Is this a php version issue, and how to fix?

[Shamrox]

I just moved a client from a shared server host to a dedicated server, and in the process the PHP version went from 4 to 5. Most of the pages work, no errors appear but certain values are not passed to links that would show records. In another situation, i have a page that lists all the vendors. It does this correctly, but when you click a link to go to a specific vendor's detail page, the same record loads no matter which vendor you click.  Are there some changes in PHP 5 that would affect this?  I can try to post some examples of the code if that would help, but it's pretty extensive. Thanks for any and all help. 

[kenrbnsn]

This is probably due to register_globals going from enabled to disabled. Please read the [url=http://www.php.net/register_globals]section on register_globals[/url] in the manual.

Ken

[Shamrox]

Ok, that partially fixed things. Thanks!

Now I'm getting a PHP notice error of:
PHP Notice:  Undefined offset:  1 in /var/www/vhosts/domain.com/httpdocs/folder/file.php on line 76

that points to this code. Anything wrong here?
if(isset($_POST['submit_create_record'])){
$varorderdate = preg_split("/(-|\/)/",$_POST['orderdate']);
$varorderdate = $varorderdate[2]."-".$varorderdate[0]."-".$varorderdate[1];
$varinvoicedate = preg_split("/(-|\/)/",$_POST['invoicedate']);
$varinvoicedate = $varinvoicedate[2]."-".$varinvoicedate[0]."-".$varinvoicedate[1];
$varstartdate = preg_split("/(-|\/)/",$_POST['startdate']);
$varstartdate = $varstartdate[2]."-".$varstartdate[0]."-".$varstartdate[1];
$varenddate = preg_split("/(-|\/)/",$_POST['enddate']);
$varenddate = $varenddate[2]."-".$varenddate[0]."-".$varenddate[1];

[wildteen88]

Echo $_POST['orderdate'] variable. What does it contain?

[Shamrox]

Hmmm, i get this error displayed in my browser when I submit.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Training Company','Dirk Digler','[email protected]','400 7th St','Roo' at line 2

[wildteen88]

That is a another issue, Looks like you're not escaping your quotes. The single quotes are breaking your SQL query. Post the relevant code for the error here.

[Shamrox]

line 2 has nothing to do with that. Line to is my include for the database connection.

It seems that all my other issues came from moving from php4 to 5. I had to turn register_globals ON at the server to fix one issue. Would this have anything to do with magic quotes?

[Shamrox]

Ok, here is the code used for the submit of the record. I hope this gives a clue to what's going on.

[code]
if(isset($_POST['submit_create_record'])){
$varorderdate = preg_split("/(-|\/)/",$_POST['orderdate']);
$varorderdate = $varorderdate[2]."-".$varorderdate[0]."-".$varorderdate[1];
$varinvoicedate = preg_split("/(-|\/)/",$_POST['invoicedate']);
$varinvoicedate = $varinvoicedate[2]."-".$varinvoicedate[0]."-".$varinvoicedate[1];
$varstartdate = preg_split("/(-|\/)/",$_POST['startdate']);
$varstartdate = $varstartdate[2]."-".$varstartdate[0]."-".$varstartdate[1];
$varenddate = preg_split("/(-|\/)/",$_POST['enddate']);
$varenddate = $varenddate[2]."-".$varenddate[0]."-".$varenddate[1];

