1

I want to update a MySQL database with the code below, but it doesn't work. Why?

<?php
    mysql_connect("localhost","root","");
    mysql_select_db("timer");
    $update=$_COOKIE['name'];
    mysql_query("UPDATE user SET password='2' WHERE username=$update");
?>
Mihai Iorga
  • It's better to use mysqli or PDO and use prepared statements rather than direct input, see http://www.php.net/manual/en/ref.pdo-mysql.php – DarkBee Jul 19 '13 at 08:44
  • You are using an obsolete database API (http://stackoverflow.com/q/12859942/19068) and should use a modern replacement (http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also vulnerable to SQL injection attacks (http://bobby-tables.com/) that a modern API would make it easier to defend yourself from (http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php). – Quentin Jul 19 '13 at 08:45

4 Answers

1

String values should be quoted: MySQL String Literals.

mysql_query("UPDATE user SET password='2' WHERE username='$update'");
revoua
  • mysql_* functions are deprecated: http://php.net/manual/en/function.mysql-connect.php – DarkBee Jul 19 '13 at 08:43
  • You will also want to seriously escape your query parameters: http://php.net/manual/en/function.mysql-escape-string.php – n3rd Jul 19 '13 at 08:45
  • @maralfarokhinezhad, you should really not use this, though – DarkBee Jul 19 '13 at 08:50
  • See the comment from Quentin below your question – DarkBee Jul 19 '13 at 09:03
  • We are proposing some more secure approaches. Some people (not just me) have proposed another alternative with PDO. Furthermore, I don't think it resolves your problem because it creates a new one: you are using a deprecated PHP function... – David Level Jul 19 '13 at 09:20
1
$dsn = 'mysql:dbname=timer;host=127.0.0.1';
$user = 'root';
$password = '';

$update = $_COOKIE['name'];

// The cookie value is bound to the ? placeholder instead of being pasted into the SQL
$query = "UPDATE user SET password='2' WHERE username=?";

try {
    $dbh = new PDO($dsn, $user, $password);
    $dbh->prepare($query)->execute(array($update));

} catch (PDOException $e) {
    echo 'Connection failed ' . $e->getMessage();
}

Can't be sure if it works because I don't know what you have in your $_COOKIE array.

But the code should look like this.

For security, you can add some text transformation to the variable $update like addslashes or other ones.

David Level
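To make the points of the two answers above concrete, here is an added example (not code from the question or from any answer) that shows why the original query fails and how the PDO version avoids both the quoting problem and SQL injection. It uses an in-memory SQLite database so it runs without a MySQL server; the MySQL DSN from the answer above is noted in a comment, and the table rows and cookie values are constructed.

```php
<?php
// Added example, not code from the question or its answers. Uses an in-memory
// SQLite database so it runs without a MySQL server; PDO prepared statements
// work the same way with the MySQL DSN 'mysql:dbname=timer;host=127.0.0.1'.
declare(strict_types=1);

// How the question builds its SQL: the cookie text is pasted into the statement.
// Unquoted, a value like maral is parsed by MySQL as a column name, not a string,
// so the UPDATE fails; quoting it by hand breaks again on names containing a quote.
function interpolatedQuery(string $cookieValue): string
{
    return "UPDATE user SET password='2' WHERE username=$cookieValue";
}

// The fix: the value is sent as a bound parameter and never becomes SQL text.
// Returns the number of rows changed; 0 means no such user rather than an error.
function updatePassword(PDO $dbh, string $username, string $newPassword): int
{
    if ($username === '') {        // an empty or missing cookie matches nobody
        throw new InvalidArgumentException('username must not be empty');
    }
    $stmt = $dbh->prepare('UPDATE user SET password = :pw WHERE username = :name');
    $stmt->execute([':pw' => $newPassword, ':name' => $username]);
    return $stmt->rowCount();
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  // throw on SQL errors
$dbh->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');
$dbh->exec("INSERT INTO user VALUES ('maral', '1'), ('o''brien', '1')"); // constructed rows

// Constructed cookie values standing in for $_COOKIE['name']: the first lands in
// the SQL unquoted, the second carries a quote that would unbalance a hand-quoted string.
echo interpolatedQuery('maral'), "\n";
echo interpolatedQuery("o'brien"), "\n";

// Both values are handled as plain data by the prepared statement.
echo updatePassword($dbh, "o'brien", '2'), " row(s) updated\n";
echo updatePassword($dbh, 'maral', '2'), " row(s) updated\n";
echo $dbh->query("SELECT password FROM user WHERE username = 'maral'")->fetchColumn(), "\n";
```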
0

Use prepared queries; the way you do it isn't good practice. Also check that $update isn't empty, otherwise the query will not work. Finally, use mysqli_* functions instead of mysql_* :)

Mohamed Amine
0
<?php
    mysql_connect("localhost","root","");
    mysql_select_db("timer");
    $update=$_COOKIE['name'];
    // Table name in backticks, cookie value quoted as a string literal
    mysql_query("UPDATE `user` SET password='2' WHERE username='$update'");
?>

Try to mention the name of your table in this query like this: `user`

Let me recommend that if your query doesn't work, you put the whole query in an echo (or print) to see what's wrong.

For example:

echo "mysql_query(\"UPDATE user SET password='2' WHERE username=$update\")";
Wancott