Solved

updating mysql database using a query string

Posted on 2010-04-09
Last Modified: 2013-12-12
Hi,
I have a MySQL database which I want to update via a query string.
The site is located at:
 http://localhost/webmaster/

The database logon credentials are:
username="root";
password="password";
database="contacts_db";


The update query string I want to use is:
http://localhost/webmaster/ $query = "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')";

Because I haven't connected to the database I get:
Forbidden

You don't have permission to access /webmaster/ $query = "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')"; on this server.

My question is: can I prepend the logon credentials to the update query string, update the database, and then close the database using a query string?
Security is not an issue.
Thanks
0
Question by:blossompark
LVL 6

Expert Comment

by:karoldvl
ID: 30187607
You could pass your credentials as additional parameters and then use them in a script of a couple of lines to execute the query. Or do you insist on using solely "query" for this?

What rewrites do you have in place?

And this is only acceptable for localhost, but you mention security is not an issue.
0
 

Author Comment

by:blossompark
ID: 30188659
Hi karoldvl, thanks for your response.
The reason for using a query string is to keep it simple, as I am very new to this and am trying to learn in steps. However, if you have guidance on this issue it would be greatly appreciated. Can I do it with a query string, and if so, what is the syntax?

I don't understand your question:
What rewrites do you have in place?

Thanks
0
 
LVL 6

Expert Comment

by:karoldvl
ID: 30189870
Never mind the rewrites. If you're not sure, then you probably don't have them in place.
 
You could use something like this (attached update.php).

And then access it like this:
http://localhost/webmaster/update.php?user=root&pass=password&db=contacts_db&query= "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')"

But this is so insanely insecure, that you should avoid it if possible. And this pertains not only to external threats, but there's so much room for error when operating in this fashion on the database, that backups are a priority.




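<?php

// Uses the legacy mysql_* extension (removed in PHP 7.0).
// Credentials, database name and the SQL statement all come from the URL.
$user  = isset($_GET['user']) ? $_GET['user'] : '';
$pass  = isset($_GET['pass']) ? $_GET['pass'] : '';
$db    = isset($_GET['db']) ? $_GET['db'] : '';
$query = isset($_GET['query']) ? $_GET['query'] : '';

// The host name must be a quoted string; a bare localhost is an undefined constant
$sql = mysql_connect('localhost', $user, $pass)
   or die('Connection error: ' . mysql_error());
   
mysql_select_db($db, $sql)
   or die('Database selection failed.');

// Only for update queries
// The statement from ?query= is executed exactly as received
mysql_query($query)
   or die('Query failed: ' . mysql_error());

?>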

0
 

Author Comment

by:blossompark
ID: 30190843
Thanks for that, looks great!!!
That gives me a lot to play around with....
On the question of security, would it be possible not to put the username, password and database name in the query string and just locate them in a PHP file on the server (or even in the update.php file you have created) and still be able to update the database?
0
 

Author Comment

by:blossompark
ID: 30191022
...I mean still update the database with a query string.
0
 
LVL 6

Accepted Solution

by:
karoldvl earned 2000 total points
ID: 30191072
Yes, you can hardcode them:

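<?php

// Uses the legacy mysql_* extension (removed in PHP 7.0).
// Credentials are fixed in the script; only the SQL statement comes from the URL.
$user  = 'root';
$pass  = 'password';
$db    = 'contacts_db';
$query = isset($_GET['query']) ? $_GET['query'] : '';

// The host name must be a quoted string; a bare localhost is an undefined constant
$sql = mysql_connect('localhost', $user, $pass)
   or die('Connection error: ' . mysql_error());
   
mysql_select_db($db, $sql)
   or die('Database selection failed.');

// Only for update queries
// The statement from ?query= is executed exactly as received
mysql_query($query)
   or die('Query failed: ' . mysql_error());

?>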

0
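
The follow-up question above (credentials kept on the server, values still sent with the request) can also be met without putting any SQL in the URL. The sketch below is an added example, not code from the thread: the column names and the `insertContact` helper are assumptions (the thread shows only the values), and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example, not code from the thread. Column names are assumed (the
// thread shows only values). In-memory SQLite stands in for MySQL so this
// runs offline; on the server the DSN would be
// 'mysql:host=localhost;dbname=contacts_db', with user and password loaded
// from a config file outside the web root instead of the URL.
const CONTACT_FIELDS = ['first_name', 'last_name', 'phone', 'mobile', 'fax', 'email', 'web'];

function insertContact(PDO $pdo, array $input): int
{
    $row = [];
    foreach (CONTACT_FIELDS as $field) {
        // Accept only the known fields, each as a bounded string
        $value = $input[$field] ?? '';
        if (!is_string($value) || strlen($value) > 255) {
            throw new InvalidArgumentException("Bad value for $field");
        }
        $row[$field] = $value;
    }
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Bad value for email');
    }
    // The SQL text is fixed; request data is bound, never concatenated
    $stmt = $pdo->prepare(
        'INSERT INTO contacts (first_name, last_name, phone, mobile, fax, email, web)
         VALUES (:first_name, :last_name, :phone, :mobile, :fax, :email, :web)'
    );
    $stmt->execute($row);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,
            phone TEXT, mobile TEXT, fax TEXT, email TEXT, web TEXT)');

// Constructed input shaped like $_POST; the apostrophe in the last name would
// break a hand-built INSERT string but is stored as plain data here.
$request = [
    'first_name' => 'John', 'last_name' => "O'Neill",
    'phone' => '01234 567890', 'mobile' => '00112 334455', 'fax' => '01234 567891',
    'email' => 'johnsmith@gowansnet.com', 'web' => 'http://www.gowansnet.com',
];

$id = insertContact($pdo, $request);
$stmt = $pdo->prepare('SELECT last_name FROM contacts WHERE id = ?');
$stmt->execute([$id]);
echo "Row $id stored, last_name = " . $stmt->fetchColumn() . "\n";
```

Any extra request key, such as a `query` parameter, is ignored, because only the listed fields are copied into the bound row.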
 

Author Closing Comment

by:blossompark
ID: 31712659
Hi karoldvl... thanks for everything... you've given me lots to play with here... I'll close this question and if I have any further issues I'll open a new question... once again, thanks
0
