
Please tell me what I have done wrong. I think there may be a $_POST error but I am new to PHP and just need a hand.

```php
<?php

include("config.php");

if (isset($_POST['submit'])) {

    $medical = $_POST['medicalin'];

    if ($medical == '') {
        echo "<script>alert('Please enter some Medical Information, if there is none to report, simply type N/A.')</script>";
        exit();
    }

    // updating
    $query = "UPDATE test SET medical= '$medical' WHERE id=" . $user['id'];

    if (mysql_query($query)) {
        echo "<script>window.open('/success','_self')</script>";
    } else {
        echo "There was an error updating your medical information, please contact us immediately.";
    }

}

?>
```
Brian Tompsett - 汤莱恩
  • Where do you define $user['id']? – shubham715 Apr 25 '18 at 07:23
  • Why compare with `''` and not `empty()`? – SuperDJ Apr 25 '18 at 07:24
  • Later up in another file, but I've already got this: $query = " UPDATE test SET last_login = NOW() WHERE id=".$user['id']; – WPS Team Apr 25 '18 at 07:25
  • Don't use `mysql_*`; instead use `mysqli_*` or PDO, as `mysql_*` is deprecated and removed as of PHP 7. – SuperDJ Apr 25 '18 at 07:25
  • OK @SuperDJ, I'll try that. – WPS Team Apr 25 '18 at 07:27
  • Your code is vulnerable to [SQL injection](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [mysqli](https://secure.php.net/manual/en/mysqli.prepare.php) or [PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). –  Apr 25 '18 at 07:34
  • Your script is open to SQL injection. Do not put user input directly into the query; use prepared statements instead. – Lelio Faieta Apr 25 '18 at 07:34
  • Please describe the problem in more detail! Do you get an error? What does this script do and what does it not do? – Ma Kobi Apr 25 '18 at 07:38
  • @MaKobi I am getting the error of "There was an error updating your medical information, please contact us immediately." – WPS Team Apr 25 '18 at 09:37
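The comments above point at two separate problems: `$user['id']` is never defined in this file (so the query ends in `WHERE id=` and fails, which is why the else branch fires), and the form value is concatenated straight into the SQL. The following is an added example, not the asker's code, showing the same update done with a mysqli prepared statement. It assumes that `config.php` creates a mysqli connection in `$mysqli` and that the login code stored the user's id in `$_SESSION['user_id']`; both names are assumptions, not something the question shows.

```php
<?php
// Added example (not the asker's code): the same UPDATE done with a mysqli
// prepared statement, so the user-supplied text never becomes part of the SQL.
// Assumptions: config.php creates a mysqli connection in $mysqli, and the
// login code stored the logged-in user's id in $_SESSION['user_id'].
declare(strict_types=1);

session_start();
include "config.php";                                        // assumed to set $mysqli
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // throw exceptions on SQL errors

function updateMedical(mysqli $db, int $userId, string $medical): bool
{
    // The ? placeholders stand in for the values. The server compiles the
    // statement before the values are sent, so quotes or semicolons inside
    // $medical are stored as plain text and cannot change the query.
    $stmt = $db->prepare("UPDATE test SET medical = ? WHERE id = ?");
    $stmt->bind_param("si", $medical, $userId); // s = string, i = integer
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    // affected_rows is 0 when the stored value was already identical; only a
    // negative value means the statement failed.
    return $affected >= 0;
}

if (isset($_POST['submit'])) {
    // Without a known user id there is nothing safe to update.
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Not logged in.');
    }

    $medical = trim($_POST['medicalin'] ?? '');
    if ($medical === '') {
        echo "<script>alert('Please enter some Medical Information, if there is none to report, simply type N/A.')</script>";
        exit();
    }

    try {
        updateMedical($mysqli, (int) $_SESSION['user_id'], $medical);
        header('Location: /success');
        exit();
    } catch (mysqli_sql_exception $e) {
        // Keep the database error in the server log; show the user only a generic message.
        error_log('medical update failed: ' . $e->getMessage());
        echo "There was an error updating your medical information, please contact us immediately.";
    }
}
```

With `mysqli_report` set to throw, the actual reason for a failed update (unknown column, lost connection, missing id) ends up in the server error log instead of being silently swallowed by the `else` branch, which is what makes the original script so hard to debug.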
