I wrote a script for someone where they can easily delete quiz results from a database. The general gist of the script is: the user enters a username, and the PHP script queries the database for quiz results pertaining to the username, then displays the results.
The user can click a delete link. Once this link is clicked, the results are then deleted and the database is re-queried, showing updated results.
Everything seems to work fine on this end until I log into phpMyAdmin to see that none of the results were deleted.
The question is: can this be something wrong with the database itself? Or phpMyAdmin?
Is there something wrong with how I'm doing my script?
Here is my code in this text file: http://andreawine.ladev.co/code-example.txt
$query1 = "DELETE FROM aw_wpsqt_user_data WHERE quizID='".$_GET['quizID']." AND username='".$_GET['username']."'";
It appears that this line is missing a closing quotation mark around quizID. Try correcting it to be:
$query1 = "DELETE FROM aw_wpsqt_user_data WHERE quizID='".$_GET['quizID']."' AND username='".$_GET['username']."'";
I should also mention that this isn't exactly the safest way to delete information, since it appears that I could use SQL injection for most of these fields (especially considering these $_GET variables appear on the URI!). Take a look at http://codex.wordpress.org/WordPress_Coding_Standards#Formatting_SQL_statements for WordPress's standards for SQL statements.
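An added example (not the poster's script or the answerer's code) that runs the concatenated query from the question next to a parameterized one. It assumes PDO with an in-memory SQLite database in place of MySQL; the sample rows, the `$get` array and the `deleteResult` function are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite through PDO so it runs offline;
// the original script targets MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE aw_wpsqt_user_data (id INTEGER PRIMARY KEY, quizID INTEGER, username TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO aw_wpsqt_user_data (quizID, username) VALUES (3,'alice'),(3,'bob'),(4,'alice')");

// Constructed request values standing in for $_GET.
$get = ['quizID' => '3', 'username' => 'alice'];

// 1. The concatenated query from the question, missing quote included.
//    With exceptions enabled the failure is reported instead of passing silently.
$broken = "DELETE FROM aw_wpsqt_user_data WHERE quizID='" . $get['quizID']
        . " AND username='" . $get['username'] . "'";
try {
    $pdo->exec($broken);
} catch (PDOException $e) {
    echo "broken query rejected: ", $e->getMessage(), "\n";
}

// 2. Parameterized version: request values never become part of the SQL text.
function deleteResult(PDO $pdo, string $quizId, string $username): int
{
    // Reject anything that is not a plain positive integer before querying.
    $id = filter_var($quizId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('quizID must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM aw_wpsqt_user_data WHERE quizID = :quiz AND username = :user');
    $stmt->execute([':quiz' => $id, ':user' => $username]);
    return $stmt->rowCount(); // number of rows actually deleted
}

echo "deleted: ", deleteResult($pdo, $get['quizID'], $get['username']), "\n";

// Constructed value containing quotes: bound as data, it is only a username
// that matches no row.
echo "deleted: ", deleteResult($pdo, '3', "x' OR '1'='1"), "\n";
echo "rows left: ", $pdo->query('SELECT COUNT(*) FROM aw_wpsqt_user_data')->fetchColumn(), "\n";
```

Checking the returned row count, rather than assuming the delete worked, is what would have exposed the failed query before the phpMyAdmin check did.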
On my games page, I have a page where they play a game. On that page I have a query
$insert_user_activity = mysql_query("INSERT INTO game_activity (user_id,user_full_name,game_id,game_name) values ('$user_id','$full_name','$browser_id','$game_title')");
Which will log it into my database, it's just sitting on its own and when I refresh the page, it is submitted to the database twice for some reason.
The logic of your front controller is wrong.
The page where you are executing this query is called on every request made to your site, no matter whether it's a proper request or a call to a non-existent resource.
You must change the logic of the front controller so it wouldn't run the application for invalid requests. Otherwise there will be not one but thousands of false inserts when the site goes live.
What are the conditions on the page under which the query executes? In other words, how are the values of the variables you use to execute the query obtained on the page? If that is the case, first check that the variables exist: if the variables are set, then run the query.
I was having problems with a query that was executed twice in Firefox, but in other browsers (Chrome and IE) the problem did not happen. I was searching for an answer and found this post.
I discovered this:
If I execute a simple insert query it gets inserted twice; when I switch on the "net" functionality in Firebug this does not happen. Strange. Just wanted to add this to this post.
Still trying to solve this.
{edit} Update:
I have found a solution, although it is not a pretty one. I first check with a SELECT COUNT whether such a record exists; if not, it is inserted, otherwise it is not. Did the trick for me.
I am having an issue when trying to query data from my MySQL database. Here is the PHP that generates the query: $q = "SELECT * FROM tclog" . (isset($id) ? " WHERE tcuid='$id';" : ";");
Here is the query that it generates: SELECT * FROM tclog WHERE tcuid='55609bb380d9a3.92986475';
The peculiar part of this issue is that, from one page, the query runs just fine, yet from another page, the query fails. The only difference between the pages is that one page gets the entire SQL script from a form on itself (with action="" and don't worry, it's password-protected and forces SSL), while another page (the one shown above which doesn't work) generates the script using just the id variable.
Any help would be greatly appreciated.
I discovered the problem. It was actually in the code that calls mysqli_query, not in the query itself. Looks like you all enjoyed laughing at my crappy security anyway.
Enjoy,
MagikM18
I have discovered that some old (2009) code that was written for a website did, under certain circumstances on a search query, save the SQL as a $_GET variable!
When the search was carried out, the details are POSTED and then sanitized, and the results are paginated with the LIMIT clause in MySQL. If there is more than one page (ie +30 results) the pages are anchor links in the HTML with a GET var containing the SQL statement.
I know, this is absolutely not the way to do this. It's old code I've just seen it by chance. This needs to be fixed.
So I've fixed it, sanitized it and used an alternative method to reload the SQL, BUT:
My question is thus:
The page outputs the data relating to thumbnail images, all data is output as named array var (the original clause is a SELECT * clause), so if someone does abuse the GET variable, the page itself will only output the columns named,
I have managed to DELETE rows from the DB using the GET abuse, I would like to think the abuse is only effective if the result is not involving any returned output (such as DELETE) but I don't know; so given that the user can input anything into the GET clause but only get the displayed output of what's coded (ie named columns in a 30 row array) -- what other abuses can this gaping hole be open to?
Further details: The code is MySQLi
A tool like SQLMAP can probably take over the entire server and do with it whatever the user wants.
Having an unsanitized database input isn't even hacking anymore, it's waiting for someone to run a script on your machine and basically own it from that point on.
What the attacker can do depends on your database configuration and database user access. If you create a new user with a permission to only SELECT that one specified table, and use that user for that particular script, the harm it can do is reading data from that table.
Still this is bad practice. Never use it.
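One way to page through search results without putting SQL in the link, as an added example that is not the site's code. The `images` table, its columns, the `q` and `page` parameter names and both functions are hypothetical, and in-memory SQLite via PDO stands in for MySQL.

```php
<?php
// Added example. Table, columns and parameter names are hypothetical.
// Connect as a database user limited to SELECT on this table, as suggested above.
const PER_PAGE = 30;

function searchPage(PDO $pdo, array $get): array
{
    // Only a search term and a page number are accepted from the request.
    $term = isset($get['q']) && is_string($get['q']) ? substr($get['q'], 0, 100) : '';
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page === false) {
        $page = 1;                       // anything that is not a page number means page 1
    }
    // The SQL text is fixed on the server and names its columns explicitly.
    $stmt = $pdo->prepare(
        'SELECT id, title, thumb FROM images WHERE title LIKE :term
         ORDER BY id LIMIT :lim OFFSET :off'
    );
    $stmt->bindValue(':term', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->bindValue(':lim', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function pageLink(string $term, int $page): string
{
    // The link carries data only, URL-encoded and then HTML-escaped.
    $query = http_build_query(['q' => $term, 'page' => $page]);
    return '<a href="?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">' . $page . '</a>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, title TEXT, thumb TEXT)');
$ins = $pdo->prepare('INSERT INTO images (title, thumb) VALUES (?, ?)');
for ($i = 1; $i <= 65; $i++) {           // constructed sample rows
    $ins->execute(["sunset $i", "thumb$i.jpg"]);
}

echo count(searchPage($pdo, ['q' => 'sunset', 'page' => '3'])), "\n";                  // third page: 5 rows
echo count(searchPage($pdo, ['q' => 'sunset', 'page' => 'DELETE FROM images'])), "\n"; // falls back to page 1: 30 rows
echo pageLink('sunset', 2), "\n";
```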
I've read a few posts about this that suggest using eval but then say how it's dangerous (I don't know why) but I don't think it will work for my current need.
My issue is that I have a blog post db table which has a column that contains all the content of the post. In this content I want to include a poll that lets the user vote a or b. This requires a database call to get the current votes to display to the user after they have voted. I'm guessing JavaScript would be possible but then anyone could look at the source code and see the query I'm making to the database which is risky. I have the PHP code working fine, I just need a way to process it after the code has been obtained from the DB.
I have a datatable which is connected to a DB...
I want to make the data inside the datatable editable and deletable...
but of course, after making a change in the datatable, the data inside the DB should also change.
What's the code to do that? I've tried this:
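$("#datalist tbody").click(function(event) {
    // Clear the highlight from every row; the row node property is nTr (case-sensitive).
    $(oTable.fnSettings().aoData).each(function(){
        $(this.nTr).removeClass("row_selected");
    });
    // Highlight the row that contains the clicked cell.
    $(event.target.parentNode).addClass("row_selected");
});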
I'm a newbie at datatable. That code is as far as I've got, and I don't know how to delete data.
1. I can edit/delete data after clicking on <tbody>
2. show option to edit/delete data
3. if choose delete show (are you sure to delete this data?)
4. the script connected to DB (so we can control DB data)
5. data at DB updated
Ok, I'm assuming you're using PHP and MySQL... You have to send a SQL query into your database with mysql_query(). Typically an easy way to do this is to go into phpMyAdmin, run the query you want on some debug data, then copy the generated PHP code:
also, please ignore the disparity in the id field... the idea should still be clear.
The highlighted text in step 2 should be your SQL query to send through PHP. Usually edits/selections/etc. will be shown above the table view in the Browse tab for the SQL query reference.
The next step is to (in best practice) define a $sql variable that contains your query. In this case, I'd put the highlighted text from step 2 into this variable:
$sql = "DELETE FROM faq_1278475018 WHERE id = 9 LIMIT 1";
Then with PHP, run the query: $result = mysql_query($sql);
That deletes things. Keep fiddling with phpMyAdmin and pay attention to the SQL query box to get clues on what SQL queries to run.
The easiest place I've found to follow is w3schools: PHP and MySQL Introduction
That should get you started...
To answer the comment:
You'll want to pass commands to your PHP script using $.post(). The syntax is explained here: jQuery $.post()
You also might want to make sure the user is "logged in" in some fashion and that you've taken considerable security measures to ensure that someone doesn't manually post data to your script other than when you want them to.
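The server-side checks mentioned above, sketched as an added example that is not the answerer's code. The session keys `user_id` and `csrf`, the `handleDelete` function and the status codes are assumptions; the script called by `$.post()` would receive `id` and `csrf` as POST fields, and in-memory SQLite via PDO stands in for MySQL.

```php
<?php
// Added example. Session keys and function name are hypothetical.
function handleDelete(PDO $pdo, string $method, array $post, array $session): array
{
    if ($method !== 'POST') {
        return [405, 'POST required'];   // links and page refreshes cannot delete
    }
    if (empty($session['user_id'])) {
        return [401, 'not logged in'];
    }
    // Token issued with the page; a request assembled elsewhere does not know it.
    $token = $post['csrf'] ?? '';
    if (!is_string($token) || empty($session['csrf']) || !hash_equals($session['csrf'], $token)) {
        return [403, 'bad token'];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return [400, 'bad id'];
    }
    $stmt = $pdo->prepare('DELETE FROM faq_1278475018 WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1 ? [200, 'deleted'] : [404, 'no such row'];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE faq_1278475018 (id INTEGER PRIMARY KEY, question TEXT)');
$pdo->exec("INSERT INTO faq_1278475018 (id, question) VALUES (9, 'constructed row')");

// Constructed session and requests standing in for $_SESSION, $_SERVER and $_POST.
$session = ['user_id' => 1, 'csrf' => bin2hex(random_bytes(16))];
$cases = [
    ['GET',  ['id' => '9', 'csrf' => $session['csrf']]],          // 405
    ['POST', ['id' => '9']],                                      // 403, no token
    ['POST', ['id' => '9 OR 1=1', 'csrf' => $session['csrf']]],   // 400, not an integer
    ['POST', ['id' => '9', 'csrf' => $session['csrf']]],          // 200
];
foreach ($cases as [$method, $post]) {
    [$status, $msg] = handleDelete($pdo, $method, $post, $session);
    echo "$method ", json_encode($post['id']), " -> $status $msg\n";
}
```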