I wrote a simple form from which a user will change his/her name , Facebook Name and image
here is the profile.php code with the form
<!!--edit form--!!>
<div id="edit">
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1"
bgcolor="#CCCCCC">
<tr>
<td>
<table width="100%" border="0" cellpadding="1" cellspacing="1"bgcolor="#FFFFFF">
<tr>
<form method="POST" action="save_profile.php">
<td colspan="3"><strong>Username<br><? echo $row['session'];?></strong></td>
<td colspan="3"><strong>Name</strong><input type="text" name="name" id="name"
value="<? echo $row['name'];?>"/><br></td>
<td colspan="3"><strong>Facebook</strong><input type="text" name="fb" id="fb" value="<? echo $row['facebook'];?>"/></td>
<td colspan="3"><strong>Image</strong><input type="text" name="img" id="img" value="<? echo $row['img'];?>"/></td>
<input type="hidden" name="pros" />
<input type="submit" value="Save" />
</form>
and this is the save_profile.php
<?
include"sp-includes/sp-config2.php";
$resultz = mysql_query($slctq);
while($rowqw = mysql_fetch_array($resultz, MYSQL_ASSOC))
{
if($_POST['pros']){
$name=$_POST['name'];
$fb=$_POST['fb'];
$img=$_POST['img'];
$do =mysql_query("UPDATE profile SET name='$name', facebook='$fb', img='$img' WHERE id='$rowqw[id]'");
}
echo $rowqw['id'];
}
?>
I dont Know where i am wrong..
First of all, PLEASE SANITIZE YOUR QUERIES. Your query is completely open for exploitation right now and that might entirely be the reason why it fails.
Write your query like this:
mysql_query('UPDATE profile SET name="'.mysql_real_escape_string($name).'", facebook="'.mysql_real_escape_string($fb).'", img="'.mysql_real_escape_string($img).'" WHERE id="'.mysql_real_escape_string($rowqw['id']).'";');
Also, note that the rowqw index should be written as 'id' instead of id.
The problems with your code:
You are not checking for errors. Use mysql_error().
You are not checking your input (if it's valid or not). You should be binding parameters or escaping with mysql_real_escape_string.
Put the query in a separate string. Something like $query = "UPDATE ..."; $do = mysql_query($query);. It is useful for debugging. You know what the exact query you are sending is.
You are using $rowq[id] the wrong way. When in a string you either use the . notation, you concatenate multiple strings; or you enclose it in {$rowq[id]}.
When you do all this, you'll solve the problems yourself. Read the docs too.
Change the code to
$do = mysql_query("UPDATE profile SET name = '$name', facebook = '$fb', img = '$img' WHERE id = '$rowqw[id]'");
Related
I am working on a project to upload images into a directory and store image paths in database table. The image upload work fine but my text input for name is not working. I need your help.
if(isset($_POST['upload']))
{
$path=$path.$_FILES['file_upload']['name'];
if(move_uploaded_file($_FILES['file_upload']['tmp_name'],$path))
{
echo " ".basename($_FILES['file_upload']['name'])." has been uploaded<br/>";
echo '<img src="gallery/'.$_FILES['file_upload']['name'].'" width="48" height="48"/>';
$img=$_FILES['file_upload']['name'];
$query="insert into imgtables (name,imgurl,date) values('$name',STR_TO_DATE('$dateofbirth','%d-%m-%y'),'$img',now())";
if($sp->query($query)){
echo "<br/>Inserted to DB also";
}else{
echo "Error <br/>".$sp->error;
}
}
else
{
echo "There is an error,please retry or ckeck path";
}
}
?>
The form is as follows:
<form action="gallery.php" method="post" enctype="multipart/form-data">
<table width="384" border="1" align="center">
<tr>
<td width="108">Name</td>
<td><input type="text" name="name"></td>
</tr>
<tr>
<td width="108">Select File</td>
<td width="260"><label><input type="file" name="file_upload"></label></td>
</tr>
<tr>
<td></td>
<td><label><input type="submit" name="upload" value="Upload File"></label></td>
</tr>
</table>
</form>
Obviously the variable $name is empty or undefined and this is why all the other columns are populated and not this one. Also since the query is valid you don't get any error.
You can confirm this with a simple :
echo($name);
Not related to your problem :
Your code seems vulnerable to SQL injection : use prepared statement to prevent this.
