Update n Insert throught GET

Question

Here is my code:

if (isset($_GET['id']) && !empty($_GET['id'])) {
    $deal_update_sql = "UPDATE mydb.nl_dailydeals SET storeid = '5', cultureid = '10' WHERE product_id = ".$_GET["id"];
    $result = mysql_query($deal_update_sql);
}
else {
    $insert_query = "INSERT INTO admin_zuki_be.nl_dailydeals (product_id, storeid) VALUES (3, 2)";
    $result = mysql_query($insert_query);
}

This code doesn't work. No matter what id I pass within the URL through GET, it should be inserted into the database. If the id is already present in the database, then it should update the record with the given id.

How can I fix this?

You must first check whether or not it is in the database... from what I can see in your code you are not checking this. — chriz, Mar 17 '15 at 10:43
What is not working? What's going wrong and dont use mysql. Use mysqli instead. — Loko, Mar 17 '15 at 10:43
Besides you'll get a syntax error: Parse error: syntax error, unexpected '$result' — Daan, Mar 17 '15 at 10:44

score 0 · Answer 1 · answered Mar 17 '15 at 10:55

use the line:

 $result = mysql_query($deal_update_sql) or die(mysql_error());

which, if the query fails, will tell you what the error was. Take the die() out of production code though.

I suspecy your issue is that you arte trying to update a record that doesnlt exist. You need to check if the product_id exists, if it does then update it, if it doesnlt insert it.

janenz00 · Accepted Answer · 2015-03-17T11:48:09.047

Three important points :

Your code is very vulnerable to SQL injection, since you did not sanitize your input. Use mysqli_real_escape_string to sanitize input before using it in the query.
```
 $id = mysqli_real_escape_string($link, $GET['id']); //Link will be your connection variable
```
mysql_* functions are deprecated. Do not use them. Use mysqli_* functions instead.

The logic is wrong.

 if (isset GET id) {
  check if id exists in db using select query
  If  (id exists in db)
        update query
  else 
        insert query
}

The code will be :

   if (isset($_GET['id']) && !empty($_GET['id'])) {
       $id = mysqli_real_escape_string($link, $GET['id']); //Link will be your connection variable
       $query = "SELECT product_id FROM mydb.nl_dailydeals WHERE product_id=". $id;
       if ($result = mysqli_query($link, $query)) {
              //run your UPDATE query
        } else {
            // run your insert query
        }

Update n Insert throught GET

2 Answers2