Update MySQL Table

Discussion in 'Web Design and Development' started by HarryWorksInc, Apr 24, 2010.

  1. HarryWorksInc macrumors regular

    Feb 21, 2010
    I am working on a website in which the user can set their own status I am trying to load a web page from a mobile device to set the user status. This is my code
    $sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET['status']' WHERE Username = '$_GET['username']' AND Location = '$_GET['location']', Coins = '$_GET['coins']'");
    But it doesn't seem to be working i get this error:
    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/harrywo2/public_html/SNACPF/UpdateStatus.php on line 14
    Line 14 is the mysql_query I posted above.
  2. Joined:
    Jun 30, 2009
    Remove the single quotes around the $_GET arguments. That is,
    $sql=mysql_query("UPDATE Character_Stats SET Status = '$_GET[status]' WHERE Username = '$_GET[username]' AND Location = '$_GET[location]', Coins = '$_GET[coins]'"); 
  3. NathanCH macrumors 65816


    Oct 5, 2007
    Stockholm, Sweden
    It's pretty unsafe to upload/update anything using raw $_GET. I could simply change the URL and upload/update any information to your site. Very very easy to hack!
  4. bld44 macrumors 6502

    Apr 21, 2007
    That query is very, very susceptible to SQL injection.

    Put those GET's into variables and run mysql_real_escape_string on them at the least.

Share This Page