
I have the following code that is not functioning properly. I am trying to post a value to a MySQL db when the li is clicked. First is the JS file and the second is my PHP file. Thanks for the assistance.

javascript:

function changeIt() {
    $("#pagewrap").css({'background-image': 'url(/image/HapppsTemplates/BlueTemplates/blueShell.svg)'});
    $.ajax({
        type: "POST",
        url: "templatepost.php",
        data: { tempname: "blueShell.svg" }
    });
}

templatepost.php:

<?php

header("Location: templatetest.php");
require_once("./source/include/membersite_config.php");

if(!$fgmembersite->CheckLogin())
{
    $fgmembersite->RedirectToURL("login.php");
    exit;
}

mysql_connect("xxx", "xxx", "xxx") or die(mysql_error());
mysql_select_db("xxx") or die(mysql_error());

$test = $fgmembersite->UserID();
$template_name = $_POST['tempname'];

$query = "UPDATE events SET tempname = '".$template_name."' WHERE id_user = '$test'"
    or die(mysql_error());

?>
  • The first thing is to mitigate SQL attacks using parameterized SQL. – Lion Jan 27 '13 at 19:11
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jan 27 '13 at 19:13

1 Answer


You never actually run the query with mysql_query.

Your code is also very insecure. You don't escape the POST values in the query. You should use parameterized queries with PDO or mysqli.

$pdo = new PDO('mysql:host=xxx', 'xxx', 'xxx');
$stmt = $pdo->prepare('UPDATE xxx.events SET tempname = ? WHERE id_user = ?');
$stmt->execute([$template_name, $test]);
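A fuller version of the endpoint along the lines the answer suggests, added here as an example and not code from the question or the answer. It keeps the `$fgmembersite->CheckLogin()` / `UserID()` calls from the question, actually executes the UPDATE through a PDO prepared statement, and answers the AJAX caller with JSON instead of a redirect. The connection values are placeholders and the allowlist of template file names is hypothetical; the allowlist is there because the stored name is later used as part of a URL, so accepting arbitrary strings is not a good idea even once injection is solved.

```php
<?php
// templatepost.php, example rewrite (not the original poster's or answerer's code).
// Assumptions: $fgmembersite comes from membersite_config.php as in the question;
// host/dbname/user/password are placeholders; $allowedTemplates is a hypothetical list.

require_once("./source/include/membersite_config.php");

header('Content-Type: application/json');

if (!$fgmembersite->CheckLogin()) {
    // An XHR caller cannot do anything useful with a login-page redirect; say 401 instead.
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// Accept only template names the application knows about (hypothetical list).
$allowedTemplates = ['blueShell.svg', 'redShell.svg', 'greenShell.svg'];
$template_name = isset($_POST['tempname']) ? $_POST['tempname'] : '';
if (!in_array($template_name, $allowedTemplates, true)) {
    http_response_code(400);
    echo json_encode(['error' => 'unknown template']);
    exit;
}

$user_id = $fgmembersite->UserID();

try {
    $pdo = new PDO(
        'mysql:host=xxx;dbname=xxx;charset=utf8mb4',   // placeholders
        'xxx',
        'xxx',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ]
    );

    // Named placeholders keep the user-supplied value out of the SQL text entirely,
    // and execute() is what actually runs the statement.
    $stmt = $pdo->prepare('UPDATE events SET tempname = :tempname WHERE id_user = :id_user');
    $stmt->execute([
        ':tempname' => $template_name,
        ':id_user'  => $user_id,
    ]);

    echo json_encode(['ok' => true, 'rows_updated' => $stmt->rowCount()]);
} catch (PDOException $e) {
    // Keep driver error text in the server log; the client only learns that it failed.
    error_log('templatepost.php: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

With `ERRMODE_EXCEPTION` set, a wrong table name, a lost connection or a failed prepare surfaces as a `PDOException` instead of a silently ignored return value, which is the other half of the original problem: the question's query was never run, and nothing reported that. `rowCount()` in the response lets the JavaScript side tell a successful update from a `WHERE` clause that matched no row.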