  1. #1
    Banned
    Join Date
    Aug 2011
    Posts
    43

    Trying to get PHP updating MySQL using MySQL "UPDATE" argument


    Hey,

    I'm trying the following code in PHP, but its not taking any effect and I was wondering if anyone can see a problem with it?
    PHP Code:
    $query = "UPDATE `products` set `category` = '".$_POST['category']."' where `id` = '".$_POST['id']."'";

  2. #2
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,485
    Quote Originally Posted by Kolusion View Post
    Hey,

    I'm trying the following code in PHP, but its not taking any effect and I was wondering if anyone can see a problem with it?
    PHP Code:
    $query = "UPDATE `products` set `category` = '".$_POST['category']."' where `id` = '".$_POST['id']."'";
    It would help to know what error you are getting and what data you are putting in. A quick way of seeing exactly what query you are going to run is to use

    Code:
    $query = "UPDATE `products` set `category` = '".$_POST['category']."' where `id` = '".$_POST['id']."'";  
    echo $query;
    You can then run the exact query against the DB to see what is going on. By the way, that query is begging to have your entire database deleted. NEVER use raw post values in DB output or html output. In fact never use any untrusted value without filtering it properly.
    What do we want?
    Time machines!

    When do we want 'em?
    Doesn't really matter does it!?


    Conkybots: Interactive plugins for your Conkys!
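To make elija's warning concrete, here is an added example (not code from the thread) that runs the thread's UPDATE two ways: built by string concatenation as in the original post, and as a prepared statement. It assumes PDO with an in-memory SQLite database so it runs offline; for MySQL only the DSN and credentials change, the rest is the same.

```php
<?php
// Added example, not from the thread. In-memory SQLite keeps it self-contained;
// a MySQL DSN such as 'mysql:host=localhost;dbname=shop' works the same way.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, category TEXT)");
$pdo->exec("INSERT INTO products (id, category) VALUES (1, 'hats'), (2, 'socks'), (3, 'boots')");

// Constructed sample input standing in for $_POST. The id value contains a
// single quote, which is exactly what concatenation cannot cope with.
$post = ['category' => 'gloves', 'id' => "1' OR '1'='1"];

// 1. The thread's pattern: the POST values are spliced straight into the SQL
//    text, so the quote in the id closes the literal and the remainder of the
//    value is parsed as part of the WHERE clause.
$concatQuery = "UPDATE `products` SET `category` = '" . $post['category'] . "' WHERE `id` = '" . $post['id'] . "'";
$affected = $pdo->exec($concatQuery);
echo "Concatenated query changed $affected rows\n";   // 3: every row, not only id 1

// Put the table back so both variants start from the same state.
$pdo->exec("UPDATE products SET category = CASE id WHEN 1 THEN 'hats' WHEN 2 THEN 'socks' ELSE 'boots' END");

// 2. Prepared statement: the SQL text is fixed before any value is seen and the
//    values are sent separately, so whatever arrives in $post is only ever data.
$stmt = $pdo->prepare("UPDATE `products` SET `category` = :category WHERE `id` = :id");
$stmt->execute([':category' => $post['category'], ':id' => $post['id']]);
echo "Prepared statement changed " . $stmt->rowCount() . " rows\n";   // 0: no id equals that string

// 3. Validate the shape of each value as well; an id that is not an integer
//    should never reach the database in the first place.
$id = filter_var($post['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    echo "Rejected id: not an integer\n";
}
```

Giving each statement its own variable ($concatQuery, $stmt) also avoids the problem reported later in this thread, where reusing one $query name meant only the last assignment was ever executed.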

  3. #3
    Banned
    Join Date
    Aug 2011
    Posts
    43
    Hey elija,

    Great reply dude!

    I echoed out the response and got:
    UPDATE `products` set `category` = 'gloves' where `id` = '1'
    I then entered the above code directly into MySQL and it worked! Now my head is about to explode!!!!!

    Hey, you said something about begging to have my entire databases deleted. lulz
    Thanks for the warning bro!
    Would that be via SQL injection?
    I am new to PHP and MySQL, but am aware of some of these attacks. When my project is finished and fully functional, I am going to study PHP/MySQL attacks and audit my entire code. I believe I can 'strip' form data. I read briefly. Am I right?

  4. #4
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    Imho: If that project is supposed to be seen by more people than you,
    then you might want to read about secure applications first
    and have that security audit before the project goes live.
    You must always face the curtain with a bow.

  5. #5
    Banned
    Join Date
    Aug 2011
    Posts
    43
    Yeah, all these security things will come.

    Building first, security later.. it's my preferred work flow.

    That's but!

  6. #6
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    From common knowledge and personal 13+ years experience: Doesn't work that way
    Security is an integral and basic part of coding, not an AddOn.
    So it needs to be involved in the planning phase already, whether that meets your workflow or not is rather irrelevant.

    If you postpone it, you are guaranteed to find some security issues that would require a rewrite of your project.

  7. #7
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,485
    I agree, security should be built in from the ground up. I always recommend this book as a scary but essential starting point in that regard.

    Also consider using a framework which will have a lot of the security built in. For example, Cake PHP, Symfony or Zend.

  8. #8
    Banned
    Join Date
    Aug 2011
    Posts
    43
    Hey guys,

    Your inputs have all been appreciated.

    The problem wasn't even with the code itself, rather using multiple queries with the same name within the same space, so only the last (which wasn't the query in my OP) was being parsed.

    Thanks again guys!
