Halisco Posted March 4, 2009 Share Posted March 4, 2009 I hope i can explain this clearly. What i am doing is sending serveral <input> values using the <form method="get"> metohd. Its placing all my input vaues into the URL and i am taking that data and entering it into a databasae. What i am wondering is if i can somehow get the info from the URL into an array. The URL Looks like this: http://localhost/profile.php?ID=3096&EditSection=Personal&FirstName=Dion&LastName=Simons&AccountNum=549382 Here is my script: function UpdateInfo() { $con = mysql_connect("Host","User","Password"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("DbName", $con); mysql_query("UPDATE Table1 SET FirstName = '$_GET[FirstName]' WHERE ID = '$_GET[iD]'"); mysql_query("UPDATE Table1 SET LastName = '$_GET[LastName]' WHERE ID = '$_GET[iD]'"); mysql_query("UPDATE Table1 SET AccountNum= '$_GET[AccountNum]' WHERE ID = '$_GET[iD]'"); mysql_close($con); } As you can see all of the database fields have the same name as the _GET fields. Im trying to take the array created from the URL to use in thie function so i dont have to put a line of script for each field/_Get value. Can anyone help me out? I have not idea where to start with this one. Oh by the way these are not all the fields i am using there are over 30. I just used 3 to keep the post small. Quote Link to comment Share on other sites More sharing options...
Mchl Posted March 4, 2009 Share Posted March 4, 2009 1. Passing variables from GET directly into query is asking for SQL injection. Use at least mysql_real_escape_string to escape potentially malicious data. 2. You can use UPDATE table1 SET col1 = value1, col2=value2, ... coln = valuen WHERE ... $FirstName = mysql_real_escape_string($_GET[FirstName]); $LastName = mysql_real_escape_string($_GET[LastName]); $AccountNum= mysql_real_escape_string($_GET[AccountNum]); $ID = mysql_real_escape_string($_GET[iD]); mysql_query("UPDATE Table1 SET FirstName = '$FirstName', LastName = '$LastName', AccountNum= '$AccountNum' WHERE ID = '$ID'"); Quote Link to comment Share on other sites More sharing options...
waterssaz Posted March 4, 2009 Share Posted March 4, 2009 Any variables sent via $_Post or $_Get are sent as an array ]<?php foreach($_GET as $variable => $value) { echo "<tr><td>" . $variable . "</td>"; echo "<td>" . $value . "</td>"; } ?>[/code Quote Link to comment Share on other sites More sharing options...
Maq Posted March 4, 2009 Share Posted March 4, 2009 Assuming ALL of your column names are the same as the GET variables names, you can use something like this if you don't know which variables you're going to be getting: foreach($_GET as $key => $value) { $sql = "UPDATE Table1 SET $key = '$value' WHERE ID = '{$_GET[iD]}'"; $result = mysql_query($sql) or die(mysql_error()); } $key = name of the GET var $value = value of the GET var Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted March 4, 2009 Share Posted March 4, 2009 You can use PHP to create the query for you: <?php $qtmp = array(); foreach ($_GET as $fld => $val) if ($fld != 'Submit' && $fld != 'ID') // or whatever your submit button is named $qtmp[] = $fld . " = '" . mysql_real_escape_string(trim(stripslashes($val))) . "'"; $query = 'UPDATE Table1 SET ' . implode(', ',$qtmp) . " where ID = '" . mysql_real_escape_string($_GET['ID']) . "'"; $rs = mysql_query($query) or die("Problem with the query: $query<br>" . mysql_error()); ?> Ken Quote Link to comment Share on other sites More sharing options...
Halisco Posted March 4, 2009 Author Share Posted March 4, 2009 You can use PHP to create the query for you: <?php $qtmp = array(); foreach ($_GET as $fld => $val) if ($fld != 'Submit' && $fld != 'ID') // or whatever your submit button is named $qtmp[] = $fld . " = '" . mysql_real_escape_string(trim(stripslashes($val))) . "'"; $query = 'UPDATE Table1 SET ' . implode(', ',$qtmp) . " where ID = '" . mysql_real_escape_string($_GET['ID']) . "'"; $rs = mysql_query($query) or die("Problem with the query: $query<br>" . mysql_error()); ?> Ken Exactly what i was looking for !!!! Thankyou very much!!!! Quote Link to comment Share on other sites More sharing options...
Mchl Posted March 4, 2009 Share Posted March 4, 2009 Still this is a potential security vulnerability. It's enough to put a field that's not a column name into url, and the query will fail (additionally echoing it in the error message). In my opinion, there should be check for proper column names (using in_array for example) Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted March 5, 2009 Share Posted March 5, 2009 I usually use a switch statement where I just have cases for valid field names. If an unknown name is put in nothing happens. My solution was just a quick example of what could be done. Ken Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.