location header syntax error - php

Firstly, I got a database of which I labelled different id for different content. However, I also made a comment box, of which my comments are all numbered by id=1,2,3... so whenever I submit a comment, it is able to link it back to the correct id I got earlier (not the comment box id), i.e. if I entered in www.example.com/synopsis?id=1, I will go back there. However, I have a delete.php file which is linked to reload.php file, whereby the page is reloaded. From this, it is unable to go back to the synopsis?id=1, instead it's just synopsis?id=
Here is my code for the submit comment button
<form action="synopsis.php?id=<?php $id =$_GET["id"]; echo $id; ?>" method="POST">
and this works.
Here is the reload.php file, which doesn't work, and I want it to be back to synopsis?id=1 every time I hit delete
<?php
$id=$_GET['id'];
$link = mysql_connect("localhost", "root", "");
$refresh = mysql_query("SELECT id FROM dvd where id=$id",$link);
$row = mysql_fetch_assoc($result);
header("Location:synopsis.php?id=<?php $id =$_GET["id"]; echo $id; ?>");
?>
Please help

Correct string concatenation:
header("Location:synopsis.php?id=" . $id);

You already set the $id variable, you don't need to set it again
$id=$_GET['id'];
$link = mysql_connect("localhost", "root", "");
$refresh = mysql_query("SELECT id FROM dvd where id=$id",$link);
$row = mysql_fetch_assoc($refresh);
header("Location:synopsis.php?id=". $id);

Duplicate of quotes syntax errors?
Anyways :
<?php
$id=$_GET['id'];
$link = mysql_connect("localhost", "root", "");
$refresh = mysql_query("SELECT id FROM dvd where id=$id",$link);
$row = mysql_fetch_assoc($refresh);
header("Location:synopsis.php?id=".$_GET['id']);
?>

The <?php is used to switch from HTML to PHP mode, but in this code you're already in PHP mode:
header("Location:synopsis.php?id=<?php $id =$_GET["id"]; echo $id; ?>");
It's also good practice to escape variables when you build a new query string:
header("Location: synopsis.php?" . http_build_query(array(
'id' => $_GET['id'],
)));
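
A version of reload.php that follows the answers above, added here as an example rather than taken from any of the posts: it accepts only a positive integer id, builds the target with http_build_query(), and stops the script after sending the header. The function name synopsisUrl and the 400 response for a missing id are assumptions.

```php
<?php
// Added example, not from the original answers: reload.php reduced to the redirect.

// Returns the redirect target for a raw id value, or null when the value
// is missing or is not a positive integer.
function synopsisUrl($rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // http_build_query() URL-encodes the value, as the last answer recommends.
    return 'synopsis.php?' . http_build_query(['id' => $id]);
}

$target = synopsisUrl(isset($_GET['id']) ? $_GET['id'] : null);
if ($target === null) {
    // The link that leads here did not carry a usable id (assumed handling).
    http_response_code(400);
    exit('Missing or invalid id');
}

header('Location: ' . $target);
exit; // stop here so nothing after the redirect runs or is sent
```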

Related

Delete mySQL table from php link not working (Blank page appears)

I've listed a list of rows from my mySQL database onto an admin page. I now simply want to add an icon beside each row giving the user the option to delete the row in question.
Here's my php delete link:
<i class="icon-circle-blank"></i>
And my delete.php file looks like:
<?php
require_once 'db.php';
global $con;
if(($_GET['action'] == 'delete') && isset($_GET['id'])) {
$id = $_GET['id'];
$sql = "DELETE FROM quotes WHERE id = '$id'";
$query = mysqli_query($con, $sql);
}
header("location: http://localhost:81/logintest/home.php");
mysqli_close($con);
?>
For some reason when I click the link, the page just returns a blank page with no database rows being deleted. What am I overlooking?
Unless you're showing us a pseudo-code, this will not parse the PHP id variable:
delete.php?action=delete&id='$id'
you need either:
delete.php?action=delete&id=<?= $id ?>
or
delete.php?action=delete&id=<?php echo $id; ?>

Trouble having passed GET variable display on target page

I'm going crazy here. I have two pages. Page A and Page B. I simply want to set a variable in Page A, pass it to Page B via GET method (URL) and then have code display the variable. I do not get any errors, but the variable simply will not display. Here is the code:
Page A:
print "" .$name . "<br>";
Page B:
<?php
//db connect info above not shown
$password = "*****";
$usertable = "stories";
$myfield = (int) $_GET['id'];
//Connect to db
mysql_connect($hostname, $username, $password) OR DIE ("Unable to
connect to database! Please try again later.");
mysql_select_db($dbname);
//Fetch from db
$query = "SELECT * FROM stories where story_id = $myfield";
$result = mysql_query($query);
echo "TEXT: ";
if ($result) {
while($row = mysql_fetch_array($result)) {
$name = $row["story_id"];
echo $name;
}
}
?>
All I get returned is "TEXT:"
But I want it to show "TEXT: 4" (because I know 4 is the story_id from page A). I even see the 4 in the URL of page B being successfully passed, but can't get it to display here.
As a second part of the question, my REAL GOAL is not to simply print the story_id, but rather the story text itself (a paragraph of text). This variable is in the same table called story_text. It seems a pipe dream to get the actual story text to display when I can't even simply have the story_id number print as a test.
Please help!
if your url is
http://mysite.net/page-b?var=".$id ."\"
The variable passed will be $var, not $id
$myfield = (int) $_GET['id']; // WRONG
$myfield = (int) $_GET['var']; // RIGHT
Your statement
$myfield = (int) $_GET['id'];
this should be
$myfield = (int) $_GET['var'];

Display and Delete data from database

I am new to PHP and just want to make a basic page where I can see all the users in the database and delete them. I have come this far, but it keeps telling me that I have an Undefined index: user_id, and although it tells me that it has deleted the fields, it has not deleted anything. Here is my code:
<?php include_once "includes/scripts.php"; ?>
<?php include_once "includes/connect.php";?>
<?php include_once "includes/cms_page_security.php";?>
<div id="cms_container"><br>
<br>
<h1>MANAGE USERS<img src="images/three_column_grid_line.png" alt="line"></h1>
<p class="logout_btn">Back</p>
<?php
$tbl="users"; // Table name
$sql = "SELECT * FROM $tbl";
$result = mysql_query($sql, $connect);
while($rows = mysql_fetch_array($result)){
?>
<?php
echo $rows['user_id'];
echo $rows['user_name'];
echo $rows['user_password'];
?>
delete
<?php
}
?>
<?php
mysql_close();
?>
</div><!--cms_container-->
</body>
</html>
The page that it should link to that deletes the query:
<?php include_once "includes/connect.php";?>
<?php
$tbl="users";
$user_id= $_GET ['user_id'];
$sql="DELETE FROM $tbl WHERE user_id = '$user_id'";
$result = mysql_query($sql, $connect);
if($result){
echo "Deleted Successfully";
echo "<BR>";
echo "<a href='delete.php'>Back to main page</a>";
}else {
echo "ERROR";
}
?>
<?php
mysql_close();
?>
In delete_user.php you must get user_id
$user_id= $_GET ['id'];
because in your delete link GET variable is "id", not "user_id"
You really should be using PDO instead.
The issue is in the information that you are passing.
The link : delete
is looking for an 'id' but you're later looking for 'user_id'
If you change it to delete, it should work.
I still strongly suggest you look into PDO instead though, it's much more secure and easier to work with.
Example of PDO Delete
public function deleteUser($username, $user_id){
if($this->isAdmin($username) == true){
$query = $this->db->prepare('DELETE FROM users WHERE user_id = ?');
$query->bindValue(1, $user_id);
try{
$query->execute();
}catch(PDOException $e){
die($e->getMessage());
}
}else{
return false;
}
}
I'm running an extra check to make sure the person who is requesting the deletion is an admin member but you should be able to see the structure
In addition to the other answers:
It looks like this line could be a fatal error, if php short tags aren't enabled:
delete
The php manual says:
*PHP also allows for short tags <? and ?> (which are discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option.*
http://php.net/manual/en/language.basic-syntax.phptags.php
The SQL query will be successful even if it alters zero rows. You are prefixing your user ids with a space when you are generating your HTML (id= <?), so you aren't matching any rows (since "1" won't be matched by " 1").
Where you are creating your 'Delete' link
delete
You're creating a variable of 'id', but later you look for 'user_id'.
Change your link to
delete

SQL WHERE ID carryover

Basically I've created two PHP pages. One selects my entire table, and displays just date, and id number from it. Each date has a link directing to a display.php file. It pulls the ID number with it to the next display.php page. What I want to do on the display.php file is to display the entire row using that PHP.
So I know that Select * from tablename WHERE id=1 will pull that data, but how to get the ID number into the WHERE statement?
This is the main page code:
// SQL query
$strSQL = "SELECT * FROM table1";
// Execute the query (the recordset $rs contains the result)
$rs = mysql_query($strSQL);
// Loop the recordset $rs
while($row = mysql_fetch_array($rs)) {
// DATE
$strName = $row['date'];
// Create a link to display.php with the id-value in the URL
$strLink = "<a href = 'display.php?ID = " . $row['ID'] . "'>" . $strName . "</a>";
// List link
echo "<li>" . $strLink . "</li>";
}
That code links works and goes to display.php.
How would I create the link using the ID number pulling with it. Would I use a post command?
$id= Post['id']
then WHERE id = '$id'
?
TBH I did try that and got nothing. Any suggestions?
USING GET now...still no luck
I've tried the GET statement. In my address bar it shows the ID number. So I see the ID number pulling over with it. I tried even just echoing the ID to see if maybe it was just my code messing up.
<?php
$dbhost = 'localhost';
$dbuser = 'myusername';
$dbpass = 'mypw';
$dbname = 'mydbname';
$id = $_GET['id'];
mysql_connect($dbhost, $dbuser, $dbpass) or die('MySQL connect failed. ' . mysql_error());
mysql_select_db($dbname) or die('Cannot select database. ' . mysql_error());
?>
<body>
ID #<?php echo $id ?>
</body>
</html>
Still no luck
So in your display file you'd do something like this
$id = $_GET['ID'];
//DO SANITIZATION ETC ON THE ID HERE TO MAKE SURE ITS SOMETHING WE EXPECTED (AN INT)
$sql = "SELECT STUFF WHERE ID = {$id}"; //FOR BREVITY SAKE DOING AWAY WITH SECURITY
So basically what your first script is doing is passing the id in the url query string, values passed here are accessible in the $_GET super globals array.
Anything you access in here and the other super globals should be treated as completely dangerous to your application. You should filter and escape the hell out of it, and then before inserting it into the database you must escape it using the correct mechanism for your database. Otherwise you leave yourself open to SQL injection attacks.
Values passed in the querystring use GET not POST.
Post is for form variables.
You should also be aware of the danger of a SQL injection attack when taking values from the querystring.

jQuery - Save to SQL via PHP

This is probably easy for you guys, but I can't understand it.
I want to save the filename of an image to its own row in the SQL base.
Basically, I log on to the site where I have my own userID.
And each user has its own column for background images. And the user can choose his own image if he wants to. So basically, when the user clicks on the image he wants, a jquery click event occurs and an ajax call is made to a php file which is supposed to take care of the actual update. The row for each user always exist so there's only an update of the data that's necessary.
First, I collect the filename of the css property 'background-image' and split it so I get only the filename. I then store that filename in a variable I call 'filename' which is then passed on to this jQuery snippet:
$.ajax({
url: 'save_to_db.php',
data: filename,
dataType:'Text',
type: 'POST',
success: function(data) {
// Just for testing purposes.
alert('Background changed to: ' + data);
}
});
And this is the php that saves the data:
<?php
require("dbconnect.php");
$uploadstring = $_POST['filename'];
mysql_query("UPDATE brukere SET brukerBakgrunn = '$uploadstring' WHERE brukerID=" .$_SESSION['id']);
mysql_close();
?>
Basically, each user has their own ID and this is called 'brukerID'
The table everything is in is called 'brukere' and the column I'm supposed to update is the one called 'brukerBakgrunn'
When I just run the javascript snippet, I get this message box in return where it says:
Background changed to:
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/clients/client2/web8/web/save_to_db.php:1) in /var/www/clients/client2/web8/web/access.php on line 3
This is dbconnect.php
<?php
$con = mysql_connect("*****","******","******");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("****", $con);
require("access.php");
?>
And this is access.php:
<?php
// Don't mess with ;)
session_start();
if($_REQUEST['inside']) session_destroy();
session_register("inside");
session_register("navn");
if($_SESSION['inside'] == ""){
if($_POST['brukernavn'] and $_POST['passord']){
$query = "select * from brukere where brukerNavn='" . $_POST['brukernavn'] . "' and brukerPassord = md5('" . $_POST['passord'] ."')";
$result = mysql_query($query);
if(!$result) mysql_error();
$rows = @mysql_num_rows($result);
if($rows > 0){
$_SESSION['inside'] = 1;
$_SESSION['navn'] = mysql_result($result,"navn");
$_SESSION['id'] = mysql_result($result,"id");
Header("Location: /");
} else {
$_SESSION['inside'] = 0;
$denycontent = 1;
}
} else {
$denycontent = 1;
}
}
if($denycontent == 1){
include ("head.php");
print('
<body class="bodylogin">
content content content
</body>
');
include ("foot.php");
exit;
}
?>
Big security issue!
You didn't quote and escape the input to the MySQL query. I could easily hack the end, stack another query, and delete your entire database!
Also, you're missing the ending parenthesis at the end of mysql_query().
mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id'] ."";
should be
mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id']);
closing parenthesis is missing and the quotes ("") are useless.
Read about SQL injection in order to make your application safe.
EDIT:
<?php
require("dbconnect.php")
?>
<?php
This code sends (the part between ?> and <?php) a newline to the output (it's the same as echo "\n") which is not allowed if you want to write to a session variable consequently.
Remove the empty line before session_start():
?>
<?php
The original error is due to a missing semicolon on the require line.
As others have said, you need to learn about sql injection and using placeholders. Get out of the habit of using submitted data without using placeholders or escaping first.
<?php
//require_once("dbconnect.php");
$uploadstring = $_REQUEST['filename'];
$db_pswd = 'xxx-xxx-xxx';
$db_user = 'john_doe';
$db_table = 'my_table';
$con = mysql_connect( 'localhost' , $db_user , $db_pswd );
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db( $db_table , $con );
mysql_query(" UPDATE brukere SET brukerBakgrunn = '".$uploadstring."'
WHERE brukerID = '".$_SESSION['id']."' ");
mysql_close($con);
?>
I think you need to use a fresh code! yours is compromised! ;-))
you forgot the closing ')' in your mysql_query line !
mysql_query("UPDATE brukere SET brukerBakgrunn = $uploadstring WHERE brukerID=" .$_SESSION['id'] );
You don't need the ."" at the end of your query too.
require("dbconnect.php")
should be
require("dbconnect.php");
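
The placeholders recommended in the answers above, and the sanitization step that the display.php answer further up leaves out, shown together as an added example that is not part of any original post. It assumes PDO with an in-memory SQLite database in place of MySQL so it runs offline; the function names, the sample rows and the file-name pattern are constructed for illustration.

```php
<?php
// Added example (not from the original posts). An in-memory SQLite database
// stands in for the MySQL server; with MySQL only the DSN given to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the table and column names from the questions.
$pdo->exec('CREATE TABLE table1 (ID INTEGER PRIMARY KEY, date TEXT)');
$pdo->exec("INSERT INTO table1 (ID, date) VALUES (1, '2013-01-05'), (2, '2013-02-11')");
$pdo->exec('CREATE TABLE brukere (brukerID INTEGER PRIMARY KEY, brukerBakgrunn TEXT)');
$pdo->exec("INSERT INTO brukere (brukerID, brukerBakgrunn) VALUES (7, 'default.png')");

// display.php: accept only a positive integer ID, then bind it as a parameter.
function fetchRow(PDO $pdo, $rawId)
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not an integer: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT * FROM table1 WHERE ID = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// save_to_db.php: the file name is free text, so allow-list its shape and bind it.
// $userId would come from $_SESSION['id'] in the original script.
function saveBackground(PDO $pdo, $userId, $filename)
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(png|jpe?g|gif)\z/', $filename)) {
        return false; // unexpected characters or extension
    }
    $stmt = $pdo->prepare('UPDATE brukere SET brukerBakgrunn = ? WHERE brukerID = ?');
    $stmt->execute([$filename, (int) $userId]);
    return true;
}

// Constructed inputs: a valid ID, a non-integer ID, a plain file name,
// and a file name containing a quote character.
var_dump(fetchRow($pdo, '2'));
var_dump(fetchRow($pdo, '2 OR 1=1'));
var_dump(saveBackground($pdo, 7, 'beach.jpg'));
var_dump(saveBackground($pdo, 7, "x.png' WHERE 1=1 --"));
```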
