Cant update data base php

PHP
1

Hay guys i don’t know why i cant update my data base please take a look

PHP

if(isset($_POST['submit'])){
		$sql1 = "SELECT * FROM No where id='1'";
		$result1 = mysqli_query($mysqli,$sql1) or die(mysqli_error());
		while($row= mysqli_fetch_assoc($result1))
		{
		$FARIDA= $row['FARIDA'];
		}
		// FARIDABAD UPDATE 01//
		if(isset($_POST['FARIDA'])){
		$FARIDA_1 = $_POST['FARIDA'];
		$sql2 = "UPDATE sattaNo SET id='2',FARIDABAD='$FARIDA' where id='2'";
		$result2 = mysqli_query($mysqli,$sql2) or die(mysqli_error());
		if($result2){
			
		$sql3 = "UPDATE sattaNo SET id='1',FARIDA='$FARIDA_1' where id='1'";
		$result3 = mysqli_query($mysqli,$sql3) or die(mysqli_error());
		}
		}

HTML

<form method="post" action="">
   <div class="col-md-4">
      <div class="form-group">
<label for="form_lastname" class="Cform">FARIDA</label>
        <div class="input-group input-group-md">
             <input type="text" name="FARIDABAD" class="form-control" placeholder="Update NO." >
		<span class="input-group-btn">
			<button  class="btn btn-primary" type="submit"> UPDATE </button>  
		</span>
	</div>
    </div>
  </div>
</form>
2

You should be using prepared statements, your code is vulnerable to SQL injection attacks

3

how to fix this

4

I don’t see this attribute anywhere in your form, so where is the value coming from?

if(isset($_POST['FARIDA'])) {

Is it a typo?

<input type="text" name="FARIDABAD" class="form-control" placeholder="Update NO." >

If that doesn’t help, can you give us some idea of the values of variables as you run through debugging the PHP code.

Also these queries have a bit of “extra” that doesn’t seem needed, to me at least:

$sql2 = "UPDATE sattaNo SET id='2',FARIDABAD='$FARIDA' where id='2'";
$sql3 = "UPDATE sattaNo SET id='1',FARIDA='$FARIDA_1' where id='1'";

What’s the idea behind setting the id value when it already has that value? You only select rows where id=2 in the first one, so why set the value to 2 when it is already that? I should add I’m relatively new to SQL, so maybe there’s a reason for it, perhaps someone could clarify.

Once it’s working, as @SpacePhoenix said, you need to look at prepared statements to add security.

1 Like
5

Completely aggree where is the old value for FARIDABAD. I don’t see any value in your form

6

Well, upon making changes to the current snippet, you should already be making changes to the vulnerabilities. If you make the change to the SQL statement and it starts working, you’re doing double the work to make changes to the vulnerabilities.

I say you should be able to debug as you go, not debug when everything is finished. I think the problem also lies with the single quotes being wrapped around a variable in double quotes.

Ultimately, the logic is horrible.

7

Possibly - I haven’t looked at quotes inside query strings since switching to PDO and prepared statements to I tend to not notice them now.

8

I don’t even use single quotes or anything like that since I use prepared statements in all my codes regardless if the WHERE clause is present or not. Makes it less difficult if I want to append a WHERE clause in the future.

The problem with OP’s snippet is that there are tons of legacy logic/ code in there. Only reason to use isset in $_POST is so that you can check whether that field has been tampered with via Inspect Element. Otherwise, supporting this logic only brings in horrible logic and design patterns. Hence why people are bashing about PHP so much.

9

Thanks PDO its working

10

Regardless if you are using PDO or mysqli_*, if you are still using the same horrible legacy logic, your code is still vulnerable no matter what.

“It’s working” is only a temporary fix.

1 Like
11

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.