Mysql DB --> PHP problem

andycain
Forum Newbie
Posts: 19
Joined: Thu Jul 31, 2008 5:21 pm

Post by andycain »

Hi Guys.

I have a bit of script that reads a text string from a database and outputs it to a form which is dynamically generated by my PHP script. This is to allow users to update their contact information if there are any errors.

Problem I am having is that if there is a space or any whitespace in one of the fields in the database then the script will only output the first 'chunk' of data before it moves onto the next column. I have considered removing the whitespace as it is input but I would prefer to give my users the choice.

For example....

name field on db = 'smith a'

outputted field on html form = 'smith'

It's as though it's truncating it as soon as it sees some whitespace.

I'm using mysql_fetch_row.

Any assistance would be appreciated.

Code below.

Code:

<?php
 
$db = mysql_connect('localhost', 'DBLOGIN', 'DBPASSWORD') or die('Could not connect.');
if(!$db) 
    die('no db');
if(!mysql_select_db('DBNAME',$db))
    die('No database selected.');
    
$id = $_GET['id'];
 
$query = "SELECT RANK, NAME, MOBILE, EMAIL, id FROM NCO_contact WHERE ID = $id";
 
$dataraw = mysql_query($query);
 
while($data = mysql_fetch_row($dataraw)) {
 
echo "
<form id='editdetails' method='post' action='edit.php'>
  <p>
    <label>Rank</label>
  </p>
  <p>
    <select name='rank' id='rank'>
      <option value='$data[0]' selected='selected'>$data[0]</option>
      <optgroup label='NCOs'>
      <option value='Cpl'>Corporal</option>
      <option value='Sgt'>Sergeant</option>
      <option value='FS'>Flight Sergeant</option>
      <option value='CWO'>CWO</option>
      <optgroup label='Staff'>
      <option value='CI'>CI</option>
      <option value='Plt Off'>Plt Off</option>
      <option value='Fg Off'>Fg Off</option>
      <option value='Flt Lt'>Flt Lt</option>
    </select>
  </p>
  <p>
    <label>Surname</label>
  </p>
  <p>
    <input type='text' name='name' id='name' value=$data[1] />
  </p>
  <p>
    <label>Mobile Number</label>
  </p>
  <p>
    <input type='text' name='mobile' id='mobile' value=$data[2] />
  </p>
  <p>
    <label>MSN / Email Address</label>
  </p>
  <p>
    <input type='text' name='email' id='email' value='$data[3]'/>
  </p>
  <p>
    <input type='submit' name='edit' id='edit' value='Update details' />
  </p>
  <input type='hidden' name='id' id='id' value='$id' />
</form>
 
</body>
";
} 
?>
Thanks guys. :banghead:
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Mysql DB --> PHP problem

Post by VladSun »

You should surround the variable in quotes when outputting it in HTML:

Code:

<input type='text' name='mobile' id='mobile' value=$data[2] />
=>

Code:

<input type='text' name='mobile' id='mobile' value='$data[2]' />
Also, there are too many vulnerabilities in your code - SQL injection, XSS etc.

Sanitize the user input before using it!
There are 10 types of people in this world, those who understand binary and those who don't
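
Added example, not code from any poster in this thread: an unquoted attribute value ends at the first whitespace, so `value=smith a` gives the browser the value `smith` and a stray attribute `a`. Quoting the attribute fixes the truncation, and escaping the data with `htmlspecialchars()` and `ENT_QUOTES` keeps a quote or angle bracket in the database from closing the attribute, which addresses the XSS point as well. The helper names `h()` and `text_input()` and the sample rows are assumptions made for this illustration.

```php
<?php
// Added example; the rows below are constructed sample data, not from the thread.

/** Escape a string for a quoted HTML attribute value or a text node. */
function h(string $value): string
{
    // ENT_QUOTES converts both ' and ", so the data cannot end the attribute early.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build a text input whose value keeps whitespace, quotes and angle brackets. */
function text_input(string $name, string $value): string
{
    return sprintf(
        "<input type='text' name='%s' id='%s' value='%s' />",
        h($name),
        h($name),
        h($value)
    );
}

// Same column order as the thread's SELECT: RANK, NAME, MOBILE, EMAIL.
$rows = [
    ['Sgt', 'smith a', '07700 900123', 'a.smith@example.com'],
    ['CI', "o'neil <jr>", '07700 900456', 'j.oneil@example.com'],
];

foreach ($rows as $data) {
    echo text_input('name', $data[1]), "\n";
    echo text_input('mobile', $data[2]), "\n";
    echo text_input('email', $data[3]), "\n\n";
}
```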
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Mysql DB --> PHP problem

Post by jaoudestudios »

Well there could be a few reasons. Are the white spaces being saved in the database correctly?

Your html is incorrect! value=$value should be value='$value'. If you want to be perfect then all that will be in double quotes, so break out of the double quotes for the php variable.
i.e. ".... value='".$value."'......."; // much more efficient

NB: your sql is not secure, but that's another story.
andycain
Forum Newbie
Posts: 19
Joined: Thu Jul 31, 2008 5:21 pm

Re: Mysql DB --> PHP problem

Post by andycain »

Yer I imagine there would be.

I'm pretty new to PHP. Any general tips on how to protect from SQL injection attacks?
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: Mysql DB --> PHP problem

Post by jaoudestudios »

VladSun you beat me to it :lol:

I would get it working first, then worry about security. We pointed it out so you would bear it in mind for the near future.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Mysql DB --> PHP problem

Post by VladSun »

andycain wrote: Yer I imagine there would be.

I'm pretty new to PHP. Any general tips on how to protect from SQL injection attacks?
Sorry, but I have to say it - use google ;)
google for:

PHP SQL injection
PHP XSS
PHP security
There are 10 types of people in this world, those who understand binary and those who don't
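
Added example for the SQL injection question asked in this thread, not code from any poster: the id is validated as a positive integer and then bound to a placeholder in a PDO prepared statement, so it is never concatenated into the SQL text the way `$id` is in the original query. The `mysql_*` functions used in the original script were removed in PHP 7.0. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, the rows and input values are constructed, and `find_contact()` is a hypothetical helper name.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL server so the
// script runs offline; with MySQL the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and rows using the thread's column names.
$pdo->exec('CREATE TABLE NCO_contact (
    id INTEGER PRIMARY KEY, RANK TEXT, NAME TEXT, MOBILE TEXT, EMAIL TEXT)');
$insert = $pdo->prepare(
    'INSERT INTO NCO_contact (RANK, NAME, MOBILE, EMAIL) VALUES (?, ?, ?, ?)');
$insert->execute(['Sgt', 'smith a', '07700 900123', 'a.smith@example.com']);
$insert->execute(['Cpl', 'jones b', '07700 900456', 'b.jones@example.com']);

/** Return the contact row for $rawId, or null if the id is invalid or unknown. */
function find_contact(PDO $pdo, $rawId): ?array
{
    // Accept only a positive integer; anything else never reaches the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The placeholder sends $id as data, separate from the SQL text.
    $stmt = $pdo->prepare(
        'SELECT RANK, NAME, MOBILE, EMAIL, id FROM NCO_contact WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET['id'].
foreach (['1', '2', '99', '1 OR 1=1', 'abc', ''] as $rawId) {
    $row = find_contact($pdo, $rawId);
    printf("%-12s => %s\n", var_export($rawId, true),
        $row ? implode(' | ', $row) : 'no row');
}
```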
andycain
Forum Newbie
Posts: 19
Joined: Thu Jul 31, 2008 5:21 pm

Re: Mysql DB --> PHP problem

Post by andycain »

Thanks for your help guys. :D