$_get not working

Question

i created update code for updating password in a table using id.This is the url from where i am getting id using $_GET but its not working.

http://www.example.com/en/resetPaSS.php?id=1&token=779d2aa48de104db46d66e29de576aac

The code:

if(isset($_POST['sub']))
{
$pass_hash = PassHash::hash($_POST['pass']);

$sql = "UPDATE user SET password='$pass_hash' WHERE id='$_GET[id]'";
$resu = mysqli_query($link,$sql);
//echo $sql;
if(!$resu)
    {
     $error="Unable to change Password. Try Again!";
    }
    else
    {
     echo"changed";
    }
}

I also echo $sql and it shows UPDATE user SET password='$2a$10$bed9ad8e6cb910e0f1f12uXJldZLQ79f5HVrIiIAIZeZ9088Rre9.' WHERE id=''

Also tried $_REQUEST but still not works.

EDIT: I am using this url for reseting password to send to the user which is created using http://www.example.com/en/resetPaSS.php?id=$id&token=$token

What does a simple `echo $_GET["id"]` show? Also you have POST values there - are they set? Where do they come from, a form submission? — Pekka, Jun 08 '13 at 13:21
[SQL Injection](http://en.wikipedia.org/wiki/SQL_injection): [read about it](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) — PeeHaa, Jun 08 '13 at 13:21
if you put this `var_export($_POST); var_export($_GET); die();` at the beginning of the code, are you receiving correct parameters? — Stano, Jun 08 '13 at 13:27
it shows `array ( 'id' => '1', 'token' => '779d2aa48de104db46d66e29de576aac', )` for `var_export($_GET);` — , Jun 08 '13 at 13:33

Alexander Cogneau · Answer 1 · 2013-06-08T13:54:17.240

2

try this:

 $sql = "UPDATE user SET password='$pass_hash' WHERE id='" . mysqli_real_escape_string($_GET['id']) . "'";

edited Jun 08 '13 at 13:54

answered Jun 08 '13 at 13:22

Alexander Cogneau

1,286
4
12
25

4

No, don’t. Use prepared statements. **Do not** create your SQL statements by hand. It’s such an easy rule to follow, there is no reason to ever violate it. Yes, it might work in this very simple case. It is still very bad advice. (This also doesn’t solve OP’s problem.) – Konrad Rudolph Jun 08 '13 at 13:34

Perry · Accepted Answer · 2013-06-08T15:09:42.410

1

If you use a form, then the id is not in the action url. You can also post the id by using a hidden input field

You must use prepared statement to prevent sql injection:

$sql = "UPDATE user SET password='?' WHERE id=?";
$stmt = $link->prepare($sql);

/* bind parameters */
$stmt->bind_param("si", $pass_hash, $_GET['id']);

/* execute query */
$stmt->execute();

EDIT By clicking the link you will be go to your page where a form is. You have to edit the the id to the form or action url to make your script working by doing the following steps

make a variabele named id like this:

$id = isset($_GET['id']) ? $_GET['id'] : $_POST['id'];

also add hidden field to the form:

<input type="hidden" name="id" value="<?php echo $id; ?>">

Change the query bind_param to:

$stmt->bind_param("si", $pass_hash, $id);

edited Jun 08 '13 at 15:09

answered Jun 08 '13 at 13:31

Perry

11,172
2
27
37

How do you post the data? By using only a url you can't post the data. – Perry Jun 08 '13 at 13:54
but i have used `$_get[id]` in the same for select query..then y its not working for this update query and if i `echo $_get[id]` its echo the value but confused y not working with update – Jun 08 '13 at 15:03
oh..no no...i have used this url for password reset .When user click forget password he enter his email and a mail sent is to his email with the url which is something like `http://www.example.com/en/resetPaSS.php?id=1&token=779d2aa48de104db46d66e29de576aac` and when user comes to the page, code first check if the time is less than 24hours and the id , token exit in table if yes the form is shown to them ...then user submit the form to update ..but problem in in updating as u know – Jun 08 '13 at 15:21
I know, that is why you have to add the id to the form or to action url because there is no id when you submit. That can't be.... if so than the `$_GET['id']` is changed somewhere in the code. – Perry Jun 08 '13 at 15:25
ya...but its working while matching the values with database..confused – Jun 08 '13 at 15:34
First you click on the url, the page will load and check the stuff it is all oke then you add the form. The form will posted, when you post you will update the password but you also need to add the id by or setting the id in the action url or by using a hidden input field like i said in edited answer. Please try my answer it will help you out :) – Perry Jun 08 '13 at 15:37
i have added my forgot password code could you plz check and correct it..as i am new to php so i am totally coonfused what to do – Jun 08 '13 at 15:45
I would like to see the code you get when you click on the url. I will made some changes to you code you just posted. But if you can please post your resetpass code because there is the problem – Perry Jun 08 '13 at 15:50

score 0 · Answer 3 · answered Jun 08 '13 at 13:29

0

If you know, that id is number, do this:

$id = intval($_GET['id']);
$sql = "UPDATE user SET password='$pass_hash' WHERE id='$id';";

answered Jun 08 '13 at 13:29

Martin Perry

9,232
8
46
114

$_get not working

3 Answers3