Home/ Questions/Q 964111
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T01:46:32+00:00

I have a a php page which updates a mySql database it works fine

  • 0

I have a a php page which updates a mySql database it works fine on my mac (localhost using mamp)

I made a check if its the connection but it appears to be that there is a connection

 <?php require_once('connection.php'); ?>

 <?php  
  $id = $_GET['id'];
  $collumn = $_GET['collumn'];
  $val = $_GET['val'];
 // checking if there is a connection
 if(!$connection){
     echo "connectioned failed";
   }
  ?>


 <?php 
    $sqlUpdate = 'UPDATE plProducts.allPens SET '. "{$collumn}".' = '."'{$val}'".' WHERE allPens.prodId = '."'{$id}'".' LIMIT 1';
    mysql_query($sqlUpdate);
    // testing for errors
   if ($sqlUpdate === false) {
      // Checked this and echos NO errors.
     echo "Query failed: " . mysql_error();
    }

if (mysql_affected_rows() == 1) {
  echo "updated";
} else {
  echo "failed";
}?>

In the URL i pass in parameters and it looks like this: http://pathToSite.com/updateDB.php?id=17&collumn=prodid&val=4

Maybe this has to do with the hosting? isn’ t this simple PHP mySql database updating? what can be wrong here?

Why on localhost it does work?

Why on live server it doesn’t?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Let’s start with troubleshooting your exact problem. Your query is failing for some reason. We can find out what that problem is by checking what comes back from mysql_query, and if it’s boolean false, asking mysql_error what went wrong:

    $sh = mysql_query($sqlUpdate);
if($sh === false) {
    echo "Query failed: " . mysql_error();
    exit;
}

    You have other problems here. The largest is that your code suffers from an SQL Injection vulnerability. Let’s say your script is called foo.php. If I request:

    foo.php?collumn=prodId = NULL --

    then your SQL will come out looking like:

    UPDATE plProducts.allPens SET prodId = NULL -- = "" WHERE allPens.prodId = "" LIMIT 1

    -- is an SQL comment.

    I just managed to nuke all of the product IDs in your table.

    The most effective way to stop SQL injection is to use prepared statements and placeholders. The "mysql" extension in PHP doesn’t support them, so you’d also need to switch to either the must better mysqli extension, or the PDO extension.

    Let’s use a PDO prepared statement to make your query safe.

    // Placeholders only work for *data*.  We'll need to validate 
// the column name another way.  A list of columns that can be
// updated is very safe.
$safe_columns = array('a', 'b', 'c', 'd');
if(!in_array($collumn, $safe_columns))
    die "Invalid column";
// Those question marks are the placeholders.
$sqlUpdate = "UPDATE plProducts.allPens SET $column = ? WHERE allPens.prodId = ? LIMIT 1";
$sh = $db->prepare($sqlUpdate);
// The entries in the array you pass to execute() are substituted
// into the query, replacing the placeholders.
$success = $sh->execute(array( $val, $id ));
// If PDO is configured to use warnings instead of exceptions, this will work.
// Otherwise, you'll need to worry about handling the exception...
if(!$success)
    die "Oh no, it failed!  MySQL says: " . join(' ', $db->errorInfo());
    • 0