Is register_globals turned on? If so you should really consider turning it off. To know why, have a look at Why is REGISTER_GLOBALS so bad?.
I need som help - I really cant see where I do the mistake!
I need to below code to remember the variable for loading the next page. The page loads using a link like:
editgallery.php?folder=big_fish&id=459
Now I want the below codes to remember the folder variable: big_fish for generating the next link. In the bottom of the codes I use a "location" to load the next page. It looks like:
header("Location: galleries.php?folder".$folder." ");
It should send the user back to the page they came from when clicking "update" in the form in the below codes:
if(!$_POST["submit"])
{
include "header.php";
$query = mysql_query("select name, type, folder, description , displaydate from galleries where id = '".$_GET["id"]."' ");
$row = mysql_fetch_row($query);
$name = $row[0];
$type = $row[1];
$folder = $row[2];
$description = $row[3];
$displaydate = $row[4];
?>
<form method="POST" action="<?=$_SERVER["PHP_SELF"]?>" name="myform" id="myform">
<center><table width="<?=$setting["tablewidth"]?>" class="admintable" cellpadding="<?=$setting["cellpadding"]?>">
<tr>
<td class="adminheader" colspan="2"> <b>Edit Gallery:</b></td>
</tr>
<tr>
<td class="admincell"> Name:</td>
<td class="admincell">
<input type="text" name="name" value="<?=$name?>" size="40"></td>
</tr>
<tr>
<td class="admincell"> Category:</td><td class="admincell">
<?=$folder?>
</td>
</tr>
<tr valign="top">
<td class="admincell"> Display Date:</td>
<td class="admincell" align="">
<input style="border-style:hidden" type="text" value="<?=$displaydate?>" id="from" id="<?php echo $_REQUEST["from"]; ?>" name="displaydate" size="40">
(yyyymmdd - Like <?=date('Ymd');?> or <?=date('Y-m-d');?>)</td>
</tr>
<tr valign="top">
<td class="admincell"> Description: </td><td class="admincell">
<textarea id="Enter you description of the photo set here" name="description"><?=$description?></textarea></td>
<!-- http://ckeditor.com/ -->
<script>
CKEDITOR.replace( 'description' );
</script>
</tr>
<tr>
<td class="admincell" colspan="2"><input type="hidden" name="id" value="<?=$_GET["id"]?>"><center>
<input type="submit" name="submit" value="Update"></center></td>
</tr>
</table></center>
</form><center>
<p>
</table></center>
<?
include "footer.php";
}
else
{
mysql_query("update galleries set name = '".$_POST["name"]."', description = '".$_POST["description"]."' , displaydate = '" . $_POST["displaydate"] . "' where id = '".$_POST["id"]."' ");
header("Location: galleries.php?folder".$folder." ");
//header("Location: galleries.php");
}
Can anyone see why the $folder name from the link is not saved for the location link - why cant the codes "transfer" it from the editgallery.php?folder=big_fish&id=459 link and to the location like: ("Location: galleries.php?folder".$folder." ");
Please advice.
You're missing an equals sign:
header("Location: galleries.php?folder".$folder." ");
should be
header("Location: galleries.php?folder=".$folder." ");
You might want to consider using http_build_query to handle building the URL.
You are vulnerable to SQL injection attacks, and have typos:
header("Location: galleries.php?folder=".$folder." ");
^---missing
Essentially you're generating a link that looks like
galleries.php?folderfoo
instead of
galleries.php?folder=foo
Apart from the missing =, I don't see how you are setting your variable (or database connection...).
You probably want something like:
header("Location: galleries.php?folder=" . $_GET['folder']);
You should also switch to PDO or mysqli and prepared statements as the mysql_* functions are deprecated and you have an sql injection problem.
Edit: Note that when a POST request is made / $_POST["submit"] is set, only the last two lines of the script are executed:
A mysql query without a database connection
A header() call with an undefined $folder variable.
I'm just going to re-write my answer here.
Your code could use some cleanup. Here are some items that I would fix:
<input style="border-style:hidden"
type="text"
value="<?=$displaydate?>"
id="from"
id="<?php echo $_REQUEST["from"]; ?>"
name="displaydate"
size="40">
You have two id's there. No bueno.
<textarea id="Enter you description of the photo set here" name="description"><?=$description?></textarea>
Not really a good idea to have your ID contain spaces. Did you mean to use the title attribute?
