I would take Brian O'Connor's suggestion, first... make sure you're
getting the expected values in $_POST. Use var_dump($_POST) to get all
of the values.
Also, I don't know if you're already checking this or not, but given the
SQL statement you provided your application is definitely open for SQL
injection. If I post a value where id = [1=1;DROP TABLE jobsdb] I could
create some massive headaches for you. Make sure you're clearly defining
data values by using either prepared statements or some sort of
mysql_real_escape function (wrapping each value in slashes in the query
itself, too, even if it's an integer).
- Brian D.
Anthony Wlodarski wrote:
I have been staring at this for about a week and it is turning into a
mind bender. Here is the code excerpt:
// pre: none
// post: displays our controls for …
function displayControls()
{
    // isset() avoids an "undefined index" notice when the button was not pressed
    if (isset($_POST['editjob']))
    {
        // $_POST['id'] is concatenated straight into the SQL text here, which
        // is the injection problem pointed out in the reply above
        $query = "SELECT * FROM `jobsdb` WHERE `id` = ".$_POST['id'];
        // report the server's own message instead of a generic error
        $result = mysql_query($query) or die("Error editing data: ".mysql_error());
        // mysql_fetch_assoc() takes only the result resource; the original
        // passed a second MYSQL_ASSOC argument, which raises a "wrong parameter
        // count" warning and returns NULL, leaving $row empty
        $row = mysql_fetch_assoc($result);
        echo "Debug: ".$_POST['id']." - ".$row['id']."\n";
        // display all our form data
        echo "<fieldset style='color: #ffffff;'><legend>Edit a job</legend>\n".
             "<form action='".$_SERVER['PHP_SELF']."' method='post'>\n".
             "Recruiter: <input name='recruiter' type='text' value='".$row['recruiter']."'><br>".
             " Job ID: <input name='jobid' type='text' value='".$row['jobid']."'><br>".
             " Position: <input name='position' type='text' value='".$row['position']."'><br>".
             " Position Link: <input name='link' type='text' value='".$row['link']."'><br>".
             " Additional Info: <input name='additionalinfo' type='text' value='".$row['additionalinfo']."'><br>".
             " Salary: <input name='salary' type='text' value='".$row['salary']."'><br>".
             " Hiring Manager: <input name='hiringmanager' type='text' value='".$row['hiringmanager']."'><br>".
             " Company: <input name='company' type='text' value='".$row['company']."'><br>".
             " Status: <input name='status' type='text' value='".$row['status']."'><br>".
             " Postings: <input name='postings' type='text' value='".$row['postings']."'><br>".
             " Job Color: \n".
             "<select name='color'>\n".
             "<option value='#ff0000'>Red</option>\n".
             "<option value='#ffa500'>Orange</option>\n".
             "<option value='#ffff00'>Yellow</option>\n".
             "<option value='#00ff7f'>Spring Green</option>\n".
             "<option value='#32cd32'>Lime Green</option>\n".
             "<option value='#c0c0c0'>Silver</option>\n".
             "<option value='#0000cd'>Medium Blue</option>\n".
             "<option value='#191970'>Midnight Blue</option>\n".
             "<option value='#4169e1'>Royal Blue</option>\n".
             "<option value='#c71585'>Medium Violet Red</option>\n".
             "<option value='#ff00ff'>Fuchsia</option>\n".
             "</select>\n".
             "<input name='saveedit' type='submit' value='Save Edit'>".
             "<input name='cancel' type='submit' value='Cancel'>".
             "</form>".
             "</fieldset>\n";
    }
}
……. Rest of application.
Now the big problem is the three PHP statements after the "if"
statement. When I click edit job nothing appears, even in the debug
statement; I am not returning a valid id from $row['id'], nor does any of
the data appear in the form (which is just an integer). I have
scrutinized the SQL query a million times, even tried to qualify it with
the database name using `foobar`.`jobsdb`, and that still does not do
anything. I know the $_POST['id'] variable is passing the right id
based on the echo command. Is this a SQL issue or a PHP issue? I have
looked at my databases in phpMyAdmin and even checked them using the
command line on our box, and they have the right permissions for the
users that can access them. If this is a SQL issue, can you guys point
me in the right direction? I was thinking of pulling my database
handle code and the SQL queries and just throwing them into a bare
script to see what happens. If anyone needs to see the HTML output I
can get that as well.
Any help is appreciated.
Thanks,
/Anthony/
------------------------------------------------------------------------
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
--
Thanks!
- Brian Dailey
Software Developer
New York, NY
www.dailytechnology.net
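The prepared-statement approach suggested in the reply above, written out as an added example; this is not code from the original thread or from the poster's application. It assumes PDO with the MySQL driver, a placeholder DSN, user name and password, and the `foobar`.`jobsdb` table and form field names that appear in the quoted post (the colour select is left out). The posted id is validated as a plain integer and then bound as a typed parameter, so it never becomes part of the SQL text; values read back from the table are HTML-escaped before being placed into the form.

```php
<?php
// Added example (not the original poster's code): the id lookup from
// displayControls() rewritten with a PDO prepared statement. The DSN and
// credentials are placeholders; `foobar` and `jobsdb` are the names used in
// the thread.

function connectJobsDb()
{
    $dsn = 'mysql:host=localhost;dbname=foobar;charset=utf8';   // placeholder
    $pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    // Throw on every failure so a bad query never silently becomes an empty $row.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Returns the job row for the posted id, or null if nothing valid was posted.
function loadJobForEdit(PDO $pdo, array $post)
{
    if (!isset($post['editjob'], $post['id'])) {
        return null;
    }
    // The column is an integer: accept only a plain decimal string, so a value
    // such as the "1=1;DROP TABLE jobsdb" from the reply is rejected before any
    // SQL runs at all.
    if (!ctype_digit((string) $post['id'])) {
        return null;
    }
    $id = (int) $post['id'];

    // The id travels to the server as a bound parameter, never as SQL text.
    $stmt = $pdo->prepare('SELECT * FROM `jobsdb` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Renders one text input; the stored value is escaped so it cannot break out
// of the value attribute when echoed back into the page.
function textField($label, $name, $value)
{
    return sprintf("%s: <input name='%s' type='text' value='%s'><br>\n",
        htmlspecialchars($label, ENT_QUOTES, 'UTF-8'),
        $name,
        htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
}

function displayControls(PDO $pdo)
{
    $row = loadJobForEdit($pdo, $_POST);
    if ($row === null) {
        return;
    }
    $fields = array(
        'recruiter'      => 'Recruiter',
        'jobid'          => 'Job ID',
        'position'       => 'Position',
        'link'           => 'Position Link',
        'additionalinfo' => 'Additional Info',
        'salary'         => 'Salary',
        'hiringmanager'  => 'Hiring Manager',
        'company'        => 'Company',
        'status'         => 'Status',
        'postings'       => 'Postings',
    );
    echo "<fieldset style='color: #ffffff;'><legend>Edit a job</legend>\n";
    echo "<form action='" . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8')
        . "' method='post'>\n";
    foreach ($fields as $name => $label) {
        echo textField($label, $name, $row[$name]);
    }
    echo "<input name='saveedit' type='submit' value='Save Edit'>";
    echo "<input name='cancel' type='submit' value='Cancel'>";
    echo "</form></fieldset>\n";
}

try {
    displayControls(connectJobsDb());
} catch (PDOException $e) {
    // Keep the driver's message for the developer; show the user only a generic line.
    error_log('jobsdb error: ' . $e->getMessage());
    echo "Error editing data.\n";
}
```

With `ERRMODE_EXCEPTION` the MySQL server's actual error text reaches the log instead of being swallowed by an `or die("Error editing data.")`, which is the first thing to look at when a lookup returns nothing; and because the id is both validated and bound, the query shape is fixed regardless of what arrives in `$_POST['id']`.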