<p>There are multiple, <strong>serious</strong> issues with this code - without even touching the functionality...</p>
<h3>1 PHP syntax</h3>
<pre><code>$_REQUEST[testcode]
</code></pre>
<p>Not good, always use braces!</p>
<pre><code>$_REQUEST['testcode']
</code></pre>
<h3>2 Injection proneness</h3>
<p>You are wide open to <a href="http://en.wikipedia.org/wiki/SQL_injection" rel="nofollow"><strong>SQL Injection</strong></a>, and <a href="http://en.wikipedia.org/wiki/Code_injection#HTML-script_injection_.28cross-site_scripting.29" rel="nofollow"><strong>HTML/Javascript</strong></a> injection too</p>
<pre><code>echo "&lt;br /&gt;Got testcode: ".$_REQUEST[testcode]; //HTML injection...

//SQL injection
$getsortedq=mysql_query("SELECT username, section1right as m from kmarks where testcode='.$_REQUEST[testcode].' order by section1right DESC");
</code></pre>
<p><strong>Always</strong> use proper sanitization (<code>mysql(i)_real_escape_string($_REQUEST['testcode'])</code> depending on mysql_ or mysqli being used). Or even better: prepared statements in the SQL case...</p>
<h3>3 Deprecation</h3>
<p>The Obligatory mysql_* Warning: <strong>mysql_</strong> functions are deprecated as of PHP 5.5. <strong>Don't use them</strong>: use either PDO or at least <strong>mysqli_</strong> functions...</p>
<h2>Functionality</h2>
<p>This is the culprit:</p>
<pre><code>$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where username='.$key.' and testcode='.$_REQUEST[testcode].'");
</code></pre>
<p>The resulting query will read:</p>
<pre><code>UPDATE kmarks set percentile1=&lt;somevalue&gt;   --this is OK
where username='.&lt;somevalue&gt;.' and testcode='.$_REQUEST[testcode].'
                ^           ^               ^^^^^^^^^^^^^^^^^^^^^
</code></pre>
<p>The problems are highlighted... There are unwanted dots, and a whole bad part. I suppose you wanted something like this</p>
<pre><code>UPDATE kmarks set percentile1=&lt;somevalue&gt;
where username='&lt;somevalue&gt;' and testcode='&lt;somevalue&gt;'
</code></pre>
<p>Use it like this instead (of course with sanitization!!!):</p>
<pre><code>//WARNING! STILL HAS SQL INJECTION --apply sanitization from #2 to make it safer...
$updatep1q=mysql_query("UPDATE kmarks set percentile1=$percentile where username='".$key."' and testcode='".$_REQUEST[testcode]."'");
</code></pre>
<p>Arrays can't be used inside string literals, and <code>.</code> concatenation operators are not required in case of plain variables...</p>
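<p>Added example (not part of the original answer or the asker's code): the same <code>kmarks</code> SELECT and UPDATE rewritten with PDO prepared statements, which removes both the concatenation mistake and the SQL injection, plus output escaping for the <code>echo</code>. The DSN, credentials and the rank-based percentile calculation are assumptions made for the example.</p>

```php
<?php
// Added example: the kmarks queries from the answer, done with PDO prepared
// statements. DSN and credentials are placeholders (assumed, not from the page).
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: values never touch the SQL text
]);

// Quoted array key (the answer's point #1) and a type check: reject anything
// that is not a non-empty string (e.g. ?testcode[]=x would otherwise arrive as an array).
$testcode = $_REQUEST['testcode'] ?? '';
if (!is_string($testcode) || $testcode === '') {
    http_response_code(400);
    exit('missing testcode');
}

// Output escaping closes the HTML/JavaScript injection in the original echo.
echo '<br />Got testcode: ' . htmlspecialchars($testcode, ENT_QUOTES, 'UTF-8');

// SELECT: the request value is bound as a parameter, not spliced into the query.
$select = $pdo->prepare(
    'SELECT username, section1right AS m FROM kmarks WHERE testcode = ? ORDER BY section1right DESC'
);
$select->execute([$testcode]);
$rows = $select->fetchAll(PDO::FETCH_ASSOC);

// UPDATE: the corrected form of the query the answer dissects. With named
// placeholders there are no quotes or dots to get wrong; the driver handles them.
$update = $pdo->prepare(
    'UPDATE kmarks SET percentile1 = :pct WHERE username = :user AND testcode = :code'
);
$total = count($rows);
foreach ($rows as $i => $row) {
    // The answer does not show how $percentile is derived; this rank-based
    // value (best score = 100) is an assumption for the example.
    $percentile = (int) round(100 * ($total - $i) / $total);
    $update->execute([
        ':pct'  => $percentile,
        ':user' => $row['username'],
        ':code' => $testcode,
    ]);
}
```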