Okay, here is the required information:
Apache/2.2.22 (Ubuntu)
MySQL client version: 5.5.34
PHP extension: mysqli
Here are the three raw SQL statements, using sample data. Statement 1:
SELECT uuid FROM EmptyCart WHERE uuid = '52b6392b-c55f-71ef-2437-c0645d3d5ea0'
Statement 2:
UPDATE EmptyCart SET fname="so", lname="this", company="should", address="insert", city="", state="", zip="", phone="", country="US", cart_coupon="", email="", orderSubTotal="46.15", orderTotal="46.15", numOfItems="2", items="a:2:{i:0;s:5:item1;i:1;s:5:item2;}", ids="a:2:{i:0;s:3:id1;i:1;s:3:id2;}", codes="a:2:{i:0;s:5:code1;i:1;s:5:code2;}", qtys="a:2:{i:0;s:1:1;i:1;s:1:1;}", price="a:2:{i:0;s:5:44.95;i:1;s:3:1.2;}", orderTax="0", orderShipping="0", appliedPromoIdList="", coupon="", storeId="storeid", activeShipPromotionCount="", itemImages="a:2:{i:0;s:6:image1;i:1;s:6:image2;}", date="Mon Dec 02 2013 13:40:38 GMT-0500 (Eastern Standard Time)" WHERE uuid='52b6392b-c55f-71ef-2437-c0645d3d5ea0'
Statement 3:
INSERT INTO EmptyCart (uuid,fname,lname,company,address,city,state,zip,phone,country,cart_coupon,email,orderSubTotal,orderTotal,numOfItems,items,ids,codes,qtys,price,orderTax,orderShipping,appliedPromoIdList,coupon,storeId,activeShipPromotionCount,itemImages,date) VALUES ("52b6392b-c55f-71ef-2437-c0645d3d5ea0","so","this","should","insert","","","","","US","","","46.15","46.15","2","a:2:{i:0;s:5:item1;i:1;s:5:item2;}","a:2:{i:0;s:3:id1;i:1;s:3:id2;}","a:2:{i:0;s:5:code1;i:1;s:5:code2;}","a:2:{i:0;s:1:1;i:1;s:1:1;}","a:2:{i:0;s:5:44.95;i:1;s:3:1.2;}","0","0","","","storeid","","a:2:{i:0;s:6:image1;i:1;s:6:image2;}","Mon Dec 02 2013 13:40:38 GMT-0500 (Eastern Standard Time)")
No errors are being returned; in fact, the queries all work fine.
What is happening is actually within the PHP; however, I have included the SQL statements as they may be causing the logic errors in the PHP code operation.
Here is the section of PHP code where the error is happening:
    mysqli_select_db($con,$mysql_database);
    $prequery = mysqli_query($con,"SELECT uuid FROM ".$mysql_table." WHERE uuid = '".$tablevalues[0]."'");
    $tango = $prequery->fetch_assoc();
    if ($tango["uuid"]=$tablevalues[0]) {
        $new_count = count($tablefields);
        $mysql_update = "";
        for ($z=1;$z<$new_count-1;$z++){
            $mysql_update .= $tablefields[$z]."=".$tablevalues[$z].", ";
        }
        $mysql_update .= $tablefields[27]."=".$tablevalues[27];
        $sql = "UPDATE ".$mysql_table." SET ".$mysql_update." WHERE uuid='".$tango["uuid"]."'";
    } else {
        $sql = "INSERT INTO {$mysql_table} ({$tablefields_implode}) VALUES ({$tablevalues_implode})";
    }
    // pprint_r($sql);
    mysqli_query($con,$sql);
    mysqli_close($con);
The Correct Functionality should be:
On the client-side, a new user visits the page the form resides on and begins filling out the form. Upon initial visit, a unique identifier is assigned to the user and stored in localstorage.
Every time a form field is updated/changed the value is stored in localstorage.
Every 30 seconds, selected contents of the form data (as pulled from localstorage) are sent to our server database via Ajax POST.
The PHP Processing file receives the POST data and performs a series of SQL injection prevention functions on the data.
The PHP file constructs a new array of cleaned data and uses that data array to construct the mysqli queries above.
What should happen is the unique identifier should be checked against existing database entries and if it exists the relevant entry should be updated. If the unique identifier does not exist, a new entry is made.
What is currently happening:
Every incoming POST is evaluated and results in an UPDATE statement, even if the unique identifier does not exist in the database.
Things I have tried:
I have tried changing the value of the request for $prequery to reference a variable established earlier in the processing, but the result was the same. The code selects from the database and is still somehow evaluating that nothing = something.
Notes:
The first SQL statement, the select one, is the reason for the change of the variable to one earlier in the array processing. The value of the variable was being displayed with double quotes around it and breaking the SQL statement; however, even with the new variable that does not have the double quotes, the operation is still resulting in an Update instead of Insert despite the uuid not being in the database.
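
The check-then-UPDATE-or-INSERT flow described in the post, as an added example that is not the poster's code: it contrasts the single `=` in the posted `if` with a strict comparison on a constructed empty result, and builds the statement with bound placeholders instead of string concatenation. The function names, `CART_TABLE` and the `CART_COLUMNS` allowlist are assumptions; `runUpsert` needs a live mysqli connection and is defined but not called here.

```php
<?php
// Added example, not the poster's code. Table and column names come from the
// post; the function names and the column allowlist are assumptions.
const CART_TABLE = 'EmptyCart';
const CART_COLUMNS = ['uuid', 'fname', 'lname', 'company', 'country', 'orderTotal', 'date'];

// fetch_assoc() returns null when no row matched, so compare strictly.
function rowExists(?array $row, string $uuid): bool
{
    return $row !== null && $row['uuid'] === $uuid;
}

// Build the statement with ? placeholders. Only allowlisted column names are
// written into the SQL text; every value travels as a bound parameter.
function buildUpsert(array $data, bool $exists): array
{
    $cols = array_values(array_intersect(CART_COLUMNS, array_keys($data)));
    if ($exists) {
        $cols = array_values(array_diff($cols, ['uuid']));
        $set = implode(', ', array_map(fn($c) => "`$c` = ?", $cols));
        $params = array_map(fn($c) => $data[$c], $cols);
        $params[] = $data['uuid'];
        return ['UPDATE `' . CART_TABLE . "` SET $set WHERE `uuid` = ?", $params];
    }
    $names = implode(', ', array_map(fn($c) => "`$c`", $cols));
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $params = array_map(fn($c) => $data[$c], $cols);
    return ['INSERT INTO `' . CART_TABLE . "` ($names) VALUES ($marks)", $params];
}

// Run against a live connection (needs the mysqli extension and a server).
function runUpsert(mysqli $con, string $sql, array $params): bool
{
    $stmt = $con->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    return $stmt->execute();
}

// Constructed input: a uuid that is not in the table yet.
$data = ['uuid' => '52b6392b-c55f-71ef-2437-c0645d3d5ea0', 'fname' => 'so', 'lname' => 'this'];
$row = null; // what fetch_assoc() returns for an empty result set

$copy = $row;
var_dump((bool) ($copy['uuid'] = $data['uuid'])); // single "=": assigns, then tests the assigned string
var_dump(rowExists($row, $data['uuid']));         // "===" on the fetched row

[$sql, $params] = buildUpsert($data, rowExists($row, $data['uuid']));
echo $sql, PHP_EOL, json_encode($params), PHP_EOL;
```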