Fermac

  1. 2 different sections of code needed fixed for the cart to work correctly.

     Firstly, the displaying of the cart was not selecting any of the items from the database that were associated with the cart ID. It was re-written to select only the details needed to keep code to a minimum and also to be a lot cleaner with correct error debugging.

     Secondly, the updating of the cart when the "Update" button was pressed. It was taking the long way around a short simple task, it was performing updates on items that hadn't changed quantities, it was re-written as follows:

       - Quantities are changed to between 0-10 and update is submitted.
       - Script checks to see which quantities have changed (if any).
       - If there are changes to the quantities, the script selects which items have been changed.
       - It then loops through all of the quantity changes and either removes the row (if the value is 0) or updates the row (if the value is 1 or more).
  2. Hi all, thanks for your help, this has now been resolved.
  3. Hi, I've taken over a website which worked on the previous hosting but has a specific part of the site no longer working on my host. I have posted about it here: http://forums.phpfreaks.com/topic/281566-possible-sql-injection-error/ so you might be able to get at least a sense of how much work is involved. Would appreciate anyone contacting me by Skype: john_ferris or by email: john@fermacconsulting.com and let me know your hourly rate. Thanks
  4. Guru, this was a copy and paste from the original source code. I'm happy to pay someone to have a look at this, so maybe best I post on the freelance page.
  5. Okay, here's the shopping cart page in its entirety:

         <?php
         include 'include/functions.php';

         $colname_rsOrderInformation = "-1";
         if (isset($_SESSION['cartId'])) {
           $colname_rsOrderInformation = $_SESSION['cartId'];
         }
         mysql_select_db($database_conDB, $conDB);
         $query_rsCartInformation = sprintf("SELECT * FROM tabCart WHERE cartId = %s", GetSQLValueString($colname_rsOrderInformation, "int"));
         $rsCartInformation = mysql_query($query_rsCartInformation, $conDB) or die(mysql_error());
         $row_rsCartInformation = mysql_fetch_assoc($rsCartInformation);
         $totalRows_rsCartInformation = mysql_num_rows($rsCartInformation);
         ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml">
         <head>
         <link rel="shortcut icon" href="favicon.ico" />
         <link href="main.css" rel="stylesheet" type="text/css"/>
         <style type="text/css">
         .slideshow { height:319px; width:476px; margin-right:0px; margin-bottom:0px; z-index:0; background-color: #fff;}
         .slideshow img { height: 319px !important; width: 476px !important; padding-left: 0px; }
         </style>
         <!-- include jQuery library -->
         <script type="text/javascript" src="include/jquery.min.js"></script>
         <!-- include Cycle plugin -->
         <script type="text/javascript" src="include/java.js"></script>
         <script type="text/javascript">
         $(document).ready(function() {
             $('.slideshow').cycle({
                 fx: 'fade' // choose your transition type, ex: fade, scrollUp, shuffle, etc...
             });
         });
         </script><?php if (!isset($_SESSION['memUsername'])) {?>
         <script type="text/javascript">
         function changeToPassword(){
             document.getElementById("txtLogPassword").type = "password";
             document.getElementById("txtLogPassword").value = ""
         }
         function resetPassword() {
             if (document.getElementById("txtLogPassword").value == "") {
                 document.getElementById("txtLogPassword").type = "text";
                 document.getElementById("txtLogPassword").value = "Password";
             }
         }
         </script>
         <?php }?>
         <script type="text/javascript">
           var _gaq = _gaq || [];
           _gaq.push(['_setAccount', 'UA-9218136-12']);
           _gaq.push(['_trackPageview']);

           (function() {
             var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
             ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
             var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
           })();
         </script>
         </head>
         <body>
         <div id="head">
           <div id="header"><img src="images/logo.png" alt="" title="" />
             <a href="http://www.hgffghghf.com" target="_blank"><img src="images/aaa.png" alt="ghffgh" class="jhghjj" border="0" /></a>
             <div id="nav">
               <a href="index.php">Home</a>
               <a href="about.php">About Us</a>
               <a href="chefs.php">Chefs</a>
               <a href="classes.php">Cookery Classes</a>
               <span class="brown">Gift Vouchers</span>
               <a href="testimonials.php">Testimonials</a>
               <a href="faqs.php">FAQ's</a>
               <a href="contact.php">Contact Us</a></div>
             <div id="contact"><p>T: 02890 234 722<br />E: <a href="mailto:info@belfastcookeryschool.com">info@belfastcookeryschool.com</a></p>
               <?php include 'include/memberstuff.php';?>
             </div>
           </div>
         </div>
         <div id="content">
           <div class="contentholder">
             <div class="contentleft">
               <h1>shopping cart</h1>
               <p>Your current shopping cart is shown below.</p>
               <?php include 'include/shopping-cart.php';?>
             </div>
             <div class="contentright">
               <div class="slideshow">
                 <img src="images/homeimg1.jpg" alt="" />
                 <img src="images/homeimg2.jpg" alt="" />
                 <img src="images/homeimg3.jpg" alt="" />
               </div>
             </div>
           </div>
         </div>
         <div id="content2">
           <div class="contentholder">
             <div class="contentleft2">
               <?php include("include/classes.php"); ?>
               <br style="clear:both;" />
               <?php include("include/chefs.php"); ?>
             </div>
             <div class="contentright2">
               <?php include("include/twitter.php"); ?>
             </div>
           </div>
         </div>
         <?php include("include/footer.php"); ?>
         </body>
         </html>

     Next is the /includes/functions.php

         <?php
         require_once('Connections/conDB.php');
         session_start();
         date_default_timezone_set('Europe/Belfast');

         if (!function_exists("GetSQLValueString")) {
         function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
         {
           $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

           $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

           switch ($theType) {
             case "text":
               $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
               break;
             case "long":
             case "int":
               $theValue = ($theValue != "") ? intval($theValue) : "NULL";
               break;
             case "double":
               $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
               break;
             case "date":
               $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
               break;
             case "defined":
               $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
               break;
           }
           return $theValue;
         }
         }

         if (!isset($_SESSION['cartId'])) { @$_SESSION['cartId'] = date('U').rand(1000,9999); }

         mysql_select_db($database_conDB, $conDB);
         $query_rsSite = "SELECT * FROM tabSite";
         $rsSite = mysql_query($query_rsSite, $conDB) or die(mysql_error());
         $row_rsSite = mysql_fetch_assoc($rsSite);
         $totalRows_rsSite = mysql_num_rows($rsSite);
         $url = $row_rsSite['siteURL'];

         $colname_rsMemberDetails = "-1";
         if (isset($_SESSION['memUsername'])) {
           $colname_rsMemberDetails = $_SESSION['memUsername'];
         }
         mysql_select_db($database_conDB, $conDB);
         $query_rsMemberDetails = sprintf("SELECT * FROM tabMembers WHERE cusEmail = %s", GetSQLValueString($colname_rsMemberDetails, "text"));
         $rsMemberDetails = mysql_query($query_rsMemberDetails, $conDB) or die(mysql_error());
         $row_rsMemberDetails = mysql_fetch_assoc($rsMemberDetails);
         $totalRows_rsMemberDetails = mysql_num_rows($rsMemberDetails);

         if ($totalRows_rsMemberDetails>0 AND $row_rsMemberDetails['cusMedical']!='Y' AND !isset($_SESSION['promptdisplayed'])) {
           $_SESSION['mustsign']="true";
         }

         $customerCredits = @$row_rsMemberDetails['cusCredit'];

         // WHO'S ONLINE
         if (!isset($_SESSION['cartId'])) {
           $_SESSION['cartId']=date('U').rand(1000,9999);
         }

         $colname_rsBooking = "-1";
         if (isset($_SESSION['cartId'])) {
           $colname_rsBooking = $_SESSION['cartId'];
         }
         mysql_select_db($database_conDB, $conDB);
         $query_rsBooking = sprintf("SELECT * FROM tabBookings WHERE bookBookingReference = %s", GetSQLValueString($colname_rsBooking, "text"));
         $rsBooking = mysql_query($query_rsBooking, $conDB) or die(mysql_error());
         $row_rsBooking = mysql_fetch_assoc($rsBooking);
         $totalRows_rsBooking = mysql_num_rows($rsBooking);

         $colname_rsOpenOrder = "-1";
         if (isset($_SESSION['cartId'])) {
           $colname_rsOpenOrder = $_SESSION['cartId'];
         }
         mysql_select_db($database_conDB, $conDB);
         $query_rsOpenOrder = sprintf("SELECT * FROM tabOrders WHERE orderId = %s", GetSQLValueString($colname_rsOpenOrder, "text"));
         $rsOpenOrder = mysql_query($query_rsOpenOrder, $conDB) or die(mysql_error());
         $row_rsOpenOrder = mysql_fetch_assoc($rsOpenOrder);
         $totalRows_rsOpenOrder = mysql_num_rows($rsOpenOrder);

         function urlreplace($name) {
           include 'includes/find_and_replaces.php';
           return strtolower(str_replace($find, $replace, $name));
         }

         function reverseurl($name) {
           include 'includes/find_and_replaces.php';
           return ucwords(str_replace($replace, $find, $name));
         }

         function selfURL() {
           $s = empty($_SERVER["HTTPS"]) ? '' : ($_SERVER["HTTPS"] == "on") ? "s" : "";
           $protocol = strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/").$s;
           $port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":".$_SERVER["SERVER_PORT"]);
           return $protocol."://".$_SERVER['SERVER_NAME'].$port.$_SERVER['REQUEST_URI'];
         }

         function strleft($s1, $s2) {
           return substr($s1, 0, strpos($s1, $s2));
         }

         $browesrtype = $_SERVER['HTTP_USER_AGENT'];
         if (strpos($browesrtype, "MSIE 6.0")>0) $browser = "IE";

         // ** Logout the current user. **
         $logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
         if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
           $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
         }

         if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
           //to fully log out a visitor we need to clear the session variables
           $_SESSION['memUsername'] = NULL;
           $_SESSION['mustsign'] = NULL;
           $_SESSION['promptdisplayed'] = NULL;
           unset($_SESSION['memUsername']);
           unset($_SESSION['mustsign']);
           unset($_SESSION['promptdisplayed']);
           header("LOCATION: /");
           exit;
         }

         // REDIRECTS
         if (@$_POST['hidAction']=="bookclass") include 'functions/f_bookclass.php';
         if (@$_POST['hidAction']=='register') include 'functions/f_register.php';
         if (@$_POST['hidAction']=="cancelbooking") include 'functions/f_cancelbooking.php';
         if (@$_POST['hidAction']=='login') include 'functions/f_login.php';
         if (@$_POST['hidAction']=='updatebooking') include 'functions/f_update_booking.php';
         if (@$_POST['hidAction']=='makepayment' AND @$_POST['button']=="Apply") include 'functions/f_checkcard.php';
         if (@$_POST['hidAction']=='makepayment' AND @$_POST['button']=="Pay Now") include 'functions/f_makepayment.php';
         if (@$_POST['hidAction']=='makepayment' AND @$_POST['button']=="Update Price") include 'functions/f_checkdiscount.php';
         if (@$_POST['hidAction']=='buydiscount1') include 'functions/f_buydiscount1.php';
         if (@$_POST['hidAction']=='buydiscount2') include 'functions/f_update_order.php';
         if (@$_POST['hidAction']=='makepaymentdiscount') include 'functions/f_makepayment_cards.php';
         if (@$_POST['hidAction']=='registercode') include 'functions/f_checkcard.php';
         if (@$_POST['hidAction']=='resetpassword') include 'functions/f_resetpassword.php';
         if (@$_POST['hidAction']=='updatedetails') include 'functions/f_update_account.php';
         if (@$_POST['hidAction']=='addorder' AND @$_POST['button']=="Checkout") include 'functions/f_add_order.php';
         if (@$_POST['hidAction']=='addorder' AND @$_POST['button']=="Update") include 'functions/f_updatecart.php';

         mysql_free_result($rsSite);
         ?>

     and here is the f_updatecart.php file:

         <?php
         for ($x=1; $x<=$_POST['hidTotalCartItems']; $x++) {
           $tempCartQty = "selQty".$x;
           $newCartQty = @$_POST[$tempCartQty];
           $tempCartItemId = "hidCartRowId".$x;
           $cartItemId = @$_POST[$tempCartItemId];
           $tempCartItemPrice = 'hidCartPrice'.$x;
           $cartItemPrice = @$_POST[$tempCartItemPrice];

           mysql_select_db($database_conDB, $conDB);
           $query_rsUpdateCartLine = sprintf("SELECT * FROM tabCart WHERE Id = %s", $cartItemId);
           $rsUpdateCartLine = mysql_query($query_rsUpdateCartLine, $conDB) or die(mysql_error());
           $row_rsUpdateCartLine = mysql_fetch_assoc($rsUpdateCartLine);
           $totalRows_rsUpdateCartLine = mysql_num_rows($rsUpdateCartLine);

           if ($newCartQty>0) {
             $newCartItemPrice = $newCartQty * $cartItemPrice;
             $updateSQL = sprintf("UPDATE tabCart SET cartQty=%s, cartTotal=%s WHERE Id = %s",
                                  GetSQLValueString(@$newCartQty, "int"),
                                  GetSQLValueString(@$newCartItemPrice, "double"),
                                  GetSQLValueString($cartItemId, "int"));
             mysql_select_db($database_conDB, $conDB);
             $Result1 = mysql_query($updateSQL, $conDB) or die(mysql_error());
             mysql_free_result($rsUpdateCartLine);
           }

           if ($newCartQty==0) {
             $deleteSQL = sprintf("DELETE FROM tabCart WHERE Id = %s",
                                  GetSQLValueString($cartItemId, "int"));
             mysql_select_db($database_conDB, $conDB);
             $Result1 = mysql_query($deleteSQL, $conDB) or die(mysql_error());
           }
         }
         ?>

     These are the three files I was surmising were the issue.
  6. Through functions.php file <?php include 'include/functions.php';
  7. Sorry, here it is:

         function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
         {
           $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

           $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

           switch ($theType) {
             case "text":
               $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
               break;
             case "long":
             case "int":
               $theValue = ($theValue != "") ? intval($theValue) : "NULL";
               break;
             case "double":
               $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
               break;
             case "date":
               $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
               break;
             case "defined":
               $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
               break;
           }
           return $theValue;
         }
  8. This is what appears: Caused an error on server, that error was : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 when running with a $newCartQty of 1
  9. And only reason why I thought it was a versioning problem was because it worked fine on the last host of the person who had it, if that makes sense?
  10. Sorry I wasn't more specific, yes I changed it to mysql_error($conDB) and then that's when the "Query was empty" message came up. This was a system inherited from someone else. I'm aware coding isn't great on it, but don't know enough about this to fix. I did add this to my .htaccess file as described by my host to help:

          php_flag display_errors on
          php_value error_reporting E_ALL

      But it still came up with the same "Query was empty" message.
  11. Don't know if it matters but site is using PHP 5.3.27
  12. I was using the die($updateSQL."<br><br>Caused an error on server, that error was :<br><br>".mysql_error()); I tried using the mysql_query and it came up with this: Query was empty
  13. Removed the @ and it's still coming up with same response as last time, an empty value beside "that error was : "
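
The update procedure described in post 1 (quantities limited to 0-10, only changed rows touched, delete on 0, update otherwise), as an added example that is not the site's code or the fix the poster applied. It assumes PDO prepared statements in place of the posted `mysql_*` calls and a hypothetical `cartPrice` column, so the total comes from stored data rather than the posted `hidCartPrice` field; the SQLite rows and `$post` array are constructed sample input.

```php
<?php
// Added example, not the site's code. cartPrice is a hypothetical unit-price column,
// so the row total never depends on the client-supplied hidCartPrice field.
function updateCart(PDO $db, string $cartId, array $post): array
{
    // Stored quantities for this cart only: Id => cartQty
    $rows = $db->prepare('SELECT Id, cartQty FROM tabCart WHERE cartId = ?');
    $rows->execute([$cartId]);
    $current = $rows->fetchAll(PDO::FETCH_KEY_PAIR);
    $update = $db->prepare('UPDATE tabCart SET cartQty = ?, cartTotal = cartPrice * ?
                            WHERE Id = ? AND cartId = ?');
    $delete = $db->prepare('DELETE FROM tabCart WHERE Id = ? AND cartId = ?');

    $done = ['updated' => [], 'removed' => [], 'rejected' => []];
    // The loop bound is client input too; 100 is an arbitrary cap chosen for this example.
    $total = filter_var($post['hidTotalCartItems'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 100]]) ?: 0;
    for ($x = 1; $x <= $total; $x++) {
        $id  = filter_var($post["hidCartRowId$x"] ?? null, FILTER_VALIDATE_INT);
        $qty = filter_var($post["selQty$x"] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 10]]);
        if ($id === false || $qty === false || !isset($current[$id])) {
            $done['rejected'][] = $x;   // malformed, out of range, or not in this cart
            continue;
        }
        if ((int) $current[$id] === $qty) {
            continue;                   // unchanged quantity: no query issued
        }
        if ($qty === 0) {
            $delete->execute([$id, $cartId]);
            $done['removed'][] = $id;
        } else {
            $update->execute([$qty, $qty, $id, $cartId]);
            $done['updated'][] = $id;
        }
    }
    return $done;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tabCart (Id INTEGER PRIMARY KEY, cartId TEXT, cartQty INT, cartPrice REAL, cartTotal REAL)');
$db->exec("INSERT INTO tabCart VALUES (1,'A',1,50,50),(2,'A',2,30,60),(3,'A',1,20,20),(4,'B',1,99,99)");
$post = ['hidTotalCartItems' => '5',
    'selQty1' => '3', 'hidCartRowId1' => '1', 'hidCartPrice1' => '0.01', // posted price is ignored
    'selQty2' => '2', 'hidCartRowId2' => '2',                            // unchanged quantity
    'selQty3' => '0', 'hidCartRowId3' => '3',                            // quantity 0: row removed
    'selQty4' => '1', 'hidCartRowId4' => '',                             // empty row id: rejected
    'selQty5' => '0', 'hidCartRowId5' => '4'];                           // row belongs to cart B
print_r(updateCart($db, 'A', $post));
```

In the posted `f_updatecart.php`, the first `SELECT` interpolates `hidCartRowId` without `GetSQLValueString`, so an empty or crafted id reaches the query text directly; binding every value and scoping each statement to the session's `cartId` closes both that path and cross-cart edits.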