Thursday, 15 May 2014

mysql - Updating with a form wont work php -



mysql - Updating with a form wont work php -

i trying create update form update notifications on database wont nil don't error means there nil wrong syntax maybe did wrong on query ?

code :

<?php include 'core/int.php'; admin_protect(); include 'includes/head.php'; include 'head.php'; include 'includes/body.php'; include 'body.php'; ?> <?php if(!isset($_post['submit'])){ $sql="select * notification id = $_get[edit]"; $data=mysql_query($sql); $not_data = mysql_fetch_array($data); } //what want update know vulnerable sql injection sick sanitize later if(isset($_post['submit'])){ $sql = "update notification set name = '$_post[name]' id = '$_post[id]'"; mysql_query($sql); } ?> <pre> <form action="" method="post"> <div class="input-group input-group-lg"> <span class="input-group-addon">name</span> <input type="text" name="name" class="form-control" value="<?php echo $not_data['name'];?>"> </div> <div class="input-group input-group-lg"> <span class="input-group-addon">date</span> <input type="text" name="date" class="form-control" value="<?php echo $not_data['date'];?>"> </div> <div class="input-group input-group-lg"> <span class="input-group-addon">content</span> <textarea type="text" name="content" class="form-control" rows="3"><?php echo $not_data['content'];?></textarea> </div> <div class="input-group input-group-lg"> <select class="form-control" name="active"> <?php if($not_data['active'] == 'active'){ echo ' <option>active</option> <option>not active</option> '; } else if($not_data['active'] == 'not active'){ echo '<option>not active</option> <option>active</option> '; }?> </select> </div> <div class="input-group input-group-lg"> <select class="form-control" name="new"> <?php if($not_data['new'] == 'new'){ echo ' <option>new</option> <option>old</option> '; } else if($not_data['new'] == 'old'){ echo '<option>old</option> <option>new</option> '; }?> </select> </div> <div class="input-group input-group-lg"> <select class="form-control" name="posted_by"> <option>sincearly , duckys inc team</option> <option>sincearly , <?php echo $user_data['username'];?></option> </select> </div> <div> <input type="hidden" name="id" value="<?php echo $_get['edit'];?>"> <input type="submit" value="edit" class="btn btn-primary btn-lg"> </div> <?php print_r($_post);?> </form> </pre>

try adding single quotes statement:

$sql="select * notification id = $_get[edit]";

to:

$sql="select * notification id = '$_get[edit]'";

on side note, opening injections. if $_get['edit'] supposed number, should either if(is_numeric($_get['edit'])) or preg_replace('/[^0-9]/',"",$_get['edit']) @ least.

same goes for:

"update notification set name = '$_post[name]' id = '$_post[id]'";

best case alter safe non-depricated mysql function list pdo or mysqli_. below simple db class give out has has helped folks switch on mysql (in case) pdo:

<?php class dbengine { public $con; public $errors; public function __construct($host="localhost",$db = "dbname",$user="db_username",$pass="mypassword") { seek { $this->con = new pdo("mysql:host=$host;dbname=$db",$user,$pass, array(pdo::attr_errmode => pdo::errmode_warning)); } grab (exception $e) { homecoming 0; } } // simple fetch , homecoming method public function fetch($_sql) { $query = $this->con->prepare($_sql); $query->execute(); $this->errors['fetch'][] = $query->errorinfo(); if($query->rowcount() > 0) { while($rows = $query->fetch(pdo::fetch_assoc)) { $array[] = $rows; } } homecoming (isset($array) && $array !== 0 && !empty($array))? $array: 0; } // simple write db method public function write($_sql) { $query = $this->con->prepare($_sql); $query->execute(); $this->errors['insert'][] = $query->errorinfo(); } } // initiate new dbengine app $query = new dbengine(); include('core/int.php'); admin_protect(); include('includes/head.php'); include('head.php'); include('includes/body.php'); include('body.php'); if(isset($_post['submit'])) $query->write("update notification set name = '".htmlentities($_post['name'], ent_quotes)."' id = '".preg_replace('/[^0-9]/',"",$_post['id'])."'"); else { if(is_numeric($_get['edit'])) $not_data = $query->fetch("select * notification id = '".$_get['edit']."'"); } if(isset($not_data) && $not_data !== 0) { ?> <pre> <form action="" method="post"> <div class="input-group input-group-lg"> <span class="input-group-addon">name</span> <input type="text" name="name" class="form-control" value="<?php echo $not_data[0]['name'];?>"> </div> <div class="input-group input-group-lg"> <span class="input-group-addon">date</span> <input type="text" name="date" class="form-control" value="<?php echo $not_data[0]['date'];?>"> </div> <div class="input-group input-group-lg"> <span class="input-group-addon">content</span> <textarea type="text" name="content" class="form-control" rows="3"><?php echo $not_data[0]['content'];?></textarea> </div> <div class="input-group input-group-lg"> <select class="form-control" name="active"><?php if($not_data[0]['active'] == 'active'){ ?> <option>active</option> <option>not active</option><?php } elseif($not_data['active'] == 'not active'){ ?> <option>not active</option> <option>active</option><?php } ?> </select> </div> <div class="input-group input-group-lg"> <select class="form-control" name="new"><?php if($not_data[0]['new'] == 'new') { ?> <option>new</option> <option>old</option><?php } elseif($not_data[0]['new'] == 'old') { ?> <option>old</option> <option>new</option><?php }?> </select> </div> <div class="input-group input-group-lg"> <select class="form-control" name="posted_by"> <option>sincearly , duckys inc team</option> <option>sincearly , <?php echo $user_data[0]['username'];?></option> </select> </div> <div> <input type="hidden" name="id" value="<?php echo strip_tags($_get['edit']);?>"> <input type="submit" name="submit" value="edit" class="btn btn-primary btn-lg"> </div> </form> <?php print_r($_get); print_r($_post); print_r($query->errors); ?> </pre> <?php } else { ?>invalid id.<?php } ?>

php mysql

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)