
Update MySql row problem

Posted: Mon Mar 07, 2011 7:46 pm
by someguyhere
When I first started working on the code for this portion of my program, I was just using the values submitted right from the form. For security reasons (from what I've learned from members here) I've added the same code I've used elsewhere in the script, but now it won't update the row at all. Am I missing something or doing something wrong here?

Code:

if ($_POST['hidden'] == 'true') {

	// host, user, password (a fourth argument would select the database)
	$db = mysqli_connect("xxxx", "xxxx", "xxxx");

	// Turn blank-line separated paragraphs into <p> blocks, keep only a small
	// whitelist of tags, then unwrap lists that ended up inside <p>
	$company_desc = "<p>" . implode("</p>\n<p>", preg_split('/\n(?:\s*\n)+/', $_POST['company_desc'])) . "</p>";
	$company_desc = strip_tags($company_desc, '<p><b><i><ol><ul><li>');
	$oldtags = array('<p><ol>', '</ol></p>', '<p><ul>', '</ul></p>', '<p></p>');
	$newtags = array('<ol>', '</ol>', '<ul>', '</ul>', '');
	$company_desc = str_replace($oldtags, $newtags, $company_desc);

	$headshot = mysqli_real_escape_string($db, $_POST['headshot']);
	$logo = mysqli_real_escape_string($db, $_POST['logo']);
	$website = mysqli_real_escape_string($db, $_POST['website']);
	if (!empty($website)) {
		// prepend a scheme if the user left it off
		$proper_url = strpos($website, 'http://');
		if ($proper_url === false) {
			$website = 'http://' . $website;
		}
	}

	// Build a <ul> from the submitted designation values (the field may be absent)
	$designation_array = isset($_POST['designation']) ? (array) $_POST['designation'] : array();
	$designation = '';
	foreach ($designation_array as $value) {
		$designation .= '<li>' . $value . '</li>' . "\n";
	}
	$designation = '<ul>' . "\n" . $designation . '</ul>' . "\n";

	$phone = mysqli_real_escape_string($db, $_POST['phone']);
	$l_name = str_replace("-", " ", ucwords(mysqli_real_escape_string($db, $_POST['l_name'])));
	$f_name = ucwords(mysqli_real_escape_string($db, $_POST['f_name']));
	$title = mysqli_real_escape_string($db, $_POST['title']);
	$company = mysqli_real_escape_string($db, $_POST['company']);
	$company_desc = mysqli_real_escape_string($db, $company_desc);
	$address_1 = mysqli_real_escape_string($db, $_POST['address_1']);
	$address_2 = mysqli_real_escape_string($db, $_POST['address_2']);
	$city = mysqli_real_escape_string($db, $_POST['city']);
	$state = mysqli_real_escape_string($db, $_POST['state']);
	$zip = mysqli_real_escape_string($db, $_POST['zip']);
	$designation = mysqli_real_escape_string($db, $designation);
	$service_category = mysqli_real_escape_string($db, $_POST['service_category']);
	$keywords = mysqli_real_escape_string($db, $_POST['keywords']);

	// The WHERE clause uses the raw $_POST values, not the escaped $f_name / $l_name
	$db->query("UPDATE wp_network_members SET headshot = '$headshot', logo = '$logo', website = '$website', phone = '$phone', l_name = '$l_name', f_name = '$f_name', title = '$title', company = '$company', company_desc = '$company_desc', address_1 = '$address_1', address_2 = '$address_2', city = '$city', state = '$state', designation = '$designation', service_category = '$service_category', keywords = '$keywords' WHERE f_name = '$_POST[f_name]' AND l_name = '$_POST[l_name]'");
}
I think the problem is in this particular line

Code:

	$db->query("UPDATE wp_network_members SET headshot = '$headshot', logo = '$logo', website = '$website', phone = '$phone', l_name = '$l_name', f_name = '$f_name', title = '$title', company = '$company', company_desc = '$company_desc', address_1 = '$address_1', address_2 = '$address_2', city = '$city', state = '$state', designation = '$designation', service_category = '$service_category', keywords = '$keywords' WHERE f_name = '$_POST[f_name]' AND l_name = '$_POST[l_name]'");

Re: Update MySql row problem

Posted: Tue Mar 08, 2011 10:01 am
by Kadanis
At the very end of your query string you have embedded the $_POST array into the string. There are two issues that I'm aware of here.

First, if you are embedding an array value into a string in that fashion, you need to enclose it in curly braces {}.

Second, you have not put quote marks on the keys in your $_POST array.

The end of your query should look something like this:

Code:

WHERE f_name = '{$_POST['f_name']}' AND l_name = '{$_POST['l_name']}'");

Alternatively you could break out of the string to call the array values like this:

Code:

WHERE f_name = '" . $_POST['f_name'] . "' AND l_name = '" . $_POST['l_name'] . "'");

Re: Update MySql row problem

Posted: Tue Mar 08, 2011 7:09 pm
by Weiry
Is there a reason you're using $f_name and $l_name, which have ucwords() applied, when in your "WHERE" statement you're trying to match a raw $_POST['f_name'] value without ucwords() applied?

Especially if you consider this scenario:

SQL Server contains user 'f_name' = 'jeromy', 'l_name' = 'jones'
User sends 'f_name' with value of 'jeromy'
User sends 'l_name' with value of 'jones'
SQL Update user f_name 'Jeromy', l_name 'Jones' where f_name = 'jeromy' and l_name = 'jones'

jeromy jones no longer appears in the database.
Jeromy Jones appears in the database

jeromy jones != Jeromy Jones
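Added example, not code from any post in this thread: the same UPDATE rebuilt as a prepared statement so that no submitted value is ever concatenated into SQL, with the WHERE clause comparing on the same normalised names that are written, so a second save still finds the row after its case has changed. PDO with an in-memory SQLite database is an assumption made so the script runs offline (PHP 7 or later, pdo_sqlite enabled); with the poster's mysqli connection the same pattern is mysqli_prepare() plus bind_param(). Only three of the columns are kept, the table name is the one from the thread, and the fixture rows are constructed. The `update_member_unsafe` function reproduces the original pattern purely to show both the case mismatch Weiry describes and the injection through the raw WHERE.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite is an
// assumption so this runs offline; with mysqli use mysqli_prepare() and
// bind_param() in the same way. Fixture rows below are constructed.

function normalise_name(string $name): string
{
    // Same transform the original applies before writing f_name / l_name.
    return ucwords(trim($name));
}

// The original pattern, kept only to show what goes wrong: ucwords() is
// applied to the values written while the WHERE interpolates raw input.
function update_member_unsafe(PDO $db, array $post): int
{
    $f_name = ucwords($post['f_name']);
    $l_name = ucwords($post['l_name']);
    return $db->exec("UPDATE wp_network_members SET f_name = '$f_name', l_name = '$l_name'
                       WHERE f_name = '{$post['f_name']}' AND l_name = '{$post['l_name']}'");
}

// Hardened version. Returns the affected-row count so the caller can tell
// "updated" from "no such member" instead of silently doing nothing.
function update_member(PDO $db, array $post): int
{
    $f_name = normalise_name($post['f_name'] ?? '');
    $l_name = str_replace('-', ' ', normalise_name($post['l_name'] ?? ''));

    $website = trim($post['website'] ?? '');
    if ($website !== '' && !preg_match('#^https?://#i', $website)) {
        $website = 'http://' . $website;
    }

    // LOWER() on both sides makes the match independent of the column's
    // collation (MySQL's default *_ci collations ignore case, SQLite's =
    // does not). Keying the row on a stable id instead of mutable names
    // would be better still, if the table has one.
    $stmt = $db->prepare(
        'UPDATE wp_network_members
            SET f_name = ?, l_name = ?, website = ?
          WHERE LOWER(f_name) = LOWER(?) AND LOWER(l_name) = LOWER(?)'
    );
    $stmt->execute([$f_name, $l_name, $website, $f_name, $l_name]);
    return $stmt->rowCount();
}

// Constructed fixture: the lower-case member from Weiry's scenario plus a bystander.
function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE wp_network_members (f_name TEXT, l_name TEXT, website TEXT)');
    $db->exec("INSERT INTO wp_network_members VALUES ('jeromy', 'jones', ''), ('ada', 'lovelace', '')");
    return $db;
}

function demo(): array
{
    $post = ['f_name' => 'jeromy', 'l_name' => 'jones', 'website' => 'example.test'];
    // Payload for the raw WHERE: the closing quote and OR make it true for every row.
    $evil = ['f_name' => "x' OR '1'='1", 'l_name' => "x' OR '1'='1", 'website' => ''];

    $db = fresh_db();
    $unsafe = [
        update_member_unsafe($db, $post), // matches 'jeromy' and rewrites it as 'Jeromy'
        update_member_unsafe($db, $post), // row is now 'Jeromy', WHERE still looks for 'jeromy'
        update_member_unsafe($db, $evil), // payload makes the WHERE true for every row
    ];

    $db = fresh_db();
    $safe = [
        update_member($db, $post), // matches and rewrites in Title Case
        update_member($db, $post), // still finds the row after the case change
        update_member($db, $evil), // payload is just a string nobody is named
    ];
    return ['unsafe' => $unsafe, 'safe' => $safe];
}

print_r(demo());
```

Run it with `php update_member.php` (any filename). The three counts under `unsafe` show the row being found once, then lost on the repeat submission, then every row in the table being rewritten by the injected WHERE; under `safe` the same inputs find the row both times and the injection payload matches nothing. mysqli_real_escape_string() on the SET values would have prevented the injection only if the WHERE values had been escaped too; binding parameters removes the need to remember that for every value.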