Jump to content

Recommended Posts

The Code:
[quote]<?php
$email=$_POST['email'];
$msn=$_POST['msn'];
$icq=$_POST['icq'];
$aim=$_POST['aim'];
$avatar=$_POST['avatar'];
$query = "UPDATE `user_system` SET `msn` = '$msn', `icq` = '$icq', `aim` = '$aim', email = '$email' WHERE `user_system`.`id` = '$member_id' LIMIT 1 ;";
$result = mysql_query($query) or die("Problem with the query: $query<br>" . mysql_error());
// if successfully updated.
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='mc.php'>Back to Member Control</a>";
}

else {
echo "Error! Please Try Again<br>";
echo $result;
}
?>[/quote]
And it does not enter the data into the database, if i had something in the field already when i submit the update it does not work. The data from the form is not put into the database
Link to comment
https://forums.phpfreaks.com/topic/28215-mysqlphp-problem-fixed/
Share on other sites

Try to change your query to:

[code]

$query = "UPDATE `user_system` SET `msn` = '$msn', `icq` = '{$icq}', `aim` = '{$aim}', email = '{$email}' WHERE `user_system`.`id` = '{$member_id}'";

[/code]

Why LIMIT 1 ?? Are there multiple records with the same id ?
(If so, why call it id ?)
It can also add to the security features by using LIMIT, even if you know there's only going to be one row.  If you've forgotten to sanitise your input by using something like mysql_real_escape_string() then it will limit the damage.

Take the sql you have there as an example...

[code=php:0]$query = "UPDATE `user_system`
                  SET `msn` = '$msn',
                        `icq` = '{$icq}',
                        `aim` = '{$aim}',
                        `email` = '{$email}'
              WHERE `user_system`.`id` = '{$member_id}'";[/code]

Now imagine that I passed [color=red]%' OR ' '=' [/color] as the [color=green]member_id[/color] parameter.

That's going to make my SQL look like this:

[code=php:0]$query = "UPDATE `user_system`
                  SET `msn` = '$msn',
                        `icq` = '{$icq}',
                        `aim` = '{$aim}',
                        `email` = '{$email}'
              WHERE `user_system`.`id` = '%' OR ' '=' '";[/code]

By my calculation that's going to corrupt every single row in your database, by putting LIMIT in there, only one line at a time can be destroyed.

Regards
Huggie
its still not working, i've even rebuilt the database.
When i click submit on the form. It goes though but does not put the information from the form into the database. If there's something in that row it will be deleted eg.

BEFORE FORM UPDATED
__________________________________________
| msn                                    |  icq              |
|wowwowowwow@wow.com.au | 55674466      |
_________________________________________

AFTER
_________________________________________
| msn                                    |  icq              |
|                                          | 55674466      |
_________________________________________

The MSN Field was updated, but the data was not inserted.
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.