[RESOLVED] $_GET from second URL

BryanJ

In my code, there is a form where you enter some information and it grabs some stats based on your entered information. The url looks something like this:

[/url]http://localhost/API%20Module/insert_character.php?apiKey=D4FA7D5A748D4BF38B42F608177E4EF431EBB989CB484EBEB73E96A0FC43F4B0&userID=714244[/url]

When the user is directed there, it lists up to 3 entries, all of which have a link to

[/url]http://localhost/API%20Module/insert_character.php?apiKey=D4FA7D5A748D4BF38B42F608177E4EF431EBB98[/url]
9CB484EBEB73E96A0FC43F4B0&userID=714244&charID=07146415726&insert_characters=Submit+Characters

where charID=07146415726 is a unique number based on the entry the user clicks.

My problem is there when the user clicks submit the first time on the original form, it takes the userID and the apiKey and inserts it into the database no problem. However, when the user clicks an entry instead of grabbing the charID from the URL and putting it into the database, it just outputs the success message without inputting it.

My Code used:

IF statement handling the charID portion:

if($_GET['submitted'] == 'yes')
    {
    $charID = $_GET['charID'];
    $api = $_GET['apiKey'];
    $user_ID = $_GET['userID'];
    echo "Successful";

insert_charID($api, $user_ID, $charID);


}

Insert_charID Function

function insert_charID($api, $userid, $charid)
    {
    $update_query = "UPDATE user_info SET char_id = '$charid' WHERE api_key = '$api' AND user_id = '$userid'";
    mysql_query($update_query) or die(mysql_error());
    $text = "Char ID Update Successfully";
    echo $text;

}

djjjozsi

MAybe your API code field does'nt have enoght space in the database? (let's use at least Varchar 100)

Why is it needed to send codes in links ?

use session to bring these codes.

On update, mysql_affected_rows() function gives you back the affected rows number, lets check, and if it is 1, then return from the function: true, if its not 1 then return false.

if(insert_charID($api, $userid, $charid) ==true)
echo "Success";
else
echo "error on Update";

and let's use mysql_real_escape_string() function on the data from your visitors if you insert it to the database.

BryanJ

api and userid info are added fine, but I have changed the api field to 100 chars. Using the code to check the insert_charID function shows error on update 🙁

BryanJ

I got this working using the following code:

Insert Characters

if(isset($_GET['submitted']) && $_GET['submitted'] == 'yes')
    {
    $charid = $_GET['charID'];
    $api = $_GET['apiKey'];
    $userid = $_GET['userID'];

insert_charID($api, $userid, $charid);
   // echo "Successful";




}

Function

function insert_charID($api, $userid, $charid)
    {
$update_query = "UPDATE user_info SET char_id = '" . $charid . "' WHERE api_key = '" . $api . "' AND user_id = '" . $userid . "'";
    mysql_query($update_query) or die(mysql_error());
    $text = "Char ID Update Successfully";
    echo $text;

}

laserlight

A word of warning though: you did not escape the incoming variables before using them in the SQL statement. This makes your code vulnerable to SQL injection. I would suggest something like this:

function insert_charID($api, $userid, $charid)
    {
    $sql = sprintf("UPDATE user_info SET char_id = '%s' WHERE api_key = '%s' AND user_id = '%s'",
        mysql_real_escape_string($charid),
        mysql_real_escape_string($api),
        mysql_real_escape_string($userid));

    return mysql_query($sql);
}

// ...

if (isset($_GET['submitted'], $_GET['charID'], $_GET['apiKey'], $_GET['userID'])
    && $_GET['submitted'] == 'yes')
    {
    if (insert_charID($_GET['apiKey'], $_GET['userID'], $_GET['charID']))
        {
        echo "Char ID Update Successfully";
        }
    else
        {
        // Handle some kind of SQL or other database related error.
        }
    }

BryanJ

Yeah, its only for my personal use so I dont need to sanitize any input as im not going to hack my own stuff.

laserlight

BryanJ wrote:
Yeah, its only for my personal use so I dont need to sanitize any input as im not going to hack my own stuff.

No, sanitise your input anyway. Even if you only intend it for personal use now, you may drop it into code intended for a wider audience later and forget to correct the security problems. Besides the potential SQL injection problem, there is also the possibility of "honest" user errors where a single quote somehow makes it way into one of those strings.