Page 1 of 1

for-if loop. Why does this not work????

Posted: Tue Sep 05, 2006 7:44 pm
by Clukey
This is part of a code for a registration page, and both adults and children, but has different codes for both of them. When I run this code with 2 adults and 2 children it only rarely inserts all four, most of the time its three and sometimes it's only one or two, and I can't figure out why.

Code: Select all

for ($i=1;$i<=$totalPeople;$i++) {
	if ($i<=$numAdults) {
		$adult_child = "adult";
		$fullName = $HTTP_POST_VARS['adultName' . $i];
		$parent_guardian = "";
		$phNum = $HTTP_POST_VARS['adultPhNum' . $i];
		$email = $HTTP_POST_VARS['adultEmail' . $i];
		$address = $HTTP_POST_VARS['adultAddress' . $i];
		$city = $HTTP_POST_VARS['adultCity' . $i];
		$state = $HTTP_POST_VARS['adultState' . $i];
		$zip = $HTTP_POST_VARS['adultZip' . $i];
		$shirtSize = $HTTP_POST_VARS['adultShirtSize' . $i];
		$IdNum;
		for ($y=0; $y<30; $y++) {
			$IdNum .= chr(mt_rand(35, 126));
		}
		$sql2 = sprintf("INSERT INTO people (IdNum, payerIdNum, adultChild, fullName, parentGuardian, phNum, email, address, city, state, zip, shirtSize) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
			GetSQLValueString($IdNum, "text"),
			GetSQLValueString($payerIdNum, "int"),
			GetSQLValueString($adult_child, "text"),
			GetSQLValueString($fullName, "text"),
			GetSQLValueString($parent_guardian, "text"),
			GetSQLValueString($phNum, "text"),
			GetSQLValueString($email, "text"),
			GetSQLValueString($address, "text"),
			GetSQLValueString($city, "text"),
			GetSQLValueString($state, "text"),
			GetSQLValueString($zip, "int"),
			GetSQLValueString($shirtSize, "text"));
		mysql_query($sql2, $RR);
	} else {
		$x = $i - $numAdults;
		$adult_child = "child";
		$fullName = $HTTP_POST_VARS['childName' . $x];
		$parent_guardian = $HTTP_POST_VARS['childParent-guardian' . $x];
		$phNum = $HTTP_POST_VARS['childPhNum' . $x];
		$email = $HTTP_POST_VARS['childEmail' . $x];
		$address = $HTTP_POST_VARS['childAddress' . $x];
		$city = $HTTP_POST_VARS['childCity' . $x];
		$state = $HTTP_POST_VARS['childState' . $x];
		$zip = $HTTP_POST_VARS['childZip' . $x];
		$shirtSize = $HTTP_POST_VARS['childShirtSize' . $x];
		$IdNum;
		for ($z=0; $z<30; $z++) {
			$IdNum .= chr(mt_rand(35, 126));
		}
		$sql2 = sprintf("INSERT INTO people (IdNum, payerIdNum, adultChild, fullName, parentGuardian, phNum, email, address, city, state, zip, shirtSize) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
			GetSQLValueString($IdNum, "text"),
			GetSQLValueString($payerIdNum, "int"),
			GetSQLValueString($adult_child, "text"),
			GetSQLValueString($fullName, "text"),
			GetSQLValueString($parent_guardian, "text"),
			GetSQLValueString($phNum, "text"),
			GetSQLValueString($email, "text"),
			GetSQLValueString($address, "text"),
			GetSQLValueString($city, "text"),
			GetSQLValueString($state, "text"),
			GetSQLValueString($zip, "int"),
			GetSQLValueString($shirtSize, "text"));
		mysql_query($sql2, $RR);
	}
	$IdNum = "";
}

Thanks

Posted: Tue Sep 05, 2006 8:08 pm
by Christopher
What are the values of $totalPeople and $numAdults? Before the loop add:

Code: Select all

echo "totalPeople=$totalPeople, numAdults=$numAdults<br/>";
It could also be that your are not really escaping the values that you are inserting so the SQL my be invalid. Checking for errors after a query is a good practice.

