I'm trying to get a variable from the URL, but for some reason I can't get it to work. This is all coming from another website's form; that's why I need to get it from the URL. This is what I have right now:

if (isset($_GET['PTS'])) {
    $sPTS = htmlentities($_GET['PTS']);   // value taken straight from the query string

    if (isset($_GET['submit'])) {
        // $sPTS is used as the column name; the statement has no WHERE clause
        mysql_query("UPDATE table1 SET $sPTS=1, ENTRY=5") or die(mysql_error());
    }
}

Thanks for your help...I'm still new to this and learning.

  • So the column name is in the PTS value on the querystring? i.e. foo.php?CustomerID=abcd... and you want to build your SQL string to have CustomerID=1? Commented Sep 6, 2011 at 20:11
  • Is $sPTS supposed to be the field/column instead of the value in your query? Are you receiving what you are expecting from htmlentities($_GET['PTS']);? When dealing with a URL, use urldecode. Commented Sep 6, 2011 at 20:12
  • Are you getting an error message? Where and what? Commented Sep 6, 2011 at 20:12
  • Does the other website's form have its method set to POST or GET? Commented Sep 6, 2011 at 20:12
  • 100500 wise comments saying "I hope you sanitize your inputs" and not a single one to understand how to sanitize and what. Commented Sep 6, 2011 at 20:33

2 Answers

There are a few concerns about the code that I'd like to point out, and they may or may not address the issue.

  • You use htmlentities() on what will ultimately be a field name. Perhaps a tiny bit of data checking would be better.
  • You're allowing a GET statement to specify a field name with NO restrictions. This is VERY dangerous.
  • There is no where clause on your UPDATE statement. All records in the table will be updated.
  • If the submit was made via POST, it wouldn't hit here. I only mention this to you in the off chance that this is something you overlooked. Is $_REQUEST a better fit for your use (than $_GET)?

1 Comment

your answer is better than mine :)

Try

if (isset($_GET['submit'])) {
    // column name wrapped in backticks
    mysql_query("UPDATE table1 SET `".$sPTS."`=1, `ENTRY`=5") or die(mysql_error());
}

Also, you should be using mysql_real_escape_string on those $_GET values:

$sPTS = mysql_real_escape_string(htmlentities($_GET['PTS']));

6 Comments

It may have nothing to do with GET values, but it has everything to do with not getting your database hacked.
@jordan this answer is not safe against SQL injection, even with using mysql_real_escape_string. -1
@Pekka isn't mysql_real_escape_string designed for that exact purpose, to make input values safe for use with a database?
@jordanmoore mysql_real_escape_string does not escape the backtick character. In its current form, you can at least assign arbitrary values to other columns by doing a SQL injection in $_GET["submit"]. m_r_e_s() is useful only for string values that you pass to the query. You can't sanitize field or table names with it.
@Pekka thanks for that - didn't realise! You've just saved me a tonne of work for my site (I've not started the db yet and was going to rely on that!).
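The points raised in both answers and the comment thread above (the column name cannot be made safe with htmlentities() or mysql_real_escape_string(), the UPDATE needs a WHERE clause, and bound parameters only cover values) can be put together in one piece of code. The following is an added example written for this page, not code from the question or from either answer. It assumes a table `table1` with integer columns `PTS1`, `PTS2`, `PTS3` and `ENTRY` plus an integer primary key `id`, and that the other site's form also sends the row's `id`; the column names, the `id` parameter and the sample rows are all constructed for the example. It uses PDO against an in-memory SQLite database so it runs offline; the same code works unchanged against a `mysql:` DSN.

```php
<?php
declare(strict_types=1);

// Identifiers (column names) cannot be bound as parameters, and escaping
// functions do not cover the backtick, so the only safe source for the column
// name is an allow-list of literals we control. (Assumed column names.)
const ALLOWED_COLUMNS = ['PTS1', 'PTS2', 'PTS3'];

function columnFromRequest(array $request): string
{
    $name = $request['PTS'] ?? '';
    if (!in_array($name, ALLOWED_COLUMNS, true)) {
        throw new InvalidArgumentException('unknown column: ' . var_export($name, true));
    }
    return $name; // now guaranteed to be one of our own literals
}

// Values and the WHERE clause go through bound parameters; the WHERE clause
// restricts the update to one row instead of the whole table.
function updatePoints(PDO $db, array $request): int
{
    $column = columnFromRequest($request);
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare("UPDATE table1 SET `$column` = :flag, ENTRY = :entry WHERE id = :id");
    $stmt->execute([':flag' => 1, ':entry' => 5, ':id' => $id]);
    return $stmt->rowCount(); // number of rows actually changed
}

// Constructed sample schema and rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE table1 (id INTEGER PRIMARY KEY, PTS1 INTEGER DEFAULT 0, '
        . 'PTS2 INTEGER DEFAULT 0, PTS3 INTEGER DEFAULT 0, ENTRY INTEGER DEFAULT 0)');
$db->exec('INSERT INTO table1 (id) VALUES (1), (2)');

// A legitimate request, as the other site's form would send it:
// ?PTS=PTS2&id=1&submit=1  (constructed; in production use $_GET or $_REQUEST)
$rows = updatePoints($db, ['PTS' => 'PTS2', 'id' => '1', 'submit' => '1']);
echo "updated $rows row(s)\n"; // only row 1 is touched

// A request whose column name carries a backtick and a second assignment is
// rejected by the allow-list before any SQL text is built.
try {
    updatePoints($db, ['PTS' => 'PTS2`=1, `ENTRY', 'id' => '1']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The allow-list is the key design choice: because the column name is compared against string literals with strict equality, nothing the form sends ever reaches the SQL text except one of those literals, which is the check the first answer alludes to and the reason the second answer's backtick quoting is not enough on its own.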
