Did a program create a bad script?

Posted: Sun Feb 08, 2004 4:25 pm
by KeithO
I used a program called PHP Database Wizard to create the PHP for a project I'm working on. I then started pulling the info into Notepad and editing the HTML so that it had the look I wanted. However, the update function does not work properly. Instead of updating the information, it only re-pulls the data from the MySQL db. Seeing as I've only worked with PHP for a couple of weeks, can any of the experts here help me figure this out and get it running?

I am running the latest stable editions of PHP, Apache (as a local host), and MySQL.

I think it has something to do with those periods, but I'm too inexperienced with this to figure out what's really going on.

Code:

<?php
        require_once('Db\db_connection.php');
        global $MyDb;

        $actPage = $HTTP_SERVER_VARS["PHP_SELF"];
        $maxRows = 24;
        $pageNr  = 0;
        $rowbg = 'true';

        $pageNr   = $_POST['pageNr'];
        $orderSql = $_POST['orderSql'];


        $selectAllSql  = "SELECT * FROM txtprices ".$filterSql;
        $ResultAll     = $MyDb->f_ExecuteSql($selectAllSql);
        $ResultAllRows = $MyDb->f_GetSelectedRows($ResultAll);

        $startRow = $pageNr * $maxRows;

        $selectSql = "SELECT * FROM txtprices";
        $limitSql  = " LIMIT ".$startRow." , ".$maxRows;
        $selectSql = $selectSql.$filterSql.$orderSql.$limitSql;

        $Result        = $MyDb->f_ExecuteSql($selectSql);
        $Resultset     = $MyDb->f_GetRecord($Result);
        $ResultRowNr   = $MyDb->f_GetSelectedRows($Result);
        $actRow=0;
?>

<html>
<head>
 <title>Ticket Prices</title>
 <link href="Style/style.css" rel="stylesheet" type="text/css">
 <script language="javascript" src="Scripts/script.js"></script>
</head>
<body>

<form name="UpdateForm" method="post" action="<?php echo $PHP_SELF ?>">
<table width="330" border="0" align="center" cellpadding="0" cellspacing="0" class="tableborder">
 <tr>
  <td>
   <table border="0" cellspacing="0" cellpadding="0" width="100%">
    <tr>
     <th class="th1" width="70">Ticket ID</th>
     <th class="th1" width="130">Ticket Type</th>
     <th class="th1">Regular Prices</th>
     <th class="th1">Group Prices</th>
    </tr>
     	<?php do { ?>
    <tr <?php if ($rowbg =='true') { $rowbg='false'; echo 'class="tr1"';} else { $rowbg='true'; echo 'class="tr2"';}  echo "onMouseOver=\"this.className='tract'\""; if ($rowbg == 'true') echo ' onMouseOut="this.className=\'tr2\'"'; else echo 'onMouseOut="this.className=\'tr1\'"';?> >
     <td class="td1"><font face="verdana" color="#000000"><?php if ($Resultset['txtid'] != "") echo $Resultset['txtid']; else echo "&nbsp;";?> </font></td>
     <td class="td1"><font face="verdana" color="#000000"><?php if ($Resultset['type'] != "") echo $Resultset['type']; else echo "&nbsp;";?> </font></td>
      <td class="td1" align="center">
       <input class="input_normal"
               type="text"
               name="rprices"
               id="rprices"
               value="<?php echo $Resultset['rprices']; ?>"
               size="10"
               maxlength="7"
               onFocus="this.className='inputact'"
               onBlur="this.className='inputOk'">
      </td>
      <td class="td1" align="center">
       <input class="input_normal"
               type="text"
               name="gprices"
               id="gprices"
               value="<?php echo $Resultset['gprices']; ?>"
               size="10"
               maxlength="7"
               onFocus="this.className='inputact'"
               onBlur="this.className='inputOk'">
      </td>
    </tr>
	<?php } while ($Resultset = $MyDb->f_GetRecord($Result)); ?>
   </table>
  </td>
 </tr>
</table>
<center><input type="image" src="Images/update.gif" name="SubmitForm" border=0></center>
</form>
</body>
</html>

<?php
 // This block runs on every page load, not only after the form is submitted.
 $updateSql = "UPDATE txtprices SET "
 .",rprices=\"".$_POST['rprices']."\""
 .",gprices=\"".$_POST['gprices']."\""
 ." WHERE  = '".$_GET['']."'";
 $MyDb->f_ExecuteSql($updateSql);
?>

Posted: Sun Feb 08, 2004 4:40 pm
by DuFF
The problem is with the WHERE part of the query. Before it wasn't specifying anything, it just said WHERE = '', when it should be more like WHERE id='$id'.

#1. Add in this inside of the form:

Code:

<input type="hidden" name="txtid" value="<?php echo $Resultset['txtid']; ?>">
#2. Change the query to:

Code:

$updateSql = "UPDATE txtprices SET rprices='" . $_POST['rprices'] . "', gprices='" . $_POST['gprices'] . "' WHERE  txtid= '" . $_POST['txtid'] . "'";

Posted: Sun Feb 08, 2004 5:26 pm
by KeithO
I copied and pasted that in, to no avail. I placed the

Code:

<input type="hidden" name="txtid" value="<?php echo $Resultset['txtid']; ?>">
line on the line after the submit button. Is there something else I am missing?

Posted: Sun Feb 08, 2004 5:29 pm
by DuFF
Try seeing what the query looks like. Fill out the form and press submit after replacing the bottom code with:

Code:

<?php
$updateSql = "UPDATE txtprices SET rprices='" . $_POST['rprices'] . "', gprices='" . $_POST['gprices'] . "' WHERE  txtid= '" . $_POST['txtid'] . "'";
echo $updateSql; //ECHO FOR DEBUGGING
$MyDb->f_ExecuteSql($updateSql);
?>
There is probably something wrong with the query.

Posted: Sun Feb 08, 2004 5:38 pm
by KeithO
All that happens is that it refreshes the page. I'm wondering if maybe it's not actually getting to the $updateSql portion.

Posted: Mon Feb 09, 2004 11:15 pm
by KeithO
Help?

Posted: Tue Feb 10, 2004 12:32 am
by Michael 01
It seems that this is like the 5th topic on SQL that involves using $_post variables within the SQL query, so now I am starting to second-guess myself a bit.

Maybe somebody could clear this up for me, but I have been very successful with just using set variables with the addslashes and htmlspecialchars functions, and then placing the variables within the SQL query.

Is there any difference, or should I say, any reason not to do it this way? Has the way that I have been doing it been ruled out in favour of the $_post method because of security concerns? 8O

Posted: Tue Feb 10, 2004 12:38 am
by Michael 01
At any rate, you would be better off just making a single SQL statement in this case, rather than the function sets you have above for the SQL statement. Adding Java into a SQL return probably should not be done either, because there really is nothing defined differently from what a normal HTML drop-down could pull off.

My 2 cents on the problem. :wink:
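DuFF's hidden txtid field and Michael 01's question about addslashes versus other approaches, combined into one added example that is not code from the thread: every row gets inputs keyed by its own txtid (a hidden field placed after the loop reads an empty $Resultset, and same-named inputs let the last row overwrite the others), and the handler only runs on POST, validates the values, and binds parameters instead of concatenating $_POST into the SQL string. It assumes a PDO connection to the thread's txtprices table (columns txtid, rprices, gprices); the connection details are placeholders.

```php
<?php
// Added example, not the thread's code. Assumes PDO and the txtprices table
// (txtid, type, rprices, gprices) from the thread; $MyDb is not used.

// Form side: key each row's inputs on its id and emit the id inside the loop,
// so $_POST['rprices'] arrives as an array indexed by txtid.
function render_row(array $row): string
{
    $id = (int) $row['txtid'];
    $r  = htmlspecialchars((string) $row['rprices'], ENT_QUOTES, 'UTF-8');
    $g  = htmlspecialchars((string) $row['gprices'], ENT_QUOTES, 'UTF-8');
    return "<tr><td>$id</td>"
         . "<td><input type=\"text\" name=\"rprices[$id]\" value=\"$r\" maxlength=\"7\"></td>"
         . "<td><input type=\"text\" name=\"gprices[$id]\" value=\"$g\" maxlength=\"7\"></td></tr>\n";
}

// Handler side: one prepared statement, executed once per submitted row.
// Values are bound, never spliced into the query, so quotes in a price
// field cannot alter the statement. Returns the number of rows changed.
function update_prices(PDO $db, array $post): int
{
    $rp = $post['rprices'] ?? null;
    $gp = $post['gprices'] ?? null;
    if (!is_array($rp) || !is_array($gp)) {
        return 0;                       // not a submission of this form
    }
    $stmt    = $db->prepare('UPDATE txtprices SET rprices = :r, gprices = :g WHERE txtid = :id');
    $price   = '/^\d{1,4}(\.\d{1,2})?$/'; // plain decimal, fits maxlength=7
    $updated = 0;
    foreach ($rp as $id => $r) {
        $g = $gp[$id] ?? null;
        if (!ctype_digit((string) $id) || $g === null
            || !preg_match($price, (string) $r) || !preg_match($price, (string) $g)) {
            continue;                   // skip malformed rows, update the rest
        }
        $stmt->execute([':r' => $r, ':g' => $g, ':id' => (int) $id]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Run the update only on a POST, before the page re-selects the rows to display.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Placeholder DSN and credentials; replace with the real ones from Db\db_connection.php.
    $db = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER',
                  'PASS_PLACEHOLDER', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $changed = update_prices($db, $_POST);
}
```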