Update MySQL Value Through Img Src Variable Including jQuery

Question

Thank-you to all who have helped me over the last few days.. Unfortunately I was working so I couldn't get back to you. I have included some code into what I thought would work, but for some reason the below code will not update in my SQL Database. I will provide the code and it's output if someone could please copy the code and see why it's not working... It's really doing my head in! Haha!

(The connection to the MySQL db + table is working fine).

// admin.php
<a href="#" id="chngeHref" /><img src="<?php echo "image.php?url=" . $row[2]; ?>?tid=<?php echo $row[0]; ?>&opn=<?php echo $row[1]; ?>" id="chnge" /></a>
// image.php?url=image.jpg?tid=3&opn=1

I was advised to do it this way to make it easier for me to pass the variables (tid and opn) through the process.

// update.php

$tid  = $_GET['tid'];
$opn  = $_GET['opn'];

if ($opn == "0") { $opn = "1"; } elseif ($opn == "1") { $opn = "0"; } 

mysql_query("UPDATE catalogue SET opn = $opn WHERE tid = $tid ; ");   

mysql_close(); 

// it's just a simple script to change a variable from 1 to 0 or 0 to 1 where tid = a specific number...

I have my jQuery stuff all tucked away in a lovely little file, because there is alot of it...

// navigate.js


$.extend({
 getUrlVars: function() {
  var vars = {};
  var parts = window.location.href.replace(/[?&]+([^=&]+)=([^&]*)/gi, function(m,key,value) { vars[key] = value; });
 return vars;
 }
});


$("#chngeHref").click(function() {
 var tid = $.getUrlVars()['tid'];
 var opn = $.getUrlVars()['opn'];

 $.ajax({
  type: "POST",
  url: "update.php",
  data: "tid="+ tid +"& opn="+ opn,
  success: function(){ 
   $('#chnge').fadeTo('slow',0.4);
   }
  });
 });

The .extend code i found on the net which finds the parameter and value of all those in the address line. I THINK this is where my issue might be, because the top code is never actually sending it to the address bar, it's being sent through jQuery to the update.php file.

I can only say thank-you soooo much in advance to anyone who can assist in this.

Phillip.

Just an FYI, your code in update.php is extremely vulnerable to [SQL Injection](http://www.unixwiz.net/techtips/sql-injection.html). — Nathan Taylor, Aug 22 '10 at 14:49
You have to start learning how to debug your code. That's the only way to find errors. Asking on SO is not an option — Your Common Sense, Aug 22 '10 at 14:58

score 0 · Answer 1 · edited May 23 '17 at 12:18

0

There are a few issues here bsides the SQL Injection vulnerability Nathan mentions, namely you're POSTing, so you need to use $_POST rather than $_GET to retrieve your variables. Also you have an extra space in the data block, this:

data: "tid="+ tid +"& opn="+ opn,

should be:

data: "tid="+ tid +"&opn="+ opn,

or a bit cleaner using object notation (so it also gets properly encoded):

data { tid: tid, opn: opn },

For the SQL Injection issue, instead of this:

mysql_query("UPDATE catalogue SET opn = $opn WHERE tid = $tid ; ");

At the very least escape the values, like this:

$tid = mysql_real_escape_string($_POST['tid']);
$opn = mysql_real_escape_string($_POST['opn']);

Or, go the parameterized query route, which is what I'd prefer.

edited May 23 '17 at 12:18

Community

1
1

answered Aug 22 '10 at 14:56

Nick Craver

623,446
136
1,297
1,155

Thank-you. I tried stipping all the jQuery away and _POST didnt work, so I changed it to _GET and it worked, so I updated my code in here, but if you think it needs to be GET, i am going to take your word for it, and secondly, are you suggesting in the jQuery I use data: "tid="+ tid +"&opn="+ opn, or data { tid: tid, opn: opn }, -- update: I just updated the code with your suggestions, and it did not work. the opn variable did not change in the db. – Phillip L Aug 22 '10 at 14:59
@Phillip - I'm suggesting using the object method, the `{ tid... }` this way any values that need encoding (say it contains a `&`, will get encoded). For the other: your GET or POST should match the method you're using, I'd prefer POST here since it's an "action" you're performing. But this bit: `type: "POST"` in jquery determines which you're doing, and that's how the variables will be available on the PHP side. – Nick Craver Aug 22 '10 at 15:03
1

@Phillip - You should use a tool like Firebug or Chrome's developer tools to see what's actually getting sent to the server, this narrows it down to client/server or both very quickly, first you need to make sure the right variables are getting POSTed, that's step #1, and using something like Firebug to see what's submitted is an excellent way to do that: http://getfirebug.com/ – Nick Craver Aug 22 '10 at 15:06
in that case, it doesnt work :( -- thank-you for your assistance. i did tidy up the code with your suggestions. – Phillip L Aug 22 '10 at 15:07
@Phillip - GET variables are in the address bar, POST ones aren't, that's the difference, you can link to a GET request. Typically, though this varies, developers *mostly* tend to use POST for things that have an effect, like a database update, and GET for viewing data, e.g. a link you'd want to send someone else, or bookmark. – Nick Craver Aug 22 '10 at 15:07
I just worked that out then! hahah. Thank-you. i am downloading the software you just suggested, then going to bed.. haha quick changeovers a not fair on the body. – Phillip L Aug 22 '10 at 15:11

Update MySQL Value Through Img Src Variable Including jQuery

1 Answers1