Reputation:
I created update code for updating a password in a table using the id. This is the URL from which I am getting the id using $_GET,
but it's not working.
http://www.example.com/en/resetPaSS.php?id=1&token=779d2aa48de104db46d66e29de576aac
The code:
if(isset($_POST['sub']))
{
    $pass_hash = PassHash::hash($_POST['pass']);
    // $_GET['id'] is interpolated straight into the query string
    $sql = "UPDATE user SET password='$pass_hash' WHERE id='$_GET[id]'";
    $resu = mysqli_query($link, $sql);
    //echo $sql;
    if(!$resu)
    {
        $error = "Unable to change Password. Try Again!";
    }
    else
    {
        echo "changed";
    }
}
I also echoed $sql
and it shows UPDATE user SET password='$2a$10$bed9ad8e6cb910e0f1f12uXJldZLQ79f5HVrIiIAIZeZ9088Rre9.' WHERE id=''
I also tried $_REQUEST
but it still doesn't work.
EDIT:
I am using this URL for resetting the password, which I send to the user and which is created using
http://www.example.com/en/resetPaSS.php?id=$id&token=$token
Upvotes: 0
Views: 537
Reputation: 11700
If you use a form, then the id is not in the action URL. You can also post the id by using a hidden input field.
You must use a prepared statement to prevent SQL injection:
$sql = "UPDATE user SET password=? WHERE id=?"; /* placeholders are not quoted */
$stmt = $link->prepare($sql);
/* bind parameters: s = string, i = integer */
$stmt->bind_param("si", $pass_hash, $_GET['id']);
/* execute query */
$stmt->execute();
EDIT: By clicking the link you go to your page where the form is. You have to add the id to the form or to the action URL to make your script work, by doing the following steps.
Make a variable named id like this:
$id = isset($_GET['id']) ? $_GET['id'] : $_POST['id'];
Also add a hidden field to the form (escaped, since the value is reflected into HTML):
<input type="hidden" name="id" value="<?php echo htmlspecialchars($id, ENT_QUOTES, 'UTF-8'); ?>">
Change the query bind_param to:
$stmt->bind_param("si", $pass_hash, $id);
Upvotes: 1
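The pieces of this answer put together into one page, as an added example that is not code from the question or from the answer: the id travels from the link into the form through a hidden field, is validated as an integer, and is bound into a prepared statement rather than interpolated. It assumes $link is an open mysqli connection and the PassHash::hash() helper from the question; the token the reset link carries must be checked against the stored value before the update, and that lookup is not shown on the page, so it is only marked by a comment.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes an open mysqli
// connection in $link and the PassHash::hash() helper from the question.
declare(strict_types=1);

// On the first visit the id is in the query string; once the form is submitted
// it is in the POST body. Accept either, but only as an integer.
// filter_input() returns null when the field is absent and false when invalid.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT)
   ?? filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$token = $_POST['token'] ?? $_GET['token'] ?? '';

if ($id === null || $id === false) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Verify $token against the value stored for $id before allowing the update;
// the page does not show that lookup, so it is not reproduced here.

$error   = null;
$changed = false;
if (isset($_POST['sub'])) {
    $pass_hash = PassHash::hash($_POST['pass']);

    // Placeholders are never quoted: mysqli binds the values itself, so the
    // hash and the id can never be read as SQL.
    $stmt = $link->prepare('UPDATE user SET password = ? WHERE id = ?');
    if ($stmt === false) {
        $error = 'Unable to change password. Try again!';
    } else {
        $stmt->bind_param('si', $pass_hash, $id);   // s = string, i = integer
        // affected_rows distinguishes "no row with this id" from a real update
        if ($stmt->execute() && $stmt->affected_rows === 1) {
            $changed = true;
        } else {
            $error = 'Unable to change password. Try again!';
        }
        $stmt->close();
    }
}
?>
<?php if ($changed): ?>
  <p>changed</p>
<?php elseif ($error !== null): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="resetPaSS.php">
  <!-- Carry id and token along in the POST; escape them because both are
       reflected into the HTML straight from the request -->
  <input type="hidden" name="id" value="<?= htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="password" name="pass">
  <input type="submit" name="sub" value="Change password">
</form>
```

With this layout the submitted form no longer depends on the query string, which is why the original query ended up with WHERE id='': the form's action URL carried no id, so $_GET['id'] was empty on the POST request.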
Reputation: 1274
Try this (the procedural mysqli_real_escape_string() needs the connection as its first argument):
$sql = "UPDATE user SET password='$pass_hash' WHERE id='" . mysqli_real_escape_string($link, $_GET['id']) . "'";
Upvotes: 2
Reputation: 9527
If you know that id is a number, do this:
$id = intval($_GET['id']);  // anything that is not an integer becomes 0
$sql = "UPDATE user SET password='$pass_hash' WHERE id='$id';";
Upvotes: 0