Updating MySQL database using a query string

Hi,
I have a MySQL database which I want to update via a query string.
The site is located at:
 http://localhost/webmaster/

The database logon credentials are:
username="root";
password="password";
database="contacts_db";


The update query string I want to use is:
http://localhost/webmaster/ $query = "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')";

Because I haven't connected to the database I get:
Forbidden

You don't have permission to access /webmaster/ $query = "INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')"; on this server.

My question is: can I prepend the logon credentials to the update query string, update the database, and then close the database using a query string?
Security is not an issue.
Thanks
blossomparkAsked:

karoldvlCommented:
You could pass your credentials as additional parameters and then use them in a couple-line script to execute the query. Or do you insist on using solely "query" for this?

What rewrites do you have in place?

And this is only acceptable for localhost, but you mention security is not an issue.
blossomparkAuthor Commented:
Hi karoldvl, thanks for your response.
The reason for using a query string is to keep it simple, as I am very new to this and am trying to learn in steps. However, if you have guidance on this issue it would be greatly appreciated. Can I do it with a query string, and if so, what is the syntax?

I don't understand your question:
"What rewrites do you have in place?"

Thanks
karoldvlCommented:
Never mind the rewrites. If you're not sure, then you probably don't have them in place.
 
You could use something like this (attached update.php).

And then access it like this:
http://localhost/webmaster/update.php?user=root&pass=password&db=contacts_db&query=INSERT INTO contacts VALUES ('','John','Smith','01234 567890','00112 334455','01234 567891','johnsmith@gowansnet.com','http://www.gowansnet.com')

But this is so insanely insecure, that you should avoid it if possible. And this pertains not only to external threats, but there's so much room for error when operating in this fashion on the database, that backups are a priority.




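<?php
// update.php: credentials, database name and raw SQL all come from the URL.
// The old mysql_* functions were removed in PHP 7, so the mysqli
// equivalents are used here.

$user  = isset($_GET['user']) ? $_GET['user'] : '';
$pass  = isset($_GET['pass']) ? $_GET['pass'] : '';
$db    = isset($_GET['db']) ? $_GET['db'] : '';
$query = isset($_GET['query']) ? $_GET['query'] : '';

// Host name must be a quoted string, not a bare constant
$sql = mysqli_connect('localhost', $user, $pass)
   or die('Connection error: ' . mysqli_connect_error());

mysqli_select_db($sql, $db)
   or die('Database selection failed.');

// Only for update queries
mysqli_query($sql, $query)
   or die('Query failed: ' . mysqli_error($sql));

?>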


blossomparkAuthor Commented:
Thanks for that, looks great!!!
That gives me a lot to play around with.
On the question of security, would it be possible not to put the username, password and database name in the query string and just locate them in a PHP file on the server (or even in the update.php file you have created) and still be able to update the database?
blossomparkAuthor Commented:
...I mean still update the database with a query string.
karoldvlCommented:
Yes you can hardcode them:

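<?php
// Credentials are fixed on the server; only the SQL text comes from the URL.
// The old mysql_* functions were removed in PHP 7, so the mysqli
// equivalents are used here.

$user  = 'root';
$pass  = 'password';
$db    = 'contacts_db';
$query = isset($_GET['query']) ? $_GET['query'] : '';

// Host name must be a quoted string, not a bare constant
$sql = mysqli_connect('localhost', $user, $pass)
   or die('Connection error: ' . mysqli_connect_error());

mysqli_select_db($sql, $db)
   or die('Database selection failed.');

// Only for update queries
mysqli_query($sql, $query)
   or die('Query failed: ' . mysqli_error($sql));

?>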

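Both scripts above still execute whatever SQL arrives in the `query` parameter. For contrast, here is the same insert with the statement fixed on the server and only the contact fields taken from the request. This is an added example, not code from the thread: the POST field names, the `contacts_writer` account and the `CONTACTS_DB_PASS` environment variable are hypothetical, and using NULL for the first column assumes it is an auto-increment id.

```php
<?php
// Added example, not from the thread. Field names, the 'contacts_writer'
// account and the CONTACTS_DB_PASS variable are hypothetical.

// POST only: values stay out of URLs, browser history and access logs.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use POST.');
}

// Allow-list of expected fields, in the value order of the page's INSERT.
$fields = ['first', 'last', 'phone', 'mobile', 'fax', 'email', 'web'];
$values = [];
foreach ($fields as $f) {
    $v = (isset($_POST[$f]) && is_string($_POST[$f])) ? trim($_POST[$f]) : '';
    if (strlen($v) > 255) {
        http_response_code(400);
        exit("Field '$f' is too long.");
    }
    $values[] = $v;
}
if ($values[5] !== '' && filter_var($values[5], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid e-mail address.');
}

// Make mysqli throw on failure so errors are handled in one place.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    // Credentials never leave the server; this account needs INSERT only.
    $pass = getenv('CONTACTS_DB_PASS') ?: '';
    $db = new mysqli('localhost', 'contacts_writer', $pass, 'contacts_db');
    $db->set_charset('utf8mb4');

    // Constant statement text; request data is bound, never concatenated.
    // NULL in the first column assumes it is an auto-increment id.
    $stmt = $db->prepare('INSERT INTO contacts VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('sssssss', ...$values);
    $stmt->execute();
    echo 'Contact added.';
} catch (mysqli_sql_exception $e) {
    // Details go to the server log, not to the client.
    error_log('contacts insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database error.');
}
```

Anything reachable beyond localhost would also need authentication and CSRF protection in front of this handler.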
blossomparkAuthor Commented:
Hi karoldvl, thanks for everything. You've given me lots to play with here. I'll close this question and if I have any further issues I'll open a new question. Once again, thanks.