JerryTellez Posted November 11, 2021 (edited)

I'm not a PHP expert, quite new. It is a reservation system; it was previously built on 5.6 and the server owner just decided to update to MariaDB 10 and PHP 7.3 without giving notice. The mysqli errors have been fixed and all the queries should be connected correctly. However, there is this persistent issue that was not present before the update: clients try to make a One Way reservation (value 1 in $id_traslado) but the data is not sent and stored in the DB so admins can see the reservation, but if clients do a Round Trip reservation (value 2 in $id_traslado) it works perfectly. I don't get any errors in the error log but I cannot seem to find the issue.

This is the file where clients submit their info; $iGuardo checks if a reservation was successfully saved and should receive a 1 value.

```php
<?php
$Total = 0;
if ($_POST['idTarifa'] != 0) {
    $dt = new reg_DeTarifas($_POST['idTarifa']);
    $reg_Paquetes = new reg_Paquetes($dt->getId_paquete());
    $reg_Traslados = new reg_Traslados($dt->getId_traslado());
    $reg_Aeropuertos = new reg_Aeropuertos($dt->getId_lugar_origen());
    $reg_Lugares = new reg_Lugares($dt->getId_lugar_destino());
    if ($dt->getId_paquete() == 1) {
        $Total = ($dt->getCosto()) * ($_POST['iPasajeros']);
    }
}

$mr = new reg_MaResevaciones();
$mr->setNombre($_POST['TxtNombre']);
$mr->setPaterno($_POST['TxtPaterno']);
$mr->setDireccion($_POST['TxtDireccion']);
$mr->setCiudad($_POST['TxtCiudad']);
$mr->setEstado($_POST['TxtEstado']);
$mr->setCP($_POST['TxtCP']);
$mr->setPais($_POST['TxtPais']);
$mr->setTelefono($_POST['TxtTelefono']);
$mr->setCelular($_POST['TxtCelular']);
$mr->setCorreo($_POST['TxtEmail']);
$mr->setId_tarifa($_POST['idTarifa']);
$mr->setOtherAirport($_POST['SAirport']);
$mr->setIdPaquete($_POST['idPaquete']);
$mr->setIdTraslado($_POST['idTraslado']);
$mr->setIdHotel($_POST['idHotel']);
$mr->setAerolinea($_POST['TxtAerolinea']);
$mr->setNo_vuelo($_POST['TxtNoVuelo']);
$HoraFormateada = date('H:i:s', strtotime($_POST['TxtHora']));

// Return-trip fields; the form does not send these for a one-way trip (idTraslado = 1)
if (isset($_POST['TxtNoches'])) { $TxtNoches = $_POST['TxtNoches']; } else { $TxtNoches = 0; }
if (isset($_POST['TxtFechaSalida'])) { $TxtFechaSalida = $_POST['TxtFechaSalida']; } else { $TxtFechaSalida = null; }
if (isset($_POST['TxtAerolineaSalida'])) { $TxtAerolineaSalida = $_POST['TxtAerolineaSalida']; } else { $TxtAerolineaSalida = ''; }
if (isset($_POST['TxtNoVueloSalida'])) { $TxtNoVueloSalida = $_POST['TxtNoVueloSalida']; } else { $TxtNoVueloSalida = 0; }
if (isset($_POST['TxtHoraSalida'])) {
    $TxtHoraSalida = date('H:i:s', strtotime($_POST['TxtHoraSalida']));
} else {
    $TxtHoraSalida = null;
}

$mr->setHora_vuelo($HoraFormateada);
$mr->setNo_noches($TxtNoches);
$mr->setFecha_salida($TxtFechaSalida);
$mr->setAerolinea_salida($TxtAerolineaSalida);
$mr->setNo_vuelo_salida($TxtNoVueloSalida);
$mr->setHora_vuelo_salida($TxtHoraSalida);
$mr->setInfo_adicional($_POST['TxtInfo']);
$mr->setPasajeros($_POST['iPasajeros']);
$mr->setPeticiones_adicionales($_POST['TxtInfoA']);
$mr->setFecha_llegada($_POST['TxtFecha']);
$mr->setTipo($_POST['Tipo']);
$mr->setTotal($_POST['hidTotal']);

$VIP_Service = 0;
if (isset($_POST['cmbVIP']) && $_POST['cmbVIP'] == 1) {
    if (isset($_POST['cerv']) && $_POST['cerv'] > 0) {
        $VIP_Service = $_POST['cerv'];
    } elseif (isset($_POST['ref']) && $_POST['ref'] > 0) {
        $VIP_Service = $_POST['ref'];
    } elseif (isset($_POST['vino']) && 0 < $_POST['vino']) {
        $VIP_Service = $_POST['vino'];
    }
}
if (isset($_POST['cmbGrocery'])) $cmbGrocery = $_POST['cmbGrocery']; else $cmbGrocery = 0;
$mr->setVip($VIP_Service);
$mr->setGrocery($cmbGrocery);
$mr->setTipoCobro($_POST['cmbTipoCobro']);

// guardar() returns the new reservation id, or 0 on failure
$iGuardo = $mr->guardar();

$to = $_POST['TxtEmail'];
$from = "MAILHERE";
$subject = "Reservation Request Received " . $mr->getNombre() . " " . $mr->getPaterno();
$body = '
<html>
#MAIL BODY NO ISSUES HERE
</html>
';
$body2 = '
<html>
#MAIL BODY NO ISSUES HERE
</html>
';
$to = preg_replace("([\r\n])", "", $to);
$from = preg_replace("([\r\n])", "", $from);
$subject = preg_replace("([\r\n])", "", $subject);
$match = "/(bcc:|cc:|content\-type:)/i";
if (preg_match($match, $from) || preg_match($match, $subject) || preg_match($match, $body)) {
    die("Header injection detected.");
}
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= "From: " . $from . "\r\n";
$headers .= "Reply-to: " . $from . "\r\n";
$headers .= 'Content-Type: text/html; charset="iso-8859-1"' . "\r\n";
$headers .= 'X-Mailer: PHP/' . phpversion() . "\r\n";
// send mail
//if(*mail($to,$subject,$body,$headers)){
if (mail($to, $subject, $body, $headers)) {
    #EMAILS ARE SENT HERE WITHOUT PROBLEM
}

if (isset($_POST['hidTotal']) && !empty($_POST['hidTotal']) && strlen(trim($_POST['hidTotal'])) > 1) {
    $precio = base64_encode(trim($_POST['hidTotal']));
    $idres = base64_encode($iGuardo);
    $sCodedTF = hash('sha256', hash('sha256', 'a1b2c3d4e5' . base64_encode(base64_encode($precio)) . 'a1b2c3d4e5'));
    $sCodedIR = hash('sha256', hash('sha256', 'f6g7h8i9j0' . base64_encode(base64_encode($idres)) . 'f6g7h8i9j0'));
}

if ($VIP_Service != 0) {
    include("Connection/nrc.php");
    $sqlvip = "INSERT INTO de_vip (res,vip1,vip2,vip3,cant1,cant2,cant3) VALUES (" . $iGuardo . "," . $_POST['cerv'] . "," . $_POST['ref'] . "," . $_POST['vino'] . "," . $_POST['marcerv'] . "," . $_POST['marref'] . "," . $_POST['marvin'] . ");";
    // mysqli_error() requires the connection as its argument: mysqli_error($nrc)
    $resvip = mysqli_query($nrc, $sqlvip) or die(mysqli_error());
}

if (($iGuardo == 0) || ($iGuardo == NULL)) {
?>
<script type="text/javascript">
window.location="error.php";
</script>
<?
    header("Location:error.php");
} else {
    if ($mr->getTipoCobro() != 1) {
        echo "";
?>
<script type="text/javascript">
window.location="success.php?true=1";
</script>
<?
        header("Location:success.php?true=1");
    } else
?>
<script type="text/javascript">
window.location="<? echo "final.php?true=1&w=" . $sCodedTF . '&m=' . $precio . '&v=' . $sCodedIR . '&a=' . $idres; ?>";
</script>
<?
}
}
```

Here is the file that has the function that gets the reservation saved in the DB [guardar()]. There are no issues if id_traslado is 2, but if it is 1, it seems to not save the submitted info correctly.

```php
<?php
public function guardar() {
    if (null != $this->getFecha_salida() || '00/00/0000' != $this->getFecha_salida()) {
        $salida = date('Y-m-d', strtotime($this->getFecha_salida()));
    } else {
        $salida = '0000-00-00';
    }
    if (null != $this->getFecha_llegada()) {
        $llegada = date('Y-m-d', strtotime($this->getFecha_llegada()));
    } else {
        $llegada = '0000-00-00'; // originally assigned $salida, which left $llegada undefined
    }
    if ($this->getHora_vuelo('H:i:s') == null) {
        $hora_vuelo = "'NULL'"; // the four-character string 'NULL', not an SQL NULL
    } else {
        $hora_vuelo = "'" . $this->getHora_vuelo() . "'";
    }
    if ($this->getHora_vuelo_salida('H:i:s') == null) {
        $hora_vuelo_salida = "'NULL'"; // likewise a quoted string, not SQL NULL
    } else {
        $hora_vuelo_salida = "'" . $this->getHora_vuelo_salida() . "'";
    }

    if ($this->getId() > 0) { # if the condition is met, do an update on the cat_Lugares table
        $mysqli = new mysqli("localhost", "root", "????", "niceridecabo");
        $sql = "UPDATE ma_reservaciones SET nombre='" . $this->getNombre() . "', paterno='" . $this->getPaterno() . "', materno='" . $this->getMaterno() . "', direccion='" . $this->getDireccion() . "', ciudad='" . $this->getCiudad() . "', estado='" . $this->getEstado() . "', cp='" . $this->getCP() . "', pais='" . $this->getPais() . "', telefono='" . $this->getTelefono() . "', celular='" . $this->getCelular() . "', correo='" . $this->getCorreo() . "', id_tarifa=" . $this->getId_tarifa() . ", aerolinea='" . $this->getAerolinea() . "', no_vuelo='" . $this->getNo_vuelo() . "', hora_vuelo=" . $hora_vuelo . ", no_noches='" . $this->getNo_noches() . "', fecha_salida='" . $salida . "', aerolinea_salida='" . $this->getAerolinea_salida() . "', no_vuelo_salida='" . $this->getNo_vuelo_salida() . "', hora_vuelo_salida=" . $hora_vuelo_salida . ", info_adicional='" . $this->getInfo_adicional() . "', pasajeros=" . $this->getPasajeros() . ", peticiones_adicionales='" . $this->getPeticiones_adicionales() . "', fecha_llegada='" . $llegada . "', OtherAirport='" . $this->getOtherAirport() . "', IdPaquete=" . $this->getIdPaquete() . ", IdTraslado=" . $this->getIdTraslado() . ", IdHotel=" . $this->getIdHotel() . ", vip=" . $this->getVip() . ", total=" . $this->getTotal() . ", id_tipocobro=" . $this->getTipoCobro() . ", pagado=" . $this->getPagado() . ", grocery=" . $this->getGrocery() . " WHERE id_reservacion = " . $this->getId() . ";";
        if ($mysqli->multi_query($sql)) {
            $this->setMsg('La reservacion se modifico correctamente.');
            return 1;
        } else {
            $this->setMsg('Error al modificar la reservacion.');
            return 0;
        }
    } else { # otherwise, do an insert into the cat_Lugares table
        $mysqli = new mysqli("localhost", "root", "????", "niceridecabo");
        $sql = "INSERT INTO ma_reservaciones (nombre,paterno,materno,direccion,ciudad,estado,cp,pais,telefono,celular,correo,id_tarifa,aerolinea,no_vuelo,hora_vuelo,no_noches,fecha_salida,aerolinea_salida,no_vuelo_salida,hora_vuelo_salida,info_adicional,pasajeros,peticiones_adicionales,fecha_llegada,OtherAirport,IdPaquete,IdTraslado,IdHotel,tipo,total,fec_creacion,id_tipocobro,grocery,vip) VALUES ('" . $this->getNombre() . "','" . $this->getPaterno() . "','" . $this->getMaterno() . "','" . $this->getDireccion() . "','" . $this->getCiudad() . "','" . $this->getEstado() . "','" . $this->getCP() . "','" . $this->getPais() . "','" . $this->getTelefono() . "','" . $this->getCelular() . "','" . $this->getCorreo() . "'," . $this->getId_tarifa() . ",'" . $this->getAerolinea() . "','" . $this->getNo_vuelo() . "'," . $hora_vuelo . "," . $this->getNo_noches() . ",'" . $salida . "','" . $this->getAerolinea_salida() . "','" . $this->getNo_vuelo_salida() . "'," . $hora_vuelo_salida . ",'" . $this->getInfo_adicional() . "'," . $this->getPasajeros() . ",'" . $this->getPeticiones_adicionales() . "','" . $llegada . "','" . $this->getOtherAirport() . "'," . $this->getIdPaquete() . "," . $this->getIdTraslado() . "," . $this->getIdHotel() . ",'" . $this->getTipo() . "'," . $this->getTotal() . ",sysdate()," . $this->getTipoCobro() . "," . $this->getGrocery() . "," . $this->getVip() . ");";
        if ($mysqli->multi_query($sql)) {
            $this->setMsg('Reservation request received successfully.');
            return $mysqli->insert_id;
        } else {
            $this->setMsg('Something wrong happened while making the reservation.');
            return 0;
        }
    }
}
```

Edited November 11, 2021 by Barand
Barand Posted November 11, 2021

Two suggestions.

1. Stop creating a new mysql connection every time you want to execute a query. Just connect once for each page.
2. Stop using multi_query() - use query()
mac_gyver Posted November 11, 2021 (Solution) (edited)

It's possible that some of the data values that are not present for a one-way trip don't have an acceptable default value and/or are not allowed to be a null value in the database table definition, and the database server mode is now set to strict mode, which will cause an error for those columns, rather than truncating data to the nearest min/max value.

> 11 hours ago, JerryTellez said:
> I don't get any errors in the error log

This code doesn't have any (useful) error handling for the database statements that can fail, and the one place it does have some won't work, because the connection variable is missing from the mysqli_error(...) call.

The easiest way of adding error handling for all the database statements, without adding logic at each statement, is to use exceptions for database statement errors and in most cases let PHP catch and handle the exception, where PHP will use its error related settings to control what happens with the actual error information (database statement errors will get displayed/logged the same as PHP errors.) To use exceptions for errors for the mysqli extension, add the following line of code before the point where you make the one/single/first connection -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

I hope that this code is just part of an assignment and is not on a live/public server, because it has no protection against SQL special characters in the data values from breaking the SQL query syntax, which is how SQL injection is accomplished. You should be using prepared queries when supplying external, unknown, dynamic values to a query when it gets executed.

Edited November 11, 2021 by mac_gyver
JerryTellez (Author) Posted November 11, 2021

> 31 minutes ago, mac_gyver said:
> It's possible that some of the data values that are not present for a one-way trip don't have an acceptable default value and/or are not allowed to be a null value in the database table definition, and the database server mode is now set to strict mode, which will cause an error for those columns, rather than truncating data to the nearest min/max value.
>
> This code doesn't have any (useful) error handling for the database statements that can fail, and the one place it does have some won't work, because the connection variable is missing from the mysqli_error(...) call. The easiest way of adding error handling for all the database statements, without adding logic at each statement, is to use exceptions for database statement errors and in most cases let PHP catch and handle the exception, where PHP will use its error related settings to control what happens with the actual error information (database statement errors will get displayed/logged the same as PHP errors.) To use exceptions for errors for the mysqli extension, add the following line of code before the point where you make the one/single/first connection - mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
>
> I hope that this code is just part of an assignment and is not on a live/public server, because it has no protection against SQL special characters in the data values from breaking the SQL query syntax, which is how SQL injection is accomplished. You should be using prepared queries when supplying external, unknown, dynamic values to a query when it gets executed.

Thank you, it turns out strict mode got enabled in MariaDB after the update; after disabling it through the terminal and restarting SQL it now saves data correctly. I will also follow the suggestions made to improve the code!
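An added example, not code from the thread, that puts Barand's and mac_gyver's suggestions together and shows why the one-way case failed under strict mode: one connection per request, mysqli_report() so a failed INSERT surfaces as an exception instead of a silent 0, a prepared INSERT that binds real SQL NULLs for the return-trip columns a one-way reservation does not have (the original sends the string 'NULL' and '0000-00-00', which strict mode rejects for TIME/DATE columns), and a query that reads the session sql_mode so you can confirm what the server is enforcing rather than guessing. The table name ma_reservaciones and the column names come from the thread; the reduced column list, the app_user credentials, the placeholder password and the sample POST data are assumptions constructed for this example.

```php
<?php
// Added example (not the thread's code). Assumes table ma_reservaciones from the thread
// with nullable fecha_salida / hora_vuelo_salida columns; credentials are placeholders.
declare(strict_types=1);

// Turn every mysqli failure into a mysqli_sql_exception (mac_gyver's suggestion),
// set once, before the first and only connection of the request.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // One connection per request (Barand's suggestion). Assumed, least-privilege DB user;
    // never connect as root from a web application.
    $db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'niceridecabo');
    $db->set_charset('utf8mb4');
    return $db;
}

function currentSqlMode(mysqli $db): string
{
    // Shows whether STRICT_TRANS_TABLES / STRICT_ALL_TABLES is active for this session.
    $row = $db->query('SELECT @@SESSION.sql_mode AS m')->fetch_assoc();
    return (string) $row['m'];
}

/**
 * Insert a reservation with a prepared statement. For a one-way trip (idTraslado = 1)
 * the return-trip columns are bound as SQL NULL, which strict mode accepts on a
 * nullable column, unlike the quoted string 'NULL' or the date '0000-00-00'.
 * Returns the new id_reservacion.
 */
function guardarReservacion(mysqli $db, array $r): int
{
    $oneWay = ((int) $r['idTraslado'] === 1);

    $fechaSalida = ($oneWay || empty($r['TxtFechaSalida']))
        ? null : date('Y-m-d', strtotime($r['TxtFechaSalida']));
    $horaSalida = ($oneWay || empty($r['TxtHoraSalida']))
        ? null : date('H:i:s', strtotime($r['TxtHoraSalida']));
    $noches = $oneWay ? 0 : (int) ($r['TxtNoches'] ?? 0);

    $fechaLlegada = date('Y-m-d', strtotime($r['TxtFecha']));
    $horaVuelo    = date('H:i:s', strtotime($r['TxtHora']));
    $idTarifa     = (int) $r['idTarifa'];
    $idTraslado   = (int) $r['idTraslado'];
    $pasajeros    = (int) $r['iPasajeros'];
    $total        = (float) $r['hidTotal'];

    // Placeholders instead of string concatenation: user input can no longer alter the SQL.
    $sql = 'INSERT INTO ma_reservaciones
              (nombre, paterno, correo, id_tarifa, IdTraslado, pasajeros,
               fecha_llegada, hora_vuelo, fecha_salida, hora_vuelo_salida, no_noches, total, fec_creacion)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW())';
    $stmt = $db->prepare($sql);
    // A PHP null bound with type 's' is sent to the server as SQL NULL.
    $stmt->bind_param(
        'sssiiissssid',
        $r['TxtNombre'], $r['TxtPaterno'], $r['TxtEmail'],
        $idTarifa, $idTraslado, $pasajeros,
        $fechaLlegada, $horaVuelo, $fechaSalida, $horaSalida, $noches, $total
    );
    $stmt->execute();
    return (int) $db->insert_id;
}

// Constructed sample POST for a one-way trip: no TxtFechaSalida / TxtHoraSalida / TxtNoches.
$post = [
    'TxtNombre' => 'Ana', 'TxtPaterno' => 'Lopez', 'TxtEmail' => 'ana@example.com',
    'idTarifa' => 3, 'idTraslado' => 1, 'iPasajeros' => 2,
    'TxtFecha' => '12/01/2021', 'TxtHora' => '14:30', 'hidTotal' => '120.00',
];

try {
    $db = connect();
    error_log('sql_mode: ' . currentSqlMode($db));
    $id = guardarReservacion($db, $post);
    // continue with the confirmation e-mail / redirect using $id
} catch (mysqli_sql_exception $e) {
    // With MYSQLI_REPORT_STRICT the real server error (for example an
    // "Incorrect time value" from strict mode) reaches the log instead of
    // guardar() quietly returning 0 and the request redirecting to error.php.
    error_log('reservation failed: ' . $e->getMessage());
    header('Location: error.php');
    exit;
}
```

Binding NULL for the absent columns fixes the one-way case without loosening the server: turning strict mode off, as done in the thread, makes MariaDB silently coerce bad values again for every table, so malformed data is stored instead of being reported. Keep strict mode on, make the return-trip columns nullable (or give them defaults) in the table definition, and let the exception log tell you exactly which column the server rejected.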