i want to update my sql many times and for that i am creating a script. i created a from with things that need to be updated. i tried this coding: $f=mysql_db_query("database_name","SELECT runs FROM table_name WHERE player=$_POST[name]"); mysql_db_query("database_name","UPDATE table_name SET runs=$f+$_POST[runs] WHERE player=$_POST[name]"); Code (markup): when i use this runs are updated but the are not added with previous data. actually i have problem with SELECT as well like if: runs=1 $_POST[runs]=5 updated runs=5 can anyone help?
mysql_db_query("database_name","UPDATE table_name SET runs=runs+$_POST[runs] WHERE player=$_POST[name]"); Code (markup):
First of all, DON'T use mysql_db_query, it is deprecated, and is removed in PHP 6.0.0. So it's not future/upgrade proof Secondly, try this: mysql_query("UPDATE table_name SET runs = (runs+".$_POST['runs'].") WHERE player = '".$_POST['name']." LIMIT 1'); Code (markup): I've put the calculation of runs int parentheses, parsing the variable outside the string (make sure that $_POST['runs'] is an int![/b]), and $_POST['name'] is also parsed outside the sql string. Also put in LIMIT 1 to make sure it doesn't affect multiple rows. Remember to strip and escape your post-variables before using them in an sql string (as well as checking if 'runs' is an integer with is_numeric()). Also remember that you cannot use $_POST[runs]. You have to use $_POST['runs']. It might now show an error, but is saves an error in the log which makes parsing slower.
Yes, you shouldn't be inserting unsanitised POST data directly into your SQL query, that could be asking for trouble!
i have this script that is suppose to update database well it updates ok but when done all i get is a blank page. can you see any errors cheers Doug <body> <? // START PHP CODES. THIS PART MUST ON THE TOP OF THIS PAGE. // Connect database. include("connectdb.php"); // ***** This part will process when you Click on "Submit" button ***** // Check, if you clicked "Submit" button if($_POST['Submit']){ // Get parameters from form. $id=$_POST['id']; $item=$_POST['item']; // Do update statement. mysql_query("update products set item='$item' where id='$id'"); // Re-direct this page to select.php. header("location:select.php"); exit; } // ************* End update part ************* // *** Select data to show on text fields in form. *** // Get id parameter (GET method) from select.php $id=$_GET['id']; // Get records in all columns from table where column id equal in $id and put it in $result. $result=mysql_query("select * from products where id='$id'"); // Split records in $result by table rows and put them in $row. $row=mysql_fetch_assoc($result); // Close database connection. mysql_close(); ?> <!-- END OF PHP CODES AND START HTML TAGS --> <html> <body> <!-- set this form to POST method and target this form to itself ($PHP_SELF;)--> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <p>Record : <!-- name of this text field is "name" --> <input name="id" type="text" id="id" value="<? echo $row['id']; ?>"/> <br /> <p>Item : <!-- name of this text field is "name" --> <input name="item" type="text" id="item" value="<? echo $row['item']; ?>"/> <br /> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body> </html> PHP:
That is because the html output is started before you change the header. <body> <? ..... header("location:select.php"); exit; } Code (markup): Se how <body> is written before headers are sent. Headers should always be sent first This will work: <? // START PHP CODES. THIS PART MUST ON THE TOP OF THIS PAGE. // Connect database. include("connectdb.php"); // ***** This part will process when you Click on "Submit" button ***** // Check, if you clicked "Submit" button if($_POST['Submit']){ // Get parameters from form. $id=$_POST['id']; $item=$_POST['item']; // Do update statement. mysql_query("update products set item='$item' where id='$id'"); // Re-direct this page to select.php. header("location:select.php"); die(); } // ************* End update part ************* // *** Select data to show on text fields in form. *** // Get id parameter (GET method) from select.php $id=$_GET['id']; // Get records in all columns from table where column id equal in $id and put it in $result. $result=mysql_query("select * from products where id='$id'"); // Split records in $result by table rows and put them in $row. $row=mysql_fetch_assoc($result); // Close database connection. mysql_close(); ?> <!-- END OF PHP CODES AND START HTML TAGS --> <html> <body> <!-- set this form to POST method and target this form to itself ($PHP_SELF;)--> <form id="form1" name="form1" method="post" action="<? echo $PHP_SELF; ?>"> <p>Record : <!-- name of this text field is "name" --> <input name="id" type="text" id="id" value="<? echo $row['id']; ?>"/> <br /> <p>Item : <!-- name of this text field is "name" --> <input name="item" type="text" id="item" value="<? echo $row['item']; ?>"/> <br /> <p> <input type="submit" name="Submit" value="Submit" /> </p> </form> </body> </html> PHP: However, it amazes me how many uses unsanitized inputs. It would take me 15 seconds to hack your site because of that. That's a serious security issue!
I'm no hacker, OK, but I just want to reiterate that it's not safe to put POST data direct into your query like that. Here's a lame example that wouldn't work, but illustrates the point - what if someone came along and entered the words " 'ADMIN' AND ADMIN=TRUE" into the Name field. The query would now read, "WHERE player = 'ADMIN' and ADMIN = TRUE". Supposing you kept such data in that table, a hacker might be able to list data from your dbase that you didn't want shown, or even do some real damage. Sure, the chances of someone having a pop at your site are small, and there probably isn't much damage they could do, but it's just the principle - you should always use a function like http://php.net/manual/en/function.mysql-real-escape-string.php to make the data safe before putting it in a query. Also, a good practice is to check whether the string is valid - for example, if it has spaces in then reject it outright since user/player names should not have them. Just good practice, though I bet if I looked at some of my old code I would find some similar things... I only recently found a search box on one of my sites that was TOTALLY unsanitised...
Good advice but here players are names i added in the sql. i am using this script for personal use only so no one knows my link where i am using the script anyways thx. or if i take your advice wrong plz tell me
Oh, just making sure you know about this - generally people react with horror when they see $_POST getting put direct in the sql - it's just a matter of good practice. You are probably right that there is not much damage could be done that way, though I am not sure if for example someone can inject "DROP table" or "DROP dbase" this way. That would be worse. But if it's private anyway, no big deal.
markowe: I wrote that in my first post arpit32: Every post parameter can be interacted with - if a hacker sees that you're using the post value "player", it takes two seconds to hack, even if it's a hidden field (you can just use the Firebug plugin in Firefox to change that anyways!) or set somewhere else. Post is a part of the http-stream, which means it is open for the public to interact with (making your solution with unsanitized use of inputs very vulnerable)