1

EDIT: Thank you all for the very quick answers! I have been at this for a while, trying to figure out why $id was being recognized and why the strings weren't. I feel a bit silly now seeing the obvious answer but I'm relieved to have it working.

I apologize if this has been answered before, I've looked for hours and could not find something similar to help me figure this out.

I am trying to update a row in my database of devices with new information. Problem is, the php file only recognizes $data->devID; and nothing else.

If I have something like $sql = "UPDATE devices SET devName = 'static test string', description = 'static test string' WHERE devID = $id"; the entry with the correct ID will update in my database table just fine.

If I try $sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id"; it does not work.

Where am I going wrong?

HTML:

<div data-ng-repeat="info in deviceInfo">
    <form class="deviceInfo">
        <h2>Device ID: {{info.devID}}</h2>
        <p>Device Name:</p>
        <input type="text" data-ng-model="info.devName">
        <p>Device Description:</p>
        <textarea data-ng-model="info.description"></textarea>
        <p>Device Available: {{info.isAvailable}}</p>
        <input type="submit" name="Update" value="Update" data-ng-click="updateInfo(info.devID, info.devName, info.description)">
    </form>
</div>

updateDeviceInfo.php:

<?php

$data = json_decode(file_get_contents("php://input"));

include('config.php');

$id = $data->devID; 
$name = $data->devName;
$desc = $data->description;

$sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id";

$qry = $conn->query($sql);

$data = $qry;

$sql = "SELECT * FROM devices";

$qry = $conn->query($sql);

$data = array();

if($qry->num_rows > 0){
    while($row = $qry->fetch_object()){
        $data[] = $row;
    }
}else {
    $data[] = null;
}

$conn->close();

echo json_encode($data);

controller.js:

$scope.updateInfo = function($paramID, $paramName, $paramDesc){

    console.log($paramID);
    console.log($paramName);
    console.log($paramDesc);

    $scope.dataOneTest = {
            devID: $paramID,
            devName: $paramName,
            description: $paramDesc

        };

    console.log($scope.dataOneTest.devID);

    $http.post('./js/updateDeviceInfo.php', {'devID': $paramID, 'devName': $paramName, 'description': $paramDesc})
        .success(function(data){
            $scope.results = data;
        })
        .error(function(err){
            $log.error(err);
        })
}
Martin Doychinov
  • 63
  • 7

3 Answers3

2

tl;dr You are almost certainly performing SQL injection on yourself both by inserting variables directly into a query and by failing to use proper quotation marks around them.

You need to use prepared statements, rather than concatenating variables directly into your query. If, for example, $data->devName contained something nefarious like NULL --, that would toast your entire table. And that's a very mild example of how badly things could go. Prepared statements would render that example (and pretty much all other examples) harmless.

Short-Term Fix

As a short-term fix, put quotation marks in the query and escape your data, like this:

$id = your_database_escape_function($data->devID); 
$name = your_database_escape_function($data->devName);
$desc = your_database_escape_function($data->description);

$sql = "UPDATE devices SET devName = '$name', description = '$desc' WHERE devID = $id";

substituting your database's corresponding escaping function for your_database_escape_function(). For example, use $conn->real_escape_string() if $conn is a MySQLi object. See the manual.

The Real Fix

Here's how you really do it correctly, and the solution you should implement ASAP. That is, do this before you go any further if at all possible. Use prepared statements.

Read this entire Q&A and this cheat sheet from OWASP (no affiliation) for more information.

Community
  • 1
  • 1
elixenide
  • 44,308
  • 16
  • 74
  • 100
  • Thank you, I will read all of those to remind myself of the proper way to do things. I'm coming back to php from a very long break and I've forgotten everything almost. – Martin Doychinov Mar 29 '17 at 02:57
1

change this becuase description and devName which are string should be quoted

$sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id";

to

$sql = "UPDATE devices SET devName = '".$name."', description = '".$desc."' WHERE devID = $id";

Sugumar Venkatesan
  • 4,019
  • 8
  • 46
  • 77
1

Try this, $sql = "UPDATE devices SET devName = '$name', description = '$desc' WHERE devID = $id";

As title and description are string it requires single quote wrapping inside double quotes.

Sonal Khunt
  • 1,876
  • 12
  • 20