Make the page do nothing if $_GET is empty

Question

I am trying to get my page to update a DB when there is $_GET data.

However even when www.myurl.com?status= is blank the page updates the DB with nothing.

Here is my code

$status=$_GET["status"];

$sql="UPDATE users SET status =$status WHERE personID='$user'" or die(mysql_error());
mysql_query($sql);

Can anyone help? I am trying to get the page to do nothing if the URL is just www.myurl.com

Sidenote: You are **wide open** to SQL injection attacks, and you will be hacked if you haven't been already. Please use prepared / parameterized queries to prevent this from happening. See also: [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/) — Amal Murali, Feb 16 '14 at 17:29
You first of all need a function that returns you the request URI. So far this is missing. — hakre, Feb 16 '14 at 17:29
This is prone to a SQL attack as said above. Try switching to PDO or mysqli, prepares statements should help out. — ykykykykyk, Feb 16 '14 at 17:37

ykykykykyk · Answer 1 · 2014-02-16T18:27:58.150

2

if(!empty($_GET['status']) { // Check if `status` is not empty
    $sql="UPDATE users SET status = $_GET['status'] WHERE personID='$user'";
    mysql_query($sql);  // Continue with sql query
}

empty - http://us2.php.net/empty

isset - http://us2.php.net/isset

edited Feb 16 '14 at 18:27

answered Feb 16 '14 at 17:28

ykykykykyk

446
1
3
10

Whoever down voted this could you explain what's wrong with it? I'm actually curious. – ykykykykyk Feb 16 '14 at 17:47
upvoted.... this is right. – itachi Feb 16 '14 at 17:56
it is not a question of being wrong - it is because you only provided the code without any explanation of what exactly needs to go into the `{ }`... beef up your answer and will be happy to upvote – malta Feb 16 '14 at 18:20
@malta Hopefully that's a little better, sorry for not going the whole nine yards. – ykykykykyk Feb 16 '14 at 18:29
@malta I didn't care about the vote as much of what needed to be changed :) Thanks anyway. – ykykykykyk Feb 16 '14 at 18:31

Shankar Narayana Damodaran · Answer 2 · 2014-02-16T18:28:09.303

0

Make use of empty() in PHP to achieve this.

if(!empty($_GET["status"]))  //<--- Control to the inside will be passed only if the status variable is not empty
{
$status=$_GET["status"];
$sql="UPDATE users SET status =$status WHERE personID='$user'" or die(mysql_error());
mysql_query($sql);
}

That was the first thing. Secondly you are using an obsolete deprecated API i.e. the mysql_* functions. You need to switch over to PreparedStatements.

edited Feb 16 '14 at 18:28

answered Feb 16 '14 at 17:27

Shankar Narayana Damodaran

68,075
43
96
126

2

The `isset()` is unnecessary if using `!empty()`. – Nick Coons Feb 16 '14 at 17:28
1

@AmalMurali, Isn't your comment synonymous to that of Nick's ? ;) – Shankar Narayana Damodaran Feb 16 '14 at 17:31
@ShankarDamodaran: Nick doesn't explain *why*. (By the way, the downvote is *not* mine.) – Amal Murali Feb 16 '14 at 17:33
@AmalMurali, Ah its ok thanks :) . I am used to downvotes :P – Shankar Narayana Damodaran Feb 16 '14 at 17:34

Make the page do nothing if $_GET is empty

2 Answers2