
#1 2015-04-02 10:15:47

joel
Member
Registered: 2014-07-04
Posts: 440

hello help, the update/edit does not work with database id line. it pic

Hello, help: the edit/update does not work with the database id user data line. It picks the first user's data in the database irrespective of the user you choose to edit; instead it shows only the first user's data in the database to be edited once you click to edit any user, although it has the id in the URL, e.g. edit.php?id=12, edit.php?id=13, edit.php?id=14, but the same user's data appears.

What is wrong with this code? Someone help.

<?php require_once('../Connections/osdbc.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE account SET lastname=%s, email=%s, zipcode=%s, gender=%s, occupation=%s, streetaddress=%s, `state`=%s, country=%s WHERE firstname=%s",
                       GetSQLValueString($_POST['lastname'], "text"),
                       GetSQLValueString($_POST['email'], "text"),
                       GetSQLValueString($_POST['zipcode'], "text"),
                       GetSQLValueString($_POST['gender'], "text"),
                       GetSQLValueString($_POST['occupation'], "text"), // was missing: the format has 9 placeholders but only 8 values were passed
                       GetSQLValueString($_POST['streetaddress'], "text"),
                       GetSQLValueString($_POST['state'], "text"),
                       GetSQLValueString($_POST['country'], "text"),
                       GetSQLValueString($_POST['firstname'], "text"));

  mysql_select_db($database_osdbc, $osdbc);
  $Result1 = mysql_query($updateSQL, $osdbc) or die(mysql_error());

  $updateGoTo = "admin.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

mysql_select_db($database_osdbc, $osdbc);
$query_edit = "SELECT * FROM account";
$edit = mysql_query($query_edit, $osdbc) or die(mysql_error());
$row_edit = mysql_fetch_assoc($edit);
$totalRows_edit = mysql_num_rows($edit);
?>

Last edited by joel (2015-04-02 10:18:53)


Warning! be informed and be forewarned.
<?php
I'm not a native English Man. So my comments might contain some grammatical explosive (ELD), missapropreation of words (dinamyt), The use of wrong words (missiles), & mis spelling of words (war drones). Any of the occurrence can cause havoc. So be warned
?>


#2 2015-04-02 10:58:48

joel
Member
Registered: 2014-07-04
Posts: 440

help

Last edited by joel (2015-04-02 11:01:41)



#3 2015-04-02 12:32:35

seven
Member
From: Torino, Italy
Registered: 2010-08-19
Posts: 314

Most likely you aren't using the WHERE clause in your SQL to indicate which row(s) you want to fetch.


gamezoo.org - serious gaming services for serious gamers.


#4 2015-04-02 14:33:15

joel
Member
Registered: 2014-07-04
Posts: 440

Please help to point out where that is, from the code.



#5 2015-04-02 15:15:56

seven
Member
From: Torino, Italy
Registered: 2010-08-19
Posts: 314

It's where you select the rows before displaying them.



#6 2015-04-03 08:17:44

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Deprecated MySQL functions are easier to use (not counting all the escaping you should be doing) than PDO or MySQLi prepared statements, but far less secure. That's why they've been deprecated. You should be rewriting this code more securely using the links in your first topic.

There are several other flaws in your code (that I don't think I've already explained) :

  • After header() you need to use exit or the script will continue

  • You break out of and back into PHP on line #1 for no reason. That could be enough to generate a "cannot modify header information" error


#7 2015-04-03 10:48:14

joel
Member
Registered: 2014-07-04
Posts: 440

chris98 wrote:

Deprecated MySQL functions are easier to use (not counting all the escaping you should be doing) than PDO or MySQLi prepared statements, but far less secure. That's why they've been deprecated. You should be rewriting this code more securely using the links in your first topic.

There are several other flaws in your code (that I don't think I've already explained) :

  • After header() you need to use exit or the script will continue

  • You break out of and back into PHP on line #1 for no reason. That could be enough to generate a "cannot modify header information" error

Hello Chris,

I am not a programmer, nor do I have any webmaster qualifications. I have never attended any training or whatsoever before.

The little I know I picked up online. Writing secure scripts is never my thing.

I am only trying to amend or modify.

Mind you, the script I am working on doesn't need security concerns. It's just a project that is needed with it functioning.

I had no idea what you are talking about regarding security.



#8 2015-04-03 11:44:56

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

There's a lot of rubbish online that doesn't help with organised code; I learned that when I first started too. But I don't have a single qualification in coding either, yet.

Part of it is to do with outdated tutorials; they make people think that they are perfectly fine to use. But in reality, they are very, very bad. Not only because they're very insecure, but also because they've been deprecated by PHP. In PHP 7.0, they will be completely removed, and so relying on deprecated functions is not a good idea because one day they will no longer exist.

Below are two of the most common problems (in addition to the ones I've mentioned) with the MySQL extension (the code that you're using, i.e. mysql_connect, mysql_num_rows, mysql_query, etc.):

  • Not under active development

  • Doesn't support non-blocking, asynchronous queries; in other words, queries that do not force things into a bottleneck when a page loads

So instead of using MySQL, you have two options: MySQLi or PDO. PDO is easier for beginners and supports more database types, so it is probably more beneficial overall. Below, I'll explain to you how PDO works, and then how about attempting the same code through PDO, to ensure that the security of your application is the highest it can be?

So, to connect to a database through PDO, just like what mysql_connect does, you must have a database username and password. This is the best type of code to do so because it automatically lets you know about any database errors that occur during your script.

Another very useful feature of the newer database drivers is that it allows you to handle errors properly when they occur. At the moment, when you use or die(mysql_error()) it instantly exits the script displaying the exact error to the user. But what happens if the user is a hacker, and wants to bring your site down?

The information

access denied for user whatever @ localhost using password 123

has just given an attacker a massive amount of information on your database setup. With PDO you can catch errors and do something if they occur, giving you the ability to continue with your script even if a massive database error does occur.

<?php
$username = 'root';
$password = '';
$dsn = "mysql:host=localhost;dbname=my_database";
$opt = array(
	// any occurring errors will be thrown as PDOException
	PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
	// an SQL command to execute when connecting
	PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES 'UTF8'"
);
$pdo = new PDO($dsn, $username, $password, $opt);

So in this piece of code, you've managed to connect to 'localhost', and a database called 'my_database' through PDO. There are plenty of tutorials around that are very good at explaining this in more detail, such as these:

http://www.dreamincode.net/forums/topic … on-to-pdo/

http://code.tutsplus.com/tutorials/why- … -net-12059

http://www.w3schools.com/php/php_mysql_ … ements.asp

The next thing in PDO that makes it better is the ability to use prepared statements. Take a look at the following code:

$sql = "SELECT type, colour FROM `fruits` WHERE id = ?";

This might strike you as a bit odd, being that it has a ? where you would normally put the ID from the URL. But this is exactly how to stop SQL injection. SQL injection is the ability for attackers to inject malicious code into your forms or URLs in order to compromise your database. In doing so, they will be able to get hold of very sensitive information.

The most common method of SQL Injection is simply placing a ' in the URL after any integer value. For example, take this topic as an example - https://fluxbb.org/forums/viewtopic.php?id=8306

An attacker would simply use https://fluxbb.org/forums/viewtopic.php?id=8306' to check if a website is vulnerable.

The reason for this is that when you use $_GET['id'], the apostrophe is put inside the query as well:

$sql = 'SELECT name, colour FROM fruits WHERE id=$_GET['id']';

Would become:

$sql = 'SELECT name, colour FROM fruits WHERE id=8306'';

- see the double apostrophe at the end? That would cause an error. Even if the original SQL string used double quotes, it would still trigger an error because it's incorrect SQL syntax; see the example below:

$sql = "SELECT name, colour FROM fruits WHERE id=8306'";

I won't go into a massive amount of detail (and there are other, less effective ways to counter it than prepared statements) but here is a tutorial on SQL injection if you want to know more: http://voice0fblackhat.blogspot.com/201 … l-for.html

Prepared statements keep the data completely separate from the query, as shown below again:

$sql = "SELECT type, colour FROM `fruits` WHERE id = ?";

By doing so, there is 0% risk of SQL injection because it's not directly inserted into the query. Instead, you'd do something like the following:

// Assume that this code is below your database connection, above
// This next line isn't perfect, but this is more simple
$id = $_GET['id'];

// First, say what the query is
$sql = "SELECT type, colour FROM `fruits` WHERE id = ?";

// Next using the $pdo variable (from the connection code above) prepare the query
$ps = $pdo->prepare($sql);

// Now, keeping the data separate from the query, execute the prepared statement

// By doing so, create an array with all the question marks from the query.
// array($data1, $data2, $data3) etc.
$ps->execute(array($id));

// Fetch the data from the database in an array
$fruit = $ps->fetch();

// Print the array out onto the page to see the result of our new prepared statement!
print_r($fruit);

It gets more complicated than this, and this is very basic. But this is how to counter SQL injection. It's also worth noting that just using PDO doesn't counter SQL injection; you have to keep the data completely separate, as I did above.
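Putting the edit.php from post #1 and the prepared-statement approach from this post together, here is an added example (not code from either poster) of the same page fetching and updating one row by its id through PDO. It assumes a $pdo connection like the one above lives in ../Connections/pdo.php, that the account table's primary key column is named id, and PHP 5.4 or later.

```php
<?php
// Added example (not joel's or chris98's code): edit.php rewritten with PDO
// prepared statements. Assumes a connection like chris98's ($pdo, created with
// ERRMODE_EXCEPTION) in ../Connections/pdo.php and an `account` table whose
// primary key column is `id` (both assumptions; adjust to your schema).
require_once '../Connections/pdo.php';

// Validate the id from the URL (edit.php?id=12) before touching the database.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}

try {
    if (isset($_POST['MM_update']) && $_POST['MM_update'] === 'form1') {
        // Every value is bound, never concatenated, and the row is chosen
        // by its id rather than by firstname (which need not be unique).
        $sql = 'UPDATE account SET lastname = ?, email = ?, zipcode = ?, gender = ?,'
             . ' occupation = ?, streetaddress = ?, `state` = ?, country = ?'
             . ' WHERE id = ?';
        $fields = ['lastname', 'email', 'zipcode', 'gender',
                   'occupation', 'streetaddress', 'state', 'country'];
        $params = [];
        foreach ($fields as $f) {
            // Empty input becomes NULL, as the "text" case of GetSQLValueString did.
            $params[] = (isset($_POST[$f]) && $_POST[$f] !== '') ? $_POST[$f] : null;
        }
        $params[] = $id;
        $pdo->prepare($sql)->execute($params);

        header('Location: admin.php');
        exit; // stop here, otherwise the script keeps running after the redirect
    }

    // This is what the original edit.php was missing: fetch ONLY the
    // requested user instead of the first row of the whole table.
    $ps = $pdo->prepare('SELECT * FROM account WHERE id = ?');
    $ps->execute([$id]);
    $row_edit = $ps->fetch(PDO::FETCH_ASSOC);
    if ($row_edit === false) {
        http_response_code(404);
        exit('No such user');
    }
} catch (PDOException $e) {
    // Log the real error server-side; the browser gets only a generic message,
    // so no "access denied for user ..." details reach a visitor.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Database error');
}

// $row_edit now holds the chosen user's data for the form; echo each field
// through htmlspecialchars() when placing it in an input's value attribute.
```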


#9 2015-04-03 20:00:22

joel
Member
Registered: 2014-07-04
Posts: 440

OK, I will go through them in my free time. I am still too confused.



#10 2015-04-04 12:11:13

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Let me know if you need any more help :)


#11 2015-04-05 14:27:15

joel
Member
Registered: 2014-07-04
Posts: 440

Chris, the correction I need is the one for that code.



#12 2015-04-05 14:31:00

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Which code? I'm not quite sure what you mean. You can use the code I posted above, if that's what you mean.

Last edited by chris98 (2015-04-05 14:32:21)


#13 2015-04-05 17:09:31

joel
Member
Registered: 2014-07-04
Posts: 440

The script is made up of the one you called outdated code.

From admin, which lists users and their details in a row starting with id, and it has edit and delete user.

The delete works fine, but the edit will open the first user in the row irrespective of any user you choose to edit. What got me so tired is the fact that the URL has the user id but someone else's details.

Chris, just take a look at that code again to find where the error is? I don't know if it is this edit.php or the admin.php where it's linked to edit.php.

Could it be?

if I want to



#14 2015-04-05 17:14:42

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

Once you show me the updated version of the code, I'll take a look and see what's not working for you.


#15 2015-04-05 17:38:29

joel
Member
Registered: 2014-07-04
Posts: 440

chris98 wrote:

Once you show me the updated version of the code, I'll take a look and see what's not working for you.

I don't have an updated version.

Can you give me the complete

edit.php?

and clickheretoeditrow.php leading to edit.php?=18

Let me see if it will let me amend.



#16 2015-04-05 17:43:42

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

No. I won't do your project for you.


#17 2015-04-05 17:46:39

joel
Member
Registered: 2014-07-04
Posts: 440

chris98 wrote:

No. I won't do your project for you.

Please. Someone help.



#18 2015-04-05 17:48:25

chris98
Member
From: England, United Kingdom
Registered: 2013-05-31
Posts: 1,292

I've already given you help, start by reading over the links I gave you in post #8. Help is different from doing it for you.
