
slove05

Members
Posts: 14
Reputation: 0
Achievements: Newbie (1/5)

  1. I was originally using a prepared statement and only switched to PDO at mac_gyver's urging. Is a mysqli prepared statement enough to overcome SQL injection vulnerabilities? I had the update function working with the following if (isset($_POST['create'])) { $title = $_POST['title']; $date = $_POST['date']; $time = $_POST['time']; $descrip = $_POST['descrip']; $presenter = $_POST['presenter']; $id = $_POST['id']; $statement = $con->prepare("UPDATE events SET title=?, date=?, time=?, descrip=?, presenter=? WHERE id=?"); //bind parameters for markers, where (s = string, i = integer, d = double, b = blob) $statement->bind_param('sssssi', $title, $date, $time, $descrip, $presenter, $id); $results = $statement->execute(); if($results){ print 'Success! record updated'; }else{ print 'Error : ('. $mysqli->errno .') '. $mysqli->error; } } I assume this is open to attack because I am posting the id in a hidden field?
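An added example, not code from this thread or from any of the posters, of how the update handler in this post looks with the two concerns it raises addressed. The values are bound through a mysqli prepared statement, which is what stops SQL injection regardless of whether a value came from a visible or a hidden field; the hidden id is just as much under the client's control as any other field, so it is validated as an integer and the UPDATE additionally checks that the record belongs to the logged-in user. The table and column names come from the post; the `owner_id` column, the `$_SESSION['user_id']` value and the `$con` connection are assumptions.

```php
<?php
// Added example: hardened version of the UPDATE handler discussed in the post.
// Assumes a mysqli connection in $con, an `events` table with the columns used
// in the post plus an assumed `owner_id` column, and a logged-in user's id in
// $_SESSION['user_id'] (the column and the session key are assumptions).
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function update_event(mysqli $con, array $post, int $current_user): int
{
    // A hidden field is still client-supplied input: validate the id and treat
    // it as untrusted just like the visible fields.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        throw new InvalidArgumentException('invalid event id');
    }

    $title     = trim($post['title'] ?? '');
    $descrip   = trim($post['descrip'] ?? '');
    $presenter = trim($post['presenter'] ?? '');
    $date      = $post['date'] ?? '';
    $time      = $post['time'] ?? '';

    // Validate the formats the form asks for (YYYY-MM-DD and HH:MM:SS) rather
    // than letting MySQL coerce arbitrary strings.
    $d = DateTime::createFromFormat('Y-m-d', $date);
    if ($d === false || $d->format('Y-m-d') !== $date) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    if (!preg_match('/^(?:[01]\d|2[0-3]):[0-5]\d:[0-5]\d$/', $time)) {
        throw new InvalidArgumentException('time must be HH:MM:SS');
    }
    if ($title === '' || mb_strlen($title) > 255) {
        throw new InvalidArgumentException('title is required (max 255 chars)');
    }

    // Placeholders carry the values; the SQL text never contains user input,
    // so quotes or comment sequences inside a field cannot change the statement.
    // The owner_id condition (assumed column) makes sure a tampered id cannot
    // update somebody else's event.
    $stmt = $con->prepare(
        'UPDATE events SET title=?, date=?, time=?, descrip=?, presenter=?
          WHERE id=? AND owner_id=?'
    );
    $stmt->bind_param('sssssii', $title, $date, $time, $descrip, $presenter, $id, $current_user);
    $stmt->execute();
    $affected = $stmt->affected_rows; // 0: no such event for this user (or nothing changed)
    $stmt->close();
    return $affected;
}

if (isset($_POST['create'])) {
    try {
        $n = update_event($con, $_POST, (int) ($_SESSION['user_id'] ?? 0));
        echo $n === 1 ? 'Success! record updated' : 'No matching record for this user';
    } catch (InvalidArgumentException $e) {
        echo 'Invalid input: ' . htmlspecialchars($e->getMessage());
    } catch (mysqli_sql_exception $e) {
        error_log('update failed: ' . $e->getMessage()); // log detail, do not echo it to users
        echo 'Update failed';
    }
}
```

The answer to the post's question is therefore "yes and no": the prepared statement closes the injection hole, but a hidden `id` is an authorization problem rather than an injection one, which is why the `WHERE` clause also pins the row to the current user.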
  2. Ok I have the error reporting giving me a better idea of what is erroring out. I am now getting the following error message. Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Event with Upload edit, 2015-02-03, 11:00:00, Testing the event with upload. Mak' at line 1' in /home/content/60/8676960/html/membersadmin/edit_test.php:31 Stack trace: #0 /home/content/60/8676960/html/membersadmin/edit_test.php(31): mysqli->prepare('UPDATE events S...') #1 {main} thrown in /home/content/60/8676960/html/membersadmin/edit_test.php on line 31 Lines 30 and 31 look as follows. $sql = "UPDATE events SET $title, $date, $time, $descrip, $presenter WHERE id = '{$id}')"; $stmt = $con->prepare($sql); The form I have to process looks like this... <form method="POST" action="<?php echo basename($_SERVER['PHP_SELF']); ?>" enctype="multipart/form-data"> <?php if (mysqli_num_rows($result) > 0) {?> <?php while($row = mysqli_fetch_assoc($result)) {;?> <input type="text" name="id" id="id" value="<?php echo $row['id']?>" /> <p> <label for="title">Event Title:</label> <input type="text" name="title" id="title" value="<?php echo $row['title']?>"> </p> <p> <label for="date">Date:</label> <input type="text" name="date" id="date" value="<?php echo $row['date']?>"> please format YYYY-MM-DD<p> <label for="time">Time:</label> <input type="text" name="time" id="time" value="<?php echo $row['time']?>" > please format HH:MM:SS<p> <label for="descrip">Description:</label> <input type="text" name="descrip" id="descrip" value="<?php echo $row['descrip']?>"> <p> <input type="text" name="presenter" id="presenter" value="<?php echo $row['presenter']?>"> </p> <input type="submit" name="create" value="create"> </p> <?php }/*End Loop*/ ?> <?php } else { ?> <h2>Nothing to display.</h2> <?php }/*End Rows Checking*/ ?> </form> My statement preparation looks as follows. if (isset($_POST['create'])) { $id = $_POST['id']; $title = $_POST['title']; $date = $_POST['date']; $time = $_POST['time']; $descrip = $_POST['descrip']; $presenter = $_POST['presenter']; try { $sql = "UPDATE events SET $title, $date, $time, $descrip, $presenter WHERE id = '{$id}')"; $stmt = $con->prepare($sql); $stmt->execute(); echo $stmt->rowCount() . " records UPDATED successfully"; } catch(PDOException $e) { echo $sql . "<br>" . $e->getMessage(); } } It is telling me my syntax is not correct but I do not see why. I am obviously new so help with my Update statement is what I believe I need help with now.
  3. Sorry, edit: it gave me this error object(mysqli)#1 (0) { } mysqli_prepare() failed:
  4. I fixed that. and added var_dump($con); directly after $stmt = mysqli_prepare($con, $sql); which gave me this... which I assume means my database is not connected?
  5. I am wanting to update some information in my events using a prepared statement but my mysqli_prepare fails. I think I am missing something silly. Below is the code I am running if (isset($_POST['create'])) { $title = $_POST['title']; $date = $_POST['date']; $time = $_POST['time']; $desc = $_POST['desc']; $presenter = $_POST['business']; $id = $_POST['id']; $sql = "UPDATE events SET title=?, date=?, time=?, desc=? presenter=? WHERE id=?)"; $stmt = mysqli_prepare($con, $sql); if ( false===$stmt ) { die('mysqli_prepare() failed: ' . htmlspecialchars($mysqli->error)); } mysqli_stmt_bind_param($con, "sssssi", $title, $date, $time, $desc, $presenter, $id); mysqli_stmt_execute($stmt); echo "Success"; } The error message I receive is mysqli_prepare() failed: Any guidance or better error checking would be appreciated.
  6. Oh my land after HOURS of reading it totally clicked and I have the code working flawlessly. Thank you so much requinix for pointing me in the correct direction, showing me the value of prepared statements. I would not have done any of that without your urging.
  7. Ah yes and now I am back in "I have no idea what you are talking about land." I have not used switch before and have no idea where I would even put the code. I would assume I would add... $file_error = $_FILES['image']['error']; to the following... or does it replace that completely with the rest of the code you suggested. $errors= array(); $file_name = $_FILES['image']['name']; $file_size =$_FILES['image']['size']; $file_tmp =$_FILES['image']['tmp_name']; $file_type=$_FILES['image']['type']; $file_ext=strtolower(end(explode('.',$_FILES['image']['name'])));
  8. 1. The insert happens on line 46. 2. You are correct that I receive an error about an invalid extension when the upload is left blank. I assumed (because I have little experience with mysqli and php) this would be an if else statement. If there is if(isset($_FILES['image'])){ then run $sql if not run $sql2 from your statement I see that this is not the case at all. So to clarify my question could I have some guidance as to how I would modify the code to accept an empty upload.
  9. I have a form that adds an event to my database. It collects some basic information as well as allows me to upload an image/pdf. This works flawlessly as long as there is an image/pdf to upload but I would also like it to allow the image fields to be left null if there is no image. I am just beginning in mysqli and think the solution is something along the lines of an if else statement but am unfamiliar enough to not be sure where this should occur. Below is the code I am using. if (isset($_POST['create'])) { $title = $_POST['title']; $date = $_POST['date']; $time = $_POST['time']; $desc = $_POST['desc']; $presenter = $_POST['business']; $picname = $_POST['picname']; $size = $_POST['size']; $type = $_POST['type']; $path = $_POST['path']; if(isset($_FILES['image'])){ $errors= array(); $file_name = $_FILES['image']['name']; $file_size =$_FILES['image']['size']; $file_tmp =$_FILES['image']['tmp_name']; $file_type=$_FILES['image']['type']; $file_ext=strtolower(end(explode('.',$_FILES['image']['name']))); $expensions= array("jpeg","jpg","pdf"); if(in_array($file_ext,$expensions)=== false){ $errors[]="extension not allowed, please choose a JPEG or pdf file."; } if($file_size > 2097152){ $errors[]='File size must be under 2 MB'; } if(empty($errors)==true){ move_uploaded_file($file_tmp,"upload/".$file_name); }else{ print_r($errors); } } $sql = "INSERT INTO events VALUES(id, '{$title}', '{$date}', '{$time}', '{$desc}', '{$presenter}', '{$file_name}', '{$file_size}', '{$file_type}')"; mysqli_query($con, $sql) or die (mysqli_error($con)); echo "Success"; } I would think after the last { I would create an else statement similar to what I am posting below. } else{ $sql2 = "INSERT INTO events VALUES(id, '{$title}', '{$date}', '{$time}', '{$desc}', '{$presenter}', 'NULL', 'NULL', 'NULL')"; mysqli_query($con, $sql2) or die (mysqli_error($con)); echo "Success"; } However I know this returns an error relating to the first error check in the file upload. Do I just need to switch the statements around? Any guidance would be appreciated.
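An added example, not code from this thread or from any of the posters, of the structure posts 7 to 9 are reaching for. Whether a file was sent is decided by the `error` code in `$_FILES['image']` (the array exists even when the field was left blank, so `isset()` cannot tell the two cases apart), and a single prepared INSERT binds either real values or NULL for the file columns, which removes both the duplicated query and the string interpolation in the post's `$sql`. It also sniffs the MIME type from the file contents and stores the file under a generated name, because the client-supplied name and type are untrusted. The form field names follow the post; the exact column list of `events`, the `upload/` directory and the `$con` connection are assumptions.

```php
<?php
// Added example: optional upload plus one prepared INSERT with nullable file
// columns. Assumes a mysqli connection in $con and an `events` table with the
// columns (title, date, time, descrip, presenter, picname, size, type, path);
// that column list is an assumption based on the post's form fields.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const UPLOAD_DIR   = __DIR__ . '/upload';     // assumed storage directory
const MAX_BYTES    = 2097152;                  // 2 MB, the limit used in the post
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

/**
 * Returns null when no file was sent, an array of file metadata when a valid
 * file was stored, and throws when the upload was rejected or failed.
 */
function handle_optional_upload(array $file): ?array
{
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_NO_FILE:
            return null;                       // blank upload field: allowed
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('File size must be under 2 MB');
        default:
            throw new RuntimeException('Upload failed (code ' . (int) $file['error'] . ')');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File size must be under 2 MB');
    }
    // Sniff the real type from the bytes; $_FILES['image']['type'] is only
    // what the browser claimed, and the extension is only what the user typed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_MIME)) {
        throw new RuntimeException('extension not allowed, please choose a JPEG or pdf file.');
    }
    // Store under a random name so the client-chosen name never becomes a path.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $path   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('could not store upload');
    }
    return [
        'name' => mb_substr(basename($file['name']), 0, 255), // original name, for display only
        'size' => (int) $file['size'],
        'type' => $mime,
        'path' => 'upload/' . $stored,
    ];
}

function insert_event(mysqli $con, array $post, ?array $upload): int
{
    $title     = $post['title'] ?? '';
    $date      = $post['date'] ?? '';
    $time      = $post['time'] ?? '';
    $desc      = $post['desc'] ?? '';
    $presenter = $post['business'] ?? '';
    // bind_param sends PHP null as SQL NULL, so the "no file" case needs
    // neither a second query nor the quoted string 'NULL' from the post.
    $picname = $upload['name'] ?? null;
    $size    = $upload['size'] ?? null;
    $type    = $upload['type'] ?? null;
    $path    = $upload['path'] ?? null;

    $stmt = $con->prepare(
        'INSERT INTO events (title, date, time, descrip, presenter, picname, size, type, path)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssssssiss', $title, $date, $time, $desc, $presenter,
                      $picname, $size, $type, $path);
    $stmt->execute();
    $id = (int) $con->insert_id;
    $stmt->close();
    return $id;
}

if (isset($_POST['create'])) {
    try {
        $upload = handle_optional_upload($_FILES['image'] ?? []);
        $id = insert_event($con, $_POST, $upload);
        echo 'Success (event ' . $id . ')';
    } catch (mysqli_sql_exception $e) {
        error_log('insert failed: ' . $e->getMessage()); // keep SQL detail out of the response
        echo 'Could not save the event';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
```

The `switch` is the piece post 7 asks about: it replaces the `isset($_FILES['image'])` test, and the extension/size checks from the post move below it so they only run when a file actually arrived. Note that `mysqli_sql_exception` is itself a `RuntimeException`, so it is caught first to keep database error text out of the page.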
  10. You, sir, are a saint... and it makes sense. I want the value of the option labeled business... Thank you so kindly for all your help. I really do appreciate it. All my best and you truly are a guru...
  11. Ok I made the changes but I don't think this is exactly what I am trying to accomplish. The code does not error out but it also does not update the vote field in the database. Maybe a complete view of the code would help..?? Goodness I will not take on another php mysqli project until I have a better understanding. So I have a form. Inside that form is a list dynamically populated from a database. The user should make a selection and click the submit button to vote for that business. <form action="businesstype_update.php" method="post"> <?php require('Connections/Members_new.php'); if(isset($_POST['voteall'])) { $id = intval($_POST['voteall']); // ensure it's an integer $vote_lg = "update membertest set vote=vote+1 where id = $id"; $run_lg = mysqli_query($con, $vote_lg) or die(mysqli_error($con)); } $result_lg = mysqli_query($con, "SELECT id, business FROM membertest WHERE businesstype='large'"); echo "Vote for large business of the year! <SELECT name='business'>\n"; echo "<option>Select a large business</option>"; while($row_lg = $result_lg->fetch_assoc()) { echo "<option value='{$row_lg['id']}'>{$row_lg['business']}</option>\n"; } echo "</select></br></br>\n"; echo "<input type='submit' name='voteall' value='voteall'>"; $result_lg->close(); ?> </form> Don't I still have to tell $_POST where to get the id from? This will be the death of me. I will hire out from now on... silly silly designer..
  12. Ok that narrowed it down to the exact thing I thought was wrong which is the where id={$row_lg['id']} Which I am getting from the following echo "<option>Select a large business</option>"; while($row_lg = $result_lg->fetch_assoc()) { echo "<option value='{$row_lg['id']}'>{$row_lg['business']}</option>\n"; } do I need to echo out the selected option somewhere... also now that I am looking it should probably be mysqli_fetch_assoc maybe?? The code works to update every row in the table if I remove the where id... so this is the last piece of the puzzle..
  13. That really helped! At least now I am getting an error message I can use. Now I get You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id= SET vote=vote+1' at line 1 So obviously I am on the right track thinking the update happens incorrectly. I am calling the ID from the echoed option value in the form. Should I be asking it to $_GET the id first? I am really confused. This is the last piece in my little project and could someone point me to an example of getting an id from an option value? Just some basic syntax or if you're feeling generous help me fix this line. Thanks so much, I have so much to learn and forums like these connect me with people who tend to explain things in ways I can understand better than the manual.
  14. I am trying to create a simple voting form. Everything goes well until I submit and then I get a Warning: mysqli_error() expects exactly 1 parameter, 0 given on line 79 error. I am assuming it is not pulling the ID correctly but as I am new to php and mysqli I cannot exactly say if it is the way the code is written or if I am calling the parameter incorrectly in the query. Again I am new to this so please be gentle. Below is my code. It pulls the drop down list correctly and echoes correctly but I believe my post query to be a little out of whack. Could someone point me in the correct direction? It would be very appreciated. <form action="businesstype_update.php" method="post"> <?php if(isset($_POST['voteall'])){ $vote_lg = "update membertest where id={$row_lg['id']} set vote=vote+1"; $run_lg = mysqli_query($con, $vote_lg) or die(mysqli_error()); } $result_lg = mysqli_query($con, "SELECT id, business FROM membertest WHERE businesstype='large'"); echo "Vote for large business of the year! <SELECT name='business'>\n"; echo "<option>Select a large business</option>"; while($row_lg = $result_lg->fetch_assoc()) { echo "<option value='{$row_lg['id']}'>{$row_lg['business']}</option>\n"; } echo "</select></br></br>\n"; echo "<input type='submit' name='voteall' value='voteall'>"; $result_lg->close(); $con->close();
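An added example, not code from this thread or from any of the posters, of the vote handler that posts 10 to 14 converge on. It shows the point post 12 and 13 ask about: the `<select>` is named `business`, so the chosen option's value arrives as `$_POST['business']` (the `voteall` key only carries the submit button's value), and `$row_lg` from the rendering loop does not exist when the form comes back. The id is validated as an integer and bound into a prepared UPDATE with the clauses in `SET ... WHERE ...` order, and the script runs mysqli in exception mode so the `mysqli_error()` argument problem from the last post cannot arise. Table and column names are from the posts; the redirect back to `businesstype_update.php` and the `$con` connection are assumptions.

```php
<?php
// Added example: vote handler for the form in the posts above.
// Assumes a mysqli connection in $con and the membertest(id, business,
// businesstype, vote) table named in the posts; the redirect URL is assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The option value comes in under the <select>'s name attribute, not the
// submit button's name: <select name="business"> -> $_POST['business'].
function record_vote(mysqli $con, array $post): int
{
    $id = filter_var($post['business'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {           // placeholder option has an empty value
        return 0;
    }
    // A placeholder replaces the interpolated {$row_lg['id']}; the WHERE clause
    // never contains raw request data, and SET comes before WHERE.
    $stmt = $con->prepare('UPDATE membertest SET vote = vote + 1 WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $n = $stmt->affected_rows;                 // 1 when a row with that id exists
    $stmt->close();
    return $n;
}

if (isset($_POST['voteall'])) {
    $counted = record_vote($con, $_POST);
    // Redirect after POST so a browser refresh does not submit the vote again.
    header('Location: businesstype_update.php?voted=' . ($counted ? '1' : '0'));
    exit;
}

$result_lg = $con->query("SELECT id, business FROM membertest WHERE businesstype='large' ORDER BY business");
?>
<form action="businesstype_update.php" method="post">
  Vote for large business of the year!
  <select name="business">
    <option value="">Select a large business</option>
    <?php while ($row_lg = $result_lg->fetch_assoc()): ?>
      <option value="<?= (int) $row_lg['id'] ?>"><?= htmlspecialchars($row_lg['business']) ?></option>
    <?php endwhile; ?>
  </select><br><br>
  <input type="submit" name="voteall" value="voteall">
</form>
```

Two details are deliberate: the business names are passed through `htmlspecialchars()` when rendered, since they come from the database and may contain markup, and the placeholder option gets an explicit empty `value` so a submission without a choice is rejected by the integer check rather than turned into a stray query.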