Update Query variable issues

migz
Forum Newbie
Posts: 2
Joined: Tue Jul 15, 2008 7:34 pm

Update Query variable issues

Post by migz »

Hi, I am a fairly new PHP programmer and I am baffled by why my update query is not working in updating my database.
The typical form code:

Code:

<form action="editpublisher.php" method="post">
<table width="100%"  border="0" cellspacing="2" cellpadding="1">
<?=$publsher?>
<tr width = "100%" bgcolor="#1589FF" style="font-size: 23px;"><td><b>Edit Publisher</b></td></tr>
<tr><td>Company Name: <input type="text" name="companyname" value="<? echo $row['Companyname']; ?>" maxlength="30" size="30" class="required" style="position: absolute; left:120px;"/></td></tr>
<tr><td>Contact Person: <input type="text" name="contactperson" value="<? echo $row['Contactperson']; ?>" maxlength="50" class="required" style="position: absolute; left:120px;" size="30"/></td></tr>
<tr><td>Street Address: <input type="text" name="streetaddress" value="<? echo $row['Streetaddress']; ?>" maxlength="50" class="required" style="position: absolute; left:120px;" size="30"/></td></tr>
<tr><td>City: <input type="text" size="30" name="city" value="<? echo $row['City']; ?>" maxlength="55" class="required" style="position: absolute; left:120px;"/></td></tr>
<tr><td>State: <input type="text" name="state" value="<? echo $row['State']; ?>" maxlength="30" class="required" style="position: absolute; left:120px;" size="30"/></td></tr>
<tr><td>Zip: <input type="text" name="zip" value="<? echo $row['Zip']; ?>" maxlength="7" style="position: absolute; left:120px;" class="required validate-integer" size="30"/></td></tr>
<tr><td>Phone1: <input type="text" name="phone1" value="<? echo $row['Phone1']; ?>" style="position: absolute; left:120px;" maxlength="14" class="required" size="30"/></td></tr>
<tr><td>Phone2: <input type="text" name="phone2" value="<? echo $row['Phone2']; ?>" style="position: absolute; left:120px;" maxlength="14" size="30"/></td></tr>
<tr><td>User name: <input type="text" name="username" value="<? echo $row['Username']; ?>" maxlength="30" style="position: absolute; left:120px;" class="required" size="30"/></td></tr>
<tr style="position: absolute;"><td>Access Granted?:</td> <td class="radiop"><input type="radio"  name="Yes"/>Yes</td><td class="radiop2"><input type="radio" name="No"/>No</td></tr>
<tr style="position: absolute; top:300px;"><td><input type="submit" name="Submit"/></td></tr>
</table>
</form>
Here is where I think the problem is:

Code:

include('../main/config.php');
$publsher = $_GET['project'];
$query2 = "SELECT * FROM publishers where Companyname='$publsher'";
$result=mysql_query($query2) or die (mysql_error());
$row=mysql_fetch_array($result);
 
if (isset($_POST['Submit'])) {
$companyname=$_POST['companyname'];
$contactperson=$_POST['contactperson'];
$streetaddress=$_POST['streetaddress'];
$city=$_POST['city'];
$state=$_POST['state'];
$zip=$_POST['zip'];
$phone1=$_POST['phone1'];
$phone2=$_POST['phone2'];
$email=$_POST['email'];
$username=$_POST['username'];
$passwordHash = md5($_POST['email']);
 
if(isset($_POST['Yes'])){
$grant=1;
}
else{
$grant=0;
}
$publsher = $publisher;
if(isset($publsher)){
$query="UPDATE publishers SET City = '$city' WHERE Companyname='".$publsher."'";
mysql_query($query) or die(mysql_error());
mysql_query("UPDATE publishers SET Contactperson='$contactperson' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET Streetaddress='$streetaddress' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET State='$state' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET Zip='$zip' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET Phone1='$phone1' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET Phone2='$phone2' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET Username='$username' WHERE Companyname='$publsher'") or die(mysql_error()); 
mysql_query("UPDATE publishers SET Assess='$grant' WHERE Companyname='$publsher'") or die(mysql_error()); 
header("Location: complete.php?id=editpublisher");
}
else{
header("Location: complete.php?id=error");
}
}
In the above script apparently the '$publsher' is not getting the $_GET['project']; variable to work in the update. However I am sure before the if (isset($_POST['Submit'])), the publsher does have the data. Pllleeeeasssseeeee any assistance appreciated.
migz
Forum Newbie
Posts: 2
Joined: Tue Jul 15, 2008 7:34 pm

Re: Update Query variable issues

Post by migz »

Resolved. Had to reassign the $publsher variable to the $_POST['companyname'].
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Update Query variable issues

Post by Benjamin »

Hey there, that's not resolved. That code is vulnerable to SQL injection and isn't written properly.

I would highly recommend that you rewrite it using a single query, add more data validation and protect against injection.

Here is the syntax for updating multiple fields with a single query.

Code:

 
UPDATE table_name SET field1='foo', field2='foo', field3='foo' WHERE record_id = 10;
 
With your code, if someone set $_POST['companyname'] to ' or 0 = '0, all of the records would be updated.

To protect against this you will need to use the mysql_real_escape_string function on all user data used in database queries.
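
The single-query rewrite recommended above, as an added example that is not code from either poster. It binds the values with PDO prepared statements instead of the mysql_real_escape_string call named in the reply (the mysql_* extension was removed in PHP 7). The updatePublisher helper, the in-memory SQLite database standing in for MySQL, and the sample rows are assumptions made so the script runs offline.

```php
<?php
// Added example, not the poster's code. Column names follow the thread;
// the in-memory SQLite database and sample rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE publishers (Companyname TEXT PRIMARY KEY, Contactperson TEXT,
           City TEXT, Zip TEXT, Assess INTEGER)");
$db->exec("INSERT INTO publishers VALUES ('Acme Press','Ann','Austin','73301',0),
           ('Birch Books','Bob','Boston','02108',0)");

// Hypothetical helper: validate the fields, then issue ONE parameterized UPDATE.
// Returns the number of rows changed.
function updatePublisher(PDO $db, string $key, array $post): int
{
    $zip = trim($post['zip'] ?? '');
    if (!preg_match('/^\d{1,7}$/', $zip)) {       // form: validate-integer, maxlength 7
        throw new InvalidArgumentException('zip must be 1-7 digits');
    }
    foreach (['contactperson' => 50, 'city' => 55] as $field => $max) {
        $value = trim($post[$field] ?? '');       // limits taken from the form's maxlength
        if ($value === '' || strlen($value) > $max) {
            throw new InvalidArgumentException("$field is required, max $max chars");
        }
    }
    $stmt = $db->prepare(
        'UPDATE publishers
            SET Contactperson = :contact, City = :city, Zip = :zip, Assess = :grant
          WHERE Companyname = :key'
    );
    $stmt->execute([
        ':contact' => trim($post['contactperson']),
        ':city'    => trim($post['city']),
        ':zip'     => $zip,
        ':grant'   => isset($post['Yes']) ? 1 : 0,
        ':key'     => $key,                        // bound as data, never parsed as SQL
    ]);
    return $stmt->rowCount();
}

$post = ['contactperson' => 'Cara', 'city' => 'Dallas', 'zip' => '75001', 'Yes' => 'on'];
echo updatePublisher($db, 'Acme Press', $post), " row(s) for a real company name\n";
// The value quoted in the reply above is now just a name that matches nothing.
echo updatePublisher($db, "' or 0 = '0", $post), " row(s) for the quoted value\n";
echo $db->query("SELECT City FROM publishers WHERE Companyname = 'Birch Books'")
        ->fetchColumn(), " is still the other row's city\n";
```

Against MySQL only the PDO DSN and credentials change; the statement and the bound parameters stay the same.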