($path, base64_decode($profile_pic));
}
} else {
if ($old_profile_pic == $profile_pic){
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `email` = '$email', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `otp` = '$otp', `verified` = '$status'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
} else {
$result = mysqli_query($this->con, "UPDATE `users` SET `firstname` = '$fname',`lastname` = '$lname', `email` = '$email', `mobile` = '$mobile',`class` = '$class',`school` = '$school' , `profile_pic` = '$actual_path', `otp` = '$otp', `verified` = '$status'
WHERE `unique_id` = '$uid'") or die(mysqli_error($this->con));
file_put_contents($path."user".$uid.".jpg", base64_decode($profile_pic));
}
}
} else {
//
return false;
}
}
I don't know if this relates to your problem, but you might as well change your potentially vulnerable code first, since any bug tracing you do beforehand may need to be done again. Your code is likely to be susceptible to SQL injection. I will add a (non-tested) example below, and you will need to:
understand it
make similar changes across the rest of your application
Here is a statement that is likely to be vulnerable: you're injecting what looks like user input directly into a SQL string:
$result = mysqli_query(
$this->con,
"SELECT * FROM users WHERE unique_id = '$uid'"
) or die(mysqli_error($this->con));
So firstly let's change this to use explicit column names, and to bind:
$statement = mysqli_prepare(
$this->con,
"SELECT email, profile_pic FROM users WHERE unique_id = ?"
) or die(mysqli_error($this->con));
mysqli_stmt_bind_param($statement, "i", $uid);
mysqli_stmt_execute($statement);
mysqli_stmt_bind_result($statement, $email, $profile_pic);
What's happening here?
We bind an input variable using the i type, which specifies that it is an integer
We run the query using the mysqli_stmt_execute method
We bind a list of output variables, corresponding to each item in the SELECT list
All of the MySQLi "statement" methods are documented here in the PHP manual, and all have very good examples. Do please read up on each of the methods I've used - the manual is one of the best things about PHP!
Stack Overflow also has a set of definitive answers on SQL injection - there are resources there for both PDO and MySQLi.
Once you have made these changes, I recommend stepping through your code, one line at a time, to check that the intermediate values you get are what you expect.
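Carrying the answer's advice over to the UPDATE statements in the question, as an added example (not the asker's or the answerer's code): the four UPDATE variants become one parameterised statement built from an allow-list of column names. `PROFILE_COLUMNS`, `buildProfileUpdate` and `updateProfile` are hypothetical names; the column names are the ones used in the question.

```php
<?php
// Added example, not the asker's or the answerer's code.
// Column names are the ones used by the UPDATE statements in the question.
const PROFILE_COLUMNS = ['firstname', 'lastname', 'email', 'mobile', 'class',
                         'school', 'profile_pic', 'otp', 'verified'];

// Build one parameterised UPDATE from a column => value map. Column names come
// only from the allow-list above; values are never placed in the SQL text.
function buildProfileUpdate(array $changes): array
{
    $set = [];
    $values = [];
    foreach ($changes as $column => $value) {
        if (!in_array($column, PROFILE_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        $set[] = "`$column` = ?";
        $values[] = $value;
    }
    if ($set === []) {
        throw new InvalidArgumentException('Nothing to update');
    }
    $sql = 'UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `unique_id` = ?';
    return [$sql, $values];
}

function updateProfile(mysqli $con, string $uid, array $changes): bool
{
    [$sql, $values] = buildProfileUpdate($changes);
    $values[] = $uid; // last placeholder: WHERE `unique_id` = ?
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($con));
    }
    // Bind every value as a string; MySQL converts it to the column type.
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}
```

With this, the branches in the question only decide which keys go into `$changes` (for example adding `email`, `otp` and `verified` when the address changed) before a single call to `updateProfile`.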
I have 2 queries. Query #1 updates some things in the database, and Query #2 inserts some data into the table.
Code:
function add_like($id) {
$connection = new mysqli($host, $username, $password, $database);
$id = $connection->real_escape_string($id);
$query = $connection->query("UPDATE `posts` SET `post_likes` = `post_likes` + 1 WHERE `id` = '$id'");
$likes_query = $connection->query("INSERT INTO `likes` VALUES (".$_SESSION['user_login'].", $id)");
}
The first query ($query) should add 1 like to the database. So starting at 0 it should +1. Instead, it does +12.
The second query ($likes_query) does not INSERT INTO likes.
Any help would be much appreciated. Thanks!
UPDATE:
Changed the second query to:
$likes_query = $connection->query("INSERT INTO `likes` (`user_id`, `post_id`) VALUES ('$user', '$id')");
Final code:
function add_like($id) {
if (isset($_SESSION['user_login'])) {
$user = $_SESSION["user_login"];
}
else {
$user = "";
}
$connection = new mysqli($host, $username, $password, $database);
$id = $connection->real_escape_string($id);
$query = $connection->query("UPDATE `posts` SET `post_likes` = `post_likes` + 1 WHERE `id` = '$id'");
$likes_query = $connection->query("INSERT INTO `likes` (`user_id`, `post_id`) VALUES ('$user', '$id')");
}
All issues fixed. Thanks for all your comments!
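The two queries from this question as one unit of work, in an added example that is not the asker's code: both statements are prepared, and the counter is incremented only when a new like row was actually stored. It assumes a UNIQUE key on `likes` (`user_id`, `post_id`), InnoDB tables and an integer post id; `addLike` and its parameters are hypothetical names, and the caller is expected to refuse the request when no user is logged in.

```php
<?php
// Added example, not the asker's code. Assumes a UNIQUE key on
// likes(user_id, post_id) and a transactional storage engine (InnoDB).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

// Returns true when the like was recorded, false when it already existed
// or the post does not exist.
function addLike(mysqli $db, string $userLogin, int $postId): bool
{
    $db->begin_transaction();
    try {
        // INSERT IGNORE turns a duplicate (user, post) pair into "0 rows affected".
        $ins = $db->prepare(
            'INSERT IGNORE INTO `likes` (`user_id`, `post_id`) VALUES (?, ?)'
        );
        $ins->bind_param('si', $userLogin, $postId);
        $ins->execute();
        $isNew = $ins->affected_rows === 1;
        $ins->close();

        if ($isNew) {
            $upd = $db->prepare(
                'UPDATE `posts` SET `post_likes` = `post_likes` + 1 WHERE `id` = ?'
            );
            $upd->bind_param('i', $postId);
            $upd->execute();
            $postExists = $upd->affected_rows === 1;
            $upd->close();
            if (!$postExists) {
                $db->rollback(); // do not keep a like for a missing post
                return false;
            }
        }
        $db->commit();
        return $isNew;
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e;
    }
}
```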
I've created a little login structure:
If you have written your data into the fields, you receive a link to confirm the account.
e.g. confirm.php?email=a#a.com
When you visit the link the following code executes:
$sql = mysqli_connect("localhost", "name", "password");
mysqli_select_db($sql, "db");
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = ".$_GET['email']."";
mysqli_query($sql, $set_active);
mysqli_close($sql);
But after that the active value is still 0, like the default.
The users table:
email (varchar 100) active (int 1)
a#a.com 0
Use a prepared statement:
$stmt = mysqli_prepare($sql, "UPDATE `users` SET `active` = 1 WHERE `email` = ?") or die(mysqli_error($sql));
mysqli_stmt_bind_param($stmt, "s", $_GET['email']);
mysqli_stmt_execute($stmt) or die(mysqli_error($sql));
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = '".$_GET['email']."'";
You have missed ' in email. So the query is wrong. To check that, do:
echo("UPDATE `users` SET `active` = 1 WHERE `email` = ".$_GET['email']."");
This will give you an error.
Things get evaluated in double quotes but not in single.
Change
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = ".$_GET['email']."";
to
$set_active = "UPDATE `users` SET `active` = 1 WHERE `email` = '".$_GET['email']."'";
I had been trying many methods to update a specific row in my SQL database named juytdb, which has a table users with column names username and email. First I tried to connect, and the connection was successful,
$localhost = "localhost";
$dbuser = "google";
$dbpass = "";
$dbname = "juytdb";
$connect = mysql_connect($localhost ,$dbuser ,$dbpass);
mysql_select_db($dbname, $connect);
Now while I wanted to update a specific row I used
session_start();
$username = $_SESSION['var']; //actually users are logged in so I just need to add their email
$email = $_POST['email']; //value I got from an inputbox
UPDATE users
SET email='google#gmail.com';
WHERE username='billy';
This does not work. I also tried
$sql = "UPDATE 'users' SET 'email' = '$email' WHERE 'username' = '$username'";
mysql_query($sql);
Additionally, the default value of email is set to "not added".
You have single quotes where you should have backquotes. Try this:
$sql = "UPDATE `users` SET `email` = '$email' WHERE `username` = '$username'";
Try this:
$sql = "UPDATE users SET email = '".$email."' WHERE username = '".$username."'";
The code below works like this: when a user clicks submit, he gets one ticket (lodd) and loses five points, because he bought one ticket for five points. But what I am missing is that when a user doesn't have five points, he can't buy. I want that if the user doesn't have enough points then an echo says (example):
Sorry, but you need at least five points to buy a ticket.
How can I do that? Now people only go in minus if they buy more than they have.
<?php
session_start();
//=============Configuring Server and Database=======
$host = 'localhost';
$user = 'root';
$password = '';
//=============Data Base Information=================
$database = 'login';
$conn = mysql_connect($host,$user,$password) or die('Server Information is not Correct'); //Establish connection with the server
mysql_select_db($database,$conn) or die('Database Information is not correct');
//===============End Server Configuration============
//=============Starting Registration Script==========
$username = mysql_real_escape_string($_POST['txtusername']);
//=============To Encrypt Password===================
//============New Variable of Password is Now with an Encrypted Value========
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."'";
mysql_query($insert);
// Other code
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
header('location: succes.php');
?>
This is the code that gives people one ticket for five points:
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."'";
mysql_query($insert);
// Other code
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
First, mysql_* are deprecated so you should look at changing them at some point. One option is to use: MySQLi
Back to your question, you could do this:
$insert = "UPDATE `users` SET `points` = (`points`-5) WHERE `username` = '".$username."' and points >= 5";
mysql_query($insert);
if (mysql_affected_rows() > 0)
{
// other codes
$insert = "UPDATE `users` SET `lodd` = (`lodd` +1) WHERE `username` = '".$username."'";
mysql_query($insert);
}else{
echo "You don't have enough points";
}
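The single-statement UPDATE from the first thread and the balance check from this answer combined, as an added example that is not code from the questions or the answers: one prepared MySQLi statement checks the balance, debits the points and credits the ticket together. `buyTicket` and `TICKET_PRICE` are hypothetical names, and the session key and connection details in the usage comment are assumptions.

```php
<?php
// Added example, not code from the questions or the answers.
const TICKET_PRICE = 5; // points per ticket, as stated in the question

// Returns true if a ticket was bought, false if the user is unknown or
// has fewer than TICKET_PRICE points.
function buyTicket(mysqli $db, string $username): bool
{
    // One statement: the balance check, the debit and the ticket credit are
    // applied together, so two simultaneous requests cannot both pass the
    // check and push the balance below zero.
    $stmt = $db->prepare(
        'UPDATE `users`
            SET `points` = `points` - ?, `lodd` = `lodd` + 1
          WHERE `username` = ? AND `points` >= ?'
    );
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $price = TICKET_PRICE; // bind_param needs variables, not constants
    $stmt->bind_param('isi', $price, $username, $price);
    $stmt->execute();
    $bought = $stmt->affected_rows === 1; // 0 = not enough points, -1 = error
    $stmt->close();
    return $bought;
}

// Usage in the form handler. The account name is read from the logged-in
// session (assumed key 'username') rather than from the posted form field,
// so a request can only spend its own user's points.
//
// session_start();
// $db = new mysqli('localhost', 'app_user', 'app_password', 'login');
// if (buyTicket($db, $_SESSION['username'])) {
//     header('Location: succes.php');
// } else {
//     echo 'Sorry, but you need at least five points to buy a ticket.';
// }
```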