  1. #1 Non-Member (joined Feb 2005)

    Help with an update query?

    Hi All,

    Wondering if anyone can help me. I have an HTML table which I want to use to update in a query.

    PHP Code:
    <?php
    if (isset($_POST['Submit'])) {
        // Walk the submitted checkbox values and pair each one with id[] by position.
        for ($i = 0; $i < count($_REQUEST['the_text']); $i++) {
            $result = mysql_query("Update tbl set text ='" . $_REQUEST['the_text'][$i] . "' WHERE topstory_id=" . $_REQUEST['id'][$i]) OR DIE(mysql_error());
            print "Update tbl  set text ='" . $_REQUEST['the_text'][$i] . "' WHERE topstory_id ='" . $_REQUEST['id'][$i] . "'";
        }
        header("Location: done.php");
    }
    ?>
    <form id="form" action="" method="post"  name="form">
       <table  align="center">
          <thead>
            <tr> 
              <th>Position</th>
              <th>Make Position</th>
            </tr>
          </thead>
          <tbody>
                    <tr>
              <td><input type="hidden" name="id[]" value="21">Panel ()</td>
              <td><input style="margin-top:20px;" type="checkbox" name="the_text[]" value="AND story_id = 1234"></td>
            </tr>
                    <tr>
              <td><input type="hidden" name="id[]" value="22">Panel ()</td>
              <td><input style="margin-top:20px;" type="checkbox" name="the_text[]" value="AND story_id = 1234"></td>
            </tr>
                  </tbody>
        </table>
       <button type="submit" name="Submit" value="Submit">Submit</button>
      </form>
    And basically what I do is tick ONE of the checkboxes, which updates my MySQL database. So depending on which one I tick before hitting submit, the query should be either:

    Update tbl set text ='AND story_id = 1234' WHERE topstory_id ='21'
    or
    Update tbl set text ='AND story_id = 1234' WHERE topstory_id ='22'

    But no matter which checkbox I tick in the table before pressing submit, it always sets the query as

    Update tbl set text ='AND story_id = 1234' WHERE topstory_id ='21'

    Anyone help?
    Thanks

  2. #2 Non-Member (joined Oct 2009)
    You should never pass query parts from user input.

  3. #3 SitePoint Enthusiast (joined Nov 2009)
    Set the checkbox name tag as:
    name="the_text[X]" where X is the primary key of your table

    And the update:
    PHP Code:
    <?php
    foreach ($_POST["id"] as $ids) {
        // Only the ticked checkboxes arrive, so look each one up by its primary key.
        if (isset($_POST["the_text"][$ids])) {
            $sql = sprintf(
                "update table SET field='%s' WHERE topstory_id=%d",
                mysql_real_escape_string($_POST["the_text"][$ids]),
                $ids
            );
            echo $sql; // if it's good, use mysql_query()
        }
    }
    ?>

  4. #4 Non-Member (joined Feb 2005)
    Thanks Guys

    You should never pass query parts from user input.
    Out of interest why?

  5. #5 spikeZ (Manchester UK, joined Aug 2004)
    Because it leaves you open to MASSIVE SQL injection.

    Imagine I made a form and sent it to YOUR processing that had something like:

    Code:
    AND delete where 1=1
    bish bash bosh there goes your database!
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  6. #6 paul_wilkins (Christchurch, New Zealand, joined Jan 2007)
    Quote Originally Posted by Shrapnel_N5:
    You should never pass query parts from user input.
    Could you advise the OP as to how it should be handled instead?
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript
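As an added example (not code from the thread), here is the situation in Python with sqlite3 standing in for the PHP/MySQL code above. It shows both things the thread raises: why the original loop always hits id 21 (unticked checkboxes are not submitted at all, so `the_text[]` has one element while `id[]` has two and index 0 always lines up with 21), and the answer to #6's question of how it should be handled instead: keep the SQL fragment on the server behind an allow-list token so the browser never sends query text, take the row id from the checkbox name as #3 suggests, and bind both values as parameters instead of concatenating them. The in-memory table, the token name `story_1234` and the request bodies are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Server-side allow-list: the browser only ever sends the KEY; the SQL fragment
# text itself never appears in a request. (The token name is an assumption.)
ALLOWED_FRAGMENTS = {
    "story_1234": "AND story_id = 1234",
}

# Checkbox names in the hardened form carry the row id: the_text[<topstory_id>]
CHECKBOX_KEY = re.compile(r"^the_text\[(\d+)\]$")


def make_db():
    """In-memory stand-in for the thread's `tbl` with the two rows the form lists."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (topstory_id INTEGER PRIMARY KEY, text TEXT)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?)", [(21, ""), (22, "")])
    return conn


def rows(conn):
    """Current table contents as {topstory_id: text}."""
    return dict(conn.execute("SELECT topstory_id, text FROM tbl ORDER BY topstory_id"))


def apply_updates_by_position(conn, body):
    """The original post's approach: pair the_text[i] with id[i] and concatenate.

    Both problems from the thread show up here: unticked checkboxes are not
    submitted, so the_text[] is shorter than id[] and index 0 always lands on
    id 21; and every submitted value goes straight into the statement text.
    """
    form = parse_qs(body)
    ids = form.get("id[]", [])
    texts = form.get("the_text[]", [])
    with conn:
        for i in range(len(texts)):
            conn.execute("UPDATE tbl SET text ='" + texts[i] + "' WHERE topstory_id=" + ids[i])
    return rows(conn)


def selected_updates(body):
    """Parse the hardened form into (topstory_id, fragment) for each ticked box.

    The id comes from the checkbox NAME, so there is nothing to misalign, and the
    value is resolved through ALLOWED_FRAGMENTS rather than used as SQL.
    """
    updates = []
    for key, values in parse_qs(body).items():
        m = CHECKBOX_KEY.match(key)
        if not m:
            continue  # not one of our checkboxes (e.g. Submit=Submit)
        token = values[0]
        if token not in ALLOWED_FRAGMENTS:
            raise ValueError("unknown fragment token %r" % token)
        updates.append((int(m.group(1)), ALLOWED_FRAGMENTS[token]))
    return updates


def apply_updates_safely(conn, body):
    """Bind both values as parameters; the statement text is fixed at code time."""
    with conn:
        for topstory_id, fragment in selected_updates(body):
            conn.execute("UPDATE tbl SET text = ? WHERE topstory_id = ?", (fragment, topstory_id))
    return rows(conn)


# Constructed request bodies (what the browser sends, URL-encoded).
# Original form, SECOND checkbox ticked: the_text[] has one element, id[] has two.
ORIGINAL_SECOND_TICKED = "id%5B%5D=21&id%5B%5D=22&the_text%5B%5D=AND+story_id+%3D+1234&Submit=Submit"
# A forged form, as reply #5 describes: attacker-chosen id and text.
FORGED = "id%5B%5D=22+OR+1%3D1&the_text%5B%5D=pwned&Submit=Submit"
# Hardened form, second checkbox ticked: only a token and the id in the name.
HARDENED_SECOND_TICKED = "the_text%5B22%5D=story_1234&Submit=Submit"
# Hardened form with an attacker-supplied value: rejected before any SQL runs.
HARDENED_FORGED = "the_text%5B22%5D=AND+delete+where+1%3D1&Submit=Submit"

if __name__ == "__main__":
    print(apply_updates_by_position(make_db(), ORIGINAL_SECOND_TICKED))  # id 21 changed, not 22
    print(apply_updates_by_position(make_db(), FORGED))                  # every row overwritten
    print(apply_updates_safely(make_db(), HARDENED_SECOND_TICKED))       # only id 22 changed
    try:
        apply_updates_safely(make_db(), HARDENED_FORGED)
    except ValueError as exc:
        print("rejected:", exc)
```

The forged body is the attack from #5 made concrete against the original code: because `id` is concatenated unquoted, `22 OR 1=1` turns the WHERE clause into a match on every row. Against the hardened parser the same body contributes nothing (no `the_text[N]` keys), and a made-up token never reaches the database because the lookup fails first.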

