Update MySQL Table

[HarryWorksInc]

I am working on a website in which the user can set their own status I am trying to load a web page from a mobile device to set the user status. This is my code

$sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET['status']' WHERE Username = '$_GET['username']' AND Location = '$_GET['location']', Coins = '$_GET['coins']'");

But it doesn't seem to be working i get this error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/harrywo2/public_html/SNACPF/UpdateStatus.php on line 14

Line 14 is the mysql_query I posted above.

 

[Not Available]

Remove the single quotes around the $_GET arguments. That is,

$sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET[status]' WHERE Username = '$_GET[username]' AND Location = '$_GET[location]', Coins = '$_GET[coins]'");

 

[NathanCH]

It's pretty unsafe to upload/update anything using raw $_GET. I could simply change the URL and upload/update any information to your site. Very very easy to hack!

 

[bld44]

That query is very, very susceptible to SQL injection.

Put those GET's into variables and run mysql_real_escape_string on them at the least.