Updating tables

Question

vanessia_1999 0 Junior Poster in Training

15 Years Ago

Hi,
I am having diffculty in my administration page. Half of the code is correct but the other half I think is wrong. I am working with two tables to update the information. One is "products" and the other is "color". The product information work but the color information is displaying a parse error.
May some one check my coding to see what I am doing wrong?

<?php   $delete = $_POST['button'];
   if ($delete == "Delete Product")
   {
      $prodid = $_POST['prodid'];
      $query = "DELETE from products WHERE prodid = $prodid";
      $result = mysql_query($query);
      if ($result)
      {
         echo "<h2>Product: $prodid deleted</h2>\n";
         exit;
      } else
      {
         echo "<h2>Problem deleting $prodid</h2>\n";
         exit;
      }
   } else
   {
      $prodid = $_POST['prodid'];
      $catid = $_POST['catid'];
      $description = $_POST['description'];
      $price = $_POST['price'];
      $detail = $_POST['detail'];
     $quantity = $_POST['quantity'];
   
	   if (get_magic_quotes_gpc())
      {
         $description = stripshlashes($desription);
      }
      $description = mysql_real_escape_string($description);      if (isset($_POST['onsale']))
         $onsale = 1;
      else
         $onsale = 0;      $PictName = $_FILES['picture']['name'];      if ($PictName)
      {
         $thumbnail = getThumb($_FILES['picture']);
         $thumbnail = mysql_real_escape_string($thumbnail);
         $query = "UPDATE products SET catid='$catid', description = '$description', " .
                 "price = $price, quantity = $quantity, detail = '$detail', onsale = $onsale, picture = '$thumbnail' " .
                 "WHERE prodid = $prodid";
      }
      else
      {
         $query = "UPDATE products SET catid='$catid', description = '$description', " .
                 "price = $price, quantity = $quantity,  detail = '$detail', onsale = $onsale " .
                 "WHERE prodid = $prodid";
      }      $result = mysql_query($query) or die(mysql_error());
      if ($result)
      {
         echo "<h2>Product information changed.</h2>\n";
      }
      else
      {
         echo "<h2>Sorry, I could not change the product information.</h2>\n";
      }
   }
   

  //Color update     

    $delete = $_POST['button'];
   if ($delete == "Delete Product")
   {
      $colorid = $_POST['colorid'];
      $query = "DELETE from color WHERE colorid = $colorid";
      $result = mysql_query($query);
      if ($result)
      {
         echo "<h2>Color: $colorid deleted</h2>\n";
         exit;
      } else
      {
         echo "<h2>Problem deleting $colorid</h2>\n";
         exit;
      }
   } 

else
   {
      $colorid = $_POST['colorid'];
      $item_color=$_POST['item_color'];
    
   
	   if (get_magic_quotes_gpc())
      {
         $item_color = stripshlashes($item_color);
      }
      $item_color = mysql_real_escape_string($item_color);      
         $query = "UPDATE color 
		 SET item_color='$item_color' 
		 WHERE colorid = $colorid";
      }
      else
      {
         
      }      $result = mysql_query($query) or die(mysql_error());
      if ($result)
      {
         echo "<h2>Color information changed.</h2>\n";
      }
      else
      {
         echo "<h2>Sorry, I could not change the color information.</h2>\n";
      }
   }
  ?>

php

2 Contributors
3 Replies
83 Views
20 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by cwarn23

cwarn23 387 Occupation: Genius

15 Years Ago

$query = "DELETE from color WHERE colorid = $colorid";

That line should be the following:

$query = "DELETE from color WHERE colorid = '".mysql_real_escape_string($colorid)."'";

And add the mysql_real_escape_string() to all inputs into mysql like I did in the problem line above otherwise your script like it is now won't be very secure.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

vanessia_1999 0 Junior Poster in Training · Answer 1 · 2009-04-24T13:34:43+00:00

thank you for the mysql secure tip. I thought that it would be automatically secure.

I am still recieving an error but I am trying to work on all my bugs. I had fix the color statement today and now winding up with a lot of bugs in all my pages because I am writing some wrong in them.

May I ask you why this statement continue to say undefine Undefined variable: item_color

when the variable is define.
this is the code

$query = "SELECT colorid, item_color from color where prodid = $prodid ORDER BY item_color";
$result = mysql_query($query); 

echo "<tr><td><h3>Color:</h3></td><td> <select name=\"item_color\" id=\"$item_color\">\n";
while ($row=mysql_fetch_array($result, MYSQL_ASSOC))
{
$item_color = $row['item_color'];
$colorid = $row['colorid'];
echo "<option value=\"$colorid\">$item_color</option>\n";
}
echo "</select></td></tr>\n";

When I change around the coding to what I will place below the undefine variable error goes away. But then I have a problem! I get the amount of item_color for that item. so if I have red and pink for one item. It comes ups
Color: red
Color: pink

//$query = "SELECT colorid, item_color from color where prodid = $prodid ORDER BY item_color";
$result = mysql_query($query); 
echo "<tr><td><b>Color:</b> <select name=\"item_color\" id=\"$item_color\">\n";
while ($row=mysql_fetch_array($result, MYSQL_ASSOC))
{
$item_color = $row['item_color'];
$colorid = $row['colorid'];
echo "<option value=\"$colorid\">$item_color</option>\n";
}
echo "</select></td></tr>\n";

That line should be the following:
$query = "DELETE from color WHERE colorid = '".mysql_real_escape_string($colorid)."'";
And add the mysql_real_escape_string() to all inputs into mysql like I did in the problem line above otherwise your script like it is now won't be very secure.

cwarn23 387 Occupation: Genius Team Colleague Featured Poster · Answer 2 · 2009-04-24T15:47:23+00:00

I thought that it would be automatically secure.

The reason why it is never secure to place even just $_POST variables into a mysql query is because someone can just write a script using curl to send $_POST variables to the page. Also mysql_real_escape_string does more than just securing the variable. It also makes the variable bug free. That is why I recommend it.

undefine Undefined variable: item_color

That silly e_notice error again. Unless ya want to be a professional commercial programmer, it is easiest to just add the following to the top of your page(s) as it is an unnecessary/useless error.

error_reporting(E_ALL ^ E_NOTICE);

You will find the e_notice being disabled is also the universal default before administrators change it. If however you want to be a professional commercial programmer then you need to define your variables before doing .= or += or -= or *= or []=

<?
//define an array
$variable_a=array();

//define a string
$variable_b='';

//define a number
$variable_c=0;

Hope that answers your question.