
I'm trying to update row quantities using AJAX by class, not id. I have looked on Google for hours trying to work this out, but everything I could find didn't seem to work.

My code so far is:

```php
<?php
include('config.php');          // assumed to open the MySQL connection as $con

$id = $_GET['id'];

$sql2    = "SELECT * FROM `orders` WHERE `id` = '" . $id . "'";
$result2 = mysql_query($sql2);
$row2    = mysql_fetch_array($result2);

$order = $_GET['order'];
$qty   = $_GET['qty'];

// $part was never assigned in the original; taken here from the order row
$part   = $row2['part'];
$sql    = "SELECT * FROM `stock` WHERE `part` = '" . $part . "'";
$result = mysql_query($sql);
$row1   = mysql_fetch_array($result);

$lineprice = $qty * $row2['price'];

$sqlins1 = "UPDATE `orders` SET qty='$qty', lineprice='$lineprice' WHERE id = '" . $id . "'";

if (!mysql_query($sqlins1, $con)) {
    die('Error: ' . mysql_error());
}

$sql    = "SELECT * FROM `orders` WHERE `invoice` = '" . $order . "' ORDER BY id DESC";
$result = mysql_query($sql);

echo "<table id='POITable' width='100%' border='1'>
        <tr>
            <td>SKU</td>
            <td>QTY</td>
            <td width='45%'>item</td>
            <td>Unit Price</td>
            <td>Line Price</td>
            <td>Delete</td>
        </tr>";

while ($row = mysql_fetch_array($result)) {
    // note: id='part' and id='qty' are repeated on every row, so they are not unique in the page
    echo "<tr><td>" . $row['part'] . "</td><td><form name='test'>
   <input type='hidden' value='" . $row['id'] . "' id='part'>   <input type='text' id='qty' value='" . $row['qty'] . "' onblur='updateqty(this.id)'></form></td><td>" . $row['description'] . "</td><td>" . $row['price'] . "</td><td>" . $row['lineprice'] . "</td><td> <input type='image' src='images/btn_delete.png' value='" . $row['id'] . "' onclick='deletesku(this.value)' height='30'/></td></tr>
";
}

echo "</table>";
```

Any help on this would be greatly appreciated.

Many thanks

ollo
  • possible duplicate of [mysql update qty on complete order array](http://stackoverflow.com/questions/16444439/mysql-update-qty-on-complete-order-array) – andrewsi May 08 '13 at 16:37
  • Please tell me you're doing [proper SQL escaping](http://bobby-tables.com/php) because it looks like you're missing that part. You're also using the deprecated `mysql_query` interface that's being removed in future versions of PHP. [Using PDO](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) would be a much better idea. – tadman May 08 '13 at 18:09

1 Answer

  1. Your code is vulnerable to SQL injection.

  2. You're using a deprecated API which does not support prepared statements to prevent SQL injection.

  3. You can combine your UPDATE and SELECT into a single statement. Here's an idea.

  4. Your deduction should be database based, not value based:

         UPDATE tbl SET col = col - 1

Kermit
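The four points in the answer above, worked through as an added example that is not part of the original question or answer. It is written in Python against an in-memory SQLite table rather than the asker's PHP and MySQL, because that runs stand-alone; the table layout, the sample rows and the `stock` table are constructed assumptions, since the real schema is not shown. `update_qty_vulnerable` mirrors the posted code (request values pasted into the SQL text, line price computed in application code from a separate SELECT), `update_qty_safe` is the hardened form (validated input, bound parameters, `lineprice` computed by the database in the same UPDATE), and `deduct_stock` is the `col = col - 1` style deduction from point 4 with a guard against going negative.

```python
import sqlite3

# Constructed sample rows (an assumption; the asker's real schema is not shown).
SAMPLE_ORDERS = [
    # id, invoice, part, description, price, qty, lineprice
    (1, "INV-100", "SKU-A", "Widget", 2.50, 1, 2.50),
    (2, "INV-100", "SKU-B", "Gadget", 4.00, 3, 12.00),
    (3, "INV-200", "SKU-C", "Gizmo", 10.00, 1, 10.00),
]
SAMPLE_STOCK = [("SKU-A", 10), ("SKU-B", 5), ("SKU-C", 0)]  # part, on-hand qty


def make_db():
    """In-memory SQLite stand-in for the asker's MySQL `orders`/`stock` tables."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, invoice TEXT, part TEXT,"
        " description TEXT, price REAL, qty INTEGER, lineprice REAL)"
    )
    con.execute("CREATE TABLE stock (part TEXT PRIMARY KEY, qty INTEGER)")
    con.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?)", SAMPLE_ORDERS)
    con.executemany("INSERT INTO stock VALUES (?,?)", SAMPLE_STOCK)
    con.commit()
    return con


def update_qty_vulnerable(con, id_param, qty_param):
    """Same shape as the posted PHP: request values pasted into the SQL text,
    line price computed in application code from a separate SELECT.
    Returns the number of rows the UPDATE touched."""
    row = con.execute(f"SELECT price FROM orders WHERE id = '{id_param}'").fetchone()
    price = row[0] if row else 0
    lineprice = float(qty_param) * price
    cur = con.execute(
        f"UPDATE orders SET qty='{qty_param}', lineprice='{lineprice}' "
        f"WHERE id = '{id_param}'"
    )
    con.commit()
    return cur.rowcount


def update_qty_safe(con, id_param, qty_param):
    """Hardened version: validate types, bind parameters, and let the database
    compute lineprice from its own price column (one UPDATE, no SELECT)."""
    try:
        order_id, qty = int(id_param), int(qty_param)
    except (TypeError, ValueError):
        return 0  # non-numeric input never reaches the SQL engine
    if qty < 0:
        return 0
    cur = con.execute(
        "UPDATE orders SET qty = ?, lineprice = ? * price WHERE id = ?",
        (qty, qty, order_id),
    )
    con.commit()
    return cur.rowcount


def deduct_stock(con, part, amount):
    """Database-based deduction: `qty = qty - ?` with a guard in the WHERE clause,
    so two concurrent requests cannot race a read-then-write into a negative balance."""
    cur = con.execute(
        "UPDATE stock SET qty = qty - ? WHERE part = ? AND qty >= ?",
        (amount, part, amount),
    )
    con.commit()
    return cur.rowcount == 1  # False when the part is unknown or stock is short


def order_rows(con):
    """(id, qty, lineprice) for every order row, for inspection."""
    return con.execute("SELECT id, qty, lineprice FROM orders ORDER BY id").fetchall()


def stock_level(con, part):
    row = con.execute("SELECT qty FROM stock WHERE part = ?", (part,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "1' OR '1'='1"  # what an attacker sends in ?id=
    con = make_db()
    print("vulnerable, rows touched:", update_qty_vulnerable(con, payload, "2"))
    print(order_rows(con))  # every order row now has qty 2
    con = make_db()
    print("safe, rows touched:", update_qty_safe(con, payload, "2"))
    print("safe legit update:", update_qty_safe(con, "2", "5"), order_rows(con))
    print("deduct:", deduct_stock(con, "SKU-B", 3), stock_level(con, "SKU-B"))
    print("deduct short:", deduct_stock(con, "SKU-C", 1), stock_level(con, "SKU-C"))
```

With the payload in `id`, the vulnerable path rewrites every row of `orders` (the WHERE clause becomes `id = '1' OR '1'='1'`), while the bound-parameter path touches nothing. In PHP the same shape is `$pdo->prepare("UPDATE orders SET qty = ?, lineprice = ? * price WHERE id = ?")` with the values passed to `execute()`, as the PDO link in the comments describes.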