1

I have two scripts doing almost the same things but one of them is not working. I just can't figure out where the problem is. Both scripts have almost the same code, but the "update message" script is not working. I do not get any PHP error, but the database is not updating.

Delete script (working):

```php
<?php
function deleterow()
{
    $con=mysqli_connect("localhost","root","root","TP1AlexandreBouletCouture");
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $delete_id =  ($_GET["delete_id"]);
    $sql="DELETE FROM `table1` WHERE `table1`.`id` = '$delete_id'";

    if (!mysqli_query($con,$sql))
    {
        die('Error: ' . mysqli_error($con));
    }
    echo '<p>Message supprimé</p>';

    mysqli_close($con);
}
if(isset($_GET['delete_id']))
{
    deleterow($_GET['delete_id']);
}
?>

<form action="history.php" method="get">
<input type="submit" value="Supprimer">
<input type="hidden" name="delete_id" value='.$row['id'].'>
</form>
```

Update message script (not working):

```php
<?php
function updatemyinfos()
{
    $con=mysqli_connect("localhost","root","root","TP1AlexandreBouletCouture");
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $update_id =  ($_GET["update_id"]);
    $new_message = ($_GET["updatemessage"]);
    $sql="UPDATE `table1` SET  `message` =  '$new_message' WHERE  `table1`.`id` ='$update_id";

    if (!mysqli_query($con,$sql))
    {
        die('Error: ' . mysqli_error($con));
    }
    echo '<p>Message modifié</p>';

    mysqli_close($con);
}
if(isset($GET['updatemessage']))
{
    updatemyinfos($GET['updatemessage']);
}
?>

<form action="history.php" method="get">
<textarea style="resize:none"cols="35"rows="3"name="updatemessage">'.$row['message'].'</textarea>
<input type="submit" value="Modifier">
<input type="hidden" name="update_id" value='.$row['id'].'>
</form>
```
abouletcouture
  • You are vulnerable to [SQL injection attacks](http://bobby-tables.com). – Marc B Oct 21 '13 at 20:10
  • You should read this: [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – kunal Oct 21 '13 at 20:11
  • `$GET` != `$_GET`, but that's the least of your problems: google for SQL injection and how to prevent it, and NEVER use GET requests to modify data (prefetching browsers could prefetch all your DELETE links leaving your database empty). – Wrikken Oct 21 '13 at 20:11
  • I know that I am vulnerable to SQL injection attacks but this is just a simple personal project that I am building to understand the basics of PHP. I will not use that script for any "real" purpose. – abouletcouture Oct 21 '13 at 20:16
  • To Wrikken: That fixed it! It was a "typo"... I should have seen that when trying to fix it. – abouletcouture Oct 21 '13 at 20:20

2 Answers

4

You're missing a quote after $update_id.

```php
'$new_message' WHERE  `table1`.`id` ='$update_id
```

But you should use PDO: http://php.net/manual/en/book.pdo.php. The mysql extension was deprecated as of PHP 5.5.0.

Cristian Bitoi
0

In addition to Cristian's answer, your PHP variables in the form HTML won't get parsed. You need to wrap them in PHP tags:

```php
<input type="hidden" name="update_id" value="<?php echo $row['id']; ?>">
```
Billy
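
Cristian's answer recommends PDO, and the comments raise SQL injection and the use of GET to modify data. The following is an added example (not code from the question or from either answer) of the same UPDATE done with a PDO prepared statement that only accepts POST. The function names and the in-memory SQLite database standing in for the MySQL server are assumptions made so that it runs stand-alone.

```php
<?php
// Added example, not the asker's code. Assumed: table1(id, message) as in the
// question; an in-memory SQLite database stands in for the MySQL server.
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Raise exceptions on SQL errors so a broken query cannot fail silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, message TEXT)');
    // Constructed sample rows.
    $pdo->exec("INSERT INTO table1 (id, message) VALUES (1, 'first'), (2, 'second')");
    return $pdo;
}

function updateMessage(PDO $pdo, string $method, array $input): string
{
    // State-changing requests are accepted over POST only.
    if ($method !== 'POST') {
        return 'rejected: use POST';
    }
    // The id must be a positive integer; anything else is refused.
    $id = filter_var($input['update_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $message = $input['updatemessage'] ?? null;
    if ($id === false || !is_string($message)) {
        return 'rejected: bad input';
    }
    // Placeholders keep both values out of the SQL text.
    $stmt = $pdo->prepare('UPDATE table1 SET message = :message WHERE id = :id');
    $stmt->execute([':message' => $message, ':id' => $id]);
    // rowCount() separates "ran without error" from "changed a row".
    return $stmt->rowCount() === 1 ? 'updated' : 'no such row';
}

$pdo = openDemoDb();
// Constructed requests; a real page would pass $_SERVER['REQUEST_METHOD'] and $_POST.
echo updateMessage($pdo, 'GET', ['update_id' => '1', 'updatemessage' => 'x']), "\n";
echo updateMessage($pdo, 'POST', ['update_id' => '1', 'updatemessage' => "it's edited"]), "\n";
echo updateMessage($pdo, 'POST', ['update_id' => '99', 'updatemessage' => 'x']), "\n";
echo updateMessage($pdo, 'POST', ['update_id' => '1abc', 'updatemessage' => 'x']), "\n";
// The apostrophe was stored as data rather than ending the SQL string.
echo $pdo->query('SELECT message FROM table1 WHERE id = 1')->fetchColumn(), "\n";
```

With the MySQL driver, `rowCount()` reports 0 when the new message is identical to the stored one unless the connection sets `PDO::MYSQL_ATTR_FOUND_ROWS`.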