
I have made a small system which should update certain things. It includes a form.

if(isset($_GET['bevestiging'])) {
$kamerurl= $_POST['kamer'];
mysql_query("UPDATE volg_dj_aan_uit SET (aan_of_uit,kamerurl) VALUES ('aanzetten','$kamerurl')");
echo '<b>Geupdate!!</b>
<br>
Het volgen is aangezet!
<br>
<a href="index.php?p=tools_volg_kamer" target="_self">Verder »</a>';
}

It checks if "bevestiging" is set (which it is); then the posted URL from $_POST['kamer'] should be transferred to $kamerurl, but the result is empty. It also sets the "aanzetten" to 0 instead of "aanzetten". Here is the form in PHP:

else {
$sql = mysql_query("SELECT * FROM volg_dj_aan_uit");
$row = mysql_fetch_array($sql);
if($row['aan_of_uit'] == "uitzetten") {
$aanofuit = "aanzetten";
} else if($row['aan_of_uit'] == "aanzetten") {
$aanofuit = "uitzetten";
}
echo 'Vul de kamerurl in: <form method="post" action="index.php?p=tools_volg_kamer&bevestiging=JA"><input type="text" id="kamer" name="kamer"><br>
Weet je zeker dat je gevolgt wilt worden?
<br>
<input type="submit" id="Submit" name="Submit" value="Ja">
</form>';
echo '
<a href="index.php?p=tools_volg_kamer" target="_self">Nee</a> | <a href="index.php?p=tools_volg_kamer_'. $aanofuit .'" target="_self">Volgen '. $aanofuit .'</a>';
}

And that gives me an empty result in the database. So how can I fix this properly, so that it makes a form that sends the "kamerurl" to tools_volg_kamer&bevestiging=ja and sets it in the database?

mr.soroush
Kevin Houghton
  • You need to take a look at code injection, because that way hackers can take over your website/database. I took a look at your profile and saw that this has been pointed out to you before. Furthermore, I have noticed that you almost never accept an answer; could you look into that? – Mr. Radical Jan 20 '13 at 15:03

1 Answer

Okay, here's the difference between UPDATE and INSERT.

UPDATE only edits existing rows, while INSERT (which I think you want) adds a new row to the table.

INSERT INTO volg_dj_aan_uit (aan_of_uit,kamerurl) 
VALUES ('aanzetten','$kamerurl')

The UPDATE syntax:

UPDATE volg_dj_aan_uit 
SET    aan_of_uit = 'aanzetten',
       kamerurl   = '$kamerurl';

As a side note, the query is vulnerable to SQL injection if the value(s) come from outside. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.

John Woo
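As an added example (not the asker's code and not part of John Woo's answer), here is the confirmation handler rewritten with the answer's corrected UPDATE and INSERT statements as mysqli prepared statements, so the value of $_POST['kamer'] is bound as a parameter instead of being interpolated into the SQL string. It also checks that the form field actually arrived before touching the database, which is where the original's empty value came from. The connection credentials and the helper names `posted_kamer`, `set_volgen` and `add_volgen` are assumptions made for this example.

```php
<?php
// Added example: confirmation handler with mysqli prepared statements.
// Connection parameters below are placeholders, not values from the page.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Database connection failed');
}

// Returns the trimmed room URL from the POST body, or null when the field is
// missing or blank. The original read $_POST['kamer'] unconditionally, so a
// missing field silently became an empty string in the query.
function posted_kamer(): ?string {
    if (!isset($_POST['kamer'])) {
        return null;
    }
    $kamer = trim($_POST['kamer']);
    return $kamer === '' ? null : $kamer;
}

// UPDATE variant (the answer's corrected syntax): changes the existing row(s).
// Both values are bound as strings ('ss'); no quoting is needed in the SQL.
function set_volgen(mysqli $db, string $aanOfUit, string $kamerurl): bool {
    $stmt = $db->prepare(
        'UPDATE volg_dj_aan_uit SET aan_of_uit = ?, kamerurl = ?'
    );
    $stmt->bind_param('ss', $aanOfUit, $kamerurl);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// INSERT variant (the answer's INSERT syntax): adds a new row instead.
function add_volgen(mysqli $db, string $aanOfUit, string $kamerurl): bool {
    $stmt = $db->prepare(
        'INSERT INTO volg_dj_aan_uit (aan_of_uit, kamerurl) VALUES (?, ?)'
    );
    $stmt->bind_param('ss', $aanOfUit, $kamerurl);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_GET['bevestiging'])) {
    $kamerurl = posted_kamer();
    if ($kamerurl === null) {
        echo 'No kamerurl was submitted.';
    } elseif (set_volgen($db, 'aanzetten', $kamerurl)) {
        // The submitted value is HTML-escaped before being echoed back, so a
        // value containing markup cannot alter the page it is shown on.
        echo '<b>Geupdate!!</b><br>Het volgen is aangezet voor '
           . htmlspecialchars($kamerurl, ENT_QUOTES, 'UTF-8') . '<br>'
           . '<a href="index.php?p=tools_volg_kamer" target="_self">Verder &raquo;</a>';
    } else {
        echo 'Saving failed: ' . htmlspecialchars($db->error, ENT_QUOTES, 'UTF-8');
    }
}
```

Whether you call `set_volgen` or `add_volgen` depends on whether the table holds one settings row that should be edited in place (UPDATE) or a history of rows (INSERT); the original UPDATE has no WHERE clause, so it changes every row in the table, which is fine only for a single-row settings table.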