Posted: Tue Sep 05, 2006 9:00 pm
by Clukey
I tried that just now and it says that totalPeople=4 and numAdults=2, but it is still being fickle

and there were no errors in the log

Posted: Wed Sep 06, 2006 2:41 am
by Ollie Saunders
I spent a long time looking over that and the logic seems fine.
Add...

Code: Select all

ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
...to the top of your script and change your query line to...

Code: Select all

mysql_query($sql2, $RR) or die('Query Error: ' . mysql_error($RR) . ' -- ' . $sql2);
...and show us the definition of GetSQLValueString()

Posted: Wed Sep 06, 2006 10:57 pm
by Clukey
I added those codes, and it returned this:
Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '6cByDp:G,@(MA?5aJV7VF(dm', 2147483647, 'adult', 'Adult 1', NULL, '111-111-1111',' at line 1 -- INSERT INTO people (IdNum, payerIdNum, adultChild, fullName, parentGuardian, phNum, email, address, city, state, zip, shirtSize) VALUES ('YRI*t'6cByDp:G,@(MA?5aJV7VF(dm', 2147483647, 'adult', 'Adult 1', NULL, '111-111-1111', '111@111.com', '111 One Lane', 'Wonsville', 'WO', 11111, 'small')
Then I did it again and it returned this:
Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[ZU', 2147483647, 'adult', 'Adult 2', NULL, '222-222-2222', '222@222.com', '222 ' at line 1 -- INSERT INTO people (IdNum, payerIdNum, adultChild, fullName, parentGuardian, phNum, email, address, city, state, zip, shirtSize) VALUES (']?SG:}2@BSwF(2zl/v9fmi)o
For the idNum I have it picking 30 random characters so could that mess it up if it picks like a " or a '??

And what did you mean by "show us the definition of GetSQLValueString()"?

Thanks

Posted: Thu Sep 07, 2006 2:29 am
by Mordred
The way you generate IdNum is not correct, sometimes it adds a quote to the string which breaks the SQL.
Drop this entirely and just use the DB autoincrement feature with an INT index.

Posted: Thu Sep 07, 2006 5:11 am
by Ollie Saunders
use

Code: Select all

mysql_real_escape_string()
to prevent " characters mucking it up. Missing this out it a serious security risk called an SQL Injection vulnerability.
And what did you mean by "show us the definition of GetSQLValueString()"?
This is the definition of a function called addNums

Code: Select all

function addNums($a, $b)
{
    return $a + $b;
}
show me that for GetSQLValueString() :), its likely you will want to put mysql_real_escape_string in there.

Posted: Thu Sep 07, 2006 7:53 am
by feyd
Last I saw, GetSQLValueString was a function supplied by Macromedia Dreamweaver... While I can (barely) understand the wish to use Dreamweaver, their function is quite antiquated.

Posted: Thu Sep 07, 2006 10:37 am
by Clukey
feyd is right it is supplied by dreamweaver I just copied and pasted it into my code, and it is this:

Code: Select all

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
And a note about dreamweaver being antiquated this is dreamweaver v6 so the new ones might be better, but I wouldn't know.

Thanks

Posted: Thu Sep 07, 2006 10:58 am
by Ollie Saunders
try this:

Code: Select all

function GetSQLValueString($v) 
{
    if (is_numeric($v)) {
        // these are added just as they are, only in string form
        $inputDb = (string)$v;
    } else if (is_null($v) or $v === '') {
        // nulls and empty strings are added as SQL NULL literals
        $inputDb = 'NULL';
    } else if (is_string($v)) {
        // a string needed to be quoted and escaped
        $inputDb = '\''. mysql_real_escape_string($v) . '\'';
    } else if (is_bool($v)) {
        // booleans are added as '0' and '1' for portibility
        $inputDb = (string)(int)$v;
    } else if (is_object($v) or (is_array($v))) {
        // objects and arrays are added as escaped, quoted, serialize versions of themselves
        // serialize is a good choice because of __sleep() magic method
        $inputDb = '\''. mysql_real_escape_string(serialize($v)) . '\'';
    } else {
        die('Unhandled type: ' . gettype($v) . ' ' . __FUNCTION__);
    }
}
...you don't need to specify a second argument with this.

