mrsaywho Posted March 13, 2012 Share Posted March 13, 2012 Hello, this question was already answered on this form but the answer was deleted by admin a year or so ago. anyway, I have an edit items page with multiple images and I do not want to have to relocate all of the images manually but if I do not then an empty variable is passed to mysql, thus deleting my image. What do I need to know to write a code that will not pass an empty variable to my table? Do I use sprint? Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 13, 2012 Share Posted March 13, 2012 I have no idea what you are talking about. Just check the value - if empty then don't process it. There's no need to not pass empty fields. . . . if I do not then an empty variable is passed to mysql, thus deleting my image. The empty value is only passed to MySQL because your code allows it. Quote Link to comment Share on other sites More sharing options...
mrsaywho Posted March 13, 2012 Author Share Posted March 13, 2012 How do I not allow it to pass a empty value??? I know I can't just post the values over through upload forms for safety reasons so I am stuck. <code> <?php require_once('storescripts/connect.php'); mysql_select_db($database_phpimage,$phpimage); $uploadDir = 'upload/'; if(isset($_POST['upload' . $config])) { foreach ($_FILES as $file) { $fileName = $file['name']; $tmpName = $file['tmp_name']; $fileSize = $file['size']; $fileType = $file['type']; if($fileName==""){ $filePath = 'upload/'; } else{ $filePath = $uploadDir . $fileName; } $filePath = str_replace(" ", "_", $filePath); $result = move_uploaded_file($tmpName, $filePath); if(!get_magic_quotes_gpc()) { $fileName = addslashes($fileName); $filePath = addslashes($filePath); } $fileinsert[]=$filePath; } } $mid = mysql_real_escape_string($_POST['mid']); $cat = mysql_real_escape_string($_POST['cat']); $item = mysql_real_escape_string($_POST['item']); $price = mysql_real_escape_string($_POST['price']); $about = mysql_real_escape_string($_POST['about']); $name1=mysql_real_escape_string(basename($_FILES['name1']['name'])); $name2=mysql_real_escape_string(basename($_FILES['name2']['name'])); $name3=mysql_real_escape_string(basename($_FILES['name3']['name'])); $name4=mysql_real_escape_string(basename($_FILES['name4']['name'])); $update = "REPLACE INTO image (mid,cid,item,price,about,name1,name2,name3,name4) VALUES('$mid','$cat','$item','$price','$about','$name1','$name2','$name3','$name4')"; $result = mysql_query($update) or die (mysql_error()); ?> </code> Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 13, 2012 Share Posted March 13, 2012 Again, your request is invalid. The problem is not that the form passes empty values, the problem is that your processing code needs to properly handle the empty values. The only way to prevent empty values from being passed in the POST data would be through JavaScript, which would be a very poor solution. Just change your code to properly handle the empty fields. Also, you are using mysql_real_escape_string() on all the input. Bit, some of those fields appear to be numeric fields, so you should be using the proper methods for those fields instead of mysql_real_escape_string(). $mid = mysql_real_escape_string(trim($_POST['mid'])); $cat = mysql_real_escape_string(trim($_POST['cat'])); $item = mysql_real_escape_string(trim($_POST['item'])); $price = mysql_real_escape_string(trim($_POST['price'])); $about = mysql_real_escape_string(trim($_POST['about'])); //Preprocess the input values to be validated $name2 = mysql_real_escape_string(basename(trim($_FILES['name2']['name']))); $name3 = mysql_real_escape_string(basename(trim($_FILES['name3']['name']))); $name4 = mysql_real_escape_string(basename(trim($_FILES['name4']['name']))); //Create temp vars to gatrher which //fields and values are to tbe updated $nameFields = ''; $nameValues = ''; //Validate the inputs for($i=1; $i<=4; $i++) { $nameIndex = 'name'.$i; $nameValue = mysql_real_escape_string(basename(trim($_FILES[$nameIndex]['name']))); if($nameValue != '') { //If input is not empty add to fields/values vars $nameFields .= ", $nameIndex"; $nameValues .= ", '$nameValue'"; } } //Create the query with only the name fields to be updated $update = "REPLACE INTO image (mid, cid, item, price, about $nameFields) VALUES('$mid', '$cat', '$item', '$price', '$about' $nameValues)"; $result = mysql_query($update) or die (mysql_error()); Quote Link to comment Share on other sites More sharing options...
