Hi guys. I have a problem with PHP coding:

```php
<?php
$host = "localhost";   // Host name
$username = "root";    // MySQL username
$password = "13524";   // MySQL password
$db_name = "chat_db";  // Database name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");
?>
```

I'm making a little chat script which handles users' information: nickname, gender, birthday, bla bla. The registration form works fine. But when users are on their user panel, they can't edit their profile. Take into account that this is just a pretty simple test and my first script. Here is the code snippet:

```html
<form action="changeuser.php" method="GET">
<input type="text" name="my_name"> <br>
<input type="text" name="my_birthday"><br>
<input type="text" name="my_points"><br>
<input type="submit" value="submit">
</form>
```

After that:

```php
<?
$sel = "SELECT id, name, birthday, points FROM chat_users ORDER BY id;";
$result = mysql_query($sel);
while ($cht = mysql_fetch_object($result)) {
    echo $cht->id.". ";
    echo "<a href=\"changeuser.php\">".$cht->name."</a><br>";
}
mysql_close($db);
?>
```

But when I then click on a user's name and try to edit, I use this code:

```php
if ($_POST['submit']) {
    $username = $_POST['my_name'];
    $upd = "UPDATE chat_users SET name = '$username', birthday = '$birthday', points = '$points' WHERE name = $_POST['my_name']";
```

I can't get it working. I can display the usernames as links, and then by clicking on their nicks I want to edit their names and other data. Any help please?
Try this:

```php
$name = $_POST['my_name'];
$upd = "UPDATE chat_users SET name = '$username', birthday = '$birthday', points = '$points' WHERE name = '$name'";
mysql_query($upd);
```
Why would you advise him to use an SQL statement that will expose his web site to an SQL Injection attack? Bad code. Don't use.
I was simply helping him. He asked why his code wasn't working and I simply modified his code; making the SQL safe is up to him and not something I should have to worry about. You, on the other hand, are not contributing to the thread at all. Why not give him an example of how to make it safe, since it's so important?
I think I just did contribute. The SQL code contains a security hole. Google "SQL Injection". It's dangerous to inject a variable that is defined by the visitor directly into SQL code. Anyone can add to the SQL statement, giving them full access to your database to perform any CRUD functions that you can.
I am completely aware of what SQL injection is. Since NetStar doesn't seem to want to contribute, here is some help, even though I think it's up to the user to figure this out. Use mysql_escape_string() around your $name variable before using it in the SQL statement. I also like to use htmlentities and trim if you are planning on displaying the inputted value anywhere on the site. When I do work on my own sites or clients' sites I like to use a complete function to do several of these things and log possible hacking attempts by parsing. Good?
Not working:

```php
$name = $_POST['my_name'];
$upd = "UPDATE chat_users SET name = '$username', birthday = '$birthday', points = '$points' WHERE name = '$name'";
```

Just a question. Let's say $oldname = "oldname", the name that already exists in the actual database, and this one should be changed. When I use the WHERE statement, should I compare in this WHERE with $oldname or with the new value typed by the user while changing the user? I'm confused about it.
You should compare it with the old name. It's probably better to use the user's id, if you have ids in your table.
Here you go: http://sourcecodedb.com Please tell me if you can get any SQL in there, and tell me if it's not enough.
```php
$nameid = mysql_result(mysql_query("SELECT ID FROM chat_users WHERE name = '$oldname'"), 0);
// Before using mysql_result you could do an if statement with mysql_num_rows to see if there actually is a match.
$name = $_POST['my_name'];
$upd = "UPDATE chat_users SET name = '$username', birthday = '$birthday', points = '$points' WHERE ID = '$nameid'";
mysql_query($upd);
```

Yes, maybe something like that ^. Actually, is it the new name that's being posted? Then do this:

```php
$nameid = mysql_result(mysql_query("SELECT ID FROM chat_users WHERE name = '$oldname'"), 0);
// Before using mysql_result you could do an if statement with mysql_num_rows to see if there actually is a match.
$name = $_POST['my_name'];
$upd = "UPDATE chat_users SET name = '$name', birthday = '$birthday', points = '$points' WHERE ID = '$nameid'";
mysql_query($upd);
```
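The following is an added example, not code from anyone in this thread. It shows in runnable form what the SQL injection warning earlier in the thread means for exactly the UPDATE statement being discussed, and why the later advice (key the UPDATE on the row id, and compare against the old identity rather than the newly typed name) fixes both problems. The thread's code is PHP on the old mysql_* extension (removed in PHP 7); this example uses Python with an in-memory SQLite database so it runs offline. The chat_users table and its three sample rows are constructed here, and the function names are the example's own. The safe version uses parameterised queries, which the thread itself does not mention; in PHP the equivalent is a PDO or mysqli prepared statement.

```python
import sqlite3

# Constructed sample rows standing in for the thread's chat_users table.
SAMPLE_USERS = [
    (1, "alice", "1990-01-01", 10),
    (2, "bob", "1985-05-05", 20),
    (3, "carol", "1992-09-09", 30),
]


def fresh_db():
    """Return a new in-memory database holding the constructed chat_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE chat_users ("
        "id INTEGER PRIMARY KEY, name TEXT, birthday TEXT, points INTEGER)"
    )
    conn.executemany("INSERT INTO chat_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def update_unsafe(conn, old_name, new_name, birthday, points):
    """The pattern from the thread: form values pasted straight into the SQL text.

    Whatever the visitor types becomes part of the statement, so a value such
    as  x' OR '1'='1  turns the WHERE clause into  WHERE name = 'x' OR '1'='1'
    and the UPDATE hits every row. Returns the number of rows changed.
    """
    sql = (
        f"UPDATE chat_users SET name = '{new_name}', birthday = '{birthday}', "
        f"points = '{points}' WHERE name = '{old_name}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_safe(conn, user_id, new_name, birthday, points):
    """Parameterised UPDATE keyed on the row id, as advised later in the thread.

    The values travel to the driver separately from the SQL text, so quotes or
    keywords inside them are stored literally and cannot alter the statement.
    Keying on the id also removes the old-name/new-name confusion: the form
    carries the id of the row being edited, and the name field is free to change.
    Returns the number of rows changed (0 means no such id).
    """
    cur = conn.execute(
        "UPDATE chat_users SET name = ?, birthday = ?, points = ? WHERE id = ?",
        (new_name, birthday, points, user_id),
    )
    conn.commit()
    return cur.rowcount


def names(conn):
    """Current names in id order, for inspecting the effect of each update."""
    return [row[0] for row in conn.execute("SELECT name FROM chat_users ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    # Comparing WHERE against the *new* name, as the original post did, matches nothing.
    print("rows touched when WHERE uses the new name:",
          update_unsafe(db, "robert", "robert", "1985-05-05", 25))
    # Injected "old name" rewrites every user in the table.
    print("rows touched by injected input:",
          update_unsafe(db, "x' OR '1'='1", "hacked", "2000-01-01", 0), names(db))
    db = fresh_db()
    # The same hostile string is just data once the query is parameterised.
    print("rows touched by parameterised update:",
          update_safe(db, 2, "x' OR '1'='1", "2000-01-01", 0), names(db))
```

Run it and compare the three lines: the first shows the original post's WHERE-on-new-name bug (zero rows), the second shows the injection reaching all three rows, and the third shows the parameterised statement changing only the row with id 2 and storing the hostile string as a plain name.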