-1

My address bar is this: (it contains the job number 113852)

http://www.mysite.?0=113852

My array output is this: (it contains serial numbers... array amounts change)

Array ( [joblist] => Array ( [0] => gi4416ncd876 [1] => GI4521NA3391 [2] => M40719GD6274 ) [btnSubmit] => SUBMIT )

My php code:

```php
$connection = mysql_connect('#', '#', '#');
mysql_select_db('#');

$equipmentquery="UPDATE tbl_assets 
SET date_installed = curdate(), account_number = {$_GET ['0']} 
WHERE serial = $_POST['joblist']";
```

I am getting a server error. How do I write this SQL query to go through the entire array and update my table?

  • I think your SQL query string has a syntax error. You could use {$_POST['joblist']} – Uttam Kumar Roy Feb 12 '16 at 15:52
  • 7
    oh holy hell! NEVER NEVER NEVER directly use $_GET to interact with a SQL database! – devlin carnate Feb 12 '16 at 15:53
  • 2
    your query is vulnerable to SQL INJECTION. – Drudge Rajen Feb 12 '16 at 15:53
  • 2
    Also, mysql_* is removed in PHP 7. You can use PDO. – Drudge Rajen Feb 12 '16 at 15:54
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Feb 12 '16 at 16:07
  • 1
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Feb 12 '16 at 16:07
  • 1
    Can you show the form that you're using? If you're not using one and/or the post method isn't set, the `$_POST` array is never populated. – Jay Blanchard Feb 12 '16 at 16:08
  • I did a Print_r ($_POST) it outputs: Array ( [joblist] => Array ( [0] => gi4416ncd876 [1] => GI4521NA3391 [2] => M40719GD6274 ) [btnSubmit] => SUBMIT ) – Jason Wells Feb 12 '16 at 16:11
  • Since joblist is an array your query will always have an error. `echo $_POST['joblist'];` – Jay Blanchard Feb 12 '16 at 16:14

1 Answer

2

You have a space between $_GET and [0], and I think the {} are missing around $_POST['joblist'].

But you should escape values before putting them into the query!

Grzegorz J
  • `$equipmentquery="UPDATE tbl_assets SET date_installed = curdate(), account_number = {$_GET['0']} WHERE serial = {$_POST['joblist']}";` – Jason Wells Feb 12 '16 at 15:56
  • I think values should be put in '' as far as I remember. Try to escape the values and put the variables into the query, using '$variable'. Is it MySQL or PostgreSQL? – Grzegorz J Feb 12 '16 at 15:57
  • MySQL... obviously I'm a noob but I am not understanding what you are referring to with the variable comment. @Grzegorz J – Jason Wells Feb 12 '16 at 16:00
  • It was just a simple example, try to: [link](http://php.net/manual/pl/function.mysql-real-escape-string.php) Then put your escaped variables into the query, and put them in single quotes. – Grzegorz J Feb 12 '16 at 16:04
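
The prepared-statement approach recommended in the comments on the question, applied to the question's query and `joblist` array. This is an added example, not code from any poster on this page. It assumes PDO, a positive-integer job number and alphanumeric serials of at most 32 characters; the function name `markInstalled` and the in-memory SQLite demo table are hypothetical stand-ins for the MySQL setup.

```php
<?php
declare(strict_types=1);

// Marks each submitted serial as installed today under one account number and
// returns the serials that matched no row. Input reaches SQL only as bound values.
function markInstalled(PDO $pdo, $accountRaw, $serialsRaw): array
{
    // The job number from ?0=... must be a positive integer.
    $account = filter_var($accountRaw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($account === false || !is_array($serialsRaw)) {
        throw new InvalidArgumentException('bad account number or joblist');
    }
    $stmt = $pdo->prepare(
        'UPDATE tbl_assets SET date_installed = :today, account_number = :account
         WHERE serial = :serial'
    );
    $today = date('Y-m-d'); // on MySQL, CURDATE() in the SQL text works as well
    $unmatched = [];
    $pdo->beginTransaction();
    try {
        foreach ($serialsRaw as $serial) {
            // Assumed format: 1-32 letters or digits. Also rejects nested arrays.
            if (!is_string($serial) || !preg_match('/^[A-Za-z0-9]{1,32}$/D', $serial)) {
                throw new InvalidArgumentException('bad serial');
            }
            $stmt->execute([':today' => $today, ':account' => $account, ':serial' => $serial]);
            // Note: pdo_mysql counts changed rows unless PDO::MYSQL_ATTR_FOUND_ROWS is set.
            if ($stmt->rowCount() === 0) {
                $unmatched[] = $serial;
            }
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $unmatched;
}

// Demo on constructed data: in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tbl_assets (serial TEXT PRIMARY KEY, date_installed TEXT, account_number INTEGER)');
$pdo->exec("INSERT INTO tbl_assets (serial) VALUES ('gi4416ncd876'), ('GI4521NA3391')");
$get  = ['0' => '113852'];                                               // as in ?0=113852
$post = ['joblist' => ['gi4416ncd876', 'GI4521NA3391', 'M40719GD6274']]; // as in the print_r output
print_r(markInstalled($pdo, $get['0'], $post['joblist']));               // serials with no matching row
```

The statement is prepared once and executed once per array element, which is what lets a single UPDATE cover a `joblist` of any length; the transaction keeps a rejected serial from leaving the batch half-applied.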