Thanks in advance for any light shed.

I have a MySQL database consisting of customers with some fields pertaining to each customer, currently running on one of my LAMP servers. There are security risks with my code at the moment, but I plan to get the functionality I'm looking for and then reconfigure the code for tighter security. At the moment I have an HTML index file that calls on a PHP script to search the MySQL database by firstname or lastname. Upon this query it displays a list of users and allows me to modify the user. When I click modify it pulls the correct customer id number, but it is not displaying any current information, nor allowing me to update the info.

To summarize, I would like to search a customer, and it pull up selected fields and show the content and allow me to actively change the data and resend it to the database.

My search.html code:

<html>
<body>

<form action="scripts/search.php" method="post">

Firstname: <input type="text" name="firstname">


<input type="submit">
</form>
<form action="scripts/lastnamesearch.php" method="post">

Lastname: <input type="text" name="lastname">




<input type="submit">
</form>
<form action="scripts/phonenumbersearch.php" method="post">

Phone Number: <input type="text" name="phone">


<input type="submit">
</form>
</body>
</html> 

My search.php script: //this script allows me to search the database by filling out one of the forms and clicking submit. Each of the forms calls upon its own individual script; I realize that this is probably cumbersome, due to my lack of coding knowledge.

<?php
$con=mysqli_connect("localhost","root","*****","*******");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$result = mysqli_query($con,"SELECT * FROM customers WHERE `firstname` LIKE '$_POST[firstname]'");

echo "<table border='1'>
<tr>
<th>id</th>
<th>firstname</th>
<th>lastname</th>
<th>phone</th>
<th>address</th>
<th>notes</th>
<th>additional notes</th>
<th>passwords</th>


</tr>";

while($row = mysqli_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['id'] . "</td>";
  echo "<td>" . $row['firstname'] . "</td>";
  echo "<td>" . $row['lastname'] . "</td>";
  echo "<td>" . $row['phone'] . "</td>";
  echo "<td>" . $row['address'] . "</td>";
  echo "<td>" . $row['notes'] . "</td>";
  echo "<td>" . $row['addnotes'] . "</td>";
  echo "<td>" . $row['passwords'] . "</td>";
  echo "<a href=\"modify.php?id=" . $row['id'] . "\">Modify User</a>";

  echo "</tr>";
  }
echo "</table>";

mysqli_close($con);
?>

My modify.php script: //this is where I believe one of my problems lies. When I click "Modify User" on the search.php script it calls this script and it loads the correct user/customer id in the address bar, but it doesn't show any existing data, nor does it update the data that I fill in the cells.

<?php
$con=mysqli_connect("localhost","root","crapola1","Computition");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

        $mysqli_query = "SELECT * FROM customers WHERE ID = $_get[id]";
        $mysqli_result = mysqli_query($mysqli_query);
        $customer = mysqli_fetch_array($mysqli_result);




?>
<h1> You are modifying a user</h1>
<form action="<?php echo $SERVER['PHP_SELF']; ?>" method="post">
    Firstname<input type="text" name="inputFirstname" value="<?php echo $row['firstname']; ?>" /><br />
    Notes<input type="text" name="inputNotes" value="<?php echo $row['notes']; ?>" />
    <br />
    <input type="hidden" name="id" value="<?php echo $_GET['id']; ?>" />
    <input type="submit" name="submit" value="Modify" />
</form>

Thanks again, I've been searching on this topic for about a week now and have pieced together this much, but can't seem to get over this "hump"

  • _and then reconfigure the code for a tighter security_. Of course you will. It's not like high priority projects never come up, and code like this gets left because it's "good enough". You should think about security at the beginning, not make it an afterthought. – Barmar Feb 11 '14 at 05:26
  • Just thought I'd add that the MySQL server is hosted behind two firewalls and on a segregated VLAN, and the sole purpose of this database is to be used on a closed LAN for a few select users; security at the moment is not as important because this database will never see the WWW. T – user3259494 Feb 12 '14 at 02:35

1 Answer

$_GET is a superglobal array. It should be in UPPERCASE.

Change the query on your modify.php here

SELECT * FROM customers WHERE ID = $_get[id] to upper case.

Must be..

SELECT * FROM customers WHERE ID = ".$_GET['id']

Also, it is strictly not advised to pass the $_GET or $_POST parameters directly to your query, as it leads to SQL injection. You need to switch over to prepared statements.

– Shankar Narayana Damodaran
  • He acknowledged the SQL injection risks in the 2nd line of the question, you don't have to tell him about it. – Barmar Feb 11 '14 at 05:24
  • @Barmar, I know. Suggesting something like `PreparedStatements` is not going to hurt anything. – Shankar Narayana Damodaran Feb 11 '14 at 05:26
  • Thank you all for your words of wisdom, I will research and re-attempt my queries. Just thought I'd add that the MySQL server is hosted behind two firewalls and on a segregated VLAN, and the sole purpose of this database is to be used on a closed LAN for a few select users; security at the moment is not as important because this database will never see the WWW. Thanks again! – user3259494 Feb 12 '14 at 02:21
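The following is an added example, not the asker's code nor the answerer's, showing what the modify.php from the question and the "switch over to prepared statements" advice in the answer look like when put together. It assumes the `customers` table with the columns that the question's search.php prints (id, firstname, lastname, phone, address, notes, addnotes, passwords), a dedicated low-privilege MySQL account named `app` with a placeholder password in place of root, and a PHP build with the mysqlnd driver (needed for `mysqli_stmt::get_result()`). The form field names (`inputFirstname`, `inputNotes`, `id`) are taken from the question; the `searchByFirstname` helper at the end is the equivalent replacement for the `LIKE '$_POST[firstname]'` query in search.php.

```php
<?php
// Added example (not the asker's code): modify.php with mysqli prepared statements.
// Assumed: `customers` table as printed by the question's search.php, a low-privilege
// MySQL account `app` (placeholder password), and mysqlnd for get_result().
declare(strict_types=1);

// Throw on every MySQL error instead of returning false and continuing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'app', 'placeholder-password', 'Computition');
$con->set_charset('utf8mb4');

// The id comes from the URL (uppercase $_GET). Reject anything that is not a
// positive integer before it gets anywhere near SQL.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Escape everything echoed into HTML, so a stored value such as <script> in
// `notes` is rendered as text rather than executed in the browser.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The hidden field must match the validated URL id; refuse to touch any other row.
    $postedId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($postedId !== $id) {
        http_response_code(400);
        exit('id mismatch');
    }
    $firstname = (string) ($_POST['inputFirstname'] ?? '');
    $notes     = (string) ($_POST['inputNotes'] ?? '');

    // Bound parameters travel separately from the SQL text, so quotes, comment
    // markers or "OR 1=1" in the input can only ever become column values.
    $stmt = $con->prepare('UPDATE customers SET firstname = ?, notes = ? WHERE id = ?');
    $stmt->bind_param('ssi', $firstname, $notes, $id);
    $stmt->execute();
    $updated = $stmt->affected_rows;
    $stmt->close();
}

// Select only the columns the form needs; the `passwords` column never leaves the server.
$stmt = $con->prepare('SELECT id, firstname, lastname, notes FROM customers WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$customer = $stmt->get_result()->fetch_assoc();
$stmt->close();

if ($customer === null) {
    http_response_code(404);
    exit('No such customer');
}

// Replacement for the search.php query. The wildcard is added to the bound value,
// not to the SQL, so the statement text stays constant for every search.
function searchByFirstname(mysqli $con, string $name): array
{
    $pattern = '%' . $name . '%';
    $stmt = $con->prepare(
        'SELECT id, firstname, lastname, phone FROM customers WHERE firstname LIKE ?'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}
?>
<h1>You are modifying a user</h1>
<?php if (isset($updated)): ?>
<p><?= (int) $updated ?> row(s) updated.</p>
<?php endif; ?>
<form action="modify.php?id=<?= (int) $customer['id'] ?>" method="post">
    Firstname <input type="text" name="inputFirstname" value="<?= h($customer['firstname']) ?>" /><br />
    Notes <input type="text" name="inputNotes" value="<?= h($customer['notes']) ?>" /><br />
    <input type="hidden" name="id" value="<?= (int) $customer['id'] ?>" />
    <input type="submit" name="submit" value="Modify" />
</form>
```

Three things in this version fix the behaviour the question describes and the injection the answer warns about: the id is read from `$_GET` (not `$_get`), the fetched row is echoed from `$customer` (the question's form reads from an undefined `$row`), and the connection is passed to every query through `prepare()` on the `$con` object (the question's `mysqli_query($mysqli_query)` omits it). Output is escaped with `htmlspecialchars` because a value typed into `notes` by one user is later rendered in another user's browser, which is a separate problem from SQL injection and one the "closed LAN" argument does not remove.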