MySQL / PHP problem

Status
Not open for further replies.

Mike

I'm trying to update the database when I get a postback from my affiliate company. Here's the script I'm using:

Code:
<?php

include("db.php");

$email = $_GET['email'];

$query = "UPDATE `table_name`.`info` SET `incentive` = \'1\', WHERE `info`.`email` = '.$email.';";

mysql_query($query) or die('Error, query failed');

mysql_close($database);
?>

I keep getting "Error, query failed", but I'm too tired - and apparently too stupid - to figure out why.

Help.
 


What are the periods doing in the `table_name`.`info` part of the query? Doesn't look like legal query syntax.

Also... you are escaping single quotes when the whole string is already in double quotes. That's not needed.

You also have a comma after the SET values before the WHERE clause starts.

Should be something like this:

$query = "UPDATE table_name SET incentive = 1 WHERE email = '$email'";
 
change the error reporting part to
PHP:
or die(mysql_error());
so you can figure out where the error is in your syntax and fix it.
 
man... so much wrong there... drop the stupid single quotes from phpmyadmin, and the semi at the end of the query, either drop the .'s around $email, or break the string w/ "'s, and you don't need quotes around numeric values. also, if the db isn't selected w/ mysql_select_db('dbname'); in db.php, then do that too.
Code:
$query = "UPDATE table_name SET incentive=1 WHERE email='".$email."'";
 
You really don't need the periods at all:

$query = "UPDATE table_name SET incentive=1 WHERE email='$email'";
Should work just fine. I use that all of the time.
 
Code:
$query = "UPDATE table_name SET incentive=1 WHERE email='".$email."'";

Add some security to the query:
Code:
$query = "UPDATE table_name SET incentive=1 WHERE email='" . mysql_real_escape_string(stripslashes($email)) . "'";

This will take the slashes off of $email (if magic quotes is enabled) and then make it MySQL-safe.

After your query, you can also add in:
Code:
if (mysql_error()) {
    mail('you@yourdomain.com', 'MySQL Error', "$query\n" . mysql_error(), "From:you@yourdomain.com");
}
 
Esnagel, you don't need stripslashes() with mysql_real_escape_string. MRES is all you need.
 
Esnagel, you don't need stripslashes() with mysql_real_escape_string. MRES is all you need.

I should just try this out, but...

IF magic quotes is enabled, then "She's there" would be "She\'s there" in $_GET['whatever']

so if I ran that through MRES, it'd turn into "She\\\'s there", wouldn't it?

So put it through stripslashes, first, to get "She\'s there" back to "She's there" then MRES to get "She\'s there" again (plus any other security holes plugged)
 
well I was assuming magic gay wasn't enabled, because it's the dumbest shit ever and should be disabled immediately upon php installation
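
An added example, not part of the thread or any poster's code: the thread's concatenated UPDATE next to a PDO prepared statement, which is a different technique from the mysql_real_escape_string() fix suggested above and needs no stripslashes() step because the value never becomes part of the SQL text. It assumes PHP 7 or later with pdo_sqlite; the in-memory database, sample rows, request values and function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the in-memory SQLite database and sample rows are constructed so the
// script runs offline. With MySQL only the DSN changes, for example
// new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE info (email TEXT PRIMARY KEY, incentive INTEGER NOT NULL DEFAULT 0)");
$pdo->exec("INSERT INTO info (email) VALUES ('alice@example.com'), ('o''brien@example.com')");

// The thread's pattern: the request value becomes part of the SQL text.
function flag_concatenated(PDO $pdo, string $email): int
{
    return $pdo->exec("UPDATE info SET incentive = 1 WHERE email = '$email'");
}

// Bound parameter: the value is sent as data and cannot alter the statement.
function flag_bound(PDO $pdo, string $email): int
{
    $stmt = $pdo->prepare('UPDATE info SET incentive = 1 WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->rowCount();
}

function reset_flags(PDO $pdo): void
{
    $pdo->exec('UPDATE info SET incentive = 0');
}

// Constructed request values: a normal address, one with an apostrophe,
// and one whose quote closes the string literal early.
$inputs = ['alice@example.com', "o'brien@example.com", "nobody' OR '1'='1"];

foreach ($inputs as $email) {
    foreach (['flag_concatenated', 'flag_bound'] as $fn) {
        reset_flags($pdo);
        try {
            $rows = $fn($pdo, $email);
            printf("%-18s %-22s rows updated: %d\n", $fn, $email, $rows);
        } catch (PDOException $e) {
            // Log the detail server-side; the thread's die(mysql_error())
            // would show it to whoever sent the request.
            printf("%-18s %-22s query failed\n", $fn, $email);
        }
    }
}
```

The mysql_* functions used in the thread were removed in PHP 7.0 and magic quotes in PHP 5.4, so on current PHP the bound-parameter form is the one that applies.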
 