0 
<?php
$host = "localhost";
$user = "root";
$pass = "pass";
$db = "table";
$connect=mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($db, $connect) or die(mysql_error());
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
  $username = trim($_POST["username"]);
   $res = mysql_query("SELECT id, username, email, ip FROM users WHERE username='". mysql_real_escape_string($username) . "'");

  $arr = mysql_fetch_assoc($res);
  $user_id = $arr['id'];
  $user_name = $arr['username'];
  $user_email = $arr['email'];
  $user_ip = $arr['ip'];
  $res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();
}
?>
<form method="post" action="">
<input type="text" size="40" name="username">
<tr><td colspan="2"><input type="submit" class="btn" value='send'></td></tr>
</form>

This script doesn't execute: $res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();

What's wrong ?

Improve this question

3 Answers 3

Reset to default
7

Use:

$res = mysql_query("UPDATE users SET enabled='no' WHERE id=$user_id") or die(mysql_error());
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

Try wrapping the enabled=no and the id=$user_id in quotes

$res = mysql_query("UPDATE users SET enabled='no' WHERE id='$user_id'") or mysql_error();

You should also make sure you escape your variables as your code is vulnerable to SQL Injection

$username = mysql_real_escape_string(trim($_POST["username"]));
Improve this answer

7 Comments

If the id column is an integer you don't need the single quotes around $user_id
I have doubt on single quoted $user_id... are you sure?
True, but it's best practice - if it's inside quotes and you escape the variable, it can prevent SQL injection
I'm not sure putting integer values in single quotes is best practice.. Why would this be better than without the qoutes?
Because of SQL injection reasons, and also on the possibility it isn't an int being passed. If it's wrapped in quotes, then it will just return null, without causing the script to bug out. And with regards to SQL injection, if the variable is '1 OR UNION...' then it's exploitable - if it's wrapped in quotes and escaped, again it will just return null.
|
0

you need to debug.

at the end of this line

 $res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();

write this line

"UPDATE users SET enabled=no WHERE id=$user_id"

you will see what command will be execute. probably $user_id variable coming wrong.

if you seen wrong sql command go head and try to investigate why user_id coming wrong

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.