[PHP] RE: [PHP-DB] PHP Database Problems

2012-05-02 Thread Gavin Chalkley
Ethan,

Some code you are using would be helpful (as far as I am aware attachments
are not supported on the mailing lists)

Gav

-Original Message-
From: Ethan Rosenberg [mailto:eth...@earthlink.net] 
Sent: 02 May 2012 19:54
To: php-db-lists.php.net; php-general@lists.php.net
Subject: [PHP-DB] PHP  Database Problems

I have a database

mysql> describe Intake3;
+--------+-------------+------+-----+---------+-------+
| Field  | Type        | Null | Key | Default | Extra |
+--------+-------------+------+-----+---------+-------+
| Site   | varchar(6)  | NO   | PRI |         |       |
| MedRec | int(6)      | NO   | PRI | NULL    |       |
| Fname  | varchar(15) | YES  |     | NULL    |       |
| Lname  | varchar(30) | YES  |     | NULL    |       |
| Phone  | varchar(30) | YES  |     | NULL    |       |
| Height | int(4)      | YES  |     | NULL    |       |
| Sex    | char(7)     | YES  |     | NULL    |       |
| Hx     | text        | YES  |     | NULL    |       |
+--------+-------------+------+-----+---------+-------+
8 rows in set (0.00 sec)

mysql> describe Visit3;
+--------+--------------+------+-----+---------+----------------+
| Field  | Type         | Null | Key | Default | Extra          |
+--------+--------------+------+-----+---------+----------------+
| Indx   | int(4)       | NO   | PRI | NULL    | auto_increment |
| Site   | varchar(6)   | YES  |     | NULL    |                |
| MedRec | int(6)       | YES  |     | NULL    |                |
| Notes  | text         | YES  |     | NULL    |                |
| Weight | int(4)       | YES  |     | NULL    |                |
| BMI    | decimal(3,1) | YES  |     | NULL    |                |
| Date   | date         | YES  |     | NULL    |                |
+--------+--------------+------+-----+---------+----------------+

and a program to enter and extract data.

I can easily extract data from the database. However, if I try to enter
data, it goes into the incorrect record.  Following are some screenshots.
The program is attached.  [pardon the comical names.  This is a test, and
any resemblance to true names is not intentional]

Let us say that I wish to deal with Medical Record 1:


This is data from Intake3:

Site  Medical Record  First Name  Last Name  Phone         Height  Sex   History
AA    1               David       Dummy      845 365-1456  66      Male  c/o obesity. Various treatments w/o success

This is data from Visit3:

Index  Site  Medical Record  Notes                                               Weight  BMI   Date
2322   AA    1               Second Visit.                                       170     27.4  2010-01-20
2326   AA    1               Third visit. Small progress, but pt is very happy.  165     26.6  2010-02-01


I then request to enter additional data:

Site  Medical Record  First Name  Last Name  Phone         Height  Sex   History
AA    10003           Stupid      Fool       325 563-4178  65      Male  Has been convinced by his friends that he is obese. Normal BMI = 23.

Index  Site  Medical Record  Notes  Weight  BMI  Date

Notice that it is entