MySQL - PHP update issue

urbanxtremes · 25th June 2008, 11:20 AM

Hello,

I have been using this code to update my news section for quite a long time; however, since the upgrade I have noticed strange things happening.

I can only add new news, and update a few news pages... Not sure why this is, UH has looked into it, and can not see where the issue is coming from - they suggested the code.

The following code is what I have been using:

PHP Code:

  <?

$ud_id=$_POST['ud_id'];

$ud_mtitle=$_POST['ud_mtitle'];

$ud_mkey=$_POST['ud_mkey'];

$ud_mdesc=$_POST['ud_mdesc'];

$ud_header=$_POST['ud_header'];

$ud_content=$_POST['ud_content'];

$ud_oneliner=$_POST['ud_oneliner'];

$ud_cat=$_POST['ud_cat'];

$ud_img=$_POST['ud_img'];

$ud_navlink=$_POST['ud_navlink'];

$ud_nav=$_POST['ud_nav'];

 
$db="site_com_-_tbl_news";

$link = mysql_connect("127.0.0.1","username", "password");

if (! $link)

die("Couldn't connect to MySQL");

 
mysql_select_db($db , $link)

or die("Couldn't open $db: ".mysql_error());

 
mysql_query("UPDATE tbl_Hpages  SET HpagesMTitle='$ud_mtitle' ,HpagesMKey='$ud_mkey' ,HpagesMDesc='$ud_mdesc' ,HpagesHeader='$ud_header' ,HpagesContent='$ud_content' ,HpagesOne_liner='$ud_oneliner', HpagesCat='$ud_cat' ,HpagesImg='$ud_img' ,HpagesNavLink='$ud_navlink' ,HpagesNav='$ud_nav' WHERE HpagesID='$ud_id'");

echo "Record Updated";

mysql_close($link);

?>

Any suggestions?

MrBen · 25th June 2008, 12:04 PM

mysql_error should be useful here - PHP: mysql_error - Manual

You don't appear to be doing any cleaning or validation on your data leaving yourself open to SQL injection.

I suspect it the error will be due to apostrophes or special characters in your input. If magic_quotes was previously set to on these would have been escaped properly. See Apostrophies in text boxes creating mysql error

Ben

urbanxtremes · 25th June 2008, 01:22 PM

Hello MrBen,

The code is kept behind a secure directory, so I did not think it required any validation.

I have looked through the documentation which you kindly put a link to; however, makes no sense to me. If it was to do with special characters in my input, then this would effect all post and not just a select few: or would it?

The main admin for inputing new news follows the same style of code which works fine, it is just the update that is being a bit weird?

Regards,

Mark

knapper · 25th June 2008, 03:10 PM

Quote:

Originally Posted by urbanxtremes

I have looked through the documentation which you kindly put a link to; however, makes no sense to me. If it was to do with special characters in my input, then this would effect all post and not just a select few: or would it?

It would be possible that not all news items contain the special charters that are causing the problem, so it could just effect some.

Quote:

Originally Posted by urbanxtremes

The main admin for inputing new news follows the same style of code which works fine, it is just the update that is being a bit weird?

It might be useful if you post that code as well, just for comparison.

urbanxtremes · 25th June 2008, 03:42 PM

Hello Knapper,

This is the code I use for adding news:

PHP Code:

  <?

$HpagesMTitle=$_POST['MTitle'];

$HpagesMKey=$_POST['MKey'];

$HpagesMDesc=$_POST['MDesc'];

$HpagesHeader=$_POST['title'];

$HpagesContent=$_POST['content'];

$HpagesOne_liner=$_POST['oneliner'];

$HpagesImg=$_POST['Img'];

$HpagesCat=$_POST['category'];

$HpagesNav=$_POST['Nav'];

$HpagesNavLink=$_POST['NavLink'];

 
 
$db="site_com_-_tbl_news";

$link = mysql_connect("127.0.0.1","username", "password");

if (! $link)

die("Couldn't connect to MySQL");

 
mysql_select_db($db , $link) or die("Select Error: ".mysql_error());

 
$result=mysql_query("INSERT INTO tbl_Hpages (HpagesMTitle, HpagesMKey, HpagesMDesc, HpagesHeader, HpagesContent, HpagesOne_liner, HpagesImg, HpagesCat, HpagesNav, HpagesNavLink) VALUES ('$HpagesMTitle','$HpagesMKey','$HpagesMDesc','$HpagesHeader','$HpagesContent','$HpagesOne_liner','$HpagesImg','$HpagesCat','$HpagesNav','$HpagesNavLink')")or die("Insert Error: ".mysql_error());

mysql_close($link);

print "Record added\n";

?>

Regards,

Mark

urbanxtremes · 25th June 2008, 04:19 PM

So, it is the "Apostrophies" that I put in the input forms that are causing the trouble with updating the MySQL DB...

What the hell do I do now???????

How do I fix this code.

I have about ten sites that use this style code...

TygerTyger · 25th June 2008, 04:37 PM

Code:

$Hpageswhatever = mysql_real_escape_string($_POST['whatever']);

urbanxtremes · 26th June 2008, 03:14 PM

Thank you TygerTyger - that works perfectly. I owe you a big drink.

Wran · 28th July 2008, 06:12 PM

Hi,

TygerTyger is going to be having a free night out at this rate.......

I had the same problem and yes all related to the Magic_Quotes_GPC setting being 'off' now instead of 'on' as it was previously.

First of all i'm wondering if UH meant this change? Also, could it be turned back on?
Also, woulda been nice to let us know! (Or did you?

).....

C'mon UH support, Tygers earning all the beer!.......

I had to use

$articletext = urldecode(mysql_real_escape_string($_POST['articletext']));

to get rid of all the %20 's...but it worked a treat....and i'm a basic .php user - i figured out this was because of the Magic_Quotes_GPC setting..surprised though we had to wait for Tyger to point this out to us....

.....those UH support guys are drinking too many beers me thinks

Wran.

Terra · 29th July 2008, 08:11 AM

The Magic_Quotes_GPC explains a lot - we had scripts failing since switching to PHP5 & weren't aware of that issue.

I've now checked 2 sites on different servers, and yes - the old PHP4 had Magic_Quotes_GPC ON, whereas the new PHP5 has it OFF.

Would have been useful to know in advance

Simon · 29th July 2008, 09:25 AM

I think we were told in advance, can't remember where, but I do remember checking all my sites to make sure they would be ok for this change.

Terra · 29th July 2008, 09:46 AM

mh - the only reference I found is The most requested support issues?
and that's not even an "official" thread. Don't think that can count "as we were told".

Simon · 29th July 2008, 10:23 AM

I'm not going to go looking for it, but we were all told about the upgrade to PHP5 and there is a list of changes on the PHP.net website, PHP developers should be aware of this kind of config change, its been around for at least 2 years.

Wran · 29th July 2008, 06:17 PM

Aaah... so what Simon is saying is this is a change in the default configuration of .php when version 5 was released from that of version 4. Made by the developers as opposed to a config change made by UH when they installed/upgraded it.

Thats fair enough i guess....

I supposed it teaches all to write safer code in the long run as as a newbie developer the security of these things is probably my biggest headache.

Friends again UH support - if you'll have me!

Wran.

UH-Matt · 29th July 2008, 08:38 PM

Yes basically php5 has a lot of different (opposite) default settings in its php.ini file if you compare the stock ini from v4 to v5, you would find the thing you mention is one of those changes. Its not something WE implemented