Forum Moderators: coopster
Only problem is that although it *appears* to work (in that it goes through to the confirmation page) the values don't get updated.
It doesn't throw a syntax error so I guess it just isn't seeing the condition in the WHERE clause- but don't see how.
This is the code:
[PHP]
<?php
include ('../inc/dbconnect.php');
if($_POST['stocklist_updatetable'])
{
// Grab the data from the first Stock List update form and assign to variables
$carid = $_POST['_CarID'];
$title1 =@$_POST['_IsLive'];
$title2 =@$_POST['_IsArchived'];
$title3 =@$_POST['_IsSold'];
$title4 =@$_POST['_Title'];
$title5 =@$_POST['_Variant'];
$title6 =@$_POST['_Price'];
$title7 =@$_POST['_Make'];
$title8 =@$_POST['_BodyType'];
$title9 =@$_POST['_ModelType'];
$title10 =@$_POST['_ChassisNumber'];
$title11 =@$_POST['_EngineNumber'];
$title12 =@$_POST['_RegNumber'];
$title13 =@$_POST['_DateFirstReg'];
$title14 =@$_POST['_YearOfCar'];
$title15 =@$_POST['_ExteriorColour'];
$title16 =@$_POST['_InteriorColour'];
$title17 =@$_POST['_Hood'];
$title18 =@$_POST['_Odometer'];
$title19 =@$_POST['_Steering'];
$title20 =@$_POST['_Transmission'];
$title21 =@$_POST['_FourWheelDrive'];
$title22 =@$_POST['_NumberOfDoors'];
$title23 =@$_POST['_EngineSize'];
$title24 =@$_POST['_FuelType'];
$title25 =@$_POST['_PreviousOwners'];
$title26 =@$_POST['_Options'];
$title27 =@$_POST['_Description'];
$title28 =@$_POST['_Pic1'];
$title29 =@$_POST['_Pic2'];
$title30 =@$_POST['_Pic3'];
$title31 =@$_POST['_Pic4'];
$title32 =@$_POST['_Pic5'];
$title33 =@$_POST['_Pic6'];
$title34 =@$_POST['_Pic7'];
$title35 =@$_POST['_Pic8'];
$title36 =@$_POST['_Pic9'];
$title37 =@$_POST['_Pic10'];
$title38 =@$_POST['_Pic11'];
$title39 =@$_POST['_Pic12'];
$title40 =@$_POST['_Pic13'];
$title41 =@$_POST['_Pic14'];
$title42 =@$_POST['_Pic15'];
$title43 =@$_POST['_Pic16'];
$title44 =@$_POST['_Pic17'];
$title45 =@$_POST['_Pic18'];
$title46 =@$_POST['_Pic19'];
$title47 =@$_POST['_Pic20'];
$trimmed1 = trim($title1); //trim whitespace from the stored variable
$trimmed2 = trim($title2);
$trimmed3 = trim($title3);
$trimmed4 = trim($title4);
$trimmed5 = trim($title5);
$trimmed6 = trim($title6);
$trimmed7 = trim($title7);
$trimmed8 = trim($title8);
$trimmed9 = trim($title9);
$trimmed10 = trim($title10);
$trimmed11 = trim($title11);
$trimmed12 = trim($title12);
$trimmed13 = trim($title13);
$trimmed14 = trim($title14);
$trimmed15 = trim($title15);
$trimmed16 = trim($title16);
$trimmed17 = trim($title17);
$trimmed18 = trim($title18);
$trimmed19 = trim($title19);
$trimmed20 = trim($title20);
$trimmed21 = trim($title21);
$trimmed22 = trim($title22);
$trimmed23 = trim($title23);
$trimmed24 = trim($title24);
$trimmed25 = trim($title25);
$trimmed26 = trim($title26);
$trimmed27 = trim($title27);
$trimmed28 = trim($title28);
$trimmed29 = trim($title29);
$trimmed30 = trim($title30);
$trimmed31 = trim($title31);
$trimmed32 = trim($title32);
$trimmed33 = trim($title33);
$trimmed34 = trim($title34);
$trimmed35 = trim($title35);
$trimmed36 = trim($title36);
$trimmed37 = trim($title37);
$trimmed38 = trim($title38);
$trimmed39 = trim($title39);
$trimmed40 = trim($title40);
$trimmed41 = trim($title41);
$trimmed42 = trim($title42);
$trimmed43 = trim($title43);
$trimmed44 = trim($title44);
$trimmed45 = trim($title45);
$trimmed46 = trim($title46);
$trimmed47 = trim($title47);
$apostrophefix_description = str_replace("'", "'", $trimmed27);
// Build SQL Query
$query = "UPDATE cars SET is_live = '$trimmed1', is_archived = '$trimmed2', Sold = '$trimmed3', title = '$trimmed4', Variant = '$trimmed5', Price = '$trimmed6', Make = '$trimmed7', Body_type = '$trimmed8', Model_type = '$trimmed9', Chassis_no = '$trimmed10', Engine_no = '$trimmed11', Full_registration = '$trimmed12', First_registration = '$trimmed13', Year_of_car = '$trimmed14', Colour = '$trimmed15', Interior = '$trimmed16', Hood = '$trimmed17', Mileage = '$trimmed18', Steering = '$trimmed19', Transmission = '$trimmed20', Four_wheel_drive = '$trimmed21', Doors = '$trimmed22', Engine_size = '$trimmed23', Fuel_type = '$trimmed24', Previous_owners = '$trimmed25', Options = '$trimmed26', car_description = '$apostrophefix_description', pic1 = '$trimmed28', pic2 = '$trimmed29', pic3 = '$trimmed30', pic4 = '$trimmed31', pic5 = '$trimmed32', pic6 = '$trimmed33', pic7 = '$trimmed34', pic8 = '$trimmed35', pic9 = '$trimmed36', pic10 = '$trimmed37', pic11 = '$trimmed38', pic12 = '$trimmed39', pic13 = '$trimmed40', pic14 = '$trimmed41', pic15 = '$trimmed42', pic16 = '$trimmed43', pic17 = '$trimmed44', pic18 = '$trimmed45', pic19 = '$trimmed46', pic20 = '$trimmed47' WHERE carid = '$carid'"; // specify the table and field names for the SQL query
