Full update query

on 11.02.2006 00:29:02 by UKuser

Hi Guys,

I am trying to create an editable table of a MySQL query where every
field can be updated. My example script is at:
http://nana46.coconia.net/test4.php however I am currently getting
Parse errors.

Am I missing anything obvious in my code below?

Thanks

A




<?php
// (HTML page wrapper, titled "test 4", lost in extraction)

function check_mysql()
{
    if (mysql_errno() > 0)
    {
        die("MySQL error " . mysql_errno() . ": " . mysql_error());
    }
}

$db = mysql_connect("coconia.net", "nana46_nana46", "hello");
if (!$db)
{
    die("Failed to open connection to MySQL server.");
}

mysql_select_db("nana46_nana46");
check_mysql();

$requete = "SELECT id,lowerval,upperval,result FROM fig_lookup";
$resulta = mysql_query($requete) or die (mysql_error());

// (the echo statements that opened the form and table markup were lost in extraction)
$edit = "Edit record";

if($mode == "Update")
{
    for ($i=0; $i /* rest of the loop header lost in extraction */ {

        ////LINE 39////// mysql_query ("UPDATE fig_lookup SET
        lowerval='{'$_POST['f2'][$i]}',upperval='{'$_POST['f3'][$i]} ',result='{'$_POST['f4'][$i]}'
        WHERE id='{'$_POST['f1'][$i]}'");
    }

}

while ($l = mysql_fetch_array($resulta, MYSQL_ASSOC))
{ ?>
    <!-- (the table row with its four input fields was lost in extraction) -->
<?php
}

echo "";
// (closing markup lost in extraction; the column headings were id, Lowerval,
// Upperval, Result, followed by the four input fields)
?>




Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
`T_NUM_STRING' in /home/www/nana46.coconia.net/test4.php on line 39
(line 39 is mysql_query line - marked in code)

Re: Full update query

on 11.02.2006 03:05:53 by Bill Karwin

"UKuser" wrote in message
news:1139614141.985116.93960@g47g2000cwa.googlegroups.com...
> ////LINE 39////// mysql_query ("UPDATE fig_lookup SET
> lowerval='{'$_POST['f2'][$i]}',upperval='{'$_POST['f3'][$i]} ',result='{'$_POST['f4'][$i]}'
> WHERE id='{'$_POST['f1'][$i]}'");
>
> Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or
> `T_NUM_STRING' in /home/www/nana46.coconia.net/test4.php on line 39
> (line 39 is mysql_query line - marked in code)

Doesn't PHP have a problem parsing nested quoted strings? That is, your
array subscript single-quoted strings (like 'f2') aren't being parsed,
because they're inside the double-quoted string for the UPDATE statement.
See http://p2p.wrox.com/topic.asp?TOPIC_ID=2468

Also note that your code is full of SQL injection and XSS vulnerabilities.
You should save each of those POST parameters to an individual variable and
validate them, to make sure they contain only simple values, with no
possibility of extra SQL code or javascript code.

Regards,
Bill K.

Re: Full update query

on 11.02.2006 12:33:47 by UKuser

Still not working I'm afraid with Code as below. Would you use the
check_mysql() command for the injection vulnerabilities?

if($mode == "Update")
{
    for ($i=0; $i /* rest of the loop header lost in extraction */ {
        $post1 = $_POST['f2'][$i];
        $post2 = $_POST['f3'][$i];
        $post3 = $_POST['f4'][$i];
        $post0 = $_POST['f1'][$i];
        mysql_query ("UPDATE fig_lookup SET lowerval='$post1',upperval='$post2',result='$post3' WHERE id=$post0 ");
    }
}

Re: Full update query

on 11.02.2006 22:31:07 by Bill Karwin

"UKuser" wrote in message
news:1139657627.568843.34480@g47g2000cwa.googlegroups.com...
> Still not working I'm afraid with Code as below. Would you use the
> check_mysql() command for the injection vulnerabilities?

I don't know what the check_mysql() function is.

It's important that you read about what SQL injection means, for instance
here:
http://en.wikipedia.org/wiki/SQL_injection

> mysql_query ("UPDATE fig_lookup SET
> lowerval='$post1',upperval='$post2',result='$post3' WHERE id=$post0 ");

When making SQL strings for execution in a scripting language like this, you
never know _exactly_ what is being sent to the MySQL parser unless you
capture that string after interpolating all variables and before executing
it with mysql_query. It's best to

Also, you aren't checking the return value of the mysql_query() function.
This could give you a more informative error message.

for ($i=0; $i /* rest of the loop header lost in extraction */ {
    $post1 = $_POST['f2'][$i];
    // validate that $post1 doesn't contain SQL.

    $post2 = $_POST['f3'][$i];
    // validate that $post2 doesn't contain SQL.

    $post3 = $_POST['f4'][$i];
    // validate that $post3 doesn't contain SQL.

    $post0 = $_POST['f1'][$i];
    // validate that $post0 doesn't contain SQL.

    $query = "UPDATE fig_lookup SET lowerval='$post1',upperval='$post2',result='$post3' WHERE id=$post0 ";
    // output $query to make sure it looks right.
    // you might even try copy & paste of that output into the mysql CLI to
    // test it.

    $result = mysql_query ($query);
    if (!$result) {
        die('Invalid query: ' . mysql_error());
    }
}

Regards,
Bill K.

Re: Full update query

on 12.02.2006 01:48:06 by Bill Karwin

"Bill Karwin" wrote in message
news:dsll2r02vch@enews1.newsguy.com...
> When making SQL strings for execution in a scripting language like this,
> you never know _exactly_ what is being sent to the MySQL parser unless you
> capture that string after interpolating all variables and before executing
> it with mysql_query. It's best to

Er, to elaborate on that last point...

It's best to create the SQL statement as a string, then output it either to
a debugging log or the browser, and examine it for any obvious errors. You
can even take that finished string and cut & paste it into mysql CLI or
Query Browser, executing it against a test copy of your database, to see if
it does what you expect it to do.

The point is that it's more difficult to debug strings that are a mix of SQL
and PHP syntax than it is to debug the resulting SQL statement after the
variables have been interpolated.

Regards,
Bill K.
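The points Bill raises across his three replies (SQL injection and XSS in the first; capturing the interpolated statement before it runs and checking the query's result in the second and third), worked through in one added example that is not code from the thread. It rebuilds the update loop two ways with PDO so that it runs offline against an in-memory SQLite table standing in for fig_lookup (the pdo_sqlite extension is assumed; the same calls work against MySQL with a mysql: DSN). The table, column and f1..f4 field names are the thread's; the sample rows, the attacker values and the helper names open_db, build_update_unsafe, update_row_safe and input_html are this example's own. For reference, the original line 39 fails for a reason the example sidesteps entirely: the single quote placed between `{` and `$` means the braces are not PHP's `{$...}` interpolation, so `$_POST['f2']` is read with the simple unbraced syntax, which does not accept a quoted key.

```php
<?php
// Added example, not code from the thread. Runs offline against an in-memory
// SQLite table standing in for fig_lookup; the same PDO calls work against
// MySQL with a "mysql:host=...;dbname=..." DSN. Table and column names and
// the f1..f4 field names are the thread's; sample rows and attacker input
// are constructed here.

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE fig_lookup (id INTEGER PRIMARY KEY, lowerval TEXT, upperval TEXT, result TEXT)');
    $pdo->exec("INSERT INTO fig_lookup VALUES (1,'0','9','low'), (2,'10','19','mid'), (3,'20','29','high')");
    return $pdo;
}

// The thread's second version, as a function that returns the finished SQL
// instead of executing it: this is the string Bill suggests logging or pasting
// into the mysql CLI, and looking at it is what exposes the injection.
function build_update_unsafe(array $r): string
{
    return "UPDATE fig_lookup SET lowerval='{$r['f2']}',upperval='{$r['f3']}',result='{$r['f4']}' WHERE id={$r['f1']}";
}

// Hardened version: the SQL text is a constant, the values are bound
// separately, and the id is validated as an integer before it is used at all.
function update_row_safe(PDO $pdo, array $r): int
{
    $id = filter_var($r['f1'], FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("id is not an integer: {$r['f1']}");
    }
    $stmt = $pdo->prepare('UPDATE fig_lookup SET lowerval = ?, upperval = ?, result = ? WHERE id = ?');
    $stmt->bindValue(1, $r['f2']);
    $stmt->bindValue(2, $r['f3']);
    $stmt->bindValue(3, $r['f4']);
    $stmt->bindValue(4, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // rows actually changed
}

// Output side: every value echoed back into the editable form is encoded, so
// a stored value such as "><script> cannot break out of the value attribute.
function input_html(string $field, string $value): string
{
    return '<input type="text" name="' . $field . '[]" value="'
         . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// --- demonstration with constructed input -----------------------------------
$attacker = ['f1' => '1 OR 1=1', 'f2' => '0',  'f3' => '99', 'f4' => 'owned'];
$legit    = ['f1' => '2',        'f2' => '10', 'f3' => '19', 'f4' => "O'Brien"];

$db  = open_db();
$sql = build_update_unsafe($attacker);
echo $sql, "\n";                                   // ends in: WHERE id=1 OR 1=1
printf("unsafe: %d rows changed (all of them)\n", $db->exec($sql));

$db = open_db();
try {
    update_row_safe($db, $attacker);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected, ', $e->getMessage(), "\n";
}
printf("safe: %d row changed\n", update_row_safe($db, $legit));   // the quote in O'Brien is harmless

foreach ($db->query('SELECT id,lowerval,upperval,result FROM fig_lookup') as $row) {
    echo input_html('f1', (string) $row['id']), ' ', input_html('f4', $row['result']), "\n";
}
echo input_html('f4', '"><script>alert(1)</script>'), "\n";
```

Run it with `php` on the command line: the printed unsafe statement ends in `WHERE id=1 OR 1=1` and changes all three rows, which is exactly the kind of thing that is obvious once the interpolated string is in front of you. The parameterised version rejects that id before any SQL is sent, updates exactly one row for a valid id even though the value contains a quote, and the rendered inputs show the script payload as inert `&lt;script&gt;` text rather than markup.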