SQL query issue

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

nawhaley
Forum Commoner
Posts: 85
Joined: Wed May 18, 2005 11:43 am

SQL query issue

Post by nawhaley »

Hey, it's me again. I have some odd issues coming up with an SQL query that's acting funny. I'm setting it up so that it pulls the questions up in a drop-down list. Once the question is selected you can edit it, which will fill the text box in the next page with the value selected so you can edit it or change the entire question. The issue appears when you submit the edited question. Once you do, it blanks out that part of the record; HOWEVER, if you go in and do the exact same process now that it's blank and type in the question, it saves it perfectly fine.

Code:

$newquestion = $_POST['newquestion'];        // value typed into the edit form
$originalquestion = $_SESSION['question'];   // value picked from the drop-down on the previous page
// both values go straight into the SQL string, unescaped
$editsql = "UPDATE tblQuestions SET Question ='$newquestion' WHERE Question ='$originalquestion'";
$editresult = odbc_exec($link, $editsql);

This is my code to update the record. From the best I can tell everything is in order, but I cannot explain why it's only updating every other time data is entered. It's just odd.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Maybe it doesn't like that you are using the same field on both sides of the WHERE clause. Why not use the record ID? At any rate, you could have a security problem with just using posted data without any filtering/validation... read through the security forum for details on how to help prevent SQL injection.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Try echoing out $editsql, see if the query looks right.

I agree with feyd on the security issue, but I know that SET foo='' WHERE foo='' is legitimate query syntax, so that's not the problem.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Yeah, I've never had a problem before with using the same field on both sides, but I also don't work with ODBC too often ;)
nawhaley
Forum Commoner
Posts: 85
Joined: Wed May 18, 2005 11:43 am

Post by nawhaley »

Yeah, I can see the injection error happening. I haven't gotten so far as to do security on this thing, which is going to be another nightmare to overcome. I'm not using the same field on both sides because I'm changing it from one value to another value, and using the record ID would require me to do two odbc_exec commands: one to find the record and pull the record ID and the other to insert it, which I suppose is a solution, but it would be easier overall if I could use the two separate values. I mean, I don't fully understand the usefulness of an "update" feature if you can't search for one value and replace it with another.
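The two points raised above (feyd: key the UPDATE on the record ID and don't splice posted data into SQL; nawhaley: that would seem to need a second query to find the ID) can be made concrete. What follows is an added example written for this thread, not code posted by any participant. It assumes tblQuestions has an integer primary-key column named ID (the thread only mentions the Question column) and uses a placeholder DSN and credentials. The ID travels with the form, as the drop-down's option value, so no second lookup query is needed.

```php
<?php
// Added example for this thread, not any participant's code.
// Assumptions: tblQuestions has an integer primary key column ID (not mentioned
// in the thread); the DSN and credentials below are placeholders.

// --- 1. Why the string-built query is dangerous -----------------------------
// The thread's query rebuilt as a function so the resulting SQL can be inspected.
function buildUnsafeUpdate(string $newquestion, string $originalquestion): string
{
    return "UPDATE tblQuestions SET Question ='$newquestion' WHERE Question ='$originalquestion'";
}

// Constructed attacker input (not from the thread). "-- " starts a comment on
// SQL Server, PostgreSQL, SQLite and, with the trailing space, MySQL.
$payload = "pwned' WHERE 1=1 -- ";
echo buildUnsafeUpdate($payload, 'What is PHP?'), "\n";
// UPDATE tblQuestions SET Question ='pwned' WHERE 1=1 -- ' WHERE Question ='What is PHP?'
// The real WHERE clause is commented out, so every row in the table is rewritten.
// A harmless question containing an apostrophe ("What's PHP?") breaks the same way.

// --- 2. Parameterised UPDATE keyed on the record ID -------------------------
function updateQuestionById($link, int $id, string $newquestion): void
{
    // Refuse an empty value outright instead of silently blanking the row.
    if (trim($newquestion) === '') {
        throw new InvalidArgumentException('question must not be empty');
    }
    // odbc_execute() quirk: a parameter that both starts and ends with a single
    // quote is treated as a FILE NAME and the file's contents are sent instead.
    // Reject such values here (PDO_ODBC has no such rule, if switching is an option).
    if (strlen($newquestion) > 1 && $newquestion[0] === "'" && substr($newquestion, -1) === "'") {
        throw new InvalidArgumentException('value would be read as a file name by odbc_execute()');
    }
    // Placeholders: the driver sends the values separately from the SQL text,
    // so quotes, dashes or keywords inside $newquestion are just data.
    $stmt = odbc_prepare($link, 'UPDATE tblQuestions SET Question = ? WHERE ID = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . odbc_errormsg($link));
    }
    if (!odbc_execute($stmt, [$newquestion, $id])) {
        throw new RuntimeException('execute failed: ' . odbc_errormsg($link));
    }
}

// --- 3. Form handling: carry the ID, not the question text -------------------
// The drop-down uses ID as the option value and the question as the label,
// HTML-escaped so a question containing quotes or < cannot break the attribute
// or inject markup into the page.
function renderQuestionOptions($link): string
{
    $html = '';
    $res = odbc_exec($link, 'SELECT ID, Question FROM tblQuestions ORDER BY ID');
    while ($row = odbc_fetch_array($res)) {
        $html .= sprintf("<option value=\"%d\">%s</option>\n",
            (int) $row['ID'], htmlspecialchars($row['Question'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

$link = odbc_connect('MyDSN', 'user', 'secret');   // placeholder connection
if ($link === false) {
    exit('connect failed: ' . odbc_errormsg());
}

// The edit page posts the ID (e.g. as a hidden field) together with the new
// text; no second query to find the ID, and no text-to-text matching.
$id          = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$newquestion = $_POST['newquestion'] ?? '';
if ($id === false || $id === null) {
    http_response_code(400);
    exit('missing or invalid id');
}
try {
    updateQuestionById($link, $id, $newquestion);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}
```

If matching on the old text really is wanted, the same prepared-statement shape works with `UPDATE tblQuestions SET Question = ? WHERE Question = ?` and two parameters; the point is that the values go through placeholders rather than into the SQL string. After an UPDATE, odbc_num_rows() reports affected rows on many drivers but returns -1 on some, so treat it as a hint rather than a guarantee.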
korto
Forum Commoner
Posts: 36
Joined: Thu Aug 18, 2005 6:30 am
Location: Greece

Post by korto »

Perhaps it would be useful to post the part of the code that handles form input.
Are you using a textarea element for editing the question?