Page 1 of 1

SQL query issue

Posted: Wed Aug 17, 2005 9:21 am
by nawhaley
Hey its me again I have some odd issues coming up with an SQL query thats acting funny. I'm setting it up to where it pulls the questions up in a drop down list. Once the question is selected you can edit it which will fill the text box in the next page with the value selected so you can edit it or change the entire question. The issue appears when you submit the edited question. Once you do it blanks out that part of the record HOWEVER if you go in and do the exact same process now that its blank and type in the question it saves it perfectly fine.

Code: Select all

$newquestion = $_POST['newquestion'];
 $originalquestion = $_SESSION['question'];
 $editsql = "UPDATE tblQuestions SET Question ='$newquestion' WHERE Question ='$originalquestion'";
 $editresult = odbc_exec($link,$editsql);
this is my code to update the record from the best I can tell everything is in order but I cannot explain why its only updating every other time data is entered its just odd.

Posted: Wed Aug 17, 2005 9:26 am
by feyd
maybe it doesn't like that you are using the same field on both sides of the WHERE clause. Why not use the record ID? At any rate, you could have a security problem with just using posted data without any filtering/validation ... read through the security forum for details on how to help prevent SQL injection.

Posted: Wed Aug 17, 2005 9:28 am
by nielsene
Try echoing out $editsql, see if the query looks right.

I agree with feyd on the security issue, but I know that the SET foo='' WHERE foo='' is a legitimate query syntax so that's not the problem.

Posted: Wed Aug 17, 2005 9:32 am
by feyd
yeah, I've never had a problem before with using the same field on both sides, but I also don't work with ODBC too often ;)

Posted: Thu Aug 18, 2005 7:30 am
by nawhaley
yeah I can see the injection error happening I havent gotten so far as to do security on this thing which is going to be another nightmare to overcome. I'm not using the same field on both sides because I'm changing it from one value to another value and using the record ID would require me to do two odbc_exec commands one to find the record and pull the record ID and the other to insert it which I suppose is a solution but it would be easier overall if I could use the two seperate values. I mean I dont fully understand the usefulness of a "update" feature if you cant search for one value and replace it with another.

Posted: Thu Aug 18, 2005 8:14 am
by korto
perhaps it would be useful to post the part of code that handles form input.
Are using a textarea element for editing the question?