Re: [PHP-DB] Conditional updating...

2006-06-25 Thread Grae Wolfe - PHP
Thank you for the thought, however, I don't have a shell that I can run in, 
hence, I have to rely on help from others.


"JupiterHost.Net" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
>
> Grae Wolfe - PHP wrote:
>>   Sorry I have been out of touch...  I thought I had this problem beat, 
>> but I was wrong.  I decided that the best thing to do was to filter the 
>> variables as the $sql statement was being created.  I tried using the 
>> following code, and got a message back that it was invalid and my Query 
>> couldn't execute...  Can anyone tell me where I screwed this one up??
>
> Print out $sql and then try to manually do it in your mysql (or whatever DB 
> engine) shell.
>
> I imagine you have a syntax error and that will tell you exactly what and 
> where it is :)
>
> And I hope your only criteria for the value of each column isn't that it's 
> just not empty.
>
> If so you will be vulnerable to SQL injection attacks and your data will 
> be compromised. You should at the very least quote the values with a valid 
> SQL quoting function. (IE not just wrapping it in quotes but one that 
> actually escapes certain characters and wraps it in quotes as need be)
>
> Do not rely on that automatically being done (IE think how crappily 
> unreliable and dangerous relying on "Magic Quotes" is, oi what pile *that* 
> is...) 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DB] Conditional updating...

2006-06-23 Thread Grae Wolfe - PHP
  Sorry I have been out of touch...  I thought I had this problem beat, but 
I was wrong.  I decided that the best thing to do was to filter the 
variables as the $sql statement was being created.  I tried using the 
following code, and got a message back that it was invalid and my Query 
couldn't execute...  Can anyone tell me where I screwed this one up??

$sql = "UPDATE $table SET;


if(!empty($first_name))
  $sql .='first_name='.$first_name.',';


if(!empty($last_name))
  $sql .='last_name='.$last_name.',';


if(!empty($hs_last_name))
  $sql .='hs_last_name='.$hs_last_name.',';


if(!empty($street_address1))
  $sql .='street_address1='.$street_address1.',';


if(!empty($street_address2))
  $sql .='street_address2='.$street_address2.',';


if(!empty($city))
  $sql .='city='.$city.',';


if(!empty($state))
  $sql .='state='.$state.',';


if(!empty($zip))
  $sql .='zip='.$zip.',';


if(!empty($phone1))
  $sql .='phone1='.$phone1.',';


if(!empty($phone2))
  $sql .='phone2='.$phone2.',';


if(!empty($email_address))
  $sql .='email_address='.$email_address.',';


if(!empty($current_info))
  $sql .='current_info='.$current_info.',';


if(!empty($today))
  $sql .='date_registered='.$today;


WHERE first_name='$first_name' AND last_name='$last_name'";



"Jeffrey" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Perhaps I have misunderstood something here. But it seems to me that 
> anyone who just happens to put John Smith's name in could alter Mr. 
> Smith's data.
>
> If users can update their own data, should you not have a log in process 
> to ensure that only the original user can update his data? Then once he 
> has logged in, you can populate all fields with data from the DB.
>
> Jeffrey
>
> Grae Wolfe - PHP wrote:
>> That was the first thing that I was going to do, but there is a concern 
>> there for security of the data being input...  This is a registration 
>> site, and I don't want to provide information on "John Smith" to anyone 
>> who just happens to put his name in.
>>
>>
>> "Alejandro Tesone" <[EMAIL PROTECTED]> wrote in message 
>> news:[EMAIL PROTECTED]
>>
>>>Why don't you try populating the fields the user intends to modify
>>>with the information you already have?
>>>
>>>Alex T
>>>
>>>On 6/17/06, Grae Wolfe - PHP <[EMAIL PROTECTED]> wrote:
>>>
>>>>Good day!
>>>>  I have been working on this little "free" project for a while, and now 
>>>> I
>>>>have hit another major hiccup.  Is there a simple way to only update 
>>>>fields
>>>>that have something in them?
>>>>  The problem that I am having is that if someone fills out information 
>>>> and
>>>>submits it, it saves to the DB just fine.  However, if they come back 
>>>>later
>>>>and just put in, for example, a new phone number, it replaces all of the
>>>>other information with blanks.
>>>>  Here is my current $sql query:
>>>>
>>>>$sql = "UPDATE $table
>>>>SET
>>>>first_name='$first_name',
>>>>last_name='$last_name',
>>>>hs_last_name='$hs_last_name',
>>>>guest_name='$guest_name',
>>>>street_address1='$street_address1',
>>>>street_address2='$street_address2',
>>>>city='$city',
>>>>state='$state',
>>>>zip='$zip',
>>>>phone1='$phone1',
>>>>phone2='$phone2',
>>>>email_address='$email_address',
>>>>farmers_barn='$farmers_barn',
>>>>wrhs_tour='$wrhs_tour',
>>>>crystal_rose='$crystal_rose',
>>>>registration_comments='$registration_comments',
>>>>date_registered='$today'
>>>>WHERE first_name='$first_name' AND last_name='$last_name'";
>>>>
>>>>
>>>>
>> 
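
An added example (not code from any poster in this thread): one way to do the conditional update asked about above while following the quoted advice to quote values properly, here by binding them through PDO prepared statements. The `registrations` table, the integer `id` key (assumed to come from a logged-in session), the column allow-list and `updateRegistration()` are assumptions; in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not the poster's code. Table, columns and function name are
// assumptions. PDO + in-memory SQLite so it runs offline; use a MySQL DSN in practice.

// Allow-list of updatable columns: SQL identifiers never come from user input.
const UPDATABLE = ['first_name', 'last_name', 'street_address1', 'city',
                   'state', 'zip', 'phone1', 'email_address'];

function updateRegistration(PDO $db, int $id, array $input): int
{
    $set = [];
    $params = [':id' => $id];
    foreach (UPDATABLE as $col) {
        $value = trim((string)($input[$col] ?? ''));
        // Skip blanks so existing data survives. Unlike empty(), this keeps "0".
        if ($value !== '') {
            $set[] = "$col = :$col";      // placeholder only, never the value
            $params[":$col"] = $value;
        }
    }
    if (!$set) {
        return 0;                          // nothing submitted, nothing to run
    }
    $set[] = 'date_registered = :today';
    $params[':today'] = date('Y-m-d');
    // implode() puts commas between items only, so no stray comma before WHERE.
    $sql = 'UPDATE registrations SET ' . implode(', ', $set) . ' WHERE id = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registrations (id INTEGER PRIMARY KEY, first_name TEXT,
    last_name TEXT, street_address1 TEXT, city TEXT, state TEXT, zip TEXT,
    phone1 TEXT, email_address TEXT, date_registered TEXT)');
$db->exec("INSERT INTO registrations (first_name, last_name, city, phone1)
    VALUES ('John', 'Smith', 'Akron', '555-0100')");

// Only two fields are filled in; the apostrophe would break a concatenated query.
$n = updateRegistration($db, 1, ['last_name' => "O'Brien", 'phone1' => '555-0199', 'city' => '']);
$row = $db->query('SELECT * FROM registrations WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
printf("%d row updated: last_name=%s city=%s phone1=%s\n",
    $n, $row['last_name'], $row['city'], $row['phone1']);
```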




Re: [PHP-DB] Conditional updating...

2006-06-17 Thread Grae Wolfe - PHP
That was the first thing that I was going to do, but there is a concern 
there for security of the data being input...  This is a registration site, 
and I don't want to provide information on "John Smith" to anyone who just 
happens to put his name in.


"Alejandro Tesone" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Why don't you try populating the fields the user intends to modify
> with the information you already have?
>
> Alex T
>
> On 6/17/06, Grae Wolfe - PHP <[EMAIL PROTECTED]> wrote:
>> Good day!
>>   I have been working on this little "free" project for a while, and now 
>> I
>> have hit another major hiccup.  Is there a simple way to only update 
>> fields
>> that have something in them?
>>   The problem that I am having is that if someone fills out information 
>> and
>> submits it, it saves to the DB just fine.  However, if they come back 
>> later
>> and just put in, for example, a new phone number, it replaces all of the
>> other information with blanks.
>>   Here is my current $sql query:
>>
>> $sql = "UPDATE $table
>> SET
>> first_name='$first_name',
>> last_name='$last_name',
>> hs_last_name='$hs_last_name',
>> guest_name='$guest_name',
>> street_address1='$street_address1',
>> street_address2='$street_address2',
>> city='$city',
>> state='$state',
>> zip='$zip',
>> phone1='$phone1',
>> phone2='$phone2',
>> email_address='$email_address',
>> farmers_barn='$farmers_barn',
>> wrhs_tour='$wrhs_tour',
>> crystal_rose='$crystal_rose',
>> registration_comments='$registration_comments',
>> date_registered='$today'
>> WHERE first_name='$first_name' AND last_name='$last_name'";
>>
>>
>>




[PHP-DB] Conditional updating...

2006-06-17 Thread Grae Wolfe - PHP
Good day!
  I have been working on this little "free" project for a while, and now I 
have hit another major hiccup.  Is there a simple way to only update fields 
that have something in them?
  The problem that I am having is that if someone fills out information and 
submits it, it saves to the DB just fine.  However, if they come back later 
and just put in, for example, a new phone number, it replaces all of the 
other information with blanks.
  Here is my current $sql query:

$sql = "UPDATE $table
SET
first_name='$first_name',
last_name='$last_name',
hs_last_name='$hs_last_name',
guest_name='$guest_name',
street_address1='$street_address1',
street_address2='$street_address2',
city='$city',
state='$state',
zip='$zip',
phone1='$phone1',
phone2='$phone2',
email_address='$email_address',
farmers_barn='$farmers_barn',
wrhs_tour='$wrhs_tour',
crystal_rose='$crystal_rose',
registration_comments='$registration_comments',
date_registered='$today'
WHERE first_name='$first_name' AND last_name='$last_name'"; 






Re: [PHP-DB] Combining Fields

2006-05-31 Thread Grae Wolfe - PHP
Again, my many thanks - I didn't know about the 'explode' function - that 
may be a huge help.

Hopefully, I am on the right track now...  thanks!



"Brad Bonkoski" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
>
> Grae Wolfe - PHP wrote:
>
>>Thank you Brad - That is what I was looking for, but now that I see how it 
>>behaves, I am thinking that it isn't going to work the way I wanted.  I 
>>need to then be able to pass the "ID" back to MySQL so that it will 
>>retrieve just the one record for editing.
>>
>>I guess I need to go back to making the DB create an auto-incrementing ID 
>>number.  Hmmm...
>>
>>Thanks!!
>>
>>
> Well, the unique ID would probably be the *best* way to go, but you could 
> also get the record with the below solution, of course this requires every 
> combination of first and last name is unique...
> if you do:
> $id = "Smith,Adam"
> Then:
> list($fname, $lname) = explode(",",$id);
> select * from table where first_name = '$fname' and last_name='$lname'
> would do the trick...
> Of course this has many "what-ifs" associated with it...all of which would 
> be taken care of with an auto-incrementing/primary key ID field for each 
> record ;-)
>
> -Brad
>
>>"Brad Bonkoski" <[EMAIL PROTECTED]> wrote in message 
>>news:[EMAIL PROTECTED]
>>
>>>Grae Wolfe - PHP wrote:
>>>
>>>
>>>>Good Day!
>>>> I am trying to use my limited knowledge to create a VERY simple process 
>>>> to display some of the information in my table, allow a particular 
>>>> record to be selected, then opened on a page with text boxes to edit 
>>>> the information, after which the UPDATE command will be used to update 
>>>> the database.
>>>> That being said, I have a way that I think this will work, but I don't 
>>>> have a unique record number in my table for each of the entries.  I 
>>>> have tried getting PHPMyAdmin to set this up, but I cannot seem to make 
>>>> it work. SO - I need to try to create that ID on the fly.  I figured I 
>>>> could just combine the first and last names to make this ID, but I am 
>>>> not sure what the syntax should be.  Here is the code I have dealing 
>>>> with defining the variables...
>>>>
>>>>Any help or thoughts would be splendid!
>>>>
>>>>while ($row = mysql_fetch_array($result)) {
>>>>$id = $row['last_name'],$row['first_name'];
>>>>$fname = $row['first_name'];
>>>>$lname = $row['last_name'];
>>>>
>>>>$option_block .= "$lname, $fname";
>>>>
>>>>
>>>>
>>>>
>>>Use the dot (.) for appending variables...
>>>so it would be:
>>>$id = $row['last_name'].$row['first_name'];
>>>...of course if you want that would look like this: 'SmithAdam'
>>>if you want 'Smith,Adam' as your id then:
>>>$id = $row['last_name'].",".$row['first_name'];
>>>-Brad
>>
>> 
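
An added example, not code from Brad or the original poster: the auto-incrementing key approach recommended above, with the id validated as an integer when it comes back from the form and the names HTML-escaped for display. The `people` table and both function names are assumptions; in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example; schema and function names are assumptions for illustration.
// In-memory SQLite via PDO so it runs offline; MySQL would use AUTO_INCREMENT.

function optionBlock(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT id, first_name, last_name FROM people ORDER BY id') as $row) {
        // value carries the integer key; names are display text only and are HTML-escaped.
        $label = htmlspecialchars($row['last_name'] . ', ' . $row['first_name'], ENT_QUOTES, 'UTF-8');
        $html .= sprintf("<option value=\"%d\">%s</option>\n", $row['id'], $label);
    }
    return $html;
}

function fetchForEdit(PDO $db, $rawId): ?array
{
    // The id comes back from the browser, so accept only a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM people WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Constructed sample data covering two "what-ifs" of a name-based id:
// duplicate names, and a name that itself contains a comma.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY AUTOINCREMENT, first_name TEXT, last_name TEXT)');
$ins = $db->prepare('INSERT INTO people (first_name, last_name) VALUES (?, ?)');
foreach ([['Adam', 'Smith'], ['Adam', 'Smith'], ['Ann', 'Smith, Jr.']] as $person) {
    $ins->execute($person);
}

echo optionBlock($db);
// A "last,first" id for the third row splits into three parts, not two.
var_dump(count(explode(',', 'Smith, Jr.,Ann')));
// The integer key selects exactly one row; a non-integer id is rejected.
print_r(fetchForEdit($db, '3'));
var_dump(fetchForEdit($db, 'Smith,Adam'));
```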




Re: [PHP-DB] Combining Fields

2006-05-31 Thread Grae Wolfe - PHP
Thank you Brad - That is what I was looking for, but now that I see how it 
behaves, I am thinking that it isn't going to work the way I wanted.  I need 
to then be able to pass the "ID" back to MySQL so that it will retrieve just 
the one record for editing.

I guess I need to go back to making the DB create an auto-incrementing ID 
number.  Hmmm...

Thanks!!


"Brad Bonkoski" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
>
> Grae Wolfe - PHP wrote:
>
>>Good Day!
>>  I am trying to use my limited knowledge to create a VERY simple process 
>> to display some of the information in my table, allow a particular record 
>> to be selected, then opened on a page with text boxes to edit the 
>> information, after which the UPDATE command will be used to update the 
>> database.
>>  That being said, I have a way that I think this will work, but I don't 
>> have a unique record number in my table for each of the entries.  I have 
>> tried getting PHPMyAdmin to set this up, but I cannot seem to make it 
>> work. SO - I need to try to create that ID on the fly.  I figured I could 
>> just combine the first and last names to make this ID, but I am not sure 
>> what the syntax should be.  Here is the code I have dealing with defining 
>> the variables...
>>
>>Any help or thoughts would be splendid!
>>
>>while ($row = mysql_fetch_array($result)) {
>> $id = $row['last_name'],$row['first_name'];
>> $fname = $row['first_name'];
>> $lname = $row['last_name'];
>>
>> $option_block .= "$lname, $fname";
>>
>>
>>
> Use the dot (.) for appending variables...
> so it would be:
> $id = $row['last_name'].$row['first_name'];
> ...of course if you want that would look like this: 'SmithAdam'
> if you want 'Smith,Adam' as your id then:
> $id = $row['last_name'].",".$row['first_name'];
> -Brad 




[PHP-DB] Combining Fields

2006-05-31 Thread Grae Wolfe - PHP
Good Day!
  I am trying to use my limited knowledge to create a VERY simple process to 
display some of the information in my table, allow a particular record to be 
selected, then opened on a page with text boxes to edit the information, 
after which the UPDATE command will be used to update the database.
  That being said, I have a way that I think this will work, but I don't 
have a unique record number in my table for each of the entries.  I have 
tried getting PHPMyAdmin to set this up, but I cannot seem to make it work. 
SO - I need to try to create that ID on the fly.  I figured I could just 
combine the first and last names to make this ID, but I am not sure what the 
syntax should be.  Here is the code I have dealing with defining the 
variables...

Any help or thoughts would be splendid!

while ($row = mysql_fetch_array($result)) {
 $id = $row['last_name'],$row['first_name'];
 $fname = $row['first_name'];
 $lname = $row['last_name'];

 $option_block .= "$lname, $fname";





[PHP-DB] Too stupid to UPDATE...

2006-05-12 Thread Grae Wolfe - PHP
I am trying to write a script to handle event registration.  Most of the 
people that will be registering are already in the database, but not all, 
and those that are may not have current information.

Here is my latest effort, or at least a snippet of it...  Can anyone point 
out where I went stupid, or if there is a better way of doing this? 
THANKS!!!

<<<===---  BEGIN SNIPPET  ---===>>>

$db = @mysql_select_db($dbname, $connection) or die("Couldn't Select 
Database.");

$link = mysql_connect("$server", "$user", "$pass");
mysql_select_db("$dbname", $link);

$result = mysql_query("SELECT * FROM $table WHERE first_name='$first_name' 
AND hs_last_name='$hs_last_name' AND last_name='$last_name'", $link);
$num_rows = mysql_num_rows($result);

if($num_rows) {

$sql = "UPDATE $table SET first_name=\"$first_name\", 
last_name=\"$last_name\", hs_last_name=\"$hs_last_name\", 
guest_name=\"$guest_name\", street_address1=\"$street_address1\", 
street_address2=\"$street_address2\", city=\"$city\", state=\"$state\", 
zip=\"$zip\", phone1=\"$phone1\", phone2=\"$phone2\", 
email_address=\"$email_address\", number_attending=\"$number_attending\", 
payment=\"$payment\", registration_comments=\"$registration_comments\", 
date_registered=\"$today\" WHERE first_name=\"$first_name\" AND 
last_name=\"&last_name\"";

$result = @mysql_query($sql,$connection) or die("Couldn't Execute Query.");

 }
 else {

$sql = "INSERT INTO $table
(first_name, last_name, hs_last_name, guest_name, street_address1, 
street_address2, city, state, zip, phone1, phone2, email_address, 
number_attending, payment, registration_comments, date_registered)
VALUES
(\"$first_name\", \"$last_name\", \"$hs_last_name\", \"$guest_name\", 
\"$street_address1\", \"$street_address2\", \"$city\", \"$state\", \"$zip\", 
\"$phone1\", \"$phone2\", \"$email_address\", \"$number_attending\", 
\"$payment\", \"$registration_comments\", \"$today\")
";

$result = @mysql_query($sql,$connection) or die("Couldn't Execute Query.");

<<<===---  END SNIPPET  ---===>>> 
