slove05

Members, 14 posts

Everything posted by slove05

  1. I was originally using a prepared statement and only switched to PDO at mac_gyver's urging. Is a mysqli prepared statement enough to overcome SQL injection vulnerabilities? I had the update function working with the following:

     ```php
     if (isset($_POST['create'])) {
         $title     = $_POST['title'];
         $date      = $_POST['date'];
         $time      = $_POST['time'];
         $descrip   = $_POST['descrip'];
         $presenter = $_POST['presenter'];
         $id        = $_POST['id'];

         $statement = $con->prepare("UPDATE events SET title=?, date=?, time=?, descrip=?, presenter=? WHERE id=?");
         // bind parameters for markers, where (s = string, i = integer, d = double, b = blob)
         $statement->bind_param('sssssi', $title, $date, $time, $descrip, $presenter, $id);
         $results = $statement->execute();
         if ($results) {
             print 'Success! record updated';
         } else {
             // the connection object is $con; $mysqli is not defined in this script
             print 'Error : (' . $con->errno . ') ' . $con->error;
         }
     }
     ```

     I assume this is open to attack because I am posting the id in a hidden field?
  2. Ok, I have the error reporting giving me a better idea of what is erroring out. I am now getting the following error message.

     ```text
     Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Event with Upload edit, 2015-02-03, 11:00:00, Testing the event with upload. Mak' at line 1' in /home/content/60/8676960/html/membersadmin/edit_test.php:31
     Stack trace:
     #0 /home/content/60/8676960/html/membersadmin/edit_test.php(31): mysqli->prepare('UPDATE events S...')
     #1 {main}
       thrown in /home/content/60/8676960/html/membersadmin/edit_test.php on line 31
     ```

     Lines 30 and 31 look as follows.

     ```php
     $sql = "UPDATE events SET $title, $date, $time, $descrip, $presenter WHERE id = '{$id}')";
     $stmt = $con->prepare($sql);
     ```

     The form I have to process looks like this...

     ```html
     <form method="POST" action="<?php echo basename($_SERVER['PHP_SELF']); ?>" enctype="multipart/form-data">
     <?php if (mysqli_num_rows($result) > 0) {?>
     <?php while($row = mysqli_fetch_assoc($result)) {;?>
         <input type="text" name="id" id="id" value="<?php echo $row['id']?>" />
         <p>
             <label for="title">Event Title:</label>
             <input type="text" name="title" id="title" value="<?php echo $row['title']?>">
         </p>
         <p>
             <label for="date">Date:</label>
             <input type="text" name="date" id="date" value="<?php echo $row['date']?>"> please format YYYY-MM-DD<p>
             <label for="time">Time:</label>
             <input type="text" name="time" id="time" value="<?php echo $row['time']?>" > please format HH:MM:SS<p>
             <label for="descrip">Description:</label>
             <input type="text" name="descrip" id="descrip" value="<?php echo $row['descrip']?>">
         <p>
             <input type="text" name="presenter" id="presenter" value="<?php echo $row['presenter']?>">
         </p>
         <input type="submit" name="create" value="create">
         </p>
     <?php }/*End Loop*/ ?>
     <?php } else { ?>
         <h2>Nothing to display.</h2>
     <?php }/*End Rows Checking*/ ?>
     </form>
     ```

     My statement preparation looks as follows.

     ```php
     if (isset($_POST['create'])) {
         $id        = $_POST['id'];
         $title     = $_POST['title'];
         $date      = $_POST['date'];
         $time      = $_POST['time'];
         $descrip   = $_POST['descrip'];
         $presenter = $_POST['presenter'];
         try {
             $sql = "UPDATE events SET $title, $date, $time, $descrip, $presenter WHERE id = '{$id}')";
             $stmt = $con->prepare($sql);
             $stmt->execute();
             echo $stmt->rowCount() . " records UPDATED successfully";
         } catch(PDOException $e) {
             echo $sql . "<br>" . $e->getMessage();
         }
     }
     ```

     It is telling me my syntax is not correct, but I do not see why. I am obviously new, so help with my Update statement is what I believe I need help with now.
  3. Sorry, edit: it gave me this error: object(mysqli)#1 (0) { } mysqli_prepare() failed:
  4. I fixed that and added var_dump($con); directly after $stmt = mysqli_prepare($con, $sql); which gave me this... which I assume means my database is not connected?
  5. I am wanting to update some information in my events using a prepared statement, but my mysqli_prepare fails. I think I am missing something silly. Below is the code I am running.

     ```php
     if (isset($_POST['create'])) {
         $title     = $_POST['title'];
         $date      = $_POST['date'];
         $time      = $_POST['time'];
         $desc      = $_POST['desc'];
         $presenter = $_POST['business'];
         $id        = $_POST['id'];
         $sql = "UPDATE events SET title=?, date=?, time=?, desc=? presenter=? WHERE id=?)";
         $stmt = mysqli_prepare($con, $sql);
         if ( false===$stmt ) {
             die('mysqli_prepare() failed: ' . htmlspecialchars($mysqli->error));
         }
         mysqli_stmt_bind_param($con, "sssssi", $title, $date, $time, $desc, $presenter, $id);
         mysqli_stmt_execute($stmt);
         echo "Success";
     }
     ```

     The error message I receive is "mysqli_prepare() failed:". Any guidance or better error checking would be appreciated.
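The hidden id field (post 1), the UPDATE syntax error (post 2) and the empty "mysqli_prepare() failed:" message (post 5), as one added example that is the editor's code, not slove05's. The empty message comes from reading $mysqli->error when the connection variable is $con; with mysqli_report() set to throw, a bad statement (the missing comma before presenter=?, the stray ")" after id=?, and desc, which is a reserved word in MySQL and needs backticks) surfaces as an exception carrying the server's own message. Binding values through placeholders is what stops SQL injection, including through the hidden id field: a bound value can never change the structure of the statement. What binding cannot do is decide whether this visitor may edit that id, so the example keeps a login check in front of the update. The $_SESSION['admin'] flag, the column names and the connection credentials are assumptions.

```php
<?php
// Added example (editor's code, not from the thread): mysqli prepared UPDATE
// with error reporting enabled. Assumes table events(id, title, date, time,
// descrip, presenter), a session flag $_SESSION['admin'] set at login, and
// the connection credentials below.
declare(strict_types=1);

// Every mysqli failure becomes a mysqli_sql_exception carrying the server's
// message, instead of prepare() quietly returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();
if (empty($_SESSION['admin'])) {           // assumed login flag for membersadmin/
    http_response_code(403);
    exit('Login required');
}

$con = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');   // assumed credentials
$con->set_charset('utf8mb4');

if (isset($_POST['create'])) {
    // The hidden id field is client-controlled like every other POST field.
    // The placeholder below already stops injection through it; validating
    // it as a positive integer just rejects garbage with a clear message.
    $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid event id');
    }

    $date = $_POST['date'] ?? '';
    $time = $_POST['time'] ?? '';
    // The form asks for YYYY-MM-DD and HH:MM:SS; enforce it here instead of
    // relying on the server's sql_mode to reject a malformed date or time.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date) || !preg_match('/^\d{2}:\d{2}:\d{2}$/', $time)) {
        http_response_code(400);
        exit('Date must be YYYY-MM-DD and time HH:MM:SS');
    }
    $title     = $_POST['title'] ?? '';
    $descrip   = $_POST['descrip'] ?? '';
    $presenter = $_POST['presenter'] ?? '';

    // Column names stay in the SQL text; only values go through placeholders.
    // SET needs column = value pairs, which is why "SET $title, $date, ..."
    // is a syntax error even before the quoting problems.
    $stmt = $con->prepare(
        'UPDATE events SET title = ?, date = ?, time = ?, descrip = ?, presenter = ? WHERE id = ?'
    );
    // Type string: s = string, i = integer; one letter per placeholder, in order.
    $stmt->bind_param('sssssi', $title, $date, $time, $descrip, $presenter, $id);
    $stmt->execute();

    // affected_rows is 0 when the id does not exist or nothing changed,
    // so "no exception" is not the same as "row updated".
    if ($stmt->affected_rows === 1) {
        echo 'Success! record updated';
    } else {
        echo 'No row updated (unknown id, or no field changed)';
    }
    $stmt->close();
}
```

If the site later needs per-user ownership rather than a single admin flag, the ownership column belongs in the WHERE clause as a second bound parameter; the value pattern stays the same.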
  6. Oh my land after HOURS of reading it totally clicked and I have the code working flawlessly. Thank you so much requinix for pointing me in the correct direction, showing me the value of prepared statements. I would not have done any of that without your urging.
  7. Ah yes, and now I am back in "I have no idea what you are talking about" land. I have not used switch before and have no idea where I would even put the code. I would assume I would add...

     ```php
     $file_error = $_FILES['image']['error'];
     ```

     to the following... or does it replace that completely with the rest of the code you suggested.

     ```php
     $errors= array();
     $file_name = $_FILES['image']['name'];
     $file_size =$_FILES['image']['size'];
     $file_tmp =$_FILES['image']['tmp_name'];
     $file_type=$_FILES['image']['type'];
     $file_ext=strtolower(end(explode('.',$_FILES['image']['name'])));
     ```
  8. 1. The insert happens on line 46.
     2. You are correct that I receive an error about an invalid extension when the upload is left blank. I assumed (because I have little experience with mysqli and php) this would be an if else statement: if there is if(isset($_FILES['image'])){ then run $sql, if not run $sql2. From your statement I see that this is not the case at all. So, to clarify my question, could I have some guidance as to how I would modify the code to accept an empty upload?
  9. I have a form that adds an event to my database. It collects some basic information as well as allowing me to upload an image/pdf. This works flawlessly as long as there is an image/pdf to upload, but I would also like it to allow the image fields to be left null if there is no image. I am just beginning in mysqli and think the solution is something along the lines of an if else statement, but am unfamiliar enough to not be sure where this should occur. Below is the code I am using.

     ```php
     if (isset($_POST['create'])) {
         $title     = $_POST['title'];
         $date      = $_POST['date'];
         $time      = $_POST['time'];
         $desc      = $_POST['desc'];
         $presenter = $_POST['business'];
         $picname   = $_POST['picname'];
         $size      = $_POST['size'];
         $type      = $_POST['type'];
         $path      = $_POST['path'];

         if(isset($_FILES['image'])){
             $errors= array();
             $file_name = $_FILES['image']['name'];
             $file_size =$_FILES['image']['size'];
             $file_tmp =$_FILES['image']['tmp_name'];
             $file_type=$_FILES['image']['type'];
             $file_ext=strtolower(end(explode('.',$_FILES['image']['name'])));
             $expensions= array("jpeg","jpg","pdf");
             if(in_array($file_ext,$expensions)=== false){
                 $errors[]="extension not allowed, please choose a JPEG or pdf file.";
             }
             if($file_size > 2097152){
                 $errors[]='File size must be under 2 MB';
             }
             if(empty($errors)==true){
                 move_uploaded_file($file_tmp,"upload/".$file_name);
             }else{
                 print_r($errors);
             }
         }
         $sql = "INSERT INTO events VALUES(id, '{$title}', '{$date}', '{$time}', '{$desc}', '{$presenter}', '{$file_name}', '{$file_size}', '{$file_type}')";
         mysqli_query($con, $sql) or die (mysqli_error($con));
         echo "Success";
     }
     ```

     I would think after the last { I would create an else statement similar to what I am posting below.

     ```php
     } else{
         $sql2 = "INSERT INTO events VALUES(id, '{$title}', '{$date}', '{$time}', '{$desc}', '{$presenter}', 'NULL', 'NULL', 'NULL')";
         mysqli_query($con, $sql2) or die (mysqli_error($con));
         echo "Success";
     }
     ```

     However, I know this returns an error relating to the first error check in the file upload. Do I just need to switch the statements around? Any guidance would be appreciated.
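Posts 7 to 9 above (the switch on the upload error code and the NULL columns for a missing file), as one added example that is the editor's code, not slove05's. $_FILES['image'] is set even when the file field is left empty, so isset() cannot tell the two cases apart; the error code can, and UPLOAD_ERR_NO_FILE is the "leave the columns null" case. One prepared INSERT then serves both paths, because a PHP null bound to a placeholder is sent as SQL NULL, whereas the quoted 'NULL' in $sql2 would store the four-character string. The extension check is replaced by sniffing the uploaded bytes with finfo, since both the extension and $_FILES['image']['type'] are chosen by the client, and the file is stored under a random name in a directory the web server does not serve. The column names picname, size and type, the upload directory and the credentials are assumptions.

```php
<?php
// Added example (editor's code, not from the thread): optional file upload
// handled safely, with NULL file columns when nothing was sent. Assumes a form
// field <input type="file" name="image">, a private upload directory (below),
// a table events(id, title, date, time, desc, presenter, picname, size, type)
// and the connection credentials in the constructor call.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');   // assumed credentials
$con->set_charset('utf8mb4');

const UPLOAD_DIR    = __DIR__ . '/../upload_private';   // assumed; outside the web root
const MAX_UPLOAD    = 2097152;                           // 2 MB, the limit from the post
const ALLOWED_TYPES = [                                  // sniffed MIME type => stored extension
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/**
 * Validate one entry of $_FILES. Returns [stored name, size, mime] for a kept
 * file, [null, null, null] when no file was sent, and throws on a bad upload.
 */
function handle_optional_upload(array $file): array
{
    // The error code, not isset(), distinguishes "no file" from "broken upload".
    switch ($file['error']) {
        case UPLOAD_ERR_NO_FILE:
            return [null, null, null];
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('File size must be under 2 MB');
        default:
            throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    if ($file['size'] > MAX_UPLOAD) {
        throw new RuntimeException('File size must be under 2 MB');
    }
    // Never trust $_FILES['image']['type'] or the user-supplied extension:
    // both come from the client. Sniff the bytes that actually arrived.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed, please choose a JPEG or pdf file.');
    }
    // Random stored name: the client cannot choose the path, inject "../",
    // or overwrite someone else's upload. The original name stays in the DB only.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store upload');
    }
    return [$stored, (int) $file['size'], $mime];
}

if (isset($_POST['create'])) {
    try {
        // Missing key (e.g. form without enctype) is treated the same as "no file".
        [$picname, $size, $type] = handle_optional_upload($_FILES['image'] ?? ['error' => UPLOAD_ERR_NO_FILE]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage()));
    }

    $title     = $_POST['title'] ?? '';
    $date      = $_POST['date'] ?? '';
    $time      = $_POST['time'] ?? '';
    $desc      = $_POST['desc'] ?? '';
    $presenter = $_POST['business'] ?? '';

    // One statement for both cases: a PHP null bound here is sent as SQL NULL.
    // `desc` is a reserved word in MySQL and must be quoted as an identifier.
    $stmt = $con->prepare(
        'INSERT INTO events (title, date, time, `desc`, presenter, picname, size, type)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssssis', $title, $date, $time, $desc, $presenter, $picname, $size, $type);
    $stmt->execute();
    echo 'Success';
}
```

Serving a stored file back later should go through a PHP script that reads it from UPLOAD_DIR and sets the Content-Type from the stored mime value, rather than exposing the directory directly.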