0

I've got an payment provider, which helps me to pay by call. However after the payment I need to UPDATE the order's status. This doesn't work. The whole script is found below.

        if ($m->payed) {
$order_result = mysql_query('UPDATE jos_vm_orders SET order_status="C" WHERE order_id="'.$_GET['id'].'"');       
            echo '<b>Bedankt voor je betaling</b><br />
                  De betaling is succesvol gelukt!';

        }
        else {

$GET_['id'] is sent with the url.

I really don't know the answer, because the UPDATE line does work when I use it in the beginning (before the payment).

And not only the update line doesn't work, everything after 'if payed' doesn't work.

Thanks in advanced!

Improve this question
1
  • 2
    Your code is highly vulnerable to SQL injection attacks, since you are passing $_GET['id'] directly into SQL statements. You should, at a minimum, call mysql_real_escape_string() on it as: $id = mysql_real_escape_string($_GET['id']) Commented Sep 9, 2011 at 13:26

5 Answers 5

Reset to default
1

Examine the query:

$order_result = mysql_query('UPDATE jos_vm_orders SET order_status="C" 
WHERE order_id="'.$_GET['id'].'"');

It is my guess that the WHERE clause is failing. Call mysql_affected_rows() after the operation; it will return 0 if no rows were updated.

The problem could also be the query failing. Wrap the query in a block similar to the following:

if (!$order_result = mysql_query('UPDATE jos_vm_orders SET order_status="C"
WHERE order_id="'.$_GET['id'].'"')) {
    // Handle the error here.
}

Also note, it is not good practice to ever use $_GET or $_POST data directly in an SQL query. Consider validating it, at least by doing this:

$_GET['id'] = (int) $_GET['id'];
if ($_GET['id'] === 0) {
  // handle the error here
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Please verify the value of $m->payed by adding var_dump() in your code.

var_dump($m);
if ($m->payed) 
 { 
 $sql="UPDATE jos_vm_orders SET order_status='C' WHERE order_id=$_GET[id]";
 $order_result = mysql_query($sql);        
 echo '<b>Bedankt voor je betaling</b><br /> 
       De betaling is succesvol gelukt!'; 
 }
Improve this answer

1 Comment

Your code is highly vulnerable to SQL injection attacks, since you are passing $_GET['id'] directly into SQL statements. You should, at a minimum, call mysql_real_escape_string() on it as: $id = mysql_real_escape_string($_GET['id'])
0

You have to learn how to debug your code.

It's impossible to say what's the problem just by watching the code.
One have to run the code, get all possible error messages and check all important variables. that's the only way to find the problem.

So, to get possible error message you have to run your query the same way as previous one, by using mysql_error()

And also you must take care of the values going to the query.

So, make your code like this:

if ($m->payed) {
    $id  = intval($_GET['id']);
    $sql = "UPDATE jos_vm_orders SET order_status='C' WHERE order_id=$id";
    $res = mysql_query($sql);
    if (!$res) {
        trigger_error(mysql_error()." ".$sql);
        echo '<br>Server Error<br>';
    } elseif (!mysql_affected_rows($res)) {
        trigger_error("No rows were updated! ".$sql);
        echo '<br>Server Error<br>';
    } else {
        echo '<b>Bedankt voor je betaling</b><br />De betaling is succesvol gelukt!';
    }
} else {
    echo '<font color=red><b>Betaling is niet afgerond,<br />volg de onderstaande instructies!</b></font><br /><br />';
    }
    include('includes/include.paymentscreen.php');
}
Improve this answer

2 Comments

I have an error, it's Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/rsdeals/domains/xxx/public_html/joom/pay/pay.php:1) in /home/rsdeals/domains/xxx/public_html/joom/pay/pay.php on line 2 So the session_start(); is wrong ? How do I fix this?
@Tim thats very common problem. Check if there is no space before <? in the first line. if no - search here for the Byte Order Mark for the instructions
0

The problem was eventually my server, I had 'display erros' on off. When I turned it on, the actually error lied with the session_start. When I opened the file on my server, I saw I saved it in the wrong format, this solved it!

Thanks for every answer.

Improve this answer

Comments

0

Try Change This

UPDATE jos_vm_orders SET order_status="C" WHERE order_id="'.$_GET['id'].'"

To

$id=$_GET['id'];    
"UPDATE jos_vm_orders SET order_status='C' WHERE order_id='$id'"

Be careful with quotes in query. Always Give Double quotes at starting and ending , prefer single quotes in the middle of query.

Avoid concatination in query and instead try including it like mentioned above

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.