[PHP] UPDATE and redirect

2007-04-11 Thread marcelo Wolfgang

Hi all,

I'm new to this list and new to php programming so sorry if I do 
something wrong here :)


Ok, now to my problem.

I've created a query to update a mysql db, and it isn't working, and 
it's not throwing me any errors, so I need some help to figure out 
what's wrong here. My code follows :


<?php
if ($_GET['act'] = 'a') {
    $action = 1;
} else if ($_GET['act'] = 'd') {
    $action = 0;
}
$id = $_GET['id'];

mysql_connect("localhost", "", "") or die(mysql_error());
mysql_select_db("taiomara_emailList");
$email_Query = mysql_query("UPDATE 'tb_emails' SET 'bol_active' = $action WHERE `auto_id` = $id");

mysql_close();
?>

The page is executed, but it doesn't update the table ... I've tried with 
the '' and without it (the phpmyadmin page is where I got the idea of 
using the ''). Any clues?


Also, how can I make a redirect after the query has run ?

TIA
Marcelo Wolfgang

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] UPDATE and redirect

2007-04-11 Thread Brad Bonkoski

marcelo Wolfgang wrote:

> Hi all,
>
> I'm new to this list and new to php programming so sorry if I do 
> something wrong here :)
>
>
> Ok, now to my problem.
>
> I've created a query to update a mysql db, and it isn't working, and 
> it's not throwing me any errors, so I need some help to figure out 
> what's wrong here. My code follows :
>
>
> <?php
> if ($_GET['act'] = 'a') {
>     $action = 1;
> } else if ($_GET['act'] = 'd') {
>     $action = 0;
> }
> $id = $_GET['id'];
>
> mysql_connect("localhost", "", "") or die(mysql_error());
> mysql_select_db("taiomara_emailList");
> $email_Query = mysql_query("UPDATE 'tb_emails' SET 'bol_active' = $action WHERE `auto_id` = $id");

I think you want to use back ticks for the table and column names, not 
single quotes.  (On my keyboard this is to the left of the '1' key)
Another good idea when having query problems is to put the query into 
its own variable and echo it out..

like:
$sql = "UPDATE `tb_emails` SET `bol_active` = $action WHERE `auto_id` = $id";

echo "$sql<br/>\n";

>
> mysql_close();
> ?>
>
> The page is executed, but it doesn't update the table ... I've tried 
> with the '' and without it (the phpmyadmin page is where I got the 
> idea of using the ''). Any clues?
>
>
> Also, how can I make a redirect after the query has run ?
>
> TIA
> Marcelo Wolfgang






Re: [PHP] UPDATE and redirect

2007-04-11 Thread Fredrik Thunberg

marcelo Wolfgang wrote:

> Hi all,
>
> I'm new to this list and new to php programming so sorry if I do 
> something wrong here :)
>
>
> Ok, now to my problem.
>
> I've created a query to update a mysql db, and it isn't working, and 
> it's not throwing me any errors, so I need some help to figure out 
> what's wrong here. My code follows :
>
>
> <?php
> if ($_GET['act'] = 'a') {
>     $action = 1;
> } else if ($_GET['act'] = 'd') {
>     $action = 0;
> }

Don't use =, use == (or in some cases ===).
= is for assignment.

Also, what if $_GET['act'] is neither 'a' nor 'd'?

> $id = $_GET['id'];

Again, what if $_GET['id'] is null?

> mysql_connect("localhost", "", "") or die(mysql_error());
> mysql_select_db("taiomara_emailList");
>
> $email_Query = mysql_query("UPDATE 'tb_emails' SET 'bol_active' = $action WHERE `auto_id` = $id");

Use backticks if you think you need them.
In this case you don't.

$sql = "UPDATE `tb_emails` SET `bol_active` = $action WHERE `auto_id` = $id";

echo "DEBUG: $sql";

$email_Query = mysql_query($sql);

This is how to get the error:

if (!$email_Query)
    echo mysql_error();

> mysql_close();
> ?>
>
> The page is executed, but it doesn't update the table ... I've tried with 
> the '' and without it (the phpmyadmin page is where I got the idea of 
> using the ''). Any clues?
>
>
> Also, how can I make a redirect after the query has run ?

header("Location: http://www.foobar.com");

Will work as long as you don't print out any output whatsoever to the 
browser before this line of code.

> TIA
> Marcelo Wolfgang



/T




Re: [PHP] UPDATE and redirect

2007-04-11 Thread marcelo Wolfgang

Hi,

It's fixed, I think the problem was with the '==' ... I have to remember 
that in PHP this is like ActionScript.



> Also, what if $_GET['act'] is neither 'a' nor 'd'?
> Again, what if $_GET['id'] is null?


The only way to not be 'a' or 'd' or to be null is if someone messes with 
the URL, which should throw an error anyway and not run the query.
The link that gets me to this page where the code is executed is 
generated to have these options.


Thanks for the replies




Re: [PHP] UPDATE and redirect

2007-04-11 Thread Zoltán Németh
On Wednesday, 2007-04-11, at 16:57, Fredrik Thunberg wrote:
> marcelo Wolfgang wrote:
> > Hi all,
> >
> > I'm new to this list and new to php programming so sorry if I do 
> > something wrong here :)
> >
> > Ok, now to my problem.
> >
> > I've created a query to update a mysql db, and it isn't working, and 
> > it's not throwing me any errors, so I need some help to figure out 
> > what's wrong here. My code follows :
> >
> > <?php
> > if ($_GET['act'] = 'a') {
> >     $action = 1;
> > } else if ($_GET['act'] = 'd') {
> >     $action = 0;
> > }
>
>
> Don't use =, use == (or in some cases ===).
> = is for assignment.
>
> Also, what if $_GET['act'] is neither 'a' nor 'd'?
>
>
> > $id = $_GET['id'];
> >
>
> Again, what if $_GET['id'] is null?

and what if $_GET['id'] is something like
1; DROP TABLE tb_emails;
??

SQL injection just waits to happen

greets
Zoltán Németh

 
> > mysql_connect("localhost", "", "") or die(mysql_error());
> > mysql_select_db("taiomara_emailList");
>
> > $email_Query = mysql_query("UPDATE 'tb_emails' SET 'bol_active' = $action WHERE `auto_id` = $id");
>
> Use backticks if you think you need them.
> In this case you don't.
>
> $sql = "UPDATE `tb_emails` SET `bol_active` = $action WHERE `auto_id` = $id";
>
> echo "DEBUG: $sql";
>
> $email_Query = mysql_query($sql);
>
> This is how to get the error:
>
> if (!$email_Query)
>     echo mysql_error();
>
>
> > mysql_close();
> > ?>
> >
> > The page is executed, but it doesn't update the table ... I've tried with 
> > the '' and without it (the phpmyadmin page is where I got the idea of 
> > using the ''). Any clues?
> >
> > Also, how can I make a redirect after the query has run ?
> >
>
> header("Location: http://www.foobar.com");
>
> Will work as long as you don't print out any output whatsoever to the 
> browser before this line of code.
>
>
> > TIA
> > Marcelo Wolfgang
> >
>
> /T
>




Re: [PHP] UPDATE and redirect

2007-04-11 Thread Marcelo Wolfgang

> and what if $_GET['id'] is something like
> 1; DROP TABLE tb_emails;
> ??
>
> SQL injection just waits to happen


I think that it will be too much of a hacker effort just to kill a table 
of contact emails, and also he will have to guess (is there another way?) 
the table name, but just to be on the safer side:


- Is there a way to say that id can only be a number?

something like $id:Number = $_GET['id']?

TIA




Re: [PHP] UPDATE and redirect

2007-04-11 Thread Lori Lay

Marcelo Wolfgang wrote:

> > and what if $_GET['id'] is something like
> > 1; DROP TABLE tb_emails;
> > ??
> >
> > SQL injection just waits to happen
>
>
> I think that it will be too much of a hacker effort just to kill a 
> table of contact emails, and also he will have to guess (is there 
> another way?) the table name, but just to be on the safer side:
>
>
> - Is there a way to say that id can only be a number?
>
> something like $id:Number = $_GET['id']?
>
> TIA


If your id should only have digits in it, use

if (! ctype_digit($_GET['id'])) {
   print "invalid parameter error message or exit or whatever";
}

This doesn't work with negative integers - it really checks to make sure 
that there are only digits, but it is very handy for validating GET or 
POST variables.


There are other ctype functions as well...

Lori




Re: [PHP] UPDATE and redirect

2007-04-11 Thread Zoltán Németh
On Wednesday, 2007-04-11, at 17:36, Marcelo Wolfgang wrote:
> > and what if $_GET['id'] is something like
> > 1; DROP TABLE tb_emails;
> > ??
> >
> > SQL injection just waits to happen
>
> I think that it will be too much of a hacker effort just to kill a table 
> of contact emails, and also he will have to guess (is there another way?) 
> the table name, but just to be on the safer side:
>
> - Is there a way to say that id can only be a number?
>
> something like $id:Number = $_GET['id']?

that was just an example, any kind of hacker SQL code can be put
there...

if $id should be a number typecast it to int like this:

$id = (int) $_GET['id'];

greets
Zoltán Németh

 
> TIA
 




Re: [PHP] UPDATE and redirect

2007-04-11 Thread Marcelo Wolfgang


> and what if $_GET['id'] is something like
> 1; DROP TABLE tb_emails;
> ??
>
> SQL injection just waits to happen


Something I just thought of: could he do a drop table inside an update 
statement? Because the query is:


UPDATE tb_emails SET bol_active = $action WHERE auto_id = $id

so if he changed the $action or the $id, it will be inside the UPDATE; 
doesn't changing any of the variables to a DROP TABLE just give an error?


TIA
Marcelo




Re: [PHP] UPDATE and redirect

2007-04-11 Thread Lori Lay

Marcelo Wolfgang wrote:


> > and what if $_GET['id'] is something like
> > 1; DROP TABLE tb_emails;
> > ??
> >
> > SQL injection just waits to happen
>
>
> Something I just thought of: could he do a drop table inside an update 
> statement? Because the query is:
>
>
> UPDATE tb_emails SET bol_active = $action WHERE auto_id = $id
>
> so if he changed the $action or the $id, it will be inside the UPDATE; 
> doesn't changing any of the variables to a DROP TABLE just give an 
> error?
>
>
> TIA
> Marcelo


No.  That's why he put the semi-colon after the 1.

It becomes

update tb_emails set bol_active = $action where auto_id = 1; drop table 
tb_emails;


That's two separate statements that will be happily executed if you're 
not careful.


Try it (on a scratch table).

Lori

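Lori's point about the injected second statement and Zoltán's (int) cast, as an added PHP example that is not from the thread. One caveat a practitioner should know: the mysql_query() the poster is using sends exactly one statement and refuses a second one (and the whole mysql_* extension was removed in PHP 7), so the DROP TABLE payload would be rejected there. That is no protection. A payload that stays inside the single UPDATE, such as 1 OR 1=1, still rewrites every row, and that is what the example below runs. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table layout is the thread's and the rows are constructed.

```php
<?php
// Added example, not from the thread. Runs the thread's string-built UPDATE
// and a placeholder version against a hostile id. Assumptions: PDO with the
// sqlite driver (an in-memory database stands in for MySQL; only the DSN
// would change), the thread's table layout, and constructed rows.
declare(strict_types=1);

function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // no silent failures
    $db->exec('CREATE TABLE tb_emails (auto_id INTEGER PRIMARY KEY, bol_active INTEGER NOT NULL DEFAULT 0)');
    $db->exec('INSERT INTO tb_emails (auto_id) VALUES (1), (2), (3)');
    return $db;
}

// The auto_ids currently marked active, as ints.
function active_ids(PDO $db): array
{
    $rows = $db->query('SELECT auto_id FROM tb_emails WHERE bol_active = 1 ORDER BY auto_id')
               ->fetchAll(PDO::FETCH_COLUMN);
    return array_map('intval', $rows);
}

// The thread's query as posted: $id is pasted into the SQL text, so whatever
// it contains is parsed as part of the WHERE clause.
function update_interpolated(PDO $db, int $action, string $id): void
{
    $db->exec("UPDATE tb_emails SET bol_active = $action WHERE auto_id = $id");
}

// Same UPDATE with placeholders: $id is sent as a value to be compared with
// auto_id and is never parsed as SQL. mysqli_prepare()/bind_param() does the
// same job if you prefer mysqli to PDO.
function update_prepared(PDO $db, int $action, string $id): void
{
    $stmt = $db->prepare('UPDATE tb_emails SET bol_active = ? WHERE auto_id = ?');
    $stmt->execute([$action, $id]);
}

// A payload that stays inside the one UPDATE: no second statement needed,
// so a driver that refuses stacked queries does not help.
$payload = '1 OR 1=1';

$db = fresh_db();
update_interpolated($db, 1, $payload);   // WHERE auto_id = 1 OR 1=1 is true for every row
print_r(active_ids($db));

$db = fresh_db();
update_prepared($db, 1, $payload);       // the text '1 OR 1=1' is compared with auto_id as a value
print_r(active_ids($db));

$db = fresh_db();
update_prepared($db, 1, (string) (int) $payload);   // Zoltán's cast reduces it to 1
print_r(active_ids($db));
```

Run it and the first print_r lists all three ids: the interpolated query activated every row with a single statement. The second lists none under SQLite, because no integer auto_id equals the text '1 OR 1=1' (MySQL coerces such a string to its leading number, so there it would match row 1 only); either way the OR never becomes SQL. The third lists only row 1. Placeholders are the fix to rely on; the cast is a useful belt-and-braces on top of them, not a substitute, since it only helps for columns that really are integers.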