
Can you help me find out what is wrong with this code? It says it succeeded, but nothing changes in SQL. Is something wrong with $est = intval($_GET['est']);? Please help.

<?php

session_start();

require_once("lib/connection.php");

// Only logged-in users may reach this page; stop the script after the redirect,
// otherwise the rest of the file still runs for anonymous visitors.
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
} else {
    $ten = $_SESSION['username'];
    $sql = "select * from users where username = '$ten' ";
    $query = mysqli_query($conn, $sql);
    $data = mysqli_fetch_array($query);
}

// Estimate number taken from the query string (e.g. edit.php?est=123)
$est = intval($_GET['est']);

$query2 = "SELECT * FROM customerinfo where estimate_number = '$est'";

$result = mysqli_query($conn, $query2);
$row = mysqli_fetch_array($result);

// Form submitted with the "xacnhan" (confirm) button
if (isset($_POST["xacnhan"])) {
    if (isset($_POST["estc"])) {
        $estc = $_POST["estc"];
        $sql = "UPDATE customerinfo SET estimate_number = '$estc' WHERE estimate_number = '$est'";
        mysqli_query($conn, $sql);
        echo "ban da doi thanh cong Name: $estc";
    }

    if (isset($_POST["namec"])) {
        $namec = $_POST["namec"];
        $sql = "UPDATE customerinfo SET name = '$namec' WHERE estimate_number = '$est'";
        mysqli_query($conn, $sql);
        echo "ban da doi thanh cong Name: $namec";
    }
}

?>

  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 25 '17 at 02:35
  • You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysqli_error()`](http://php.net/manual/en/mysqli.error.php) to get a detailed error message from the database. – John Conde Mar 25 '17 at 02:35

1 Answer

$est = intval($_GET['est']);

You use $_GET['est'] without checking if this value exists. Try this:

if (!isset($_GET['est'])) {
    // error
} else {
    $est = intval($_GET['est']);
}

PS: You should definitely protect your code from SQL injections. It is the best known and easiest to exploit security issue of PHP. I could do an SQL injection within seconds using only a browser.

Aloso
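The same two updates rewritten the way the answer and the comments suggest (added example, not the asker's or the answerer's code): the est parameter is validated before use, both queries go through prepared statements, database errors are surfaced instead of ignored, and "success" is only reported when affected_rows shows a row actually changed. It assumes $conn is the mysqli connection created by lib/connection.php and the column names from the question.

```php
<?php
// Added example; assumes $conn (mysqli) comes from lib/connection.php.

function updateEstimateField(mysqli $conn, string $column, string $value, int $est): int
{
    // Column names cannot be bound as parameters, so restrict them to a whitelist.
    $allowed = ['estimate_number', 'name'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Column not allowed: $column");
    }
    $stmt = mysqli_prepare($conn, "UPDATE customerinfo SET `$column` = ? WHERE estimate_number = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, 'si', $value, $est);
    if (!mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('execute failed: ' . mysqli_stmt_error($stmt));
    }
    // 0 means no row matched the WHERE clause (or the value was already the same).
    $changed = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $changed;
}

// Reject the request early when the estimate number is missing or not numeric.
if (!isset($_GET['est']) || !ctype_digit($_GET['est'])) {
    http_response_code(400);
    exit('Missing or invalid est parameter');
}
$est = (int) $_GET['est'];

if (isset($_POST['xacnhan'])) {
    foreach (['estc' => 'estimate_number', 'namec' => 'name'] as $field => $column) {
        if (!isset($_POST[$field])) {
            continue;
        }
        $changed = updateEstimateField($conn, $column, (string) $_POST[$field], $est);
        if ($changed === 1) {
            echo "Updated $column for estimate $est\n";
        } else {
            echo "No row with estimate_number = $est was changed\n";
        }
        // Once estimate_number itself has changed, the second update must match the new value.
        if ($column === 'estimate_number') {
            $est = (int) $_POST[$field];
        }
    }
}
```

If the form's action URL drops the ?est= query string, $_GET['est'] is empty on the POST and the WHERE clause matches nothing; the 400 response above makes that visible instead of printing a success message.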