Mysql/PHP problem *FIXED*


sk1tL1L


The Code:
[quote]<?php
$email=$_POST['email'];
$msn=$_POST['msn'];
$icq=$_POST['icq'];
$aim=$_POST['aim'];
$avatar=$_POST['avatar'];
$query = "UPDATE `user_system` SET `msn` = '$msn', `icq` = '$icq', `aim` = '$aim', email = '$email' WHERE `user_system`.`id` = '$member_id' LIMIT 1 ;";
$result = mysql_query($query) or die("Problem with the query: $query<br>" . mysql_error());
// if successfully updated.
if($result){
echo "Successful";
echo "<BR>";
echo "<a href='mc.php'>Back to Member Control</a>";
}

else {
echo "Error! Please Try Again<br>";
echo $result;
}
?>[/quote]
And it does not enter the data into the database. If I had something in the field already when I submit the update, it does not work. The data from the form is not put into the database.

It can also add to the security features by using LIMIT, even if you know there's only going to be one row.  If you've forgotten to sanitise your input by using something like mysql_real_escape_string() then it will limit the damage.

Take the sql you have there as an example...

[code=php:0]$query = "UPDATE `user_system`
                  SET `msn` = '$msn',
                        `icq` = '{$icq}',
                        `aim` = '{$aim}',
                        `email` = '{$email}'
              WHERE `user_system`.`id` = '{$member_id}'";[/code]

Now imagine that I passed [color=red]%' OR ' '=' [/color] as the [color=green]member_id[/color] parameter.

That's going to make my SQL look like this:

[code=php:0]$query = "UPDATE `user_system`
                  SET `msn` = '$msn',
                        `icq` = '{$icq}',
                        `aim` = '{$aim}',
                        `email` = '{$email}'
              WHERE `user_system`.`id` = '%' OR ' '=' '";[/code]

By my calculation that's going to corrupt every single row in your database. By putting LIMIT in there, only one line at a time can be destroyed.

Regards
Huggie
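
The point in the post above about unsanitised input, as an added example that is not part of the original thread: the same UPDATE run through a PDO prepared statement and fed the `%' OR ' '=' ` value as the member id. The in-memory SQLite database, the `update_contact` helper and the sample rows are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the thread. PDO with an in-memory SQLite
// database so it runs offline; against MySQL only the DSN changes.
// Table and column names follow the thread; the sample rows are constructed.

function update_contact(PDO $db, string $memberId, array $post): int
{
    // Placeholders keep the data out of the SQL text, so quotes in any
    // value cannot change the shape of the WHERE clause.
    // On MySQL you can still append LIMIT 1; SQLite's default build
    // does not accept LIMIT on UPDATE, so it is left out here.
    $stmt = $db->prepare(
        'UPDATE user_system
            SET msn = :msn, icq = :icq, aim = :aim, email = :email
          WHERE id = :id'
    );
    $stmt->execute([
        ':msn'   => $post['msn']   ?? '',
        ':icq'   => $post['icq']   ?? '',
        ':aim'   => $post['aim']   ?? '',
        ':email' => $post['email'] ?? '',
        ':id'    => $memberId,
    ]);
    return $stmt->rowCount();   // number of rows the UPDATE touched
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_system (id INTEGER PRIMARY KEY, msn TEXT, icq TEXT, aim TEXT, email TEXT)');
$db->exec("INSERT INTO user_system VALUES (1, 'a@example.com', '111', 'a', 'a@example.com'),
                                           (2, 'b@example.com', '222', 'b', 'b@example.com')");

// Constructed form input, including a value with a quote in it.
$post = ['msn' => "o'brien@example.com", 'icq' => '333', 'aim' => 'x', 'email' => 'x@example.com'];

// The member_id value from the post above: bound as data, it is compared
// against id as one literal string instead of being parsed as SQL.
$hit = update_contact($db, "%' OR ' '=' ", $post);
echo "injection attempt changed $hit row(s)\n";

// A legitimate id goes through the same statement.
$hit = update_contact($db, '1', $post);
echo "normal update changed $hit row(s)\n";

$other = $db->query('SELECT msn FROM user_system WHERE id = 2')->fetchColumn();
echo "row 2 msn is $other\n";
```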

It's still not working; I've even rebuilt the database.
When I click submit on the form, it goes through but does not put the information from the form into the database. If there's something in that row it will be deleted, e.g.

BEFORE FORM UPDATED
___________________________________________
| msn                     | icq           |
| wowwowowwow@wow.com.au  | 55674466      |
___________________________________________

AFTER
___________________________________________
| msn                     | icq           |
|                         | 55674466      |
___________________________________________

The MSN Field was updated, but the data was not inserted.