Reputation: 103
Snippets of what I have:
echo $_GET['tournamententryid'].'<br/>';
The above line will correctly display: 32
Just below the line above, I have:
if (isset($_POST['submit']))
{
    $query='UPDATE tbl_tournamententry set score='.$_POST['score'].' WHERE id='.$_GET['tournamententryid'];
    echo $query;
}
The output of the 'echo $query' from just above results in this:
UPDATE tbl_tournamententry set score=876 WHERE id=
I cannot understand why the $query variable does not include the . . .id=32. The $query I'm trying to concatenate together should read:
UPDATE tbl_tournamententry set score=876 WHERE id=32
What am I missing?
More information: The receiving page URL is: http://example.com/test/submitascore.php?tournamententryid=32&gamename=Creature+From+the+Black+Lagoon
That URL is where the 'get' of my $_GET['tournamententryid'] value of 32 (and it properly echoes) comes from. The $_POST receives the score that the user entered. So, Page 1 allowed the user to select the 'tournamententryid', which was a href to the submitascore.php page. The submitascore.php URL includes the $_GET variable.
Upvotes: 2
Views: 597
Reputation: 103
I understand the problem:
When the page loads, the URL correctly contains the GET tournamententryid variable and $_GET['tournamententryid'] is available.
The page contains a form method="post" which calls itself, so when the user clicks the submit button, the URL gets re-written from:
http://example.com/test/submitascore.php?tournamententryid=32&gamename=Creature+From+the+Black+Lagoon
to
http://example.com/test/submitascore.php
thereby deleting the $_GET variables entirely. Thank you to all for the brain exercise!
Solution: In the form method="post", store the value of $_GET['tournamententryid'] in an input="hidden" value=$_GET['tournamententryid'] for use in the POST section
Upvotes: 2
Reputation:
This is a TERRIBLE practice. Look into sanitizing your variables before injecting them into SQL.
This code below is vulnerable to SQL Injection (attacks):
if (isset($_POST['submit'])) {
    $query='UPDATE tbl_tournamententry set score='.$_POST['score'].' WHERE id='.$_GET['tournamententryid'];
    echo $query;
}
Look into PDO & ensure you're not using an outdated version of PHP.
PDO example:
Firstly, connect to your database like so:
$database = "mydatabase";
$username = "myusername";
$password = "mypassword";
$PDO = new PDO('mysql:host=localhost;dbname='.$database, $username, $password);
Then
$sql = $PDO->prepare('UPDATE tbl_tournamententry set score=:score WHERE id=:id');
$sql->execute(array(
    ":score" => $_POST['score'],
    ":id" => $_GET['tournamententryid'],
));
Using prepared statements, your variables will be sanitized to prevent SQL injection. By putting a variable straight into SQL that users have control of, anyone can put anything there. SQL is separate to PHP.
If, for example, $_GET['id'] was set by the user as '' or 1=1 with an SQL statement like
SELECT * FROM users WHERE username=$_GET['id']
it would then be SELECT * FROM users WHERE id='' or 1=1
SQL is capable of mathematics, therefore 1 DOES EQUAL 1 and ALWAYS will.
In more simple terms, this means IF 1=1 LIST ALL USERS
Additionally, you're using $_POST and $_GET.
$_GET comes from the URL, e.g.
http://example.com/?tournamententryid=1
$_GET['tournamententryid'] will be able to access that in the URL above. This is known as the GET Method.
Whereas $_POST['tournamententryid'] is a different variable sent through the POST Method. They serve different purposes. You may want $_POST['tournamententryid']
Upvotes: 2
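An added example, not code from any of the posts above: the hidden-field fix combined with the prepared statement, with both values validated as integers because a hidden field is as user-controlled as the URL. The helper names `update_score` and `hidden_id_field` and the in-memory SQLite table standing in for the MySQL database are assumptions.

```php
<?php
// Assumption: SQLite in-memory stands in for the MySQL database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_tournamententry (id INTEGER PRIMARY KEY, score INTEGER)');
$pdo->exec('INSERT INTO tbl_tournamententry (id, score) VALUES (31, 0), (32, 0), (33, 0)');

/**
 * Hypothetical helper: validate both request values as integers, then bind
 * them to a prepared UPDATE. Returns rows changed, or null when input is rejected.
 */
function update_score(PDO $pdo, $rawId, $rawScore): ?int
{
    $id    = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $score = filter_var($rawScore, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false || $score === false) {
        return null; // not an integer: refuse rather than build a query from it
    }
    $stmt = $pdo->prepare('UPDATE tbl_tournamententry SET score = :score WHERE id = :id');
    $stmt->bindValue(':score', $score, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/** Hypothetical helper: the hidden field, HTML-escaped before it is echoed. */
function hidden_id_field($rawId): string
{
    return '<input type="hidden" name="tournamententryid" value="'
        . htmlspecialchars((string) $rawId, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request values: the hidden field arrives in $_POST, still user-controlled.
$requests = [
    ['tournamententryid' => '32', 'score' => '876'],
    ['tournamententryid' => "'' or 1=1", 'score' => '876'], // value quoted in the answer
    ['tournamententryid' => '', 'score' => '876'],          // the lost-GET case
];
foreach ($requests as $post) {
    $changed = update_score($pdo, $post['tournamententryid'], $post['score']);
    echo var_export($post['tournamententryid'], true), ' => ',
        $changed === null ? 'rejected' : "$changed row(s) updated", PHP_EOL;
}
echo hidden_id_field('32"><b>'), PHP_EOL; // quotes and angle brackets come out escaped
```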