SQL UPDATE Problem [SOLVED]


11 replies to this topic

#1 Braunson

    Young Padawan

  • Members
  • Pip
  • 237 posts
  • Gender:Male
  • Location:Ontario, Canada

Posted 06 July 2007 - 03:27 AM

Alright, here's my code:

if(isset($_POST["name_on_resume"])) {

	/* This is all of the submitted data being cleaned and then sent to the database */
	$name_on_resume				  = 	sAfe($_POST["name_on_resume"]);
	$sin_number 				= 	sAfe($_POST["sin_number"]);
	$address					 	=	sAfe($_POST["address"]);
	$phone					   	=	sAfe($_POST["phone"]);
	$email					   	= 	sAfe($_POST["email"]);
	$employed_by 			 	= 	sAfe($_POST["employed_by"]);
	$start_date 			 	= 	sAfe($_POST["start_date"]);
	$finish_date 			 	= 	sAfe($_POST["finish_date"]);
	$department_worked 		 	= 	sAfe($_POST["department_worked"]);
	$reason_for_leaving 		 	= 	sAfe($_POST["reason_for_leaving"]);
	$reason_for_leaving_details	  = 	sAfe($_POST["reason_for_leaving_details"]);
	$working_attitude 		 	= 	sAfe($_POST["working_attitude"]);
	$working_attitude_details		= 	sAfe($_POST["working_attitude_details"]);
	$working_with_others		 	= 	sAfe($_POST["working_with_others"]);
	$working_with_others_details 	= 	sAfe($_POST["working_with_others_details"]);
	$takes_direction			 	= 	sAfe($_POST["takes_direction"]);
	$takes_direction_details	 	= 	sAfe($_POST["takes_direction_details"]);
	$working_alone			   	= 	sAfe($_POST["working_alone"]);
	$working_alone_details		 	= 	sAfe($_POST["working_alone_details"]);
	$working_in_a_team		   	= 	sAfe($_POST["working_in_a_team"]);
	$working_in_a_team_details   	= 	sAfe($_POST["working_in_a_team_details"]);
	$respect_for_company_details	=	sAfe($_POST["respect_for_company_details"]);
	$respect_for_co_workers		  = 	sAfe($_POST["respect_for_co_workers"]);
	$good_qualities				  = 	sAfe($_POST["good_qualities"]);
	$bad_qualities			   	= 	sAfe($_POST["bad_qualities"]);
	$overview 			 	= 	sAfe($_POST["overview"]);


	/* This is all of the cleaned data being entered into the MYSQL database */
		$update_sql = "
		UPDATE `listing_base` SET 
	`name_on_resume` 		= 	'$name_on_resume', 
	`sin_number` 			= 	'$sin_number', 
	`address` 			= 	'$address', 
	`phone` 			= 	'$phone', 
	`email` 			= 	'$email', 
	`employed_by` 			= 	'$employed_by', 
	`start_date` 			= 	'$start_date', 
	`finish_date` 			= 	'$finish_date', 
	`department_worked` 		= 	'$department_worked', 
	`reason_for_leaving` 		= 	'$reason_for_leaving', 
	`reason_for_leaving_details` 	= 	'$reason_for_leaving_details', 
	`working_attitude` 		= 	'$working_attitude', 
	`working_attitude_details`	= 	'$working_attitude_details', 
	`working_with_others` 		= 	'$working_with_others', 
	`working_with_others_details` 	= 	'$working_with_others_details', 
	`takes_direction` 		= 	'$takes_direction',
	`takes_direction_details` 	= 	'$takes_direction_details',
	`working_alone` 		= 	'$working_alone',
	`working_alone_details` 	= 	'$working_alone_details', 
	`working_in_a_team` 		= 	'$working_in_a_team',
	`working_in_a_team_details` 	= 	'$working_in_a_team_details',
	`respect_for_company_details`	= 	'$respect_for_company_details',
	`respect_for_co_workers` 	= 	'$respect_for_co_workers',
	`good_qualities` 		= 	'$good_qualities',
	`bad_qualities` 		= 	'$bad_qualities',
	`overview` 			= 	'$overview'
		WHERE 
	`id` 				= 	'$id'
		";

		$do_sql = mysql_query($update_sql)or die(mysql_errno());
	

echo "
			<a name=\"workerupdated\"></a>			
			<div class=\"box\">
				
				<h1>Worker Information <span class=\"gray\">Successfully Updated</span></h1>

				<p>The information that you have just changed, has been successfully updated. You are being redirected back to the member panel.</p>
			</div>
";

echo "<meta http-equiv=\"refresh\" content=\"3;url=index.php?page=library/member&act=account_panel\">";

} else {

So here's my problem. Yes, the $id is defined, and so is the function sAfe();
Now I tried taking out the mysql_query part of the code so it would update and then the 'success message' displayed. But when I add the mysql_query back and try to update the SQL, then the page when submitted is blank, nothing happens, nothing is displayed.

Any ideas? Thanks :P

Edited by Braunson, 07 July 2007 - 07:17 PM.


#2 rc69

    PHP Master PD

  • P2L Staff
  • PipPipPipPip
  • 3,827 posts
  • Gender:Male
  • Location:Here
  • Interests:Web Development

Posted 06 July 2007 - 03:57 PM

My bet is you have a parse error with error reporting turned off. Add the error_reporting() at the top of the script and set it to E_ALL then see what happens.

My guess is about here:
mysql_query($update_sql)or die(mysql_errno());
But i didn't look at much else and i don't know exactly how "white-space indifferent" php is.

What i recommend regardless of what error_reporting() does is simplifying the code. You are going the basic brute-force way right now... try some loops.

if(isset($_POST["name_on_resume"])) {
	/* This is all of the submitted data being cleaned and then sent to the database */
	$data = array_map('sAfe', $_POST);

	/* This is all of the cleaned data being entered into the MYSQL database */
	$update_sql = 'UPDATE `listing_base` SET';
	while(list($key,$value) = each($data)){
		$update_sql .= '`'.$key.'` \''.$value.'\', ';
	}

	/* Double quotes so that $id is interpolated into the query */
	mysql_query(substr($update_sql, 0, -2)." WHERE `id` = '$id'") or die(mysql_errno());

echo '
			<a name="workerupdated"></a>			
			<div class="box">
				
				<h1>Worker Information <span class="gray">Successfully Updated</span></h1>

				<p>The information that you have just changed, has been successfully updated. You are being redirected back to the member panel.</p>
			</div>
';

echo '<meta http-equiv="refresh" content="3;url=index.php?page=library/member&act=account_panel">';

} else {
On a side note, you do know that php is case-insensitive, so the function "sAfe" is the same as "safe" right?

#3 Braunson

Posted 06 July 2007 - 04:13 PM

Added error_reporting("E_ALL"); Also changed mysql_errno(); to mysql_error();
Got this..

Quote

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''John Doe34', `sin_number` '56849372-1568427', `address` '1234 Dorchester St', `' at line 1

Hmm... :s

#4 Braunson

Posted 07 July 2007 - 12:43 PM

Still the same error :)

#5 Demonslay

    P2L Jedi

  • Members
  • PipPipPip
  • 970 posts
  • Gender:Male
  • Location:A strange world where water falls out of the sky... for no reason.
  • Interests:Graphic Design, Coding, Splinter Cell, Cats

Posted 07 July 2007 - 02:54 PM

You are missing your equals signs (=) between the columns and values.

/* This is all of the cleaned data being entered into the MYSQL database */
	$update_sql = 'UPDATE `listing_base` SET';
	while(list($key,$value) = each($data)){
		$update_sql .= '`'.$key.'`= \''.$value.'\', ';
	}

Silly rc, parser errors is for noobs. :)

- Just kidding, lol. :)

#6 Braunson

Posted 07 July 2007 - 04:42 PM

ROFL How silly of me haha. Thank you Demonslay for pointing that out.

But now it's trying to update the submit button... :S

Unknown column 'finish_editing_worker' in 'field list'
finish_editing_worker is the submit button at the bottom, like a save button... :)

#7 Demonslay

Posted 07 July 2007 - 06:38 PM

Try this then.
rc gave you a little too much freedom on the script he provided, to be honest. Simply implement a white-list approach.

if(isset($_POST["name_on_resume"])) {
	/* This is all of the submitted data being cleaned and then sent to the database */
	$data = array_map('sAfe', $_POST);

   $allowed_data = array('name_on_resume', 'sin_number', 'address', 'phone', 'email', 'employed_by', 'start_date', 'finish_date', 'department_worked', 'reason_for_leaving', 'reason_for_leaving_details', 'working_attitude', 'working_attitude_details', 'working_with_others', 'working_with_others_details', 'takes_direction', 'takes_direction_details', 'working_alone', 'working_alone_details', 'working_in_a_team', 'working_in_a_team_details', 'respect_for_company_details', 'respect_for_co_workers', 'good_qualities', 'bad_qualities', 'overview');

	/* This is all of the cleaned data being entered into the MYSQL database */
	$update_sql = 'UPDATE `listing_base` SET';
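	while(list($key,$value) = each($data)){
		/* Only white-listed form fields become columns; note the = between column and value */
		if(in_array($key, $allowed_data))
			$update_sql .= '`'.$key.'` = \''.$value.'\', ';
	}

	/* Double quotes so that $id is interpolated; mysql_error() prints the message instead of a blank page */
	mysql_query(substr($update_sql, 0, -2)." WHERE `id` = '$id'") or die(mysql_error());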

echo '
			<a name="workerupdated"></a>			
			<div class="box">
				
				<h1>Worker Information <span class="gray">Successfully Updated</span></h1>

				<p>The information that you have just changed, has been successfully updated. You are being redirected back to the member panel.</p>
			</div>
';

echo '<meta http-equiv="refresh" content="3;url=index.php?page=library/member&act=account_panel">';

} else {

Note there was absolutely nothing wrong with rc's code (other than it not really filtering out the unwanted parts of the form), I'm just pickin' on him, lol. ;)

#8 Braunson

Posted 07 July 2007 - 07:03 PM

Awesome, didn't think of that ;)
Did a bit of tweaking, now it works :D Thank you.

#9 rc69

Posted 07 July 2007 - 11:10 PM

Man demon, i just got back from vacation, don't make me talk donna into sending you on one :D

My question is how the heck i missed the equal sign! I blame the hotel's i-net connection, it just didn't send all the data! But ya, i'll admit there are some security flaws in that, although you can't argue with the fact that from a maintenance point of view it is a lot nicer to look at. Heck, it actually fits on one page ;)

Edited by rc69, 07 July 2007 - 11:11 PM.
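
Added example, not part of any post in this thread: the white-list approach from post #7 combined with bound parameters, covering the security flaws in the looped version that post #9 mentions. Form field names come from the client just as values do, so only names from a fixed list are placed in the SQL text and every value goes through a placeholder. `build_update()` and the sample data are hypothetical, and it assumes PHP 7.1+ with the pdo_sqlite driver (an in-memory table stands in for the MySQL `listing_base`).

```php
<?php
// Added example: column white-list plus bound parameters (PDO).
// build_update() is a hypothetical helper, not code from the thread.

function build_update(string $table, array $allowed, array $post): array
{
    $set = [];
    $params = [];
    foreach ($allowed as $col) {
        // Only names from the fixed white-list ever reach the SQL text;
        // any other submitted key (e.g. the submit button) is ignored.
        if (array_key_exists($col, $post) && is_string($post[$col])) {
            $set[] = "`$col` = :$col";
            $params[":$col"] = $post[$col];
        }
    }
    if ($set === []) {
        throw new InvalidArgumentException('no updatable fields submitted');
    }
    $sql = "UPDATE `$table` SET " . implode(', ', $set) . ' WHERE `id` = :id';
    return [$sql, $params];
}

// Constructed sample standing in for $_POST.
$post = [
    'name_on_resume'        => "John O'Doe",  // quote is safe: value is bound
    'phone'                 => '555-0100',
    'finish_editing_worker' => 'Save',        // submit button from post #6
    'no_such_column'        => 'x',           // any key outside the list
];
$allowed = ['name_on_resume', 'sin_number', 'address', 'phone', 'email'];

[$sql, $params] = build_update('listing_base', $allowed, $post);
$params[':id'] = 7;  // assumption: $id is set elsewhere, as in the thread

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE listing_base (id INTEGER PRIMARY KEY, name_on_resume TEXT, phone TEXT)');
$pdo->exec("INSERT INTO listing_base (id, name_on_resume, phone) VALUES (7, 'old', 'old')");

$stmt = $pdo->prepare($sql);
$stmt->execute($params);

echo $sql, "\n";
print_r($pdo->query('SELECT * FROM listing_base WHERE id = 7')->fetch(PDO::FETCH_ASSOC));
```

With `PDO::ERRMODE_EXCEPTION` set, a failed query raises an exception instead of leaving a blank page, which is the symptom the thread started with.
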


#10 Braunson

Posted 08 July 2007 - 04:46 PM

rc69, on Jul 8 2007, 04:10 AM, said:

Man demon, i just got back from vacation, don't make me talk donna into sending you on one :P

My question is how the heck i missed the equal sign! I blame the hotel's i-net connection, it just didn't send all the data! But ya, i'll admit there are some security flaws in that, although you can't argue with the fact that from a maintenance point of view it is a lot nicer to look at. Heck, it actually fits on one page :P

Security flaws? Still, Such as?

#11 Demonslay

Posted 08 July 2007 - 05:24 PM

I believe he is referring to his original code. :P

#12 Braunson

Posted 08 July 2007 - 10:30 PM

Ah Alrighty :P
