
I have a PHP page where you can type in a number and then click the submit button, and it should update the column in the table. The problem I have is that it isn't updating the value but just leaving an empty field.

Something seems to be wrong with this line.

$update = mysql_query("UPDATE sip SET callerid = '$new' WHERE name = $trial");

If I just change the $new to a number it works fine. If I echo $new I get a number. Also the $trial bit works fine.

The full code I have is below.

<!DOCTYPE html>
<html>
<head>
  <title>Test</title>
  <link href="/../site.css" rel="stylesheet">
</head>

<body>
<? include("../header.php") ?>
<div id="main">

<?php
session_start();
$trial = $_SESSION['random'];
echo "Random: ".$trial;

if(empty($_SESSION['random'])) {
    header("Location:/site/home.php");
}

echo "<br />";
?>

<form action="customer_details.php" method="post">
    Number: <input type="number" name="phone" id="phone" maxlength="4" min="1000" max="9999" />
    <br /><br />
    <input type="Submit" />
</form>

<?php
$link = mysql_connect('localhost', 'root', '');
mysql_select_db('test' , $link) or die("Unable to select database: asterisk" . mysql_error());

if(isset($_POST['phone']))
{
    $phone = $_POST['phone'];

    $result = mysql_query("SELECT * FROM table where number = '$phone'");
    while ($row = mysql_fetch_array($result))
    {
        $data = $row['callerid'];
    }

    echo $phone;

    if($phone = $data)
    {
        print '<script type="text/javascript">';
        print 'alert("Number is already in database")';
        print '</script>';
    }
    else {
        $new = $phone;
        $update = mysql_query("UPDATE sip SET callerid = '$new' WHERE name = $trial");

        if(! $update )
        {
            die('Could not update data: ' . mysql_error());
        }
        else
        {
            print '<script type="text/javascript">';
            print 'alert("New Data added");';
            print 'window.location.href = "../home.php";';
            print '</script>';
        }
    }
}
?>

<? include("../footer.php") ?>
</div>
</body>

</html>
  • Your code is vulnerable to SQL injection. Commented Apr 2, 2014 at 5:25
  • Agreed with @RUJordan, any errors? Commented Apr 2, 2014 at 5:28
  • No, I haven't got any errors. Might try checking the logs but don't think that will help. Not worried about SQL injection as nothing is that important on it. Commented Apr 2, 2014 at 5:32
  • Have you tried to use mysqli? Commented Apr 2, 2014 at 5:43
  • This bit here "if ($phone = $data) {" is resetting the value of phone. You need to use == Commented Apr 2, 2014 at 5:43

4 Answers

1

You're setting $phone to $data instead of comparing their values.

if($phone = $data)
{
    print '<script type="text/javascript">';
    print 'alert("Number is already in database")';
    print '</script>';
}

Change $phone = $data to $phone == $data. Right now, this condition block will always execute and the else (where your update is set to run) will not.

Side note: If the value of either of the variables contains single quotes and you're using single quotes to set the value in the query (as you should), then it's not only a question of being an injection vulnerability but it just won't update correctly.

1 Comment

I changed to == and it fixed it. Thanks
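
An added example (not part of any answer here, and not the asker's code) that combines the `==` fix with bound parameters, so a value containing a single quote updates correctly and is never parsed as SQL. It assumes PDO with an in-memory SQLite database in place of MySQL, constructed sample rows, a hypothetical `setCallerId` helper, and a duplicate check that reads `sip.callerid`.

```php
<?php
// Added example, not the asker's code. Assumptions: in-memory SQLite via PDO
// stands in for MySQL so the script runs offline; the sample rows are
// constructed; the duplicate check reads sip.callerid.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sip (name VARCHAR(80) PRIMARY KEY, callerid VARCHAR(80))');
$seed = $pdo->prepare('INSERT INTO sip (name, callerid) VALUES (?, ?)');
foreach ([['200101', ''], ['200102', '4321'], ["o'neil", '']] as $row) {
    $seed->execute($row);
}

// Hypothetical helper. Returns 'invalid', 'duplicate', 'unknown' or 'updated'.
function setCallerId(PDO $pdo, string $name, string $phone): string
{
    // Server-side version of the form's min=1000 / max=9999 constraint.
    if (!preg_match('/^[1-9][0-9]{3}$/D', $phone)) {
        return 'invalid';
    }
    // Bound parameters are sent as data and never spliced into the SQL text.
    $check = $pdo->prepare('SELECT callerid FROM sip WHERE callerid = :phone');
    $check->execute([':phone' => $phone]);
    $data = $check->fetchColumn();   // false when no row matches

    // Strict comparison; `$phone = $data` would overwrite $phone instead.
    if ($data === $phone) {
        return 'duplicate';
    }
    $update = $pdo->prepare('UPDATE sip SET callerid = :new WHERE name = :name');
    $update->execute([':new' => $phone, ':name' => $name]);
    return $update->rowCount() === 1 ? 'updated' : 'unknown';
}

// Constructed inputs; $name plays the role of $_SESSION['random'].
$cases = [
    ['200101', '1234'],   // free number
    ['200101', '4321'],   // already assigned to 200102
    ["o'neil", '5678'],   // quote in the name is handled as plain data
    ['999999', '2468'],   // no such row
    ['200101', "12'4"],   // fails the format check
];
foreach ($cases as [$name, $phone]) {
    printf("%-8s %-5s => %s\n", $name, $phone, setCallerId($pdo, $name, $phone));
}
```

With MySQL only the PDO DSN changes; the `mysql_*` functions used in the question were removed in PHP 7.0.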
0

You should use single quotes like this:

$update = mysql_query("UPDATE sip SET callerid = '$new' WHERE name = '$trial'");

1 Comment

I have tried the single quotes around $trial and it makes no difference
0

Try this code

$update = mysql_query("UPDATE sip SET callerid = '{$new}' WHERE name = '{$trial}'");

0

You have to use single quotes for variables which are not integers and no need to use single quotes for integers.

$update = mysql_query("UPDATE sip SET callerid ='".$new."' WHERE name ='".$trial."'");

and change this line

if($phone = $data)  // here you are assigning the value of $data to $phone

to

if($phone == $data) // you have to compare it using ==

7 Comments

If I remove the single quotes around $new. I receive the following error: Could not update data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE name = '200101'' at line 1
What are the datatypes of fields callerid and name?
callerid is varchar(80) and name is varchar(80)
Try with my updated answer. Let me know if you are getting any SQL errors. You can echo the query like echo "update sip SET .....";exit; and execute the query in the database and check whether you are getting any errors.
I tried adding the '". and the page didn't load. But I did an echo of the mysql_query and it returned UPDATE sip SET callerid = WHERE 200101.