Update mysql table using POST

Developer https://www.devze.com 2023-02-15 12:58 Source: Internet
This is the query:

if (isset($_POST['editMessage'])) {
    $result = mysql_query("UPDATE messages SET message = '".htmlspecialchars($editedmessage)."' WHERE id = '".$id."'");
    if ($result) {
        die("<strong>Message has been edited!</strong>");
    } else {
        die("<strong>Error ".mysql_error()."</strong>");
    }
}

Using this form:

<form action="index.php" method="post">
    <textarea name='editedmessage' rows='5' cols='70'><?php echo $_POST['editedmessage'];?></textarea>
    <input type='submit' name='editMessage' value='Edit'>

It's not showing an error, it updates the table field, but doesn't enter the edited message into the field, so the field updates and shows no information at all.

Where am I going wrong?


htmlspecialchars($editedmessage)
  1. You don't seem to be defining $editedmessage anywhere, did you mean $_POST['message1']?
  2. That should really be mysql_real_escape_string( htmlspecialchars( ... ) )


Try the other way; when it's correct you get a resource back:

if(!$result) {
   die('Died: ' . mysql_error());
} else {
   echo "Edited:";
}


You're missing the line:

$editedmessage = $_POST['editMessage'];


You are wrong here

$result = mysql_query("UPDATE messages SET message = '".htmlspecialchars($_POST['editedmessage'])."' WHERE id = '".$id."'");


You use $editMessage in the query instead of _POST[editMessage] (unless you have register globals on, apparently you don't).

However, do NOT do this without running mysql_real_escape_string() on editMessage first, and DO NOT run htmlspecialchars() on it! Encoded data does not belong in the DB.

Either do $editMessage = $_POST['editMessage'];, or use _POST in the query directly, but wrap it in mysql_real_escape_string() for goodness sake!

However, you DO want to run htmlspecialchars(), htmlentities(), or at the very least string_tags() on $_POST['message1'] when you echo it out. This page is XSS (cross-site script) vulnerable.
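
The advice in the answers above, combined into one runnable sketch (an added example, not code from the question or any answer): it swaps mysql_real_escape_string() for a PDO prepared statement, since the mysql_* functions were removed in PHP 7, stores the message unencoded, and applies htmlspecialchars() only when echoing. The $post array, the in-memory SQLite database and the helper names updateMessage, fetchMessage and e are assumptions made for the demo.

```php
<?php
// Added example. Constructed input standing in for $_POST.
$post = ['editMessage' => 'Edit', 'id' => '1',
         'editedmessage' => "It's <script>alert(1)</script> & more"];

// In-memory SQLite keeps the demo offline; for MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT)');
$pdo->exec("INSERT INTO messages (id, message) VALUES (1, 'original text')");

function updateMessage(PDO $pdo, array $post): bool
{
    if (!isset($post['editMessage'], $post['editedmessage'], $post['id'])) {
        return false;                       // form was not submitted
    }
    $id = filter_var($post['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;                       // id must be an integer
    }
    // Placeholders keep the data out of the SQL text, so quotes in the
    // message cannot change the statement. The raw message is stored.
    $stmt = $pdo->prepare('UPDATE messages SET message = :msg WHERE id = :id');
    $stmt->execute([':msg' => $post['editedmessage'], ':id' => $id]);
    // Note: on MySQL rowCount() is 0 when the new text equals the old text.
    return $stmt->rowCount() === 1;
}

function fetchMessage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT message FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// HTML-encode only at the point of output, never before storage.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

var_dump(updateMessage($pdo, $post));
$stored = fetchMessage($pdo, 1);
echo "stored: ", $stored, "\n";
echo "<textarea name='editedmessage' rows='5' cols='70'>", e($stored), "</textarea>\n";
```

Run with the PHP CLI (pdo_sqlite enabled): the stored value keeps its quote and tags byte for byte, while the textarea line shows them as entities.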
