So I'm working on a project (Same one I sent the question about
regarding the user access rights on Monday) And now I am attempting to
update the record... Here is some of my code:
The problem is when I am attempting to update some of the info, it
erases the info in the field.
Anyone got a clue as to what is going on? :)
Thanks for looking!
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@raoset.com
Re: Problem with updating MySQL table
on 27.08.2008 18:21:49 by Yves Sucaet
Ah, how to debug SQL code in PHP...
Here's what I would do: run your query separately in something like SQLyog or
the Netbeans database interface. Just "echo $sql" and copy and paste. An
"echo $Record" statement may also help to assure that you're passing on the PK
to the record correctly.
One suggestion: you may want to put mysql_real_escape_string() wrappers around
all those $_POST[] fields to prevent SQL hijacking of your site.
HTH,
Yves
------ Original Message ------
Received: Wed, 27 Aug 2008 11:07:20 AM CDT
From: Jason Pruim
To: php-db@lists.php.net
Subject: [PHP-DB] Problem with updating MySQL table
Hi Everyone,
So I'm working on a project (Same one I sent the question about
regarding the user access rights on Monday) And now I am attempting to
update the record... Here is some of my code:
The problem is when I am attempting to update some of the info, it
erases the info in the field.
Anyone got a clue as to what is going on? :)
Thanks for looking!
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@raoset.com
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: Problem with updating MySQL table
on 27.08.2008 18:24:34 by Evert Lammerts
Your index.php looks very strange:
>
>
>
>
> ?>
I'm guessing you're echoing this? I never echo from my scripts so I
don't know if this is new functionality, but in my days you echoed
either by <?="...";?> or by <?php echo "..."; ?>.
Anyway, since you're using the $_POST variable, did you check if it
contains any values? You can do this with var_dump($_POST); Let us
know what the results are.
Another tip:
> $FName= $_POST['txtFName'];
> etc
is terrible practice - if anybody writes an SQL command into one of
your textfields it WILL be executed; this is called SQL injection. A
less terrible scenario, but still one that messes up your page, is if
somebody uses quotes. So always use mysql_real_escape_string() on your
post variables before using them in a query.
Re: Problem with updating MySQL table
on 27.08.2008 18:24:57 by Fergus Gibson
Hi, Jason. Do you realize this code is wide open for an SQL injection
attack? The problem could easily be addressed by using a prepared query
instead. For more details, check the mysqli documentation.
Jason Pruim wrote:
> The problem is when I am attempting to update some of the info, it
> erases the info in the field.
>
> Anyone got a clue as to what is going on? :)
I'm not sure I understand. You mean that some of the fields that should
receive content in the update do not do so? Why not echo $sql and then
submit the form so that you can see the query being sent to your
database? That will probably help you solve the problem. Odds are
there is something wrong with your query.
You'd never want to echo an SQL query in a production environment, but
since this is in development, I assume you needn't worry about that.
Your block of "$variable = $_POST['key'];" is a complete waste of time,
BTW. Why create another copy of the data? You could just as easily use
"set FName = '{$_POST['txtFName']}'..." That would also make your
injection vulnerability more obvious to you.
Re: Problem with updating MySQL table
on 27.08.2008 18:26:35 by Jason Pruim
Hi Yves,
I plan to wrap the $_POST's into something to protect against some
issues like that. But this was a proof of concept for the boss so it
just needed to be up quickly to see if it was something we wanted to
go ahead with :)
On Aug 27, 2008, at 12:21 PM, YVES SUCAET wrote:
> Ah, how to debug SQL code in PHP...
>
> Here's what I would do: run your query separately in something like
> SQLyog or the Netbeans database interface. Just "echo $sql" and copy
> and paste. An "echo $Record" statement may also help to assure that
> you're passing on the PK to the record correctly.
>
> One suggestion: you may want to put mysql_real_escape_string() wrappers
> around all those $_POST[] fields to prevent SQL hijacking of your site.
>
> HTH,
>
> Yves
>
> ------ Original Message ------
> Received: Wed, 27 Aug 2008 11:07:20 AM CDT
> From: Jason Pruim
> To: php-db@lists.php.net
> Subject: [PHP-DB] Problem with updating MySQL table
>
> Hi Everyone,
>
> So I'm working on a project (Same one I sent the question about
> regarding the user access rights on Monday) And now I am attempting to
> update the record... Here is some of my code:
>
> index.php
>
>
>
>
>
> ?>
>
> purlprocessing.php
>
> <?php
> $FName= $_POST['txtFName'];
> $LName= $_POST['txtLName'];
> $Email= $_POST['txtEmail'];
> $Business = $_POST['txtBusiness'];
> $Address1 = $_POST['txtAddress1'];
> $City = $_POST['txtCity'];
> $State = $_POST['txtState'];
> $Zip = $_POST['txtZip'];
> $CoffeeChoicetest = $_POST['rdoCoffee'];
> //$Coffee = $_POST['txtCoffee'];
> $Phone = $_POST['txtPhone'];
> $Record = $_POST['Record'];
> $Meeting = $_POST['txtMeeting'];
> $date = time();
> $IPAddress = $_SERVER['REMOTE_ADDR'];
> if ($CoffeeChoicetest == "Other"){
> $Coffee = $_POST['txtCoffee'];
> }else{
> $Coffee = $_POST['rdoCoffee'];
> }
>
> $sql = "UPDATE `schreur` set FName='{$FName}', LName='{$LName}',
> email='{$Email}', Business='{$Business}', Address1='{$Address1}',
> City='{$City}', State='{$State}', Zip='{$Zip}', Coffee='{$Coffee}',
> subscribed='0', date='{$date}', IPAddress='{$IPAddress}',
> Meeting='{$Meeting}' WHERE record='{$Record}'";
> mysqli_query($link, $sql) or die("Could not update..." .
> mysqli_error($link));
> ?>
>
> mysql> describe schreur;
> +------------+-------------+------+-----+---------+-------+
> | Field      | Type        | Null | Key | Default | Extra |
> +------------+-------------+------+-----+---------+-------+
> | FName      | varchar(20) | YES  |     | NULL    |       |
> | LName      | varchar(20) | YES  |     | NULL    |       |
> | email      | varchar(50) | YES  |     | NULL    |       |
> | phone      | varchar(12) | YES  |     | NULL    |       |
> | url        | int(12)     | YES  |     | NULL    |       |
> | record     | int(7)      | YES  |     | NULL    |       |
> | subscribed | int(1)      | NO   |     |         |       |
> | date       | varchar(12) | YES  |     | NULL    |       |
> | IPAddress  | varchar(19) | YES  |     | NULL    |       |
> | Business   | varchar(20) | YES  |     | NULL    |       |
> | Address1   | varchar(50) | YES  |     | NULL    |       |
> | City       | varchar(20) | YES  |     | NULL    |       |
> | State      | varchar(2)  | YES  |     | NULL    |       |
> | Zip        | varchar(10) | YES  |     | NULL    |       |
> | Coffee     | varchar(20) | YES  |     | NULL    |       |
> | Meeting    | text        | YES  |     | NULL    |       |
> +------------+-------------+------+-----+---------+-------+
>
>
> The problem is when I am attempting to update some of the info, it
> erases the info in the field.
>
> Anyone got a clue as to what is going on? :)
>
> Thanks for looking!
>
>
>
> --
>
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 11287 James St
> Holland, MI 49424
> www.raoset.com
> japruim@raoset.com
>
>
>
>
>
>
>
>
>
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@raoset.com
Re: Problem with updating MySQL table
on 27.08.2008 18:35:03 by Fergus Gibson
YVES SUCAET wrote:
> One suggestion: you may want to put mysql_real_escape_string() wrappers around
> all those $_POST[] fields to prevent SQL hijacking of your site.
[...]
> mysqli_query($link, $sql) or die("Could not update..." .
Yves, he's using mysqli, not mysql. You should not mix those functions.
What he should do is this:
$sql = "UPDATE `schreur` set FName=?, LName=?,
email=?, Business=?, Address1=?,
City=?, State=?, Zip=?, Coffee=?,
subscribed=?, date=?, IPAddress=?,
Meeting=? WHERE record=?";
Personally, I find the object style much easier to use than this
procedural style, but I am just being consistent with his code. Using a
prepared query will escape all necessary data automatically, provided
your string of types ('sssssssssisssi') is correct.
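The prepared-statement rewrite Fergus describes, carried through to a working handler as an added example (this is not code from the original post or from Jason's project). It keeps the `schreur` table, the column list, the procedural mysqli style and the 'sssssssssisssi' type string from the thread, and puts the original string-interpolated query beside it so the difference is visible. The unsafe builder runs offline against a constructed POST body whose Record value carries a single quote, and shows the WHERE clause it produces; the prepared version sends the same values as bound parameters. One caveat on the thread's wording: mysqli_query() does not execute stacked statements, so a "DROP TABLE" appended to a text field would not run here, but an UPDATE whose WHERE clause has been rewritten to match every row is just as destructive. The helper names (coffee_choice, update_values, unsafe_update_sql, prepared_update) and the sample POST array are mine; $link is assumed to be an open mysqli connection as in the thread.

```php
<?php
// Added example, not from the original post. Assumes an open mysqli
// connection in $link (procedural style, as in the thread) and the
// `schreur` table from the DESCRIBE output.

// Column order shared by both builders; matches the UPDATE in the thread.
const UPDATE_COLUMNS = [
    'FName', 'LName', 'email', 'Business', 'Address1', 'City', 'State',
    'Zip', 'Coffee', 'subscribed', 'date', 'IPAddress', 'Meeting',
];

/** Pick the Coffee value the way purlprocessing.php does. */
function coffee_choice(array $post): string
{
    return ($post['rdoCoffee'] ?? '') === 'Other'
        ? (string) ($post['txtCoffee'] ?? '')
        : (string) ($post['rdoCoffee'] ?? '');
}

/** Map the form fields onto the column order above (13 values). */
function update_values(array $post, string $ip): array
{
    return [
        $post['txtFName'] ?? '', $post['txtLName'] ?? '', $post['txtEmail'] ?? '',
        $post['txtBusiness'] ?? '', $post['txtAddress1'] ?? '', $post['txtCity'] ?? '',
        $post['txtState'] ?? '', $post['txtZip'] ?? '', coffee_choice($post),
        0, (string) time(), $ip, $post['txtMeeting'] ?? '',
    ];
}

/** The original approach: values interpolated straight into the SQL text. */
function unsafe_update_sql(array $post, string $ip): string
{
    $set = [];
    foreach (array_combine(UPDATE_COLUMNS, update_values($post, $ip)) as $col => $val) {
        $set[] = "$col='$val'";
    }
    return 'UPDATE `schreur` SET ' . implode(', ', $set)
        . " WHERE record='" . ($post['Record'] ?? '') . "'";
}

/** Hardened version: same statement, values sent as bound parameters. */
function prepared_update(mysqli $link, array $post, string $ip): int
{
    $sql = 'UPDATE `schreur` SET ' . implode(', ', array_map(
        fn (string $c) => "$c=?", UPDATE_COLUMNS
    )) . ' WHERE record=?';
    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($link));
    }
    $params = update_values($post, $ip);
    $params[] = (int) ($post['Record'] ?? 0);   // record is int(7)
    // 9 strings, subscribed (int), 3 strings, record (int) = 'sssssssssisssi'
    mysqli_stmt_bind_param($stmt, 'sssssssssisssi', ...$params);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Constructed POST body: every field benign except Record.
$post = [
    'txtFName' => 'Jason', 'txtLName' => 'Pruim', 'txtEmail' => 'j@example.com',
    'txtBusiness' => 'Raoset', 'txtAddress1' => '11287 James St', 'txtCity' => 'Holland',
    'txtState' => 'MI', 'txtZip' => '49424', 'rdoCoffee' => 'Regular',
    'txtMeeting' => 'Tuesday 9am',
    'Record' => "7' OR '1'='1",
];
echo unsafe_update_sql($post, '192.0.2.10'), "\n";
// ... WHERE record='7' OR '1'='1'   -> this UPDATE matches every row.

if (isset($link) && $link instanceof mysqli) {
    echo prepared_update($link, $post, '192.0.2.10'), " row(s) updated\n";
    // record is bound as an int, so "7' OR '1'='1" becomes 7 and only that row changes.
}
```

The type string is easy to get wrong when columns are added or reordered, which is why both builders share UPDATE_COLUMNS: the placeholder list, the value list and the comment on the type string are derived from one array, and a mismatch between them fails loudly in mysqli_stmt_bind_param() rather than silently writing a value into the wrong column.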
Re: Problem with updating MySQL table
on 27.08.2008 18:36:46 by Fergus Gibson
Jason Pruim wrote:
> I plan to wrap the $_POST's into something to protect against some
> issues like that. But this was a proof of concept for the boss so it
> just needed to be up quickly to see if it was something we wanted to go
> ahead with :)
Well, no worries about that then. We're just looking out for your data
security. Heaven forbid someone tamper with your database resulting in
some poor soul receiving the wrong coffee! ;)
Re: Problem with updating MySQL table
on 27.08.2008 18:38:50 by Jason Pruim
On Aug 27, 2008, at 12:24 PM, Evert Lammerts wrote:
> Your index.php looks very strange:
>
>>
>>
>>
>>
>> ?>
>
> I'm guessing you're echoing this? I never echo from my scripts so I
> don't know if this is new functionality, but in my days you echoed
> either by <?="...";?> or by <?php echo "..."; ?>.
It is an index.php page using the HEREDOC syntax... so basically:
echo <<<HTML
any HTML code goes here
HTML;
pretty nifty I feel.
>
>
> Anyway, since you're using the $_POST variable, did you check if it
> contains any values? You can do this with var_dump($_POST); Let us
> know what the results are.
>
> Another tip:
>
>> $FName= $_POST['txtFName'];
>> etc
>
> is terrible practice - if anybody writes an SQL command into one of
> your textfields it WILL be executed; this is called SQL injection. A
> less terrible scenario, but still one that messes up your page, is if
> somebody uses quotes. So always use mysql_real_escape_string() on your
> post variables before using them in a query.
mysql_real_escape_string() won't help with my mysqli connection
though :)
I will be wrapping the whole thing in a prepared statement before
going to production with this. At this point this is simply a proof of
concept for the boss.
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@raoset.com
Re: Problem with updating MySQL table
on 27.08.2008 18:41:36 by Evert Lammerts
Everybody seems to agree on escaping :-) And I'm learning! HEREDOC,
nifty indeed!
How about your $_POST variable, is there anything in there?
On Wed, Aug 27, 2008 at 6:38 PM, Jason Pruim wrote:
>
> On Aug 27, 2008, at 12:24 PM, Evert Lammerts wrote:
>
>> Your index.php looks very strange:
>>
>>>
>>>
>>>
>>>
>>> ?>
>>
>> I'm guessing you're echoing this? I never echo from my scripts so I
>> don't know if this is new functionality, but in my days you echoed
>> either by <?="...";?> or by <?php echo "..."; ?>.
>
> It is an index.php page using the HEREDOC syntax... so basically:
> echo <<<HTML
> any HTML code goes here
> HTML;
>
> pretty nifty I feel.
>
>>
>>
>> Anyway, since you're using the $_POST variable, did you check if it
>> contains any values? You can do this with var_dump($_POST); Let us
>> know what the results are.
>>
>> Another tip:
>>
>>> $FName= $_POST['txtFName'];
>>> etc
>>
>> is terrible practice - if anybody writes an SQL command into one of
>> your textfields it WILL be executed; this is called SQL injection. A
>> less terrible scenario, but still one that messes up your page, is if
>> somebody uses quotes. So always use mysql_real_escape_string() on your
>> post variables before using them in a query.
>
> mysql_real_escape_string() won't help with my mysqli connection though :)
>
> I will be wrapping the whole thing in a prepared statement before going to
> production with this. At this point this is simply a proof of concept for
> the boss.
> --
>
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 11287 James St
> Holland, MI 49424
> www.raoset.com
> japruim@raoset.com
>
>
>
>
>
Re: Problem with updating MySQL table
on 27.08.2008 18:48:08 by Jason Pruim
On Aug 27, 2008, at 12:41 PM, Evert Lammerts wrote:
> Everybody seems to agree on escaping :-) And I'm learning! HEREDOC,
> nifty indeed!
Yeah, ever since I found out about HEREDOC I've used it quite
extensively with some of my projects... Also, when you're in the
HEREDOC block, if you need to reference a variable just do this:
<?php
$var1 = "World";
echo <<<HTML
Hello {$var1}!
HTML;
?>
and voila!
>
>
> How about your $_POST variable, is there anything in there?
I think I have it narrowed down to disabling the editing of the
fields...
If I do NOT disable the editing, then it submits fine, if I DO disable
it then they don't submit.
I need to find a better way to stop accidental editing rather than just
>
>
> On Wed, Aug 27, 2008 at 6:38 PM, Jason Pruim
> wrote:
>>
>> On Aug 27, 2008, at 12:24 PM, Evert Lammerts wrote:
>>
>>> Your index.php looks very strange:
>>>
>>>>
>>>>
>>>>
>>>>
>>>> ?>
>>>
>>> I'm guessing you're echoing this? I never echo from my scripts so I
>>> don't know if this is new functionality, but in my days you echoed
>>> either by <?="...";?> or by <?php echo "..."; ?>.
>>
>> It is an index.php page using the HEREDOC syntax... so basically:
>> echo <<<HTML
>> any HTML code goes here
>> HTML;
>>
>> pretty nifty I feel.
>>
>>>
>>>
>>> Anyway, since you're using the $_POST variable, did you check if it
>>> contains any values? You can do this with var_dump($_POST); Let us
>>> know what the results are.
>>>
>>> Another tip:
>>>
>>>> $FName= $_POST['txtFName'];
>>>> etc
>>>
>>> is terrible practice - if anybody writes an SQL command into one of
>>> your textfields it WILL be executed; this is called SQL injection. A
>>> less terrible scenario, but still one that messes up your page, is
>>> if
>>> somebody uses quotes. So always use mysql_real_escape_string() on
>>> your
>>> post variables before using them in a query.
>>
>> mysql_real_escape_string() won't help with my mysqli connection
>> though :)
>>
>> I will be wrapping the whole thing in a prepared statement before
>> going to
>> production with this. At this point this is simply a proof of
>> concept for
>> the boss.
>> --
>>
>> Jason Pruim
>> Raoset Inc.
>> Technology Manager
>> MQC Specialist
>> 11287 James St
>> Holland, MI 49424
>> www.raoset.com
>> japruim@raoset.com
>>
>>
>>
>>
>>
>
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@raoset.com
Re: Problem with updating MySQL table
on 27.08.2008 19:15:56 by Jason Pruim
On Aug 27, 2008, at 12:48 PM, Jason Pruim wrote:
>
For everyone that has helped me on this thank you! :) the solution was
changing from: <input type="text" name="txtFName" DISABLED> to
<input type="text" name="txtFName" READONLY>. Read only fields still get
passed with POST'ed info whereas disabled does not.
And yes I will be adding some prepared statements to prevent SQL
injections as I'm hoping this will be a VERY popular feature that will
be used by my company for quite a long time :)
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@raoset.com
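Switching from disabled to readonly fixes the missing fields, but it is worth being clear about what the attribute does: both disabled and readonly only tell the browser how to render the form. The request body is whatever the client chooses to send, so a readonly field arrives at purlprocessing.php with no more guarantees than any other, and in this form the Record field is what selects the row the UPDATE writes to. Below is an added example, not code from the original post, of a server-side check for the posted body built from the DESCRIBE output in the thread: column widths bound each string, record must be digits (int(7)), State and Zip are pattern-checked against their varchar(2)/varchar(10) columns, and the coffee choice must be one of the radio options. The function name validate_update, the COFFEE_OPTIONS list (the post only shows the "Other" branch) and the two sample requests are my assumptions.

```php
<?php
// Added example, not from the original post. Column widths come from the
// DESCRIBE output in the thread; field names from purlprocessing.php.
// "readonly" and "disabled" are browser-side only, so the server has to
// validate every posted value, including the ones the form did not let
// the user edit.

const COLUMN_WIDTH = [
    'txtFName' => 20, 'txtLName' => 20, 'txtEmail' => 50, 'txtBusiness' => 20,
    'txtAddress1' => 50, 'txtCity' => 20, 'txtState' => 2, 'txtZip' => 10,
    'txtCoffee' => 20, 'txtPhone' => 12,
];

// Assumed radio-button options; the post only shows the "Other" branch.
const COFFEE_OPTIONS = ['Regular', 'Decaf', 'Other'];

/**
 * Returns ['ok' => bool, 'errors' => [...], 'values' => [...]].
 * Values are only filled when every check passes.
 */
function validate_update(array $post): array
{
    $errors = [];
    $values = [];

    // record is int(7): digits only, no quotes, no sign.
    $record = (string) ($post['Record'] ?? '');
    if (!preg_match('/^\d{1,7}$/', $record)) {
        $errors[] = 'Record must be 1-7 digits';
    } else {
        $values['record'] = (int) $record;
    }

    foreach (COLUMN_WIDTH as $field => $width) {
        $val = (string) ($post[$field] ?? '');
        // Reject control characters and anything the column cannot hold.
        if (preg_match('/[\x00-\x1F\x7F]/', $val)) {
            $errors[] = "$field contains control characters";
        } elseif (strlen($val) > $width) {
            $errors[] = "$field longer than $width bytes";
        } else {
            $values[$field] = $val;
        }
    }

    if (isset($values['txtState']) && !preg_match('/^[A-Z]{2}$/', $values['txtState'])) {
        $errors[] = 'State must be two capital letters';
    }
    if (isset($values['txtZip']) && !preg_match('/^\d{5}(-\d{4})?$/', $values['txtZip'])) {
        $errors[] = 'Zip must be 12345 or 12345-6789';
    }
    if (isset($values['txtEmail']) && filter_var($values['txtEmail'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not valid';
    }

    $choice = (string) ($post['rdoCoffee'] ?? '');
    if (!in_array($choice, COFFEE_OPTIONS, true)) {
        $errors[] = 'Coffee choice is not one of the offered options';
    } elseif ($choice === 'Other' && ($values['txtCoffee'] ?? '') === '') {
        $errors[] = 'Other coffee choice needs a description';
    } else {
        $values['coffee'] = $choice === 'Other' ? $values['txtCoffee'] : $choice;
    }

    // Meeting is a TEXT column; cap it anyway so a client cannot post megabytes.
    $meeting = (string) ($post['txtMeeting'] ?? '');
    if (strlen($meeting) > 4000) {
        $errors[] = 'Meeting note too long';
    } else {
        $values['txtMeeting'] = $meeting;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $errors ? [] : $values];
}

// Constructed request: the readonly Record field was edited client-side.
$tampered = [
    'Record' => "7' OR '1'='1", 'txtFName' => 'Jason', 'txtLName' => 'Pruim',
    'txtEmail' => 'not-an-email', 'txtState' => 'mi', 'txtZip' => '49424',
    'rdoCoffee' => 'Regular', 'txtMeeting' => 'Tuesday',
];
print_r(validate_update($tampered)['errors']);
// Record, Email and State are all rejected; the UPDATE is never built.

$clean = $tampered;
$clean['Record'] = '7'; $clean['txtEmail'] = 'japruim@raoset.com'; $clean['txtState'] = 'MI';
var_dump(validate_update($clean)['ok']);   // bool(true)
```

Validation is the half of the problem that parameter binding does not cover: a bound parameter keeps a value out of the SQL grammar, but it will happily write "7' OR '1'='1" into a text column or update whichever record number the client chose. Which records a given user is allowed to update is the access-rights question from the earlier thread and belongs in the same handler, before the query is built.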
Re: Problem with updating MySQL table
on 27.08.2008 21:06:44 by Micah Gersten
Putting commands into input containers in HTML is deprecated in the
XHTML specification. You should use this instead in the input:
Jason Pruim wrote:
>
> On Aug 27, 2008, at 12:48 PM, Jason Pruim wrote:
>
>>
> For everyone that has helped me on this thank you! :) the solution was
> changing from: <input type="text" name="txtFName" DISABLED> to
> <input type="text" name="txtFName" READONLY>. Read only fields still get
> passed with POST'ed info whereas disabled does not.
>
> And yes I will be adding some prepared statements to prevent SQL
> injections as I'm hoping this will be a VERY popular feature that will
> be used by my company for quite a long time :)
>
>
> --
>
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 11287 James St
> Holland, MI 49424
> www.raoset.com
> japruim@raoset.com
>
>
>
>
>
Re: Problem with updating MySQL table
on 27.08.2008 21:19:14 by Evert Lammerts
> Putting commands into input containers in HTML is deprecated in the
> XHTML specification. You should use this instead in the input:
Only if your doctype is XHTML, in which case you should also close
every tag, including the input tag. If your doctype is HTML your code
is fine. I use the HTML validator plug-in for Firefox to check if my
code is valid.