blossompark

Updating MySQL database using a query string

Hi,
I have a MySQL database which I want to update via a query string.
The site is located at:
http://localhost/webmaster/

The database logon credentials are:
username="root";
password="password";
database="contacts_db";

The update query string I want to use is:
http://localhost/webmaster/ $query = "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')";

Because I haven't connected to the database I get:
Forbidden

You don't have permission to access /webmaster/ $query = "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')"; on this server.

My question is: can I prepend the logon credentials to the update query string, update the database, and then close the database using a query string?
Security is not an issue.
Thanks

karoldvl

You could pass your credentials as additional parameters and then use them in a script of a couple of lines to execute the query. Or do you insist on using solely "query" for this?

What rewrites do you have in place?

And this is only acceptable for localhost, but you mention security is not an issue.

blossompark (ASKER)

Hi karoldvl, thanks for your response.
The reason for using a query string is to keep it simple, as I am very new to this and am trying to learn in steps. However, if you have guidance on this issue it would be greatly appreciated. Can I do it with a query string, and if so, what is the syntax?

I don't understand your question:
What rewrites do you have in place?

Thanks

Never mind the rewrites. If you're not sure, then you probably don't have them in place.
 
You could use something like this (attached update.php).

And then access it like this:
http://localhost/webmaster/update.php?user=root&pass=password&db=contacts_db&query= "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')"

But this is so insanely insecure, that you should avoid it if possible. And this pertains not only to external threats, but there's so much room for error when operating in this fashion on the database, that backups are a priority.




<?php
// NOTE: the mysql_* functions used here were removed in PHP 7.0.

// Credentials, database name and the SQL statement all come from the URL.
$user  = isset($_GET['user']) ? $_GET['user'] : '';
$pass  = isset($_GET['pass']) ? $_GET['pass'] : '';
$db    = isset($_GET['db']) ? $_GET['db'] : '';
$query = isset($_GET['query']) ? $_GET['query'] : '';

// Connect to the local MySQL server with the supplied credentials.
$sql = mysql_connect('localhost', $user, $pass)
   or die('Connection error: ' . mysql_error());

mysql_select_db($db, $sql)
   or die('Database selection failed.');

// Only for update queries
mysql_query($query)
   or die('Query failed: ' . mysql_error());

?>


Thanks for that, looks great!!!
That gives me a lot to play around with...
On the question of security, would it be possible not to put the username, password and database name in the query string, and just locate them in a PHP file on the server (or even in the update.php file you have created), and still be able to update the database?
...I mean still update the database with a query string.

ASKER CERTIFIED SOLUTION
karoldvl

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

Hi karoldvl... thanks for everything... you've given me lots to play with here... I'll close this question and if I have any further issues I'll open a new question... once again, thanks
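
Added example, not code from the thread or its participants: a variant of the update.php posted above that keeps the credentials on the server, as the asker's follow-up proposes, and takes only field values from the query string, bound to one fixed prepared INSERT. The parameter names, the 255-character limit, treating all seven fields as required, and the first column being an auto-increment id are assumptions.

```php
<?php
// Added example (not from the thread). Credentials stay on the server; the
// values are the ones quoted in the question. In practice keep them in a
// file outside the web root.
const DB_HOST = 'localhost';
const DB_USER = 'root';
const DB_PASS = 'password';
const DB_NAME = 'contacts_db';

// Hypothetical query-string names, in the column order of the question's INSERT.
const FIELDS = ['first', 'last', 'phone', 'mobile', 'fax', 'email', 'web'];

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/** Return the seven field values from the request, or throw on bad input. */
function contact_from_request(array $params): array
{
    $row = [];
    foreach (FIELDS as $name) {
        $value = $params[$name] ?? null;
        if (!is_string($value) || $value === '' || strlen($value) > 255) {
            throw new InvalidArgumentException("Missing or invalid field: $name");
        }
        $row[$name] = $value;
    }
    if (filter_var($row['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    return array_values($row);
}

try {
    $row = contact_from_request($_GET);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    // Fixed statement: the client supplies data only, never SQL text.
    // Assumption: the first column is an AUTO_INCREMENT id, hence NULL.
    $stmt = $db->prepare('INSERT INTO contacts VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('sssssss', ...$row);
    $stmt->execute();
    echo 'Contact added.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log($e->getMessage()); // details go to the server log, not the browser
    echo 'Database error.';
}
```

A request then carries only the seven field values, so the credentials and the SQL text never appear in the URL, the browser history or the web server's access log.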