Blue Cat

Reputation: 117

Prevent updating MySQL data if it is not received from the form

I have a simple form to update the user data in my database. I am posting the data to another page to update my database. However, if I go to the page directly (ex: update2.php?userid=30), the database is being updated with empty data.

Here is what I have inside my update2.php file:

$userid=$_GET["userid"];

$username = $_POST["username"];
$email = $_POST["email"];
$phone = $_POST["phone"];

include("connect.php");

$updateuser=mysql_query("update users set username='$username', email='$email', phone='$phone' where ID=$userid");

if($updateuser){
echo "Done";
}

else{
echo "Failed";
}

Upvotes: 0

Views: 75

Answers (3)

Daniel Loureiro

Reputation: 5333

That's because when you go to the page directly, you are making a "GET" action, not a "POST". When you send the information via a form, you can choose whether to send it via "POST" (e.g.: <form action="action_page.php" method="POST">) or "GET" (e.g.: <form action="action_page.php" method="GET">). The GET method puts the variables in the URL (e.g.: "update2.php?userid=30&phone=12345"), while POST doesn't.

A solution is not to be so specific and use $_REQUEST instead of $_POST or $_GET. $_REQUEST reads both from $_POST and $_GET:

$userid=$_REQUEST["userid"];

$username = $_REQUEST["username"];
$email = $_REQUEST["email"];
$phone = $_REQUEST["phone"];

PS: I'm assuming that your code is not accessible from the outside world and/or it's not an important database and/or you oversimplified the code for understanding purposes. I say that because it is very vulnerable to SQL injection. What if I access update2.php?userid=1 OR 1=1 or, worse, update2.php?userid=1;DROP TABLE an_important_table?

UPDATE:

I think that I misunderstood the question. I thought that you wanted to update the database when accessing directly, but the data was being updated with empty values. Now I understand that you don't want to let anyone update directly.

So, check if you are getting the request by POST (form) or GET (directly via browser). You can check if your $_POST["userid"] is set for that, or use $_SERVER['REQUEST_METHOD']:

if ($_SERVER['REQUEST_METHOD'] != "POST") { // OR if isset($_POST["userid"])
  echo "You can't access this directly!";
}
else {
$userid=$_GET["userid"];

$username = $_POST["username"];
$email = $_POST["email"];
$phone = $_POST["phone"];

include("connect.php");

$updateuser=mysql_query("update users set username='$username', email='$email', phone='$phone' where ID=$userid");

if($updateuser){
echo "Done";
}

else{
echo "Failed";
}
}

Upvotes: 1

user4120314

Reputation:

Try that

if(isset($_POST['username']) && isset($_POST['email']) && isset($_POST['phone'])) {

  $userid=$_GET["userid"];
  $username = $_POST["username"];
  $email = $_POST["email"];
  $phone = $_POST["phone"];

  include("connect.php");

  $updateuser=mysql_query("update users set username='$username', email='$email', phone='$phone' where ID=$userid");

  if($updateuser){
    echo "Done";
  }

  else{
    echo "Failed";
  }

}
else {
  echo "Please use the form";
}

Upvotes: 1
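
An added example (not code from any of the posters) that combines the request-method check and the isset() check from the two answers above with a prepared statement, which closes the SQL injection noted in the first answer. handle_update() is a hypothetical helper, PDO is used in place of the removed mysql_* functions, and an in-memory SQLite table with constructed rows stands in for the real users table so the script runs on its own.

```php
<?php
declare(strict_types=1);
// Added example: handle_update() and all sample data below are hypothetical.
function handle_update(PDO $db, string $method, array $get, array $post): array
{
    // 1. Only a form submission (POST) may write; typing the URL is a GET.
    if ($method !== 'POST') {
        return [405, 'Please use the form'];
    }
    // 2. Every form field must be a non-empty string, or nothing is written.
    $fields = [];
    foreach (['username', 'email', 'phone'] as $name) {
        $value = $post[$name] ?? null;
        if (!is_string($value) || trim($value) === '') {
            return [400, "Missing field: $name"];
        }
        $fields[$name] = trim($value);
    }
    // 3. The id must be a positive integer, so "1 OR 1=1" is rejected here.
    $id = filter_var($get['userid'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'Invalid userid'];
    }
    // 4. Prepared statement: values are bound, never pasted into the SQL text.
    $stmt = $db->prepare('UPDATE users SET username = :username,
                          email = :email, phone = :phone WHERE ID = :id');
    $stmt->execute($fields + ['id' => $id]);
    // On MySQL, rowCount() is also 0 when the new values equal the old ones.
    return $stmt->rowCount() === 1 ? [200, 'Done'] : [404, 'Failed'];
}

// Constructed stand-in for the connection that connect.php would provide.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT, email TEXT, phone TEXT)');
$db->exec("INSERT INTO users VALUES (30, 'old', 'old@example.com', '000')");
$form = ['username' => 'blue', 'email' => 'blue@example.com', 'phone' => '12345'];
$cases = [  // constructed requests: [method, $_GET, $_POST]
    ['GET',  ['userid' => '30'],       []],
    ['POST', ['userid' => '30'],       ['username' => 'blue']],
    ['POST', ['userid' => '1 OR 1=1'], $form],
    ['POST', ['userid' => '30'],       $form],
];
foreach ($cases as [$method, $get, $post]) {
    [$status, $message] = handle_update($db, $method, $get, $post);
    echo "$method userid={$get['userid']} -> $status $message\n";
}
```

In update2.php the call would be handle_update($pdo, $_SERVER['REQUEST_METHOD'], $_GET, $_POST), where $pdo is assumed to be a PDO connection to the MySQL database.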

kocu

Reputation: 9

You can always add a hidden field in your form:

<input type="hidden" name="action" value="UPDATE" />

and then validate it before making any updates:

if ($_POST["action"] == "UPDATE") { 
     //update script
}

Upvotes: -1
