Jump to content

Updating records from html form

joshgarrod

By joshgarrod
in PHP Coding Help

 Share

Recommended Posts

joshgarrod Regular Member

joshgarrod

Posted
Posted

Hi, I am having problems updating records from a form. The data is displaying in the form, however, upon submitting the form, it appears to have updated but it actually hasn't. Please help:

 

<?php

$ref = (!empty($_GET['ref']))?trim($_GET['ref']):"";
$table = (!empty($_GET['table']))?trim($_GET['table']):"";

if (isset($_POST['submit'])){
$ref=$_POST["ref"];
$title=$_POST["title"];
$descr=$_POST["descr"];
$partno=$_POST["stocknu"];
$price=$_POST["price"];
$category=$_POST["category"];

# setup SQL statement
$query = sprintf("UPDATE `$table` SET `title` = '%s',`descr` = '%s',`stocknu` = '%s',`price` = '%s' WHERE `$table`.`ref` ='%s' LIMIT 1",	mysql_real_escape_string($title),mysql_real_escape_string($descr),mysql_real_escape_string($partno),mysql_real_escape_string($price),mysql_real_escape_string($avail),mysql_real_escape_string($category),mysql_real_escape_string($ref));

#execute SQL statement
$result = mysql_db_query($db,$query,$cid) or die($query."<br>".mysql_error());

# check for error
if (!$result){
	echo("ERROR: " . mysql_error() . "\n$SQL\n");
}
echo "<P>Part updated</P><br />";
}
   
?>
?>

Link to comment
https://forums.phpfreaks.com/topic/181502-updating-records-from-html-form/
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted
it appears to have updated

What exactly do you get as output that tells you this?

 

Is that all the code on the page? Because, without a connection to your database, the code cannot work. Where is $cid being set?

 

Have any mysql_ functions successfully worked on your server in the past or is this the first time you have attempted to run any code using mysql_ functions?

 

There are also a couple of issues with the code -

 

1) You should not supply the table name from external data as that will allow a hacker to UPDATE any table he wants. It is also not possible to prevent sql injection where $table is being used in the query by using mysql_real_escape_string() so you must validate that $table only contains specific values that are allowed.

 

2) mysql_db_query() was depreciated long ago, throws a depreciated error in php5.3, and has been completely removed in php6. You should use mysql_select_db and mysql_query

joshgarrod Regular Member

joshgarrod

Posted
  • Author
Posted

Hi, thanks for your prompt reply. What i mean by "appears" is that there are no error messages and it prints "part updated". I have loads of MySQL functions working with my server.

 

This code is in a password protected area for administrative purposes so hackers will not be able to access. Could you explain in my simpleton language what you mean by this please lol

It is also not possible to prevent sql injection where $table is being used in the query by using mysql_real_escape_string() so you must validate that $table only contains specific values that are allowed.

Is it absolutely necessary to change all of my mysql_db_query() to mysql_select_db and mysql_query as I have many other scripts working with this.

 

 

Thanks for your time

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.