Update MySql row problem

Post by someguyhere »

When I first started working on the code for this portion of my program, I was just using the values submitted right from the form. For security reasons (from what I've learned from members here) I've added the same code I've used elsewhere in the script, but now it won't update the row at all. Am I missing something or doing something wrong here?

Code: Select all

if($_POST['hidden'] == 'true'){

	$db = mysqli_connect("xxxx", "xxxx", "xxxx");

	$company_desc = "<p>" . implode( "</p>\n<p>", preg_split( '/\n(?:\s*\n)+/', $_POST['company_desc'] ) ) . "</p>";
	$company_desc = strip_tags($company_desc, '<p><b><i><ol><ul><li>');
	$oldtags = array('<p><ol>', '</ol></p>', '<p><ul>', '</ul></p>', '<p></p>');
	$newtags = array('<ol>', '</ol>', '<ul>', '</ul>', '');
	$company_desc = str_replace($oldtags, $newtags, $company_desc);

	$headshot = mysqli_real_escape_string($db, $_POST['headshot']);
	$logo = mysqli_real_escape_string($db, $_POST['logo']);
	$website = mysqli_real_escape_string($db, $_POST['website']);
		if(!empty($website)){
			$proper_url = strpos($website, 'http://');
				if($proper_url === false){
					$website = 'http://' . $website;
				}
		}
	$designation_array = $_POST['designation'];
	$designation = ''; // initialise before appending to avoid an undefined-variable notice
		foreach ($designation_array as $value) {
			$designation .= '<li>' . $value . '</li>' . "\n";
		}
	$designation = '<ul>' . "\n" . $designation . '</ul>' . "\n";

	$phone = mysqli_real_escape_string($db, $_POST['phone']);
	$l_name = str_replace("-", " ", ucwords(mysqli_real_escape_string($db, $_POST['l_name'])));
	$f_name = ucwords(mysqli_real_escape_string($db, $_POST['f_name']));
	$title = mysqli_real_escape_string($db, $_POST['title']);
	$company = mysqli_real_escape_string($db, $_POST['company']);
	$company_desc = mysqli_real_escape_string($db, $company_desc);
	$address_1 = mysqli_real_escape_string($db, $_POST['address_1']);
	$address_2 = mysqli_real_escape_string($db, $_POST['address_2']);
	$city = mysqli_real_escape_string($db, $_POST['city']);
	$state = mysqli_real_escape_string($db, $_POST['state']);
	$zip = mysqli_real_escape_string($db, $_POST['zip']);
	$designation = mysqli_real_escape_string($db, $designation);
	$service_category = mysqli_real_escape_string($db, $_POST['service_category']);
	$keywords = mysqli_real_escape_string($db, $_POST['keywords']);

	$db->query("UPDATE wp_network_members SET headshot = '$headshot', logo = '$logo', website = '$website', phone = '$phone', l_name = '$l_name', f_name = '$f_name', title = '$title', company = '$company', company_desc = '$company_desc', address_1 = '$address_1', address_2 = '$address_2', city = '$city', state = '$state', designation = '$designation', service_category = '$service_category', company_desc = '$company_desc', keywords = '$keywords' WHERE f_name = '$_POST[f_name]' AND l_name = '$_POST[l_name]'");
}

I think the problem is in this particular line:

Code: Select all

	$db->query("UPDATE wp_network_members SET headshot = '$headshot', logo = '$logo', website = '$website', phone = '$phone', l_name = '$l_name', f_name = '$f_name', title = '$title', company = '$company', company_desc = '$company_desc', address_1 = '$address_1', address_2 = '$address_2', city = '$city', state = '$state', designation = '$designation', service_category = '$service_category', company_desc = '$company_desc', keywords = '$keywords' WHERE f_name = '$_POST[f_name]' AND l_name = '$_POST[l_name]'");

Re: Update MySql row problem

Post by Kadanis »

At the very end of your query string you have embedded the $_POST array into the string. There are 2 issues that I'm aware of here.

First, if you are embedding an array value into a string in that fashion, you need to enclose it in curly braces {}.

Second, you have not put quote marks on the keys in your $_POST array.

The end of your query should look something like this:

Code: Select all


WHERE f_name = '{$_POST['f_name']}' AND l_name = '{$_POST['l_name']}'");

Alternatively, you could break out of the string to call the array values like this:

Code: Select all

WHERE f_name = '" . $_POST['f_name'] . "' AND l_name = '" . $_POST['l_name'] . "'");

Re: Update MySql row problem

Post by Weiry »

Is there a reason you're using $f_name and $l_name, which have ucwords() applied, when in your "WHERE" statement you're trying to match a raw $_POST['f_name'] value without ucwords() applied?

Especially if you consider this scenario:

SQL Server contains user 'f_name' = 'jeromy', 'l_name' = 'jones'
User sends 'f_name' with value of 'jeromy'
User sends 'l_name' with value of 'jones'
SQL Update user f_name 'Jeromy', l_name 'Jones' where f_name = 'jeromy' and l_name = 'jones'

jeromy jones no longer appears in the database.
Jeromy Jones appears in the database

jeromy jones != Jeromy Jones
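
The UPDATE from the first post rewritten with a mysqli prepared statement, as an added example that is not part of any post in this thread: every value, including the two in the WHERE clause that the thread's versions take straight from $_POST, is bound as a parameter, and the affected-row count is checked. It uses a subset of the original columns; `update_member` is a hypothetical helper, the sample input is constructed, and the connection values are placeholders.

```php
<?php
// Added example, not code from the thread.
// Make mysqli throw on connection and SQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the number of rows the UPDATE changed.
function update_member(mysqli $db, array $post): int
{
    // Values used only to locate the row: exactly what the form submitted.
    $match_f = $post['f_name'];
    $match_l = $post['l_name'];

    // Values to store: normalised the same way the original post does,
    // but on the raw input, with no mysqli_real_escape_string() involved.
    $f_name  = ucwords($post['f_name']);
    $l_name  = str_replace('-', ' ', ucwords($post['l_name']));
    $phone   = $post['phone'];
    $website = $post['website'];
    if ($website !== '' && !preg_match('#^https?://#i', $website)) {
        $website = 'http://' . $website;
    }

    $stmt = $db->prepare(
        'UPDATE wp_network_members
            SET f_name = ?, l_name = ?, phone = ?, website = ?
          WHERE f_name = ? AND l_name = ?'
    );
    // Bound parameters are sent separately from the SQL text, so a quote
    // character in any field cannot change the structure of the query.
    $stmt->bind_param('ssssss', $f_name, $l_name, $phone, $website,
                      $match_f, $match_l);
    $stmt->execute();
    $changed = $stmt->affected_rows; // 0: no row matched, or nothing differed
    $stmt->close();
    return $changed;
}

// Constructed sample input standing in for $_POST.
$sample = ['f_name' => 'jeromy', 'l_name' => "o'neil-jones",
           'phone' => '555-0100', 'website' => 'example.com'];

// host, user, password, database: placeholders, as in the original post.
$db = new mysqli('xxxx', 'xxxx', 'xxxx', 'xxxx');
$db->set_charset('utf8mb4');

if (update_member($db, $sample) === 0) {
    error_log('UPDATE changed no row for the submitted name');
}
```

With error reporting set this way, a malformed query raises a `mysqli_sql_exception` rather than leaving the row untouched with no message.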