Hi Yves,

I plan to wrap the $_POST's into something to protect against some issues like that. But this was a proof of concept for the boss so it just needed to be up quickly to see if it was something we wanted to go ahead with :)


On Aug 27, 2008, at 12:21 PM, YVES SUCAET wrote:

Ah, how to debug SQL code in PHP...

Here's what I would do: run your query separately in something like SQLyog or the Netbeans database interface. Just do "echo $sql" and copy and paste. An "echo $Record" statement may also help to assure that you're passing on the PK to the record correctly.

One suggestion: you may want to put mysql_real_escape_string() wrappers around
all those $_POST[] fields to prevent SQL hijacking of your site.

HTH,

Yves

------ Original Message ------
Received: Wed, 27 Aug 2008 11:07:20 AM CDT
From: Jason Pruim <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] Problem with updating MySQL table

Hi Everyone,

So I'm working on a project (same one I sent the question about
regarding the user access rights on Monday), and now I am attempting to
update the record... Here is some of my code:

index.php
<?PHP
// $row and $edit are set earlier in the script (not shown in this excerpt).
echo <<<HTML
        <form method="post" action="purlprocess.php">
        First Name/Last Name<input type="text" name="txtFName" value="{$row['FName']}" $edit> <input type="text" name="txtLName" value="{$row['LName']}" $edit><br>
        Email Address <input type="text" name="txtEmail" value="{$row['email']}" $edit><br>
        Company name <input type="text" name="txtBusiness" value="{$row['Business']}" $edit><br>
        Company Address <input type="text" name="txtAddress1" value="{$row['Address1']}" $edit><br>
        City/State/Zip <input type="text" name="txtCity" value="{$row['City']}" $edit> <input type="text" name="txtState" value="{$row['State']}" $edit> <input type="text" name="txtZip" value="{$row['Zip']}" $edit><br>
        Phone <input type="text" name="txtPhone" value="{$row['phone']}" $edit><br>
        Your Favorite Type of coffee: <input type="radio" name="rdoCoffee" value="Starbucks"> <img src="../media/starbucks.jpeg" width="10%"> <input type="radio" name="rdoCoffee" value="Folgers"> <img src="../media/folgers.jpeg" width="10%"> <input type="radio" name="rdoCoffee" value="Other"> Other: <input type="text" name="txtCoffee" size="20"><br>
        When would a good time to bring it over be? <input type="text" name="txtMeeting"><br>
        <input type="submit" value="Yes! Give me the caffeine!">
        <input type="hidden" name="Record" value="{$row['record']}">
        </p>
</form>
HTML;
?>

purlprocessing.php

<?PHP
        $FName= $_POST['txtFName'];
        $LName= $_POST['txtLName'];
        $Email= $_POST['txtEmail'];
        $Business = $_POST['txtBusiness'];
        $Address1 = $_POST['txtAddress1'];
        $City = $_POST['txtCity'];
        $State = $_POST['txtState'];
        $Zip = $_POST['txtZip'];
        $CoffeeChoicetest = $_POST['rdoCoffee'];
        //$Coffee = $_POST['txtCoffee'];
        $Phone = $_POST['txtPhone'];
        $Record = $_POST['Record'];
        $Meeting = $_POST['txtMeeting'];
        $date = time();
        $IPAddress = $_SERVER['REMOTE_ADDR'];
        if ($CoffeeChoicetest == "Other"){
                $Coffee = $_POST['txtCoffee'];
        }else{
                $Coffee = $_POST['rdoCoffee'];
        }

        // $link is the mysqli connection opened elsewhere (not shown in this excerpt).
        $sql = "UPDATE `schreur` set FName='{$FName}', LName='{$LName}',
                email='{$Email}', Business='{$Business}', Address1='{$Address1}',
                City='{$City}', State='{$State}', Zip='{$Zip}', Coffee='{$Coffee}',
                subscribed='0', date='{$date}', IPAddress='{$IPAddress}',
                Meeting='{$Meeting}' WHERE record='{$Record}'";
        mysqli_query($link, $sql) or die("Could not update..." . mysqli_error($link));
?>

mysql> describe schreur;
+------------+-------------+------+-----+---------+-------+
| Field      | Type        | Null | Key | Default | Extra |
+------------+-------------+------+-----+---------+-------+
| FName      | varchar(20) | YES  |     | NULL    |       |
| LName      | varchar(20) | YES  |     | NULL    |       |
| email      | varchar(50) | YES  |     | NULL    |       |
| phone      | varchar(12) | YES  |     | NULL    |       |
| url        | int(12)     | YES  |     | NULL    |       |
| record     | int(7)      | YES  |     | NULL    |       |
| subscribed | int(1)      | NO   |     |         |       |
| date       | varchar(12) | YES  |     | NULL    |       |
| IPAddress  | varchar(19) | YES  |     | NULL    |       |
| Business   | varchar(20) | YES  |     | NULL    |       |
| Address1   | varchar(50) | YES  |     | NULL    |       |
| City       | varchar(20) | YES  |     | NULL    |       |
| State      | varchar(2)  | YES  |     | NULL    |       |
| Zip        | varchar(10) | YES  |     | NULL    |       |
| Coffee     | varchar(20) | YES  |     | NULL    |       |
| Meeting    | text        | YES  |     | NULL    |       |
+------------+-------------+------+-----+---------+-------+


The problem is when I am attempting to update some of the info, it
erases the info in the field.

Anyone got a clue as to what is going on? :)

Thanks for looking!



--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
[EMAIL PROTECTED]









--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
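
Yves's suggestion above, taken one step further as an added example (not code from the thread): the same UPDATE built with mysqli bound parameters instead of escaped string interpolation, and limited to the fields the request actually contains, since a field missing from $_POST ends up as an empty string in the original query. The build_update() helper, the field whitelist and the sample input are constructed for illustration; $link is assumed to be the open mysqli connection from the original script.

```php
<?php
// Added example, not code from the thread. Form field => column whitelist,
// names taken from the posted form and the `schreur` table description.
const FIELD_TO_COLUMN = [
    'txtFName' => 'FName', 'txtLName' => 'LName', 'txtEmail' => 'email',
    'txtBusiness' => 'Business', 'txtAddress1' => 'Address1',
    'txtCity' => 'City', 'txtState' => 'State', 'txtZip' => 'Zip',
    'txtPhone' => 'phone', 'txtMeeting' => 'Meeting',
];

// Hypothetical helper: returns [SQL with ? placeholders, values to bind].
function build_update(array $post, string $remoteAddr): array
{
    // `record` is int(7): accept a positive integer only.
    $record = filter_var($post['Record'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($record === false) {
        throw new InvalidArgumentException('Record must be a positive integer');
    }
    $set = [];
    $params = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        // Fields the browser did not send are skipped, not blanked.
        if (isset($post[$field]) && is_string($post[$field])) {
            $set[] = "`$column` = ?";
            $params[] = $post[$field];
        }
    }
    if (isset($post['rdoCoffee']) && is_string($post['rdoCoffee'])) {
        // Same rule as the original script: free text only for "Other".
        $other = $post['rdoCoffee'] === 'Other';
        $set[] = '`Coffee` = ?';
        $params[] = $other ? (string) ($post['txtCoffee'] ?? '') : $post['rdoCoffee'];
    }
    // Values set by the server, never taken from the request body.
    array_push($set, '`subscribed` = 0', '`date` = ?', '`IPAddress` = ?');
    array_push($params, (string) time(), $remoteAddr);
    $params[] = (string) $record;
    return ['UPDATE `schreur` SET ' . implode(', ', $set) . ' WHERE `record` = ?', $params];
}

// Constructed sample input; in the real script pass $_POST and REMOTE_ADDR.
$sample = ['Record' => '42', 'txtLName' => "O'Brien", 'rdoCoffee' => 'Folgers'];
[$sql, $params] = build_update($sample, '192.0.2.10');
echo $sql, "\n", json_encode($params), "\n";

// With an open mysqli connection in $link (assumed, as in the original script):
if (isset($link) && $link instanceof mysqli) {
    $stmt = mysqli_prepare($link, $sql) or die('Could not prepare update');
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($params)), ...$params);
    mysqli_stmt_execute($stmt) or die('Could not update');
}
```

The apostrophe in the sample last name reaches the server as bound data, so it never becomes part of the SQL text.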


