Menu
Community /Pin to ProfileBookmark
@NogDogMar 06.2010 — #For debugging, at the end where you check the result, try something like this:
@NogDogMar 06.2010 — #
Well, in and of itself register_globals does not necessarily make it easier for someone to hack the page, depending on how you code it. If you use $_POST['id'] instead of $id but do not sanitize [i]either[/i] one, then your susceptibility is roughly equal, whereas if you do sanitize them and are careful to initialize all other variables you use that are not from external sources, then it also does not matter. But, when register_globals is enabled, the possibility exists that you could write some sloppy code that uses an uninitialized variable which is not intended to contain user-supplied data but which could be converted to such by a GET | POST | COOKIE value submitted by a malicious user. So, long story short, having register_globals turned on does not automatically make any page a security risk, but it does add a possible hole for the unwary/uneducated/lazy programmer; so I agree that it should be turned off and the code fixed to not rely on it. One way is to simply use extract with the optional 2nd parameter to not overwrite existing variables:
Problem UPDATE Table in mysql Works No errros But Not updating!
HI Guys , I appreciate if somebody could tell what mistakes do i have in the following code :
[B]Contents Table
[code=php]<?php
// Set Mysql Connection info
$host =”localhost”;
$username=”root”;
$password=””;
$db_name=”mail”;
$table_name=”emails”;
// Connect to database
mysql_connect(“$host”, “$username”, “$password”)or die(mysql_error());
mysql_select_db(“$db_name”) or die(“Couldn’t find mysql database”);
$sql = “SELECT * FROM $table_name ORDER BY id” or die(mysql_error());
$result = mysql_query($sql); ?>
<table width=”50%” border=”1″>
<tr>
<td width=”25%” bgcolor=”#cccccc”> ID </td> <td width=”25%”> Name </td> <td width=”50%”>Email</td>
</tr>
<?php while($rows=mysql_fetch_array($result))
{ ?>
<tr>
<td width=”25%” bgcolor=”#cccccc”><?php echo $rows[‘id’];?></td>
<td width=”25%”><?php echo $rows[‘name’]; ?></td>
<td width=”50%”><?php echo $rows[’email’]; ?></td>
<td width=”50%”><a href=edit.php?id=<?php echo $rows[‘id’];?>>Edit</a></td>
</tr>
<?php
}
mysql_close
?>
</table>
[B]Edit Form
[code=php]<?php
// Set Mysql Connection info
$host =”localhost”;
$username=”root”;
$password=””;
$db_name=”mail”;
$table_name=”emails”;
// Connect to database
mysql_connect(“$host”, “$username”, “$password”)or die(mysql_error());
mysql_select_db(“$db_name”) or die(“Couldn’t find mysql database”);
// get the value id
$id = $_GET[‘id’];
// get data from mysql database
$sql= ” SELECT * FROM $table_name WHERE id=’$id’ “;
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
?>
<form name=”update” method=”post” action=”update.php”>
<p>Name: <br />
<input type=”text” name=”name” id=”name” value=”<?php echo $rows[‘name’];?>” /> </p>
<p>E-mail:<br />
<input type=”text” name=”email” id=”email” value=”<?php echo $rows[’email’];?>” />
<br />
<input name=”id” type=”hidden” value=”<?php echo $rows[‘id’];?>”/>
<input type =”submit” name=”submit” value=”submit” />
</form>
<?php
// close connection
mysql_close();
?>
[B]The file That Update Table in mysql
[code=php]<?php
// Set Mysql Connection info
$host =”localhost”;
$username=”root”;
$password=””;
$db_name=”mail”;
$table_name=”emails”;
// Connect to server and select database.
mysql_connect(“$host”, “$username”, “$password”)or die(“cannot connect”);
mysql_select_db(“$db_name”)or die(“cannot select DB”);
// update data in mysql database
$sql=” UPDATE $table_name SET name=’$name’, email=’$email’ WHERE id=’$id'”;
$result=mysql_query($sql);
// if successfull
if($result) {
echo “Subscriber Updated Successfully!”;
}
else { echo “ERROR”;
}
?>
when i hit submit to update info , it says Updated Successfully , No erros , but actually Nothing updated!
Thank you in advance
Sign in
to post a comment16 Comments(s) ↴
0
@NogDogMar 06.2010 — #For debugging, at the end where you check the result, try something like this:[code=php]
// if successfull
if($result) {
if(mysql_affected_rows($result))
{
echo mysql_affected_rows($result) . " rows updated";
}
else
{
echo "No rows updated: <br />n" . htmlspecialchars($sql);
}
}
else {
echo "ERROR";
}
[/code]0
@NogDogMar 06.2010 — #Turning it on is a very bad idea. It explains why your script wasn't working but it is a *very* bad "fix" (and I hesitate to even call it that). If you have turned it on your database can now be manipulated by anyone just by typing certain urls into your browser. Not good at all.[/QUOTE]
Well, in and of itself register_globals does not necessarily make it easier for someone to hack the page, depending on how you code it. If you use $_POST['id'] instead of $id but do not sanitize [i]either[/i] one, then your susceptibility is roughly equal, whereas if you do sanitize them and are careful to initialize all other variables you use that are not from external sources, then it also does not matter. But, when register_globals is enabled, the possibility exists that you could write some sloppy code that uses an uninitialized variable which is not intended to contain user-supplied data but which could be converted to such by a GET | POST | COOKIE value submitted by a malicious user. So, long story short, having register_globals turned on does not automatically make any page a security risk, but it does add a possible hole for the unwary/uneducated/lazy programmer; so I agree that it should be turned off and the code fixed to not rely on it. One way is to simply use extract with the optional 2nd parameter to not overwrite existing variables:
[code=php]
<?php
extract($_POST, EXTR_SKIP);
extract($_GET, EXTR_SKIP);
extract($_COOKIE, EXTR_SKIP);
[/code]