PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Hello,
I have a form on my page. In the form there are different values, selected from the MySQL database. I am able to update the form by typing anything in the form and clicking the submit button. The value is automatically updated in the MySQL database, but to show the value in the form I need to refresh my browser in order to see the new value in the form. How is it possible that I don't need to refresh and the updated value gets shown right away?
If I do that the script doesn't even work. No values are being updated in the DB. However, if I move it above
echo "<form method='POST' action ='profile_edit.php'>";
the script works, but with the same result: I would have to refresh my page in order to be able to see the updated results.
Should what you told me really work? However, I'm hoping for some more suggestions. Thanks.
Also, there are a number of SQL injection and XSS vulnerabilities in your application. You would do well to turn off magic quotes and use mysql_real_escape_string().
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
if (isset($_POST['submit']))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
$username = $_COOKIE['ID_my_site'];
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
if (isset($_POST['submit']))
{
mysql_query("UPDATE users SET username='$_POST[username_output]' WHERE username='$username';") or die("ERROR");
mysql_query("UPDATE users SET first_name='$_POST[first_name_output]' WHERE username='$username';") or die("ERROR");
}
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Didn't work. The last example didn't even update the values in the DB.
Can we talk about the vulnerabilities later? I'd like to get that working first. Thanks so much.
Last edited by DonPatricio91 on Wed Dec 12, 2007 9:30 pm, edited 1 time in total.
$username has not been defined; my fault, I told you to move the block too far up. Move $username = $_COOKIE['ID_my_site']; before the mysql_query updates.
Step 1: When you use double quotes, you have the ability to interpolate variables, i.e. "a $var" becomes "a cow" if $var == 'cow'. Interpolation, usually, is the wrong way to go about things for SQL, because strings need to be escaped to prevent people from inserting things like "'; DROP TABLE foo". Here is the first thing I'll ask you to do:
Remove any interpolated variables from the strings, and replace them with simpler variable names, which you assign and escape before the string. Example:
$sql_username_output = mysql_real_escape_string($_POST['username_output']);
$sql_username = mysql_real_escape_string($username);
mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");
<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];
if (isset($_POST['submit']))
{
$sql_username_output = mysql_real_escape_string($_POST['username_output']);
$sql_username = mysql_real_escape_string($username);
mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");
$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);
mysql_query("UPDATE users SET username='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR");
}
$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
echo "<form method='POST' action ='profile_edit.php'>";
while ($output = mysql_fetch_array ($user_myself))
{
echo "Username: <input type='text' value='$output[username]' name='username_output'><p>";
echo "First Name: <input type='text' value='$output[first_name]' name='first_name_output'>";
echo "<p>";
}
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Unfortunately it doesn't work. What is happening is that if I update the first name, it doesn't change in the DB. However, whatever I enter in the form's first name field, the value of the username gets updated. So something is kind of messed up. Again: when I update first name, username is getting updated.
Step #2: Whenever you echo anything the user gave you through $_POST, $_COOKIE, etc., run it through htmlspecialchars(). If you are placing them in an attribute delimited with single quotes ', use htmlspecialchars($string, ENT_QUOTES);. You may need to break things out of the interpolation, like you did before. Prefix variable names with $html_.
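One way to apply Step 1 and Step 2 together to the profile_edit.php script in this thread, as an added example (not code from the thread or from either poster). It assumes the same "login" database, "users" table with username and first_name columns, and ID_my_site cookie as the posted code, and swaps in mysqli prepared statements for mysql_real_escape_string() because the mysql_* extension was removed in PHP 7:

```php
<?php
// Added example, not the thread's code: profile_edit.php rewritten to follow
// Step 1 (no interpolation into SQL) and Step 2 (htmlspecialchars on output).
// Assumes the same "login" database, "users" table (username, first_name)
// and ID_my_site cookie as the thread. Swapped-in technique: mysqli prepared
// statements instead of mysql_real_escape_string() (mysql_* is gone in PHP 7).
$db = new mysqli("localhost", "root", "", "login");
if ($db->connect_error) {
    die("Connection failed"); // do not echo connect_error to the browser
}
// Read the current user BEFORE any UPDATE (the thread's bug was an undefined
// $username in the WHERE clause). As in the thread, the cookie is trusted as
// identity; a server-side session is the proper check and is out of scope here.
$username = isset($_COOKIE['ID_my_site']) ? $_COOKIE['ID_my_site'] : '';
if (isset($_POST['submit']) && $username !== '') {
    $new_username   = isset($_POST['username_output'])   ? $_POST['username_output']   : '';
    $new_first_name = isset($_POST['first_name_output']) ? $_POST['first_name_output'] : '';

    // Step 1: values are bound parameters, so quotes or "'; DROP TABLE foo"
    // in the input stay data. One statement updates both columns (the thread's
    // second UPDATE named the wrong column, so first_name never changed).
    $stmt = $db->prepare("UPDATE users SET username = ?, first_name = ? WHERE username = ?");
    $stmt->bind_param("sss", $new_username, $new_first_name, $username);
    $stmt->execute() or die("ERROR");
    $stmt->close();
    $username = $new_username; // the row is now keyed by the new name
}

// The UPDATE has already run, so this SELECT returns the fresh values and the
// form shows them without a browser refresh.
$stmt = $db->prepare("SELECT username, first_name FROM users WHERE username = ?");
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($db_username, $db_first_name);

echo "<form method='POST' action='profile_edit.php'>";
while ($stmt->fetch()) {
    // Step 2: ENT_QUOTES because the value attribute is delimited with single
    // quotes; otherwise a stored ' would break out of the attribute.
    $html_username   = htmlspecialchars($db_username,   ENT_QUOTES, 'UTF-8');
    $html_first_name = htmlspecialchars($db_first_name, ENT_QUOTES, 'UTF-8');
    echo "Username: <input type='text' value='$html_username' name='username_output'><p>";
    echo "First Name: <input type='text' value='$html_first_name' name='first_name_output'><p>";
}
$stmt->close();
?>
<input type="submit" name="submit" value="submit">
</form>
```

If the username is changed, the ID_my_site cookie still carries the old value on the next request, so the script that sets that cookie has to be updated as well.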
Oh wow, I'm sorry, I really don't understand what I am supposed to do. I actually just learned PHP; I know all the basics, and suddenly somebody tells me that my script is unsafe. That is kind of scary. It would be great if you could give me an example regarding my code, because I really have no clue. It was easy to work on the first part, because you gave me an example, though.