Simple PHP Problem

Discussion in 'PHP' started by nickharper, Oct 11, 2007.

  1. #1
    Hi,

    I currently have this:

    mysql_query("UPDATE drink SET `count=count+1` WHERE id = '$_GET["id"]'");
    What is wrong with it?

    Thanks

    Edit: This has been fixed
     
    nickharper, Oct 11, 2007 IP
  2. tamen

    tamen Peon (Messages: 182, Likes Received: 4, Best Answers: 0, Trophy Points: 0)
    #2
    Try this:

    mysql_query("UPDATE drink SET `count=count+1` WHERE id = '.$_GET["id"].'");
     
    tamen, Oct 11, 2007 IP
  3. nico_swd

    nico_swd Prominent Member (Messages: 4,153, Likes Received: 344, Best Answers: 18, Trophy Points: 375)
    #3
    nico_swd, Oct 11, 2007 IP
  4. tamen

    tamen Peon (Messages: 182, Likes Received: 4, Best Answers: 0, Trophy Points: 0)
    #4
    Ah yes. Missed the quotes. I mainly use single-quotes.

    And I see it's fixed already.
     
    tamen, Oct 11, 2007 IP
  5. zenglider

    zenglider Peon (Messages: 18, Likes Received: 1, Best Answers: 0, Trophy Points: 0)
    #5
    Wow, this line of code is ripe for being exploited. You're taking input directly from a GET, which isn't good. This code can possibly be used for SQL injection. Vet the input before you use it.

    $id = mysql_real_escape_string(stripslashes($_GET["id"]));
    mysql_query("UPDATE drink SET count = count + 1 WHERE id = '$id'");

    Never trust input from a user.


    Zen
     
    zenglider, Oct 11, 2007 IP
  6. nico_swd

    nico_swd Prominent Member (Messages: 4,153, Likes Received: 344, Best Answers: 18, Trophy Points: 375)
    #6
    This won't work either because "count" is a registered keyword, and needs to be enclosed in backticks.
     
    nico_swd, Oct 11, 2007 IP
  7. roosevelt

    roosevelt Active Member (Messages: 73, Likes Received: 0, Best Answers: 0, Trophy Points: 91)
    #7
    This will get rid of the count problem

    $id = mysql_real_escape_string(stripslashes($_GET["id"]));
    mysql_query("UPDATE drink SET drink.count = drink.count + 1 WHERE drink.id = '$id'");
     
    roosevelt, Oct 11, 2007 IP
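The following is an added example, not code posted by anyone in this thread. It shows the same "increment a drink's count" update written the way the advice in posts #5 and #7 is applied today: the id is vetted as an integer before it is used, the `count` column is quoted with backticks, and the value travels to the database as a bound parameter of a PDO prepared statement rather than being pasted into the SQL string. The `mysql_*` functions used in the thread (including `mysql_real_escape_string`) were removed in PHP 7, so PDO is used instead. The table name, columns, sample rows and request values are all constructed for this demo; it runs stand-alone against an in-memory SQLite database (requires the `pdo_sqlite` extension).

```php
<?php
// Added example (not from the thread): parameterized version of the
// "UPDATE drink SET count = count + 1 WHERE id = ..." query.
declare(strict_types=1);

function openDemoDb(): PDO
{
    // Constructed demo schema; a real application would connect to MySQL here.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // `count` is quoted with backticks so the column name is never read as
    // the COUNT() function, which is the concern raised in the thread.
    $db->exec('CREATE TABLE drink (id INTEGER PRIMARY KEY, name TEXT, `count` INTEGER NOT NULL DEFAULT 0)');
    $db->exec("INSERT INTO drink (id, name, `count`) VALUES (1, 'coffee', 0), (2, 'tea', 5)");
    return $db;
}

/**
 * Vet the input first: the id must be a positive integer. Anything else is
 * rejected before it gets anywhere near SQL. Returns null for invalid input.
 */
function parseDrinkId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Increment the count of one drink. The id is bound as a parameter, so it is
 * never part of the SQL text and no manual escaping is needed.
 * Returns the number of rows updated (0 when the id is invalid or unknown).
 */
function incrementDrinkCount(PDO $db, string $rawId): int
{
    $id = parseDrinkId($rawId);
    if ($id === null) {
        return 0; // invalid input is refused, not escaped
    }
    $stmt = $db->prepare('UPDATE drink SET `count` = `count` + 1 WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

/** Read back a drink's count, or null if no such drink exists. */
function getDrinkCount(PDO $db, int $id): ?int
{
    $stmt = $db->prepare('SELECT `count` FROM drink WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (int) $value;
}

// Demo: constructed values standing in for $_GET["id"]. A stray quote or
// non-numeric text is simply rejected instead of breaking the query.
$db = openDemoDb();
foreach (['1', '2', '42', "1'", 'abc'] as $requestId) {
    $updated = incrementDrinkCount($db, $requestId);
    printf("id=%-6s updated rows: %d\n", var_export($requestId, true), $updated);
}
printf("coffee count is now %d, tea count is now %d\n", getDrinkCount($db, 1), getDrinkCount($db, 2));
```

Running it updates one row for `'1'` and `'2'`, zero rows for the unknown id `'42'`, and zero rows for `"1'"` and `'abc'`, which never reach the database; coffee ends at 1 and tea at 6. Validating the id as an integer and binding it as a parameter are independent defences: the first rejects anything that is not an id at all, the second guarantees that whatever value is bound can only ever be compared against the column, never interpreted as SQL.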