austinh

Reputation: 1071

Variable from URL in PHP MySQL query

I'm trying to get a variable from the URL, but for some reason, I can't get it to work. This is all coming from another website's form; that's why I need to get it from the URL. This is what I have right now:

if (isset($_GET['PTS'])) {
    $sPTS = htmlentities($_GET['PTS']);

    if (isset($_GET['submit'])) {
        mysql_query("UPDATE table1 SET $sPTS=1, ENTRY=5") or die(mysql_error());
    }
}

Thanks for your help...I'm still new to this and learning.

Upvotes: 0

Views: 462

Answers (2)

Doug Kress

Reputation: 3537

There are a few concerns about the code that I'd like to point out, and they may or may not address the issue.

  • You use htmlentities() on what will ultimately be a field name. Perhaps a tiny bit of data checking would be better.
  • You're allowing a GET statement to specify a field name with NO restrictions. This is VERY dangerous.
  • There is no WHERE clause on your UPDATE statement. All records in the table will be updated.
  • If the submit was made via POST, it wouldn't hit here. I only mention this to you on the off chance that this is something you overlooked. Is $_REQUEST a better fit for your use (than $_GET)?

Upvotes: 3
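
The concerns in the answer above (a field name taken from GET with no restrictions, and an UPDATE with no WHERE clause) can be handled with an allowlist for the column and bound parameters for the values. This is an added example, not code from the thread; the column names PTS_A and PTS_B, the id key, the setFlag() helper and the in-memory SQLite database reached through PDO are assumptions chosen so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example. table1 and ENTRY come from the question; PTS_A, PTS_B and
// the id column are hypothetical names used for illustration.
const ALLOWED_FLAG_COLUMNS = ['PTS_A', 'PTS_B'];

/**
 * Set one allowlisted flag column to 1 and ENTRY to 5 on a single row.
 * Returns the number of rows changed; throws on a column that is not allowed.
 */
function setFlag(PDO $db, string $requested, int $rowId): int
{
    // Strict, case-sensitive match: the identifier placed in the SQL text is
    // one of our own constants, never the raw request value.
    $idx = array_search($requested, ALLOWED_FLAG_COLUMNS, true);
    if ($idx === false) {
        throw new InvalidArgumentException('Column not allowed');
    }
    $column = ALLOWED_FLAG_COLUMNS[$idx];

    // Values are bound as parameters; WHERE limits the update to one row.
    $stmt = $db->prepare("UPDATE table1 SET $column = 1, ENTRY = :entry WHERE id = :id");
    $stmt->execute([':entry' => 5, ':id' => $rowId]);
    return $stmt->rowCount();
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY,
           PTS_A INT DEFAULT 0, PTS_B INT DEFAULT 0, ENTRY INT DEFAULT 0)');
$db->exec('INSERT INTO table1 (id) VALUES (1), (2)');

// Constructed stand-ins for $_GET['PTS']: an allowed name, a case mismatch,
// and a real column that requests are not permitted to choose.
foreach (['PTS_A', 'pts_a', 'ENTRY'] as $input) {
    try {
        printf("%-6s -> %d row(s) updated\n", $input, setFlag($db, $input, 1));
    } catch (InvalidArgumentException $e) {
        printf("%-6s -> rejected\n", $input);
    }
}

// Dump the table to show which rows the accepted request touched.
foreach ($db->query('SELECT id, PTS_A, PTS_B, ENTRY FROM table1') as $row) {
    printf("id=%d PTS_A=%d PTS_B=%d ENTRY=%d\n",
           $row['id'], $row['PTS_A'], $row['PTS_B'], $row['ENTRY']);
}
```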

thelastshadow

Reputation: 3644

Try

if (isset($_GET['submit'])) {
    mysql_query("UPDATE table1 SET `".$sPTS."`=1, `ENTRY`=5") or die(mysql_error());
}

Also, you should be using mysql_real_escape_string on those $_GET values:

$sPTS = mysql_real_escape_string(htmlentities($_GET['PTS']));

Upvotes: 0
