Puzzeling Data Entry Problem, Data Inserts On One Computer But Not Another

[TecTao]

I am working with a client, located in another state.  I have written a simple data entry form entering merchants with just a few fields, company name, address, phone, that sort of thing.

 

I've tested it and can enter data with now problem.  My client says they enter information and click the submit button and nothing gets inserted into the database.  He says they are running Window XP which is what I am running.  Obviously I can't watch what they are doing but they say they are doing what is usually done in entering data.

 

I have logged into an admin account and have entered data with no problem.

 

Has anyone every run into this and if so, any ideas what could be going on.

[PFMaBiSmAd]

Your code is doing something that is browser or connection specific. You also need to provide information like - does this involve two different servers (one working - yours and one not - the customer's) or is it one server and it works for your browser and it does not work for the browser/connection that the customer is using. Also, what browser are you using and what is your customer using?

 

Posting your code will get the quickest answer as to what it might be doing that is  browser specific.

[TecTao]

It's a pretty simple insert code, passing the variable from the form.  One server.  I'm using firefox and IE and both work from my end.  here's the code:

 

<?

include("include/db_connect.php");

$m_email=mysql_real_escape_string($_POST['m_email']);
$m_name=mysql_real_escape_string($_POST['m_name']);
$g_id=mysql_real_escape_string($_POST['g_id']);
$g_admin_fname=mysql_real_escape_string($_POST['g_admin_fname']);
$g_admin_lname=mysql_real_escape_string($_POST['g_admin_lname']);
$g_name=mysql_real_escape_string($_POST['g_name']);
$m_id=mysql_real_escape_string($_POST['m_id']);
$m_name=mysql_real_escape_string($_POST['m_name']);
$m_company=mysql_real_escape_string($_POST['m_company']);
$m_address1=mysql_real_escape_string($_POST['m_address1']);
$m_address2=mysql_real_escape_string($_POST['m_address2']);
$m_city=mysql_real_escape_string($_POST['m_city']);
$m_state=mysql_real_escape_string($_POST['m_state']);
$m_zip=$_POST['m_zip'];
$m_phone=$_POST['m_phone'];
$m_fax=$_POST['m_fax'];
$m_mainCat2=mysql_real_escape_string($_POST['m_mainCat2']); 
$m_subCat2=mysql_real_escape_string($_POST['m_subCat2']);
$m_mem_assoc=$_POST['m_mem_assoc'];
$maj_retailer=$_POST['maj_retailer'];
$time = time();
mysql_query(" INSERT INTO users (  username, password, userid, userlevel, email, timestamp, g_id, g_admin_fname, g_admin_lname,g_name, m_id, m_name, 
m_company, m_address1, m_address2, m_city, m_state, m_zip, m_phone, m_fax, m_mainCat2, m_subCat2, m_mem_assoc, maj_retailer, m_datein) VALUES (  
'$m_id', '$m_id', '0', '1', '$m_id', '$time', '$g_id', '$g_admin_fname', '$g_admin_lname', '$g_name', '$m_id', '$m_name', '$m_company ', '$m_address1', '$m_address2', '$m_city', '$m_state', '$m_zip', '$m_phone', '$m_fax', '$m_mainCat2', '$m_subCat2', '$m_mem_assoc', '$maj_retailer', NOW())");

?>

[PFMaBiSmAd]

Your code is not escaping all the data values being put into the query, so some of the data they are trying to insert could be breaking the query syntax and causing the query to fail.

 

A) You must escape all string data put into a query that could contain sql special characters or could be used for sql injection,

B) Real life application code must have error checking (check if something like a query worked or failed), error reporting/logging (output a meaningful user message and log everything possible about the failure so that you can find and fix the problem), and error recover (take an appropriate action when something fails.)

[TecTao]

I think I understand.

Regarding Point A

 

Most of the variables passed use the mysql_real_escape_string and there are 5 that do not.  I didn't pass them using the mysql_real_escape_string because they are number or numbers separated with a hyphen, two are codes that pass only a single numeric variable.

 

This could have a bearing on the insert?

 

Regarding Point B, can you refer me to a link with example code?

 

Thanks for your insight...

[PFMaBiSmAd]

because they are number or numbers separated with a hyphen, two are codes that pass only a single numeric variable.

 

Yes, but how do you know the customer isn't entering them in the form with quotes around them or in them or with tab characters, newlines or some other special characters? You cannot trust ALL external data, even if the customer entering that data has no harmful motives, and must validate it and escape it before putting it into a query.

 

As to examples of error checking, error reporting/logging, and error recovery, I have not seen any because you do exactly what those three things state. Php functions that can fail return a FALSE status when they fail. You must test for that. Outputting a meaningful user message is just an echo statement inside of the conditional statement that is testing for the FALSE value, telling the user that the code could not complete the intended operation. Php has several methods to log information, but the most useful is the error_log function as you can use it to write anything you want to anywhere you want (I recommend writing to a log file you create.) Log the mysql_error() and the exact query that was being executed, along with all the other who, what, when, where information that is available that would help find and fix the problem.  Error recovery just means that you use logic to prevent code from being executed that depends on the results in a previous step that failed.

 

Since your code does not have any form of error checking and error reporting/logging, it is not telling you why it is failing, so it is going to be a little hard for anyone in a forum to tell you exactly why it is failing either. Best guess based on what you have posted is what makes me think the query is failing due to something in the pieces of data that are not being escaped.

[TecTao]

Thanks, I understand what you are saying on all point.  The point about not knowing what the viewer is inserting is right on target.  I'll correct and research the error logging.  You are absolutely right, if I have not way of seeing why then I'm just bumping around in the dark.