Simple PHP Problem

Discussion in 'PHP' started by nickharper, Oct 11, 2007.

  1. #1
    Hi,

    I currently have this:

    mysql_query("UPDATE drink SET `count=count+1` WHERE id = '$_GET["id"]'");
    What is wrong with it?

    Thanks
     
    nickharper, Oct 11, 2007
  2. nico_swd

    #2
    The backticks have to go around the field name only.
    The $_GET variable with the double quoted key will cause a parse error.
    The variable is (seemingly) not filtered and could allow SQL injection.

    Try this instead.
    
    mysql_query("
        UPDATE drink
        SET `count` = (`count` + 1)
        WHERE id = " . intval($_GET["id"])
    ) OR die(mysql_error());
    
    (Assuming $_GET['id'] will always hold a numeric value.)
     
    nico_swd, Oct 11, 2007
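
The same counter update written with strict validation and a bound parameter, as an added example that is not part of the original thread. It assumes PHP 7+ with the pdo_sqlite extension, uses an in-memory table in place of the poster's MySQL `drink` table, and the function name `incrementDrinkCount` is hypothetical. The loop prints what intval() would return for each constructed input next to the outcome of the strict check.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// an in-memory table stands in for the poster's MySQL `drink` table.

function incrementDrinkCount(PDO $db, $rawId): bool
{
    // Strict validation: unlike intval(), "5 OR 1=1" and "abc" are rejected
    // rather than silently coerced to 5 and 0.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // The id travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare('UPDATE drink SET `count` = `count` + 1 WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // A rowCount() of 0 means no row had that id.
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE drink (id INTEGER PRIMARY KEY, `count` INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO drink (id, `count`) VALUES (1, 0), (2, 7)');

// Constructed sample values standing in for $_GET["id"].
$samples = ['1', '2', '5 OR 1=1', 'abc', '', '99', null];
foreach ($samples as $raw) {
    $ok = incrementDrinkCount($db, $raw);
    printf("%-12s intval=%d updated=%s\n", var_export($raw, true), intval($raw), $ok ? 'yes' : 'no');
}

// Final state of the table after all sample requests.
foreach ($db->query('SELECT id, `count` FROM drink ORDER BY id') as $row) {
    printf("id=%d count=%d\n", $row['id'], $row['count']);
}
```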