Array Warning: addslashes() expects parameter 1 to be string, array given

[bravo14]

Hi Guys

 

I have a script that I have used before without any issues based on a tutorial.  However when I do Update Cart get the following error

 

Array Warning: addslashes() expects parameter 1 to be string, array given in /home/sites/starkeracing.co.uk/public_html/library/config.php on line 5

 

The form is made up of the following code

<form action="/cart.php?action=update" method="post" name="frmCart" id="frmCart">

 <table width="780" border="0" align="center" cellpadding="5" cellspacing="1" class="entryTable">

  <tr class="entryTableHeader">

   <td colspan="2" align="center">Item</td>

   <td align="center">Unit Price</td>

   <td width="75" align="center">Quantity</td>

   <td align="center">Total</td>

  <td width="75" align="center"> </td>

 </tr>

  <tr class="content">

  <td width="80" align="center"><a href="main.php?c=2&p=1"><img src="img/product/f9bf45f907835051aa131dde0ec00ef8.jpg" border="0"></a></td>

  <td><a href="main.php?c=2&p=1">Soft Shell Jacket</a></td>

   <td align="right">£40.00</td>

  <td width="75"><input name="txtQty[]" type="text" id="txtQty[]" size="5" value="1" class="box" onKeyUp="checkNumber(this);">

  <input name="hidCartId[]" type="hidden" value="15">

  <input name="hidProductId[]" type="hidden" value="1">

  </td>

  <td align="right">£40.00</td>

  <td width="75" align="center"> <input name="btnDelete" type="button" id="btnDelete" value="Delete" onClick="window.location.href='/cart.php?action=delete&cid=15';" class="box">

  </td>

 </tr>

  <tr class="content">

  <td colspan="4" align="right">Sub-total</td>

  <td align="right">£40.00</td>

  <td width="75" align="center"> </td>

 </tr>

<tr class="content">

   <td colspan="4" align="right">Shipping </td>

  <td align="right">£5.00</td>

  <td width="75" align="center"> </td>

 </tr>

<tr class="content">

   <td colspan="4" align="right">Total </td>

     <td align="right">£45.00</td>

  <td width="75" align="center"> </td>

 </tr>  

 <tr class="content">

  <td colspan="5" align="right"> </td>

  <td width="75" align="center">

<input name="btnUpdate" type="submit" id="btnUpdate" value="Update Cart" class="box"></td>

 </tr>

</table>

</form>

The following function is called

if (!get_magic_quotes_gpc()) {

    if (isset($_POST)) {

        foreach ($_POST as $key => $value) {

        echo $value;

            $_POST[$key] =  trim(addslashes($value));

        }

    }

    

    if (isset($_GET)) {

        foreach ($_GET as $key => $value) {

            $_GET[$key] = trim(addslashes($value));

        }

    }    

}

It appears as I have echoed the $value from the get_magic_quotes function that no values are being posted.

 

The following notice is also displayed

1 Notice: Uninitialized string offset: 0 in /home/sites/starkeracing.co.uk/public_html/library/cart-functions.php on line 133 Notice: Uninitialized string offset: 0 in /home/sites/starkeracing.co.uk/public_html/library/cart-functions.php on line 136

Below is the updateCart function that is generating the error above.

function updateCart()

{

    $cartId     = $_POST['hidCartId'];

    $productId  = $_POST['hidProductId'];

    $itemQty    = $_POST['txtQty'];

    $numItem    = count($itemQty);

    $numDeleted = 0;

    $notice     = '';

    

    for ($i = 0; $i < $numItem; $i++) {

        $newQty = (int)$itemQty[$i];

        if ($newQty < 1) {

            // remove this item from shopping cart

            deleteFromCart($cartId[$i]);    

            $numDeleted += 1;

        } else {

            // check current stock

            $sql = "SELECT pd_name, pd_qty

                    FROM tbl_product

                    WHERE pd_id = {$productId[$i]}";

            $result = dbQuery($sql);

            $row    = dbFetchAssoc($result);

            

            if ($newQty > $row['pd_qty']) {

                // we only have this much in stock

                $newQty = $row['pd_qty'];



                // if the customer put more than

                // we have in stock, give a notice

                if ($row['pd_qty'] > 0) {

                    setError('The quantity you have requested is more than we currently have in stock. The number available is indicated in the "Quantity" box. ');

                } else {

                    // the product is no longer in stock

                    setError('Sorry, but the product you want (' . $row['pd_name'] . ') is no longer in stock');



                    // remove this item from shopping cart

                    deleteFromCart($cartId[$i]);    

                    $numDeleted += 1;                    

                }

            }

                            

            // update product quantity

            $sql = "UPDATE tbl_cart

                    SET ct_qty = $newQty

                    WHERE ct_id = {$cartId[$i]}";

                

            dbQuery($sql);

        }

    }

    

    if ($numDeleted == $numItem) {

        // if all item deleted return to the last page that

        // the customer visited before going to shopping cart

        header("Location: $returnUrl" . $_SESSION['shop_return_url']);

    } else {

        header('Location: cart.php');    

    }

    

    exit;

}

[Jacques1]

Where on earth did you dig that script out?

 

This “magic quotes” stuff comes from the early days of PHP and was finally removed around 5 years ago. The whole idea of blindly adding slashes to all input is just nonsense. It's also well-known that addslashes() does not reliably prevent SQL injections, because it fails to take the character encoding into account. That's why back in 2002, the PHP developer added mysql_real_escape_string(). That was 12 years ago! 

 

The whole MySQL extension you're using is obsolete since at least a decade and will be removed in the future.

 

I strongly suggest that you update your PHP and the code. Software definitely doesn't get better over time.

 

Nowadays, we use PDO or MySQLi to access databases: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers

[mac_gyver]

your first error is because you have used array names for some of your form fields, so you are submitting arrays of post variables, not just scaler post variables and that code wasn't designed to handle arrays. whatever code you end up with needs to take into account the structure of the data it is dealing with.

 

in addition to what has already been mentioned about the code, you should only (properly) escape (or cast numerical values) the data as it is being put into the sql query statement (or use prepared queries) so that the original data can be used as is by the rest of the program.

 

i didn't look into the second error since the line number mentioned in the error wasn't identified in the posted code, but this error is probably also related to using array names for the form fields. so, the same comment would apply - whatever code you end up with needs to take into account the structure of the data it is dealing with.

Edited April 11, 2014 by mac_gyver