mrsaywho Posted March 13, 2012 Author Share Posted March 13, 2012 What do you mean? If the form didn't pass any empty values i would have no problem. You can't echo post through upload input so now I have to manually update them to pass the values. The same problem still exists will the solution you offered. Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 13, 2012 Share Posted March 13, 2012 What do you mean? If the form didn't pass any empty values i would have no problem. You can't echo post through upload input so now I have to manually update them to pass the values. The same problem still exists will the solution you offered. The actual code I provided won't work out-of-the-box (I even forgot to remove some lines I had intended to remove). But the logic behind the code is sound. You need to test the POST data and build your query accordingly. You cannot suppress empty fields from being included in the post data. The "REPLACE INTO" is the wrong MySQL statement for what you want to accomplish. A REPLACE into will DELETE the original record and create a new one. So, if the user passed some empty values the REPLACE would empty out those fields unless you actually put something in them. You should be using an INSERT ON DUPLICATE KEY statement. Quote Link to comment Share on other sites More sharing options...
mrsaywho Posted March 14, 2012 Author Share Posted March 14, 2012 ah yes INSERT ON DUPLICATE KEY thanks... So if there is a UNIQUE(a,b) constraint on the table in the example, then the INSERT is equivalent to this UPDATE statement? Something like that? I am brand new to coding so it is taking some time to understand it all. what lines of code would you remove from your example? I can't seem to figure it out. Quote Link to comment Share on other sites More sharing options...
mrsaywho Posted March 14, 2012 Author Share Posted March 14, 2012 So if there is a UNIQUE(a,b) constraint on the table in the example, then the INSERT is equivalent to this UPDATE statement: UPDATE table SET c=c+1 WHERE a=1 AND b=2; (and not "a=1 OR b=2") Quote Link to comment Share on other sites More sharing options...
mrsaywho Posted March 14, 2012 Author Share Posted March 14, 2012 Wait my problem is when I am trying to UPDATE or edit an already existing table row. I have 4 photo files on my edit form. The 4 photos are already in the mysql table. I want to be able to only UPDATE one of the photos. The problem is that the other 3 photos get replaced with an empty value but I want them to stay the same. Quote Link to comment Share on other sites More sharing options...
Psycho Posted March 14, 2012 Share Posted March 14, 2012 Wait my problem is when I am trying to UPDATE or edit an already existing table row. I have 4 photo files on my edit form. The 4 photos are already in the mysql table. I want to be able to only UPDATE one of the photos. The problem is that the other 3 photos get replaced with an empty value but I want them to stay the same. And, I already gave you sample code to show how to do that. anyway, I think this should work. I did not test it - I'll leave that to you. Change your page to only echo the query instead of running it. Also, you didn't state what fields are unique, but you would want to remove those from the UPDATE part of the query. $mid = mysql_real_escape_string(trim($_POST['mid'])); $cat = mysql_real_escape_string(trim($_POST['cat'])); $item = mysql_real_escape_string(trim($_POST['item'])); $price = mysql_real_escape_string(trim($_POST['price'])); $about = mysql_real_escape_string(trim($_POST['about'])); //Create temp vars to gather which //fields and values are to be updated $fields = array(); $values = array(); $updateVals = array(); //Process the inputs for($i=1; $i<=4; $i++) { $fields[$i] = 'name'.$i; $values[$i] = mysql_real_escape_string(basename(trim($_FILES[$fields[$i]]['name']))); if($values[$i] != '') { $updateVals[] = "{$fields[$i]} = '{$values[$i]}'"; } } $updateNames = ''; if(count($updateVals)) { $updateNames = ", " . implode(', ', $updateVals); } //Create the query so all field will be added for new records, //if existing only the name fields with values will be updated $update = "INSERT INTO image (mid, cid, item, price, about, name1, name2, name3, name4) VALUES ('$mid', '$cat', '$item', '$price', '$about', '$values[1]', '$values[2]', '$values[3]', '$values[4]') ON DUPLICATE KEY UPDATE mid = '$mid', cid = '$cat', item = '$item', price = '$price', about = '$about' $updateNames"; $result = mysql_query($update) or die (mysql_error()); Quote Link to comment Share on other sites More sharing options...
mrsaywho Posted March 14, 2012 Author Share Posted March 14, 2012 Well it works perfectly. Thanks to your mind. I could not do it without your help because I don't understand: ' target='_blank'>' target='_blank'> for($i=1; $i<=4; $i++) { $fields[$i] = 'name'.$i; $values[$i] = mysql_real_escape_string(basename(trim($_FILES[$fields[$i]]['name']))); if($values[$i] != '') { $updateVals[] = "{$fields[$i]} = '{$values[$i]}'"; Where is the logic behind ' target='_blank'>' target='_blank'> for($i=1; $i<=4; $i++) [m] I only used the escape_string to allow me to type " ? ' , ; : without throwing any errors. It is proper to not use them at all in my case even though all fields use alphanumerics. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.