- 09-20-2011 #1 (Banned)
- Join Date: Aug 2011
- Posts: 43
Trying to get PHP updating MySQL using MySQL "UPDATE" argument
Hey,
I'm trying the following code in PHP, but its not taking any effect and I was wondering if anyone can see a problem with it?
PHP Code:
$query = "UPDATE `products` set `category` = '".$_POST['category']."' where `id` = '".$_POST['id']."'";
- 09-21-2011 #2
It would help to know what error you are getting and what data you are putting in. A quick way of seeing exactly what query you are going to run is to use
Code:
$query = "UPDATE `products` set `category` = '".$_POST['category']."' where `id` = '".$_POST['id']."'";
echo $query;
You can then run the exact query against the DB to see what is going on. By the way, that query is begging to have your entire database deleted. NEVER use raw post values in DB output or html output. In fact never use any untrusted value without filtering it properly.
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
The Fifth Continent reborn
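The same UPDATE as the thread's query, placed beside a parameterized version, as an added example that is not code from anyone in the thread. It assumes a `products` table with `id` and `category` columns (as in the original post) and a PDO connection whose DSN and credentials are placeholders; `buildUnsafeUpdate` and `updateCategory` are names chosen here.

```php
<?php
// Added example (not from the thread). Assumes a `products` table with
// `id` and `category` columns; DSN and credentials below are placeholders.

// The pattern from the original post: the raw POST values are spliced into
// the SQL text, so a value containing a single quote closes the string
// literal and whatever follows it is parsed by MySQL as part of the
// statement. Kept here only to contrast with the hardened form.
function buildUnsafeUpdate(array $post): string
{
    return "UPDATE `products` set `category` = '" . $post['category']
        . "' where `id` = '" . $post['id'] . "'";
}

// Hardened form: the SQL text is fixed at prepare time and the values are
// sent separately as bound parameters, so they can never become SQL.
function updateCategory(PDO $pdo, array $post): int
{
    // Validate shape before touching the database: id must be a positive int.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $category = trim((string) ($post['category'] ?? ''));
    if ($category === '' || strlen($category) > 64) {
        throw new InvalidArgumentException('category missing or too long');
    }

    $stmt = $pdo->prepare(
        'UPDATE `products` SET `category` = :category WHERE `id` = :id');
    $stmt->bindValue(':category', $category, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // Replaces the "echo $query" debugging tip: shows the SQL and bound values.
    $stmt->debugDumpParams();
    return $stmt->rowCount(); // 0 means no row was changed
}

// Constructed sample request, shaped like the form submission in the thread.
$post = ['category' => 'gloves', 'id' => '1'];
echo buildUnsafeUpdate($post), PHP_EOL;

$pdo = new PDO('mysql:host=localhost;dbname=shop', 'user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
echo 'rows affected: ', updateCategory($pdo, $post), PHP_EOL;
```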
- 09-21-2011 #3 (Banned)
- Join Date: Aug 2011
- Posts: 43
Hey elija,
Great reply dude!
I echoed out the response and got:
UPDATE `products` set `category` = 'gloves' where `id` = '1'
I then entered the above code directly into MySQL and it worked! Now my head is about to explode!!!!!
Hey, you said something about begging to have my entire databases deleted. lulz
Thanks for the warning bro!
Would that be via SQL injection?
I am new to PHP and MySQL, but am aware of some of these attacks. When my project is finished and fully functional, I am going to study PHP/MySQL attacks and audit my entire code. I believe I can 'strip' form data. I read briefly. Am I right?
- 09-21-2011 #4
Imho: If that project is supposed to be seen by more people than you,
then you might want to read about secure applications first
and have that security audit before the project goes live.
You must always face the curtain with a bow.
- 09-21-2011 #5 (Banned)
- Join Date: Aug 2011
- Posts: 43
Yeah, all these security things will come.
Building first, security later.. it's my preferred work flow.
That's but!
- 09-21-2011 #6
From common knowledge and personal 13+ years experience: Doesn't work that way

Security is an integral and basic part of coding, not an AddOn.
So it needs to be involved in the planning phase already, whether that meets your workflow or not is rather irrelevant.
If you postpone it, you are guaranteed to find some security issues that would require a rewrite of your project.
You must always face the curtain with a bow.
- 09-21-2011 #7
I agree, security should be built in from the ground up. I always recommend this book as a scary but essential starting point in that regard.
Also consider using a framework which will have a lot of the security built in. For example, Cake PHP, Symfony or Zend.
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
The Fifth Continent reborn
- 09-21-2011 #8 (Banned)
- Join Date: Aug 2011
- Posts: 43
Hey guys,
Your inputs have all been appreciated.
The problem wasn't even with the code itself, rather using multiple queries with the same name within the same space, so only the last (which wasn't the query in my OP) was being parsed.
Thanks again guys!