$sql = "SELECT `invoicenumber` FROM `spec_invoice` WHERE `invoicenumber` REGEXP '^" . date('Y') . "[0-9]*$' ORDER BY LENGTH(`invoicenumber`) DESC, `invoicenumber` DESC LIMIT 1;";
$results = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($results) > 0){
$row = mysql_fetch_assoc($results);
$invoicenumber_invoice = substr($row['invoicenumber'], 4);
$invoicenumber_invoice = date('Y').($invoicenumber_invoice+1);
}else{
$invoicenumber_invoice = date('Y')."1";
}
$sql = "SELECT `invoice` FROM `spec_registrar` WHERE `invoice` REGEXP '^" . date('Y') . "[0-9]*$' ORDER BY LENGTH(`invoice`) DESC, `invoice` DESC LIMIT 1;;";
$results = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($results) > 0){
$row = mysql_fetch_assoc($results);
$invoicenumber_registrar = substr($row['invoice'], 4);
$invoicenumber_registrar = date('Y').($invoicenumber_registrar+1);
}else{
$invoicenumber_registrar = date('Y')."1";
}
if($invoicenumber_registrar > $invoicenumber_invoice){
$invoicenumber = $invoicenumber_registrar;
}else{
$invoicenumber = $invoicenumber_invoice;
}
$vendor_stb_po_number = "V".$invoicenumber;
$sql = "INSERT INTO `spec_registrar` ( `registrarid` , `studentid` , `scheduelid` , `clientid` , `clientcontactid` , `stbrepid` , `invoice` , `training_agreement_sent` , `agreement_received` , `order_placed_vendor` , `confirmation_received_vendor` , `confirmation_sent_student` , `invoiced_status` , `old_studentid` , `old_courseid` , `old_scheduleid` , `old_vendorid` , `orderdate` , `invoicedate` , `quantity` , `discount` , `sale_price` , `stb_discount` , `salesterms` , `vendorpromocode`, `stbpromocode`, `vendorlistprice` , `vendororder` , `confirmationnumber` , `paymentmethod` , `cogs` , `comment` , `coursecode` , `vendorname` , `VendorStbPoNumber` , `VendorStbPoDescription` , `VendorStbPoTerms` , `courselength` , `startdate` , `enddate` , `starttime` , `endtime` , `timenotes` , `vendorid` , `billingcompanyname` , `billname` , `billemail` , `billaddress1` , `billaddress2` , `billcity` , `billstate` , `billclientid` , `billcontactid` , `billzip` , `purchase_order` , `contract_number` , `payment_method` , `cc_number` , `approvalcode` , `cc_notes` , `cost_center` , `status` , `lastupdate` )
VALUES(".
"'',". //registrarid
"'" . $_POST['selectstudent'] . "',". //studentid
"'',". //scheduleid
"'" . $_POST['selectclient'] . "',". //clientid
"'" . $_POST['selectclient_contact'] . "',". //clientcontactid
"'" . $_POST['stbrepid'] . "',".
"'" . $invoicenumber . "',". //invoice
"'" . @$_POST['training_agreement_sent'] . "',".
"'" . @$_POST['agreement_received'] . "',".
"'" . @$_POST['order_placed_vendor'] . "',".
"'" . @$_POST['confirmation_received_vendor'] . "',".
"'" . @$_POST['confirmation_sent_student'] . "',".
"'" . @$_POST['invoiced_status'] . "',".
"'',". //old_studentid
"'',". //old_courseid
"'',". // old_scheduleid
"'',". //old_vendorid
"'" . $varorderdate . "',". //orderdate
"'" . $varinvoicedate . "',". //invoicedate
"'" . $_POST['quantity'] . "',". //quantity
"'" . $_POST['discount'] . "',". //discount
"'" . $_POST['sale_price'] . "',". //sale_price
"'" . $_POST['stb_discount'] . "',". //stb_discount
"'" . $_POST['salesterms'] . "',". //salesterms
"'" . $_POST['vendorpromocode'] . "',". //vendor promo code
"'" . $_POST['stbpromocode'] . "',". //stb promo code
"'" . $_POST['vendorlistprice'] . "',". //vendorlistprice
"'',". //vendororder
"'" . $_POST['confirmationnumber'] . "',". //confirmationnumber
//"'" . $_POST['cancellationby'] . "',". //cancelby
//"'" . $_POST['cancellationcomments'] . "',". //cancelcomment
//"'" . $_POST['cancellationdate'] . "',". //canceldate
"'" . $_POST['paymentmethod'] . "',". //paymentmethod
"'" . $_POST['cogs'] . "',". //cogs
"'" . $_POST['comments'] . "',". //comment
"'" . $_POST['coursecode'] . "',". //coursecode
"'" . $_POST['vendor'] . "',". //vendorname
"'" . $vendor_stb_po_number . "',". //VendorStbPoNumber
"'" . $_POST['stb_po_description'] . "',". //VendorStbPoDescription
"'" . $_POST['stb_po_terms'] . "',". //VendorStbPoTerms
"'" . $_POST['courselength'] . "',". //courselength
"'" . $varstartdate . "',". //startdate
"'" . $varenddate . "',". //enddate
"'" . $_POST['starttime'] . "',". //starttime
"'" . $_POST['endtime'] . "',". //endtime
"'" . $_POST['timenotes'] . "',". //timenotes
"'" . $_POST['vendor_id'] . "',". //vendorid
"'" . $_POST['billingcompanyname'] . "',". //billingcompanyname
"'" . $_POST['billingname'] . "',". //billname
"'" . $_POST['billingemail'] . "',". //billemail
"'" . $_POST['billingaddress1'] . "',". //billaddress1
"'" . $_POST['billingaddress2'] . "',". //billaddress2
"'" . $_POST['billingcity'] . "',". //billcity
"'" . $_POST['billingstate'] . "',". //billstate
"'',". //billclientid
"'',". //billcontactid
"'" . $_POST['billingzip'] . "',". //billzip
"'" . $_POST['purchase_order'] . "',". //purchase_order
"'',". //contract_number
"'" . $_POST['paymentmethod'] . "',". //payment_method
"'" . $_POST['cc_number'] . "',". //cc_number
"'" . $_POST['approvalcode'] . "',". //approval code
"'" . $_POST['cc_notes'] . "',". //cc_notes
"'" . $_POST['cost_center'] . "',". //cost_center
"'" . $_POST['registrationstatus'] . "',". //status
"'');"; //lastupdate
$results = mysql_query($sql) or die(mysql_error());
if($results){
$message = "Registrar Created.";
$registrarid = mysql_insert_id();
}else{
$message = "Error Creating Registrar!";
}
[/code]

[wildteen88]

You are putting your POST'd data straight into the database and you are not doing any sort of validation. So your whole site is prone to SQL injection attacks, and yes this is because of magic_quotes (being off).

Do not turn magic quotes on. Leave it off. Look into using mysql_real_escape_string on your user input that you are inserting into your database. This will help to prevent SQL Injection attacks.

[Shamrox]

Like this?

"'" . mysql_real_escape_string($_POST['registrationstatus']) . "',".

[joshi_v]

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
          mysql_real_escape_string($user),
          mysql_real_escape_string($password));