-8

My page was working fine until I added this piece of code and I can't figure out what is wrong with it.

<?
if (isset($_POST['credclick'])){ 
$amount=$_POST['credits']
mysql_query("UPDATE users SET points = points+".$amount." WHERE id = '".$username."'");
echo"<p>Credits Added</p>";
}
?>

$username is defined from the session at the top of the page.

$username=$_SESSION['username'];
aadaaam
  • 1
  • 5

1 Answers1

4

Syntax error likely: Add a semi-colon at the end of $amount=$_POST['credits'] to indicate end of statement.

Change $amount=$_POST['credits'] to $amount=$_POST['credits'];

As other have indicated, you are susceptible to malicious sql injection, so to fix that, a) stop using the mysql_ and use PDO or mysqli_ or at the very least sanitize your statement with something like:

$amount = htmlentities($_POST['credits'], ENT_QUOTES); or $amount = mysql_real_escape_string($_POST['credits']);

Best practice though is to switch db connection type.

Rasclatt
  • 12,498
  • 3
  • 25
  • 33
  • 3
    At least point out that you added the `;`. A quick glance would look like the two versions are identical. But +1 for catching the error. – Marc B Sep 29 '14 at 20:06
  • Agreed, you should *always* explain differences between code snippets, even if it would appear obvious to you. – ajp15243 Sep 29 '14 at 20:07
  • Yeah, true. Sometimes I take those little things for granted that everyone should pick up on... – Rasclatt Sep 29 '14 at 20:07
  • It doesn't add to the column in my database any help? using code – aadaaam Sep 29 '14 at 20:18
  • 1
    Do you have `error_reporting` turned on? If not, turn it on. You may have a syntax error in your sql statement. – Rasclatt Sep 29 '14 at 20:23