Get variable from address bar and then delete from MySQL database - php

I have the code below which links to a page called deletepage.php which is in my FTP in the right directory. It adds the variable on the end from a database query, that bit works and it opens the page correctly:
X
But now I have this code to run a query on that in the MySQL database but it doesn't actually delete it when it should be deleting it:
$con = mysql_connect("localhost", "will", "blahblah");
if (!$con) {
die('Could not connect: '.mysql_error()); //check for database errors
}
$username = $_GET['user'];
mysql_select_db("themacsp_clipboy", $con);
$sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] AND username='$username');
mysql_query($sql);
header("location: http://themacsplash.com/userfiles/$username");
?>
I get an error:
Parse error: syntax error, unexpected '=' in >/data/www/vhosts/themacsplash.com/httpdocs/ClipBoy/deletepage.php on line 10
Line 10 is the $sql line ($sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] AND username='$username');)
How would I fix this?

You were missing some quotes again.
You should probably be doing it step by step, since it's less confusing:
$plink = (int)$_GET['plink'];
$sql = "DELETE FROM links WHERE link=$plink AND username='$username'";

Line should be
$sql = ("DELETE FROM links WHERE link = ".(int)$_GET['plink'] . " AND username='$username'");
Also you should sanitize those $_GET strings with mysql_real_escape_string() to help avoid SQL injection hacks.

$sql = "DELETE FROM links WHERE link = ".(int)$_GET['plink']." AND username='".$username."';";
You concatenated the strings and the variables in a wrong way. This'll do.

I think it is in this line
<?php
//replace
//$sql = ("DELETE * FROM links WHERE link = ".(int)$_GET['plink'] AND username='$username');
//with
$sql = "DELETE FROM links WHERE link = ".(int)$_GET['plink']. " AND username='".$username."'";
?>
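
The parameter binding these answers point towards, as an added example that is not part of the original thread: the thread's DELETE built by concatenation next to a PDO prepared statement, run against constructed rows. An in-memory SQLite database stands in for MySQL so the script runs offline; the function names and sample values are assumptions.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL database so the
// script runs offline; table contents and inputs are constructed samples.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE links (link INTEGER, username TEXT)");

function seed(PDO $pdo): void {
    $pdo->exec("DELETE FROM links");
    $pdo->exec("INSERT INTO links VALUES (1,'will'), (2,'will'), (3,'alice')");
}

// Concatenated form, as in the thread: the value becomes part of the SQL text.
function deleteConcatenated(PDO $pdo, array $get): int {
    $plink = (int)($get['plink'] ?? 0);
    $username = $get['user'] ?? '';
    return $pdo->exec("DELETE FROM links WHERE link = $plink AND username = '$username'");
}

// Bound form: the statement text is fixed, the values travel separately.
function deleteBound(PDO $pdo, array $get): int {
    $stmt = $pdo->prepare("DELETE FROM links WHERE link = :plink AND username = :user");
    $stmt->bindValue(':plink', (int)($get['plink'] ?? 0), PDO::PARAM_INT);
    $stmt->bindValue(':user', (string)($get['user'] ?? ''), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed request parameters: one ordinary, one carrying SQL syntax.
$ordinary = ['plink' => '1', 'user' => 'will'];
$hostile  = ['plink' => '1', 'user' => "will' OR '1'='1"];

foreach (['deleteConcatenated', 'deleteBound'] as $fn) {
    seed($pdo);
    $a = $fn($pdo, $ordinary);
    seed($pdo);
    $b = $fn($pdo, $hostile);
    printf("%-20s ordinary: %d row(s), hostile: %d row(s)\n", $fn, $a, $b);
}
```

With the concatenated query the second input rewrites the WHERE clause and every row is removed; with bound parameters the same input is compared as a literal username and matches nothing.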

Related

php mysql_query won't find index

I am creating a property profile page for a real estate site. For some reason it won't check the index in the database to see if it is the same value as the ?id= in the address bar. When I use the code select * from properties it doesn't show any error, but when I add WHERE index='$prop_id' it kills the page and echoes query error. The database connection file is included at the top of the index.php page. Can anyone help?
<?php
if(isset($_GET['id'])){
$prop_id = mysql_real_escape_string($_GET['id'])or die("get error");
$check = mysql_query("SELECT * FROM properties WHERE index='$prop_id'") or die("query error");
}
?>
index is a reserved keyword. Fix the errors in the query. Missing ' -
"SELECT * FROM properties WHERE `index` = '$prop_id'"
Try as below :
"SELECT * FROM properties WHERE `index` = ".$prop_id;
You forgot one single quote in the query. Please replace your query with the following:
$check = mysql_query("SELECT * FROM properties WHERE `index`='".$prop_id."'") or die("query error");

PHP Query failing, show error?

I have a query on my page that uses a GET variable to pull data from my table...
If I echo my GET var the data is there, so I'm doing something wrong with my query. Instead of or die, can I show an error in the browser?
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!');
$sql = "SELECT * FROM persons WHERE id = $userID";
You must use double quotes to use variables inside the query string.
You can also do this:
$sql = "SELECT * FROM persons WHERE id = ".$userID;
What you should do is this (to protect yourself from sql injection):
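$stmt = $conn->prepare("SELECT * FROM persons WHERE id = ?"); // assuming $conn is a mysqli connection
$stmt->bind_param("i", $userID); // bind the value instead of concatenating it
$stmt->execute();
$q = $stmt->get_result();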
You can always debug using this at the top of your php page:
ini_set('display_errors',1);
error_reporting(E_ALL);
Have you tried $q = $conn->query($sql) or die($conn->error); ?
Yes you can, but you should only do it for debugging. Crackers can gain a lot of insight by purposefully feeding bad input and reading the error.
I'm assuming you're using MySQLi; the command is $conn->error. So your line would be:
$q = $conn->query($sql) or die($conn->error);
Also, what you're doing wrong is you're using single quotes to define $sql. You need to use double quotes to write $userID into the string. So what you want is:
$sql = "SELECT * FROM persons WHERE id = $userID";
or
$sql = 'SELECT * FROM persons WHERE id = ' . $userID;
You need to use double quotes to evaluate variables within the string. That is,
$sql = 'SELECT * FROM persons WHERE id = $userID';
should be
$sql = "SELECT * FROM persons WHERE id = $userID";
Rather than removing the die you should make sure the query is always valid. In other words: validate the userID parameter. $_GET can contain anything the user wants to provide - it could be an array, it could be a string, it could be a string with a malicious payload that can drop your tables. So check it is an integer. If not, return a relevant message to the user.
Not a php expert but you might try:
// Get USER ID of person
$userID = $_GET['userID'];
// Get persons
$sql = 'SELECT * FROM persons WHERE id = $userID';
$q = $conn->query($sql) or die('failed!' . mysql_error());
The error should append to the end of your die message.
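
The two pieces of advice in this thread, validating the ID and keeping database errors out of the browser, combined in an added example that is not part of the original answers. It assumes PDO, with an in-memory SQLite database standing in for the real one; lookupPerson, the persons row and the request arrays are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the real database; the table,
// its row and the request arrays below are constructed samples.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE persons (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO persons VALUES (7, 'Ada')");

$broken = new PDO('sqlite::memory:');   // no persons table: forces a query error
$broken->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Returns [httpStatus, body]. Hypothetical helper, not from the thread.
function lookupPerson(PDO $pdo, array $get): array {
    $raw = $get['userID'] ?? null;
    // A $_GET value can be an array (?userID[]=1) or any string; accept only
    // a string that is a positive integer.
    $id = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false) {
        return [400, 'userID must be a positive integer'];
    }
    try {
        $stmt = $pdo->prepare("SELECT name FROM persons WHERE id = ?");
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Full detail goes to the server log; the client learns nothing about the schema.
        error_log('persons lookup failed: ' . $e->getMessage());
        return [500, 'Something went wrong'];
    }
    return $row ? [200, $row['name']] : [404, 'No such person'];
}

$cases = [
    [$pdo, ['userID' => '7']],
    [$pdo, ['userID' => '7 OR 1=1']],
    [$pdo, ['userID' => ['7']]],
    [$pdo, []],
    [$broken, ['userID' => '7']],
];
foreach ($cases as [$db, $get]) {
    [$status, $body] = lookupPerson($db, $get);
    echo $status, ' ', $body, "\n";
}
```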

What is the proper syntax for inserting variables into a SELECT statement?

I believe I have a simple syntax problem in my SQL statement. If I run this code, I get an error in the database query.
$user = $_GET['linevar'];
echo $user; // testing - url variable echos correctly
$sql = "SELECT * FROM `userAccounts` WHERE `name` = $user";
$result = mysql_query($sql) or die("Error in db query");
If I replace $user in the $sql string with 'actualName' or a known record in my table, the code works fine. Am I using the $ variable incorrectly in the SQL string?
You need to surround the value that you're getting from $user with quotes, since it's probably not a number:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
Just as a note, you should also read up on SQL injection, since this code is susceptible to it. A fix would be to pass it through mysql_real_escape_string():
$user = mysql_real_escape_string( $_GET['linevar']);
You can also replace your or die(); logic with something a bit more informative to get an error message when something bad happens, like:
or die("Error in db query" . mysql_error());
You need to escape the GET input, then quote it.
// this is important to prevent sql injection.
$user = mysql_real_escape_string($_GET['linevar']);
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '$user'";
This should work:
$sql = "SELECT * FROM `userAccounts` WHERE `name` = '" . $user . "'";

sql UPDATE error?

I've followed all the MySQL tutorials correctly but it still won't update the values in my table. Can someone please help me? These are my values below:
$editid = $_GET['id'];
$newtitle = $_POST['title'];
$newsneak = $_POST['sneak'];
$newbody = $_POST['body'];
$connect = mysql_connect("localhost","username","password") or die("Couldn't Connect. ");
mysql_select_db("dr") or die ("Couldn't Find DB.");
$query = mysql_query("SELECT * FROM news WHERE id=$editid");
$numrows = mysql_num_rows($query);
if($numrows=!0)
{
$querytitle = mysql_query("UPDATE news SET title=$newtitle WHERE id=$editid");
$querysneak = mysql_query("UPDATE news SET summary=$newsneak WHERE id=$editid");
$querybody = mysql_query("UPDATE news SET body=$newbody WHERE id=$editid");
header("Location: ../index.php");
}
On your select (add mysql_error to check error):
$result = mysql_query("SELECT * FROM news WHERE id='$editid'");
if (!$result) {
die('Invalid query: ' . mysql_error());
}
On your update:
$querytitle = mysql_query("UPDATE news SET title='$newtitle' WHERE id='$editid'");
$querysneak = mysql_query("UPDATE news SET summary='$newsneak' WHERE id='$editid'");
$querybody = mysql_query("UPDATE news SET body='$newbody' WHERE id='$editid'");
Use single quotes around input data; also use mysql_real_escape_string() to avoid SQL injection.
PHP mysql_real_escape_string
As per #Tchalvak suggestion to include mention of binding, these are more updated tools against SQL Injections plus better optimization, but keep in mind PDO and MySQLi are supported if you have PHP 5+:
PHP PDO
and
PHP MySQLi
Can I add as well once you finish debugging to please remove any mysql_error() output? This is awesome info for attackers since it reveals database details. Either log it or don't show errors...adds a little extra security.
You want to use the mysql_error function to see what error your query returns.
As an addition pointed out by Jeremy Conley, take care not to let the mysql_error function output get published in your production HTML.

SELECT and UPDATE not working -- MySQL

After I upload a photo to a server, I want to save it in the user's database in MySQL, but for some reason, it is not working. Below is the code for uploader.php:
session_start();
if(!$_SESSION['userid']) {
header("Location: index.php");
exit;
}
$con = mysql_connect("host","db","pw");
if (!$con)
{
die('Could not connect: ' .mysql_error());
}
mysql_select_db("db", $con);
$sess_userid = mysql_real_escape_string($_SESSION['userid']);
$query = "SELECT * FROM Members WHERE fldID='$sess_userid' UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]'");
$result = mysql_query($query) or trigger_error(mysql_error().$query);
$row = mysql_fetch_assoc($result);
I'm sure there is something very wrong with my query, but I can't figure out what it is. The photo is definitely being saved into the folder. But I simply want to update its path in the user database for later use. Thank you!
As was mentioned already, you cannot use these two queries at once.
But there is also weird syntax: you're trying to use PHP's concatenation operator inside of a MySQL query.
And you did not escape a string parameter - very bad!
So, looks like you need something like
$sess_userid = mysql_real_escape_string($_SESSION['userid']);
$PortraitPath = mysql_real_escape_string('profileportraits/' . $_FILES['file']['name']);
$query = "UPDATE Members SET PortraitPath = '$PortraitPath' WHERE fldID='$sess_userid'";
You can do two separate queries:
UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]'
WHERE fldID='$sess_userid';
And:
SELECT * FROM Members WHERE fldID='$sess_userid'
It seems you tried to put two queries (SELECT and UPDATE) into one query, which will result in an invalid query error.
Just wondering why you need two queries since you already know the userid and all you want is to update. All you need is to update the file path
UPDATE Members SET PortraitPath = 'profileportraits/' . '$_FILES[file][name]' WHERE fldID='$sess_userid';
