What's being invisibly entered here?

Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

What's being invisibly entered here?

Post by Addos »

Something that has been puzzling me and I wonder if anybody can let me know what’s happening.

In my MySQL database I have the values in a specific field set to ‘null’ so that if an entry is made without a value sent to the database it will automatically set this to ‘null’. However, when I run the following code my database shows a ‘blank’ field when I view this under phpMyAdmin, when I expect to see ‘Null’ in italics. The field in phpMyAdmin looks empty when I click to view it and I cannot see any white space that might have been added by the query below.

Can anyone point out what’s invisibly being sent to the database?

Thanks

Code:

<?php
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  // Build the INSERT statement from the submitted textarea value
  $insertSQL = sprintf("INSERT INTO news (details) VALUES ('%s')",
                       $_POST['details']);
  // ... (the rest of the handler is not shown in the post)
}
?>

<form enctype="multipart/form-data" method="post" name="form1" action="<?php echo $editFormAction; ?>">
    Details:<textarea name="details" cols="50" rows="5"></textarea>
    <input type="submit" value="Insert record">
    <input type="hidden" name="MM_insert" value="form1">
</form>
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Re: What's being invisibly entered here?

Post by shiznatix »

An empty string will override the null you have set up. So if you just click submit without putting anything into the field, it will still save just the empty string to the database, not a "null" for the field.

On a side note, you really really really need to look into using the function mysql_real_escape_string() on all variables that you put into a query. Look into SQL Injection for reasons why.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: What's being invisibly entered here?

Post by s.dot »

Yeah, null and empty strings are different.

Try this code and you'll see:

Code:

<?php

class test
{
    private $_var;

    public function show()
    {
         return $this->_var;
    }

    public function __set($var, $value)
    {
        $this->$var = $value;
    }
}

$test = new test();
var_dump($a = $test->show()); //should show null

$test->_var = '';
var_dump($a = $test->show()); //should show string
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
jimthunderbird
Forum Contributor
Posts: 147
Joined: Tue Jul 04, 2006 3:59 am
Location: San Francisco, CA

Re: What's being invisibly entered here?

Post by jimthunderbird »

> On a side note, you really really really need to look into using the function mysql_real_escape_string() on all variables that you put into a query. Look into SQL Injection for reasons why.

Yes, your code is not secure and is vulnerable to SQL injection attacks; you should consider filtering it.
Also, if you know the input text is empty, maybe just don't execute the insert SQL at all.
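
Added example (not part of any post in this thread): one way to address both points raised above, storing a real NULL when the textarea is submitted empty and keeping user input out of the SQL text by using a bound parameter. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; insertNews() is a hypothetical helper name, and the sample submissions are constructed.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the poster's MySQL server; insertNews() is a
// hypothetical helper. Table and column names (news.details) are from the post.

function insertNews(PDO $db, ?string $details): void
{
    // A submitted-but-empty textarea arrives as '' (never as null), so the
    // column default is not used unless '' is mapped to a real NULL here.
    $value = ($details === null || $details === '') ? null : $details;

    // Bound parameter: the value travels separately from the SQL text, so
    // quotes in user input cannot change the statement.
    $stmt = $db->prepare('INSERT INTO news (details) VALUES (:details)');
    $type = ($value === null) ? PDO::PARAM_NULL : PDO::PARAM_STR;
    $stmt->bindValue(':details', $value, $type);
    $stmt->execute();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, details TEXT DEFAULT NULL)');

// Constructed sample submissions standing in for $_POST['details'].
$samples = ['', "It's a headline with a quote", 'Plain text'];
foreach ($samples as $posted) {
    insertNews($db, $posted);
}

// The first row comes back as NULL, the others as the exact strings submitted.
foreach ($db->query('SELECT id, details FROM news ORDER BY id') as $row) {
    var_dump($row['details']);
}
```

With MySQL the same code applies after changing the DSN passed to the PDO constructor; mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.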