#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Location
    Edinburgh
    Posts
    19
    Rep Power
    0

    Update Record in DB


    Hi there

    I'm working on a project and so far everything is going well. But!

    When I view a record from the database and try to edit the section status, it's not updating in the MySQL server.

    It runs through the code and completes but no changes are made in the database. Any ideas?

    Here is my update code.

    Code:
    <?php
    
    $host="localhost"; 
    $username="#####"; 
    $password="######"; 
    $db_name="#####"; 
    $tbl_name="######"; 
    
    
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    $sql="UPDATE $tbl_name SET status='$status' WHERE id='$id'";
    $result=mysql_query($sql);
    
    if($result){
    echo "Order has been updated to Complete";
    echo "<BR>";
    echo "<a href='list_records.php'>View result</a>";
    }
    
    else {
    echo "ERROR";
    }
    
    ?>
    Thanks

    Hudbarnett
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    where do $id and $status come from? There's no definition in your code. If you're using the ancient register_globals "feature", turn it off and properly fetch the values from $_GET or $_POST.

    Your code is also wide open to SQL injections. The mysql_ functions are generally obsolete. Use one of the contemporary extensions.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Location
    Edinburgh
    Posts
    19
    Rep Power
    0
    Originally Posted by Jacques1
    Hi,

    where do $id and $status come from? There's no definition in your code. If you're using the ancient register_globals "feature", turn it off and properly fetch the values from $_GET or $_POST.

    Your code is also wide open to SQL injections. The mysql_ functions are generally obsolete. Use one of the contemporary extensions.
    Hi there

    The status is a field in the database and I would like to be able to change this field to complete by using a dropdown selection.

    I'm new to PHP but I'm sure you already know this.

    I didn't know that the code I'm using was not secure and open to injections. Are you able to point me in the direction of some good examples that I can learn from?

    Thank you

    Hudbarnett
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by hudbarnett
    The status is a field in the database and I would like to be able to change this field to complete by using a dropdown selection.
    Yes, but I was talking about the PHP variables $id and $status. They aren't defined anywhere in your code, so I assume you rely on the long obsolete register_globals, which would automatically inject POST and GET parameters into variables.



    Originally Posted by hudbarnett
    I didn't know that the code I'm using was not secure and open to injections. Are you able to point me in the direction of some good examples that I can learn from?
    Click on the link (the underlined "SQL injections"). You might also want to google for "prepared statement", because that's the best countermeasure against SQL injections (but it's only supported by MySQLi and PDO).
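
Added example, not part of the thread and not any poster's code: the status update from the first post rewritten with a PDO prepared statement, with `id` and `status` read explicitly from the submitted form data. The `orders` table, its columns, the allowed status values and the function name `updateStatus` are assumptions; an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);

const ALLOWED_STATUS = ['Pending', 'Complete'];   // assumed dropdown values

function updateStatus(PDO $pdo, array $post): string
{
    // Read the values from the request explicitly instead of relying on register_globals.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $status = $post['status'] ?? '';
    if ($id === false || !in_array($status, ALLOWED_STATUS, true)) {
        return 'rejected';
    }

    // Placeholders keep the data out of the SQL text; the table name is a fixed literal.
    $stmt = $pdo->prepare('UPDATE orders SET status = :status WHERE id = :id');
    $stmt->execute([':status' => $status, ':id' => $id]);

    // A successful execute() does not mean a row changed: a WHERE clause that
    // matches nothing still succeeds, which is the symptom in the first post.
    // (With pdo_mysql, rowCount() counts changed rows unless
    // PDO::MYSQL_ATTR_FOUND_ROWS is set on the connection.)
    return $stmt->rowCount() === 1 ? 'updated' : 'no matching row';
}

// Demo on constructed data. For MySQL, swap the DSN for something like
// 'mysql:host=localhost;dbname=DBNAME;charset=utf8mb4' plus user and password.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT NOT NULL)");
$pdo->exec("INSERT INTO orders (id, status) VALUES (1, 'Pending'), (2, 'Pending')");

$requests = [                                          // constructed form submissions
    ['id' => '1', 'status' => 'Complete'],             // normal submit
    ['id' => '99', 'status' => 'Complete'],            // id that does not exist
    ['id' => "1' OR '1'='1", 'status' => 'Complete'],  // hostile id value
    ['status' => 'Complete'],                          // id missing entirely
];
foreach ($requests as $post) {
    echo json_encode($post), ' => ', updateStatus($pdo, $post), PHP_EOL;
}

// Only row 1 was changed; row 2 is still Pending.
foreach ($pdo->query('SELECT id, status FROM orders') as $row) {
    echo $row['id'], ': ', $row['status'], PHP_EOL;
}
```
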
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Location
    Edinburgh
    Posts
    19
    Rep Power
    0
    Originally Posted by Jacques1
    Yes, but I was talking about the PHP variables $id and $status. They aren't defined anywhere in your code, so I assume you rely on the long obsolete register_globals, which would automatically inject POST and GET parameters into variables.





    Click on the link (the underlined "SQL injections"). You might also want to google for "prepared statement", because that's the best countermeasure against SQL injections (but it's only supported by MySQLi and PDO).
    Hi

    I have pointed my form to the following script. In this script there is a field called status and the id is auto inc from the database.

    In my connection details, if this is updated will this help to protect my database?

    Code:
    <?php
    
    $host="localhost"; // Host name
    $username="#######"; // Mysql username
    $password="#######"; // Mysql password
    $db_name="#######"; // Database name
    $tbl_name="#######"; // Table name
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // Get values from form
    $QuickOrderForm=$_POST['QuickOrderForm'];
    $status=$_POST['status'];
    $SchoolName=$_POST['SchoolName'];
    $Address1=$_POST['Address1'];
    $Address2=$_POST['Address2'];
    $Postcode=$_POST['Postcode'];
    $Title=$_POST['Title'];
    $Name=$_POST['Name'];
    $Position=$_POST['Position'];
    $AccountNo=$_POST['AccountNo'];
    $Telephone=$_POST['Telephone'];
    $CatNo_1=$_POST['CatNo_1'];
    $ItemDescription1=$_POST['ItemDescription1'];
    $Qty1=$_POST['Qty1'];
    $Unit1=$_POST['Unit1'];
    $Size1=$_POST['Size1'];
    $Price1=$_POST['Price1'];
    $Price_1=$_POST['Price_1'];
    $Vat1=$_POST['Vat1'];
    
    // Insert data into mysql
    $sql="INSERT INTO $tbl_name(QuickOrderForm, status, SchoolName, Address1,Address2,Postcode,Title,Name,Position,AccountNo,Telephone,CatNo_1,ItemDescription1,Qty1,Unit1,Size1,Price1,Price_1,Vat1)VALUES('$QuickOrderForm', '$status', '$SchoolName', '$Address1', '$Address2', '$Postcode', '$Title', '$Name', '$Position', '$AccountNo', '$Telephone', '$CatNo_1', '$ItemDescription1', '$Qty1', '$Unit1', '$Size1', '$Price1', '$Price_1', '$Vat1')";
    $result=mysql_query($sql);
    
    // if successfully insert data into database, displays message "Successful".
    if($result){
    echo "Successful";
    echo "<BR>";
    echo "<a href='insert.php'>Back to main page</a>";
    }
    
    else {
    echo "ERROR";
    }
    ?>
    
    <?php
    // close connection
    mysql_close();
    ?>
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by hudbarnett
    I have pointed my form to the following script. In this script there is a field called status and the id is auto inc from the database.
    What does this script have to do with the update script in your first post?



    Originally Posted by hudbarnett
    In my connection details, if this is updated will this help to protect my database?
    No, you need to actually read my replies and follow the links. I gave you several keywords and links regarding SQL injections.
