Simple Get function not working from URL

[Queueon]

Hi,

 

I'm going crazy with the following issue. I kept it simple for you to understand it quickly.

 

The URL: http://localhost/savescores.php?score=222

 

<?php

$score = strip_tags(mysql_real_escape_string($_GET['score']));

ECHO "Test 1";
ECHO "<h1>Your score is " . $_GET["score"] . "</h1>"; //Working!

ECHO "Test 2";
ECHO "<h1>Your score is $score</h1>";  //Not working!

?>

So the first echo test is working but its gets the information in another way as you can see.
I need the second test to work because then I will be able to write the variable back into a database using url vars on a later stage.

When I change the var $score manually to e.g. $score = '222'. Then all is working fine. I need it to work with the use of the URL.

Anyone who can help?

 

[Psycho]

Have you connected to the database? If not, mysql_real_escape_string() will not work (But, you should not be using the mysql_ functions anymore anyways). My guess is that the function is failing and returning FALSE (The Boolean value, not the string). Try running this to verify what, exactly $score contains:

var_dump($score);

Edited November 3, 2015 by Psycho

[mac_gyver]

mysql_real_escape_string() requires a database connection to work. therefore, you are getting a null value in $score and should be getting several php error messages.

 

so, three problems -

 

1) you need to have php's error_reporting set to E_ALL and display_errors set to ON in the php.ini on your development system so that php would help you by reporting and displaying all the errors that it detects. you will save a ton of time.

 

2) don't use any database escape string function until right before you put data into your sql query statement (it's actually better to use prepared queries anyways.)

 

3) the msyql_ functions are obsolete and will be removed from php soon. you need to learn using the PDO (the best choice) or the mysqli_ database functions so that what you are learning isn't already out of date.

[Queueon]

Thanks for the answers. As you might have noticed I'm a newbie and didn't realise that GET needs a connection.

However, in my original code I'm having the same issue. The DB is updated with nothing or an empty string. At least it is connected.

<?php

$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "dbname";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}

//$id = strip_tags(mysql_real_escape_string($_GET['id']));
$score = strip_tags(mysql_real_escape_string($_GET['score']));

$sql = "UPDATE users SET score_03='$score' WHERE id=2";

if ($conn->query($sql) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}

$conn->close();
?>

I will take your suggestions in consideration and step back to learn more about PDO or mysqli.

Thanks a lot.

[Ch0cu3r]

 

As you might have noticed I'm a newbie and didn't realise that GET needs a connection.

No, You misunderstood Psycho and mac_gyver replies please read them again.

 

 

I'm having the same issue. The DB is updated with nothing or an empty string. At least it is connected.

Yes you are connected to the DB using mysqli (mysql improved). But you are using mysql_real_escape_string function which is not compatible with MySQLi Improved.  The mysql_ functions and mysqli_ functions (note the i after mysql) are not compatible with each other.

 

The mysql improved equivalent is mysqli_real_escape_string (has an i after mysql).

 

However reading your post score should only contain a number, then you should not be using mysqli_real_escape_string. This function is should only be used for escaping string values, such as a persons name, contents of a blog post etc. Not for numbers. What you should do is only insert the new score value if $_GET['score'] is in fact a number.

// validate $_GET['score'] exists and consist of digits
if(isset($_GET['score']) && ctype_digit($_GET['score']))
{
   // assign $_GET['score'] to $score and convert to an integer (whole number)
   $score = intval($_GET['score']);

   $sql = "UPDATE users SET score_03='$score' WHERE id=2";

   if ($conn->query($sql) === TRUE) {
      echo "Record updated successfully";
   } else {
      echo "Error updating record: " . $conn->error;
   }
}
else
{
    echo "Submitted score is invalid";
}

Edited November 4, 2015 by Ch0cu3r

[Queueon]

Alright I tested your code and it's working exactly how I need it.

In the meanwhile, for me this is still a real brain breaker and luckily for now I don't need much more code for my application (Construct 2).

 

I think I would have been trying for another few weeks by myself.

 

In the other hand, it's definitely interesting to know more about MySQL.

Do you have a book or site as a reference for me to start reading from the beginning and not dive straight into it like I'm doing now?

 

Many thanks Ch0cu3r, Psycho and Mc_gyver for your help. I'd need pay you a beer someday.