<input type="hidden" name="id" value="<?=$_GET["id"]?>">
This is good. And I think this is where your main problem lies. You need to add another hidden input with folder
<input type="hidden" name="folder" value="<?=$_GET["folder"]?>">
This way, when the form is posted, the folder will be sent in the form of $_POST['folder'].
Then, here:
header("Location: galleries.php?folder".$folder." ");
Should become:
header("Location: galleries.php?folder=".$_POST['folder']);
Try that and let us know what happens please.
In the same server, I have a page called mkwars and another called generatedtab. Inside mkwars I have a lot of input fields that contains numeric numbers.I need to transfer the datas from those inputs, to another new inputs located in the page generatedtab.
This is the HTML code:
<table border="0" id="table1" align="center" cellspacing="0" cellpadding="3" width="100%">
<tr>
<td width="50%" valign="top"><b>Home Clan:</b> <input type="text" id="clan1" name="clan1" onchange="nomewar();"/></td>
<td><b>Opponent Clan: </b> <input type="text" id="clan2" name="clan2" onchange="nomewar();"/></td>
</tr>
</table>
//other code
<form method="post" action="savewar.php">
<input type="submit" Value="Generate Table" style="height:70px;width:800px" />
</form>
And here you can see the PHP file:
<?
$percorso = file("war/filedb.txt");
while(list(,$value) = each($percorso)){
list($clan1, $clan2) = split("[:]", $value);
$params["clan1"] = trim($clan1);
$params["clan2"] = trim($clan2);
#print results
echo $params["clan1"]." - ".$params["clan2"]."<br />";
}
?>
war is a folder inside my server. When I click the button Generate Table I can't see the file (war/filedb.txt). Could you help me? I thought that the PHP way was the better, but if you think that I should do something else, tell me.
I'm not exactly clear on what you're trying to do here. I think you want to fill out the html form and have the php script save the new input into a file on the server, and then print out the contents of the file. If that's correct, here are a few things you need to fix.
1) On your html page, the <form> tag must enclose all of the input fields you want to post back to the server. so:
<form method="post" action="savewar.php">
<table border="0" id="table1" align="center" cellspacing="0" cellpadding="3" width="100%">
<tr>
<td width="50%" valign="top"><b>Home Clan:</b> <input type="text" id="clan1" name="clan1" onchange="nomewar();"/></td>
<td><b>Opponent Clan: </b> <input type="text" id="clan2" name="clan2" onchange="nomewar();"/></td>
</tr>
</table>
<input type="submit" Value="Generate Table" style="height:70px;width:800px" />
</form>
2) In your php script, you need to use the superglobal $_POST or $_REQUEST variable to catch the data from the posted form. For example:
$clan1 = $_POST['clan1'];
$clan2 = $_POST['clan2'];
3) In your php script, you need to open the file for writing and append the new data to the end of the file:
$fileappendpointer = fopen("war/filedb.txt",'a');
$newline = $clan1 . " - " . $clan2 . "<br>";
fwrite($fileappendpointer, $newline);
4) Then you can easily read out the contents of the file:
fclose($fileappendpointer);
$filereadpointer = fopen("war/filedb.txt",'r');
$contents = fread($filereadpointer,filesize("war/filedb.txt"));
fclose($filereadpointer);
print $contents;
Hi I'm trying to update a single field from a HTML form, for some reason one of the session variables I am passing to the update query is not being accepted. I have already echoed the variable in the page so am fairly certain it exists in memory.
NB, I know my code is horrifically insecure but I'm learning PHP and once I've got the basics working Ill go over it and bring it upto best practice standards.
E2A: If I do var_dump($filename); before trying to run the query it returns string(6) "356/18", after the query it returns NULL. I'm not unsetting the variable anywhere so where could it be going!
Here is my form:
<form method="post" action="">
<p>Your username is: <?php echo $_SESSION['userid'] ?> Your company ID is: <?php echo $companyid['id']?></p>
<h3>Please enter note for file: <?php echo $filename; ?></h3>
<table width="200" cellpadding="5">
<tr>
<th width="18%" align="right" nowrap>Add Note: </th>
<td width="82%" nowrap>
<input type="text" name="note" />
</td>
</tr>
<tr>
<td colspan="2" width="100%" nowrap>
<input type="submit" value="Submit" name="Submit" />
</td>
</tr>
</table>
</form>
Here is my UPDATE query:
$sql = "UPDATE fields SET Notes = ('".mysql_real_escape_string(stripslashes($_REQUEST['note']))."')
WHERE companyId='".$companyid['id']."' AND fileNumber ='".$filename."'";
if($result = mysql_query($sql)) {
echo "<h1>Thank you</h1>Your information has been entered into our database<br><br>";
echo $sql;
echo $filename;
} else {
echo "ERROR: ".mysql_error();
}
} else {
echoing $sql produces the following:
UPDATE fields SET Notes = ('asdasda') WHERE companyId='11' AND fileNumber =''
and here is the bit where I instantiate the POST vars.
include "header.php";
$checkFiles = "checkFiles.php";
// Catches form input from previous page and stores it into session variable called filename for future reference;
$_SESSION['filename']=$_POST['filename'];
$filename = $_SESSION['filename'];
//User id stuff from previous page too;
$userid = $_SESSION['userid'];
$id = mysql_query("SELECT id FROM users WHERE DXNumber='".$userid."'");
// Returns pointer so fetch it as an array and insert it into variable $companyid for later use;
$companyid = mysql_fetch_array($id);
You need to include session_start() on the top of each file.
Just do:
AND fileNumber ='".$_SESSION[filename]."'";
In your update query.
If that doesn't work, make sure that a value for $_SESSION[filename] is being set.
<h3>Please enter note for file: <?php echo $filename; ?></h3>
Create a input box
<input type="text" name="filename" value="<?php echo $filename; ?>"/>
Then filename value will be pass to $_POST array
I have a small section of code. When the table is empty this code works fine and enters in to the table fine. But then if i try again then this fails with the error?
What am i doing wrong?
Thanks
// On my Function page
function admin(){
connect();
$query = mysql_query("INSERT INTO results
(t_id, pos1, pos2, pos3)
VALUES ('$_POST[t_id]','$_POST[pos1]','$_POST[pos2]','$_POST[pos3]')")
or die ("Error.");
$b = "Updated fine</b></a>.";
return $b;
exit();
}
// Then on my main page
<?php
include ('functions.php');
if (isset($_POST['admin'])){
$admin = admin();
}
?>
<div id="content">
<div id="admin">
<form action="" method="post">
<table width="100%" border="0" align="center" cellpadding="3" cellspacing="1">
<tr>
<td width="100%"><?php echo "$admin"; ?></td>
</tr>
<tr>
<td width="100%"><label>Track <input type="text" name="track" size="25" value="<? echo $_POST[t_id]; ?>"></label></td>
</tr>
<tr>
<td width="100%"><label>Position 1<input type="text" name="pos1" size="25" value="<? echo $_POST[pos1]; ?>"></label></td>
</tr>
<tr>
<td width="100%"><label>Position 2 <input type="text" name="pos2" size="25" value="<? echo $_POST[pos2]; ?>"></label></td>
</tr>
<tr>
<td width="100%"><label>Position 3 <input type="text" name="pos3" size="25" value="<? echo $_POST[pos3]; ?>"></label></td>
</tr>
<tr>
<td width="100%"><input class="save" type="submit" value="" name="admin"></td>
</tr>
</table>
</form>
</div>
</div>
Without seeing your table schema, I can only think you have UNIQUE t_id and you want to insert the same ID into it.
Several way to debug:
Use or die ("Error: " . mysql_error()); instead of just or die ("Error.");
Check your table schema: SHOW CREATE TABLE tablename and write it down on your question, so we can see if it's causing error.
It is hard to guess. Maybe you are entering the same values twice, and they happen to violate some unique constraint?
But you make another mistake: you forget to call mysql_real_escape(). That is bad.
Can you tell us of the error? It sounds like you're hitting a primary key violation, perhaps by trying to insert the same id more than once.
That aside, your code is riddled with security holes.
You should not be inserting variables straight from the POST into your query. All I have to do is submit '; DROP DATABASE and I can completely wreck your system.
Additionally, you're injecting values directly from POST into input fields, meaning I can set up a button on my site that submits " <script type='text/javascript'>window.location='http://mysite.com'</script> or something along those lines and take over your page.
This may sound terse, but you should do some googling or pick up a book regarding textbook security issues with websites.
EDIT: Just saw your comment about learning security. My advice is to be proactive about this sort of thing, because being reactive is often too late to fix problems.