Variable from URL in PHP MySQL query

I'm trying to get a variable from the URL, but for some reason, I can't get it to work. This is all coming from another website's form; that's why I need to get it from the URL. This is what I have right now:

if (isset($_GET['PTS'])) {
    $sPTS = htmlentities($_GET['PTS']);

    if (isset($_GET['submit'])) {
        mysql_query("UPDATE table1 SET $sPTS=1, ENTRY=5") or die(mysql_error());
    }
}

Thanks for your help... I'm still new to this and learning.


There are a few concerns about the code that I'd like to point out, and they may or may not address the issue.

  • You use htmlentities() on what will ultimately be a field name. Perhaps a tiny bit of data checking would be better.
  • You're allowing a GET statement to specify a field name with NO restrictions. This is VERY dangerous.
  • There is no WHERE clause on your UPDATE statement. All records in the table will be updated.
  • If the submit was made via POST, it wouldn't hit here. I only mention this to you in the off chance that this is something you overlooked. Is $_REQUEST a better fit for your use (than $_GET)?


Try

if (isset($_GET['submit'])) {
    mysql_query("UPDATE table1 SET `".$sPTS."`=1, `ENTRY`=5") or die(mysql_error());
}

Also, you should be using mysql_real_escape_string on those $_GET values:

$sPTS = mysql_real_escape_string(htmlentities($_GET['PTS']));
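
The "data checking" and WHERE clause points from the first answer, as an added example that is not part of the original question or answers: the column name from the URL is accepted only if it is on a fixed allowlist, and the row id is bound as a parameter. It uses PDO (the mysql_* functions were removed in PHP 7); the column names PTS_A and PTS_B, the id column and the in-memory SQLite database are assumptions chosen so the script runs offline.

```php
<?php
// Added example. PTS_A, PTS_B and the id column are hypothetical names;
// SQLite in memory stands in for MySQL so the script needs no server.

const ALLOWED_COLUMNS = ['PTS_A', 'PTS_B'];

function markPoints(PDO $db, array $get): int
{
    $column = $get['PTS'] ?? '';
    // Identifiers cannot be bound as placeholders, so accept only known names.
    if (!is_string($column) || !in_array($column, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown column');
    }
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('missing or non-numeric id');
    }
    // $column is now one of our own constants; the value goes through a placeholder.
    $stmt = $db->prepare("UPDATE table1 SET `$column` = 1, `ENTRY` = 5 WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY,
           PTS_A INT DEFAULT 0, PTS_B INT DEFAULT 0, ENTRY INT DEFAULT 0)');
$db->exec('INSERT INTO table1 (id) VALUES (1), (2)');

// Constructed requests standing in for $_GET.
$requests = [
    ['PTS' => 'PTS_A', 'id' => '1'],   // allowed column, one row updated
    ['PTS' => 'ENTRY', 'id' => '1'],   // real column, but not on the allowlist
    ['PTS' => 'PTS_B'],                // no id: refuse instead of updating every row
];
foreach ($requests as $get) {
    try {
        printf("%s -> %d row(s) updated\n", json_encode($get), markPoints($db, $get));
    } catch (InvalidArgumentException $e) {
        printf("%s -> rejected: %s\n", json_encode($get), $e->getMessage());
    }
}
```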