Posted: Thu Sep 07, 2006 11:21 am
by Clukey
I just tried adding your GetSQLValueString function and I got rid of the second argument and it returned this error:
Query Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' , , , , , , , , , , )' at line 1 -- INSERT INTO people (IdNum, payerIdNum, adultChild, fullName, parentGuardian, phNum, email, address, city, state, zip, shirtSize) VALUES (, , , , , , , , , , , )
It looks like your function isn't returning anything, is it supposed to have a

Code: Select all

return $inputDb;
at the end of it?

Posted: Thu Sep 07, 2006 11:27 am
by Ollie Saunders
is it supposed to have a

Code: Select all

return $inputDb;
at the end of it?
Yep. That it be.
Sorry I adapted it something else and quickly patched it.

Posted: Thu Sep 07, 2006 11:58 am
by Clukey
Thanks that fixed it, but now that I did that is't giving me a different problem. The following code comes right before the code I posted in my first post, and is the information for the purchaser of the registration and is entered into a different table within the same database. I give the payer an id num called $payerIdNum which I also enter into the registrants records, and it is a 30 digit number, and in the registrants record it is correct, but in the payer's record it is a complety different number, and odly enough it is always the same 10 digit number! Why is this??

Code: Select all

$payerIdNum = "";
for ($i=0; $i<30; $i++) {
	$payerIdNum .= chr(mt_rand(48, 57));
}
	$sql = sprintf("INSERT INTO payers (idNum, fullName, phNum, email, address, city, state, zip, numAdults, numChilds, cardLast4, cardExpM, cardExpY, small, medium, large, xl, 2xl, 3xl, reunionDocumentary, price) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)",
		GetSQLValueString($payerIdNum),
		GetSQLValueString($payerName),
		GetSQLValueString($payerPhNum),
		GetSQLValueString($payerEmail),
		GetSQLValueString($payerAddress),
		GetSQLValueString($payerCity),
		GetSQLValueString($payerState),
		GetSQLValueString($payerZip),
		GetSQLValueString($payerNumAdults),
		GetSQLValueString($payerNumChilds),
		GetSQLValueString($payerCardLast4),
		GetSQLValueString($payerCardExpM),
		GetSQLValueString($payerCardExpY),
		GetSQLValueString($payerSmall),
		GetSQLValueString($payerMedium),
		GetSQLValueString($payerLarge),
		GetSQLValueString($payerXl),
		GetSQLValueString($payer2Xl),
		GetSQLValueString($payer3Xl),
		GetSQLValueString($payerReunionDocumentary),
		GetSQLValueString($amount));
	mysql_query($sql, $RR);
Thanks

Posted: Thu Sep 07, 2006 1:40 pm
by Mordred
Can you explain, in simple terms, why do you insist to have that 30-digit monster for an id? The 4-byte (~12 digits) type INT can hold more than 4000000000 unique ids, do you expect to have more payers (lucky you ;) )? It has the added bonus that the DB will care for making it unique, which is not (theoretically) the case with your random.

$payerIdNum here looks correct, maybe something else happens in the missing code? Unless of course GetSQLValueString() garbles it in some way.

Posted: Thu Sep 07, 2006 2:01 pm
by Clukey
I don't really expect that many payers, I just figured I might as well make it big, and I've never heard that there is a way to make the db care if an id number is unique, that is really what I am looking for so could you please explain how to do that? Thanks