Update MySQL Table

Discussion in 'Web Design and Development' started by HarryWorksInc, Apr 24, 2010.

Most Liked Posts
  1. HarryWorksInc, Apr 24, 2010

    HarryWorksInc macrumors regular

    Joined:
    Feb 21, 2010
    #1
    I am working on a website in which the user can set their own status I am trying to load a web page from a mobile device to set the user status. This is my code
    PHP:
    $sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET['status']' WHERE Username = '$_GET['username']' AND Location = '$_GET['location']', Coins = '$_GET['coins']'");
    But it doesn't seem to be working i get this error:
    HTML:
    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/harrywo2/public_html/SNACPF/UpdateStatus.php on line 14
    Line 14 is the mysql_query I posted above.
     
    share
    + Quote Reply
  2. Not Available, Apr 24, 2010

    Not Available Guest

    Joined:
    Jun 30, 2009
    #2
    Remove the single quotes around the $_GET arguments. That is,
    PHP:
    $sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET[status]' WHERE Username = '$_GET[username]' AND Location = '$_GET[location]', Coins = '$_GET[coins]'"); 
     
    share
    + Quote Reply
  3. NathanCH, Apr 24, 2010

    NathanCH macrumors 65816

    NathanCH

    Joined:
    Oct 5, 2007
    Location:
    Stockholm, Sweden
    #3
    It's pretty unsafe to upload/update anything using raw $_GET. I could simply change the URL and upload/update any information to your site. Very very easy to hack!
     
    share
    + Quote Reply
  4. bld44, Apr 24, 2010

    bld44 macrumors 6502

    Joined:
    Apr 21, 2007
    #4
    That query is very, very susceptible to SQL injection.

    Put those GET's into variables and run mysql_real_escape_string on them at the least.
     
    share
    + Quote Reply
(You must log in or sign up to post here.)

Share This Page