On Friday 06 September 2002 05:50 pm, Marcelo Simon wrote:

Well, I'm not 100% certain since I don't know what environment you're working 
in, but a typical example from Perl might be something like....

my $query = "INSERT INTO foo 
VALUES(".$cgi->param('myintfield').",'".$cgi->param('mydatefield')."')";

Now if the integer field is empty then the result of 
$cgi->param('myintfield') is going to be an empty string and the result is 

INSERT INTO foo VALUES(,'whatever was in datefield')

which is NOT legal SQL... 

You would need to check your input parameter and, if it is an empty string, 
replace that with the string 'NULL' (if you want a null there). As for the 
date field, once again an empty quoted string will not insert properly into a 
database.

NOW having said all of this, DO NOT EVER INSERT FORM FIELD VALUES DIRECTLY 
INTO A DATABASE THIS WAY WITHOUT FIRST PREPROCESSING THEM. You are creating a 
GIANT security hole in your system if you do!

If you're using PHP, basically the exact same comments etc apply.

One simple way to fix your problem, in Perl at least, is to use placeholders 
and bind params. It's much safer and much easier.



> Hi,
>
> First time here, hope someone can understand me and help me.
>
> I have a field whose type is int(4), and I'm updating it from a form.
> It is working OK, unless the form field is empty. When it's empty I'm
> receiving an SQL error number 51().
>
> In the db the field is set up to receive empty values.
> In the query the field is not surrounded by ' ' (since it's a number).
>
> Can anyone explain to me what is happening? How can I leave that
> field empty on the form?
>
> Also the same thing is happening with a date field! Any clues?
>
> TIA
> Marcelo Simon
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

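The placeholder and bind-parameter approach recommended in the reply above, as an added example that is not part of the original message. Assumptions: an in-memory SQLite database (DBD::SQLite) stands in for MySQL so the script runs offline, the column names reuse the form field names from the message, and `clean_field` is a hypothetical helper.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: in-memory SQLite (DBD::SQLite) stands in for MySQL so this runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE foo (myintfield INTEGER NULL, mydatefield DATE NULL)');

# Hypothetical helper: turn a raw form value into a bind value.
# Empty or missing input becomes undef, which DBI binds as SQL NULL.
# Input that does not match the expected pattern is refused with die.
sub clean_field {
    my ($name, $raw, $pattern) = @_;
    # Explicit "return undef" so the caller's argument list keeps one slot per field.
    return undef if !defined $raw || $raw =~ /\A\s*\z/;
    $raw =~ s/\A\s+|\s+\z//g;
    die "invalid value for $name\n" unless $raw =~ $pattern;
    return $raw;
}

my $INT_RE  = qr/\A-?\d{1,9}\z/;
my $DATE_RE = qr/\A\d{4}-\d{2}-\d{2}\z/;

# The statement text is fixed; the values travel separately as bind parameters,
# so no quoting or string concatenation is involved.
my $sth = $dbh->prepare('INSERT INTO foo (myintfield, mydatefield) VALUES (?, ?)');

# Constructed sample submissions standing in for $cgi->param(...) values.
my @submissions = (
    [ '42',  '2002-09-06' ],
    [ '',    ''           ],   # both form fields left empty
    [ "4'2", '2002-09-06' ],   # not an integer: refused before reaching the database
);

for my $form (@submissions) {
    my ($int_raw, $date_raw) = @$form;
    my $ok = eval {
        $sth->execute(clean_field('myintfield',  $int_raw,  $INT_RE),
                      clean_field('mydatefield', $date_raw, $DATE_RE));
        1;
    };
    print $ok ? "inserted\n" : "rejected: $@";
}

# Show what was stored; undef in a fetched row means the column is NULL.
for my $row (@{ $dbh->selectall_arrayref('SELECT myintfield, mydatefield FROM foo') }) {
    print join(', ', map { defined $_ ? $_ : 'NULL' } @$row), "\n";
}
```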