UPDATING null into MySQL

[hungryOrb]

So, hmm.. I'd like to UPDATE a datetime field ONLY IF the database holds "" null already. This works using the checkbox. However, if I do not tick the checkbox, then it tries to update the datetime field in the database with "" null. This gives the error:

 

Error: Incorrect datetime value: '' for column 'Started' at row 1

 

Of course it is correct, "" is not a correct datetime value. Does anyone know how I can simply get it to do nothing if the 'Started' box is not checked?

 

cod:

 

<?php
include("functionlibrary.php");
include("menu.php");
connect();
mysql_select_db("itdb");

// After selecting DB, some database field's values are put into vars. **
$started_query = mysql_query("SELECT Started FROM jobs
WHERE
`ID`='".$_POST["id"]."'");
$query_row = mysql_fetch_array($started_query, MYSQL_ASSOC);

IF (($_POST['started'] == "chk") && ($query_row['Started'] == ""))
	{ 
	$started_store = date('Y-m-d H:i:s');
	}ELSE
	{
	}
// Checks if Box is checked AND(&&) if database has no value in that field already. 
// ---------------------- Start Update ----- 
$sql="UPDATE jobs SET Priority='".$_POST["priority"]."', `IT Staff`='".$_POST["itstaff"]."', `Started`='".$started_store."'
WHERE
`ID`='".$_POST["id"]."'";

// echo $sql."\n<br>\n<br>";
if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
echo "<font color=\"green\"><br><br>1 record amended";
mysql_close();

?>

 

Thankyou in advance and kisses.

[hungryOrb]

I have also tried the:

 

IF (($_POST['started'] == "chk") && ($query_row['Started'] == ""))
	{ 
	$started_store = date('Y-m-d H:i:s');
	}ELSE{
	$started_store = NULL;
	}

 

approach, which gives the same error  ???  ....

[hungryOrb]

Shameless bump & btw:

 

Does anyone know how to affect an included .php with a css? If the stylesheet is simply included shouldn't it affect all body/head/etc?

[hungryOrb]

No-one knows about or? Its too simple? 

[MmmVomit]

Great googly moogly, man!  Filter your data!

 

// After selecting DB, some database field's values are put into vars. **
$started_query = mysql_query("SELECT Started FROM jobs
WHERE
`ID`='".$_POST["id"]."'");

[hungryOrb]

NO! I don't know what you mean by that as well! 

[MmmVomit]

RULE #0) Never use any raw user submitted data in any output. Ever.

 

"Any output" includes all sql queries.  Even if you're only running a select query, you have to consider the text of the query as output to the database.  The piece of code I quoted is open to sql injection attacks.

 

Filtering data simply means putting it through a series of checks to make sure that it is safe to be used in sql queries or output as html.  It should be standard practice.  A good approach would be something this.

 

<?php

// this array is for storing filtered data
// it will eventually have an element corresponding to every element in $_POST
$clean = Array()
$sqldata = Array() // contains escaped output for use in queries

if(isset($_POST['username']))
{
  if($_POST['username'] != '')
  {
    if(preg_match(CONST_REGEX, $_POST['username']))
    {
      if(...   )
      {
        $clean['username'] = $_POST['username'];
        $sqldata['username'] = mysql_real_escape_string($clean['username']);
        $html['username'] = htmlentities($clean['username']);
      }
    }
  }
}

// from this point forward you don't touch $_POST
// you only use $clean, $sqldata, and $html

?>

 

In the filtering process, you can check the value of $clean['username'] and set $sqldata['username'] accordingly so that it will drop into your sql statement correctly.

[hungryOrb]

I see, thankyou Vomit ;] (brings such a pleasant image... ._.)

 

I definetly needed to know that, although, in this case it doesn't matter, because the site im putting together is just something that will be used internally in a company, and not open to the outside www.