problem updating table via php/html

         

jake66

12:59 am on Apr 18, 2006 (gmt 0)


problem:
via http post i am pulling the user from the database so only he can edit his own record (and no one else's).. this works fine.

the problem comes when i need to edit the user's tables... anything typed by the current user replaces EVERYONE's fields as well as the intended location.

here's the code:

<html>
<head>
<title>Update</title>
</head>
<body bgcolor="white">
<?php
foreach($HTTP_POST_VARS as $varname => $value)
$formVars[$varname]=$value;
require_once("includes/_connect.php");

echo "Record updated";
$query="UPDATE staff set ".
"top1= \"".$formVars["top1"]."\",".
"top2= \"".$formVars["top2"].
"\" WHERE name = \"".$formVars["name"]."\"";
mysql_query($query);
mysql_close($connection);
?>
<?php echo $formVars["name"];?>
</body>
</html>

can anyone see what could be causing the problem here?

here is my _connect.php:

<?php
$host = "localhost";
$user = "myusername";
$pass = "mypassword";
$dbname = "mydatabase";

$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);
?>

Habtom

4:09 am on Apr 18, 2006 (gmt 0)


//the problem comes when i need to edit the user's tables... anything typed by the current user replaces EVERYONE's fields as well as the intended location.

It seems to me you have just got to take care of the WHERE condition in your queries.

Hab

jake66

8:31 pm on Apr 18, 2006 (gmt 0)


i figured that was the problem, but every different instance of where i tried, it either updated nothing or updated the records for everyone.

"\" WHERE name = \"".$formVars["name"]."\"";

mooger35

9:10 pm on Apr 18, 2006 (gmt 0)


try this

$query = "UPDATE `staff` SET `top1` = '$formVars['top1']', `top2` = '$formVars['top2']'
WHERE `name` = '$formVars['name']'";

jake66

3:02 am on Apr 19, 2006 (gmt 0)


i get this:

Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/**/public_html/admin/update.php on line 12

and line 12:
$query = "UPDATE `staff` SET `top1` = '$formVars['top1']', `top2` = '$formVars['top2']'

Habtom

3:39 am on Apr 19, 2006 (gmt 0)


$query = "UPDATE staff SET top1 = '". $formVars['top1'] ."', top2 = '". $formVars['top2'] ."' WHERE name = '". $formVars['name'] ."'";

All in one line :)

this shall work fine.

Habtom

jake66

4:35 am on Apr 19, 2006 (gmt 0)


sorry i never had a chance to see your post, but thanks for the help :)

i fixed my problem with this:
"\" WHERE name = \"".$formVars["name"]."\" AND password = \"".$formVars["password"]."\"";

not sure what i did differently outside of adding the "AND password" value.

hakre

4:34 pm on Apr 24, 2006 (gmt 0)


dear folks, please take care not to directly insert form variables into database queries because this leads to mysql injections, a serious security issue. escape string data using mysql_real_escape_string() [php.net] first!

jake66

4:59 pm on Apr 24, 2006 (gmt 0)


hakre, i just made a post about that: [webmasterworld.com...]

i'm new to php, so i'm going one step at a time.

hakre

7:08 am on Apr 25, 2006 (gmt 0)


yeah i've seen and read and replied in there. i just wanted to drop a line about it because i found similar risks in code posted here. often people are just copy & pasting so i think it was time for a warning ;)
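
hakre's warning applied to the thread's UPDATE, as an added example that is not from any poster in this thread: it uses PDO prepared statements in place of the mysql_real_escape_string() call hakre names, so form values are bound as data and never parsed as SQL. The in-memory SQLite table, the sample rows, the sample form input and the `updateStaff` function are assumptions made so the example runs on its own.

```php
<?php
// Constructed in-memory table standing in for the thread's `staff` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE staff (name TEXT PRIMARY KEY, top1 TEXT, top2 TEXT)');
$pdo->exec("INSERT INTO staff VALUES ('alice', 'a1', 'a2'), ('bob', 'b1', 'b2')");

/**
 * Update one staff row (hypothetical helper, not code from the thread).
 * Every value is passed as a bound parameter, so quotes inside it cannot
 * change the shape of the statement. Returns the number of rows changed.
 */
function updateStaff(PDO $pdo, string $name, string $top1, string $top2): int
{
    $stmt = $pdo->prepare(
        'UPDATE staff SET top1 = :top1, top2 = :top2 WHERE name = :name'
    );
    $stmt->execute([':top1' => $top1, ':top2' => $top2, ':name' => $name]);
    return $stmt->rowCount();
}

// Constructed form input standing in for $_POST.
// The first is an ordinary edit whose values happen to contain quotes.
$normal = ['name' => 'alice', 'top1' => 'new "quoted" value', 'top2' => "it's fine"];
// The second carries quote characters in the name field; with string
// concatenation these would become part of the WHERE clause.
$hostile = ['name' => 'x" OR "1"="1', 'top1' => 'overwritten', 'top2' => 'overwritten'];

foreach ([$normal, $hostile] as $post) {
    $changed = updateStaff($pdo, $post['name'], $post['top1'], $post['top2']);
    printf("name=%s -> %d row(s) changed\n", var_export($post['name'], true), $changed);
}

// Show the table afterwards: only the row whose name matched exactly changed.
foreach ($pdo->query('SELECT name, top1, top2 FROM staff ORDER BY name') as $row) {
    printf("%s | %s | %s\n", $row['name'], $row['top1'], $row['top2']);
}
```

Against the thread's MySQL database only the PDO constructor arguments change; the prepared UPDATE stays the same.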