}
if($result = mysql_query($query))
{
//go to the new member confirmation page
header('location: updateconfirmed.php');
exit;
}
else
{
echo "ERROR: ".mysql_error();
}
?>
[/PHP]
Anyone got any ideas?
With the $_POSTS['post_name']; globals you could apply the function straight to the global, and place them directly into the sql query ie: trim($_POST['_IsLive']), without having to assign them to variables first, and then just break the line by doing this:-
is_live = '".htmlspecialchars(trim($_POST['_IsLive']))."', is_archived
etc, if you repeat the same process, the code will be reduced and *hopefully* the update will happen. Also you could add the htmlspecialchars function to strip any rubbish out.
Hope that helps a little,
MRb
First... please "clean" your user input before letting it touch your DB! A malicious user who knows what they're doing can submit data via your form to do an SQL injection [alter your database, even the possibilities of uploading files onto the server!]. The easiest method to do this would be to use PHP's mySQL function:
$trimmed2 = mysql_real_escape_string(trim($title2));This will significantly help to protect you. Just modify your existing coding as above to add the function to each user input! Anywhere you access data from "_POST" which will be used in a query, use this function to clean it!
Secondly... using mysql_error() is useful for debugging, but you should remove this from any code that hits production/public levels. Again, a malicious user can use info released from this function to learn about how your database/etc is structured. Keep that info private. It just makes it easier for someone to get into your site. Just change it to a generic error message, ex: "Error: Sorry, but your request could not be processed. Please contact us if this error continues!". If you really want to know what's going on when it is happening, you could add code to the error section that will email YOU a message when an error happens, in which you can include the query statement and the mySQL error... which you could use to debug the problem when one happens.
As for your problem...
No error indicates everything is working. You are likely correct that your issue is that SQL is searching and finding zero results. You get your "car ID" as:
$carid = $_POST['_CarID']; Try modifying the "success" section of your code to see what is happening, ex:
if($result = mysql_query($query))
{
//go to the new member confirmation page
//hide this for now: header('location: updateconfirmed.php');
echo "<b>Debugging Results</b><br>Process was a success!<br><br>";
echo "Car ID: $carid<br>";
echo "Query:<br>$query<br>";
exit;
}
You might notice that car ID is NULL. This means you need to check where it is coming from, there is likely an error on the previous page (the form).
If an ID is showing up... confirm it actually exists in the database. And look over the query statement to see why you are getting zero results.
Is usually where I start with something not updating so I can see what the query is exactly... It could be the $_POST['stocklist_updatetable'] if() from the form submission is not working correctly too, so you are not ever getting to the UPDATE. You'll know if the query is not echoed back when the script runs. Also, as previously stated, make sure you are using mysql_real_escape_string(), at least, for security purposes on the entered information.
But if "carid" is a numeric value (it should be,) change this
WHERE carid = '$carid'";
to this
WHERE carid = $carid";
Why? The following query will execute without error. It just won't do anything.
update table where numeric_id='';
But this one, however, will kick a mySQL error which will immediately alert you to the problem:
update table where numeric_id=;
So by leaving the quotes off the id selection, it will "debug" it for you.
The above being the case, an easy and simple filter on that input, test for zero. Any malicious string will evaluate to zero, and you will never have a unique database entry with a value of zero (or something is wrong.) Don't use is_numeric(), zero is numeric.
if ($carid > 0) {
// do your stuff, insert, etc.
}
else {
echo "<p>Whoops. Invalid car ID supplied.</p>";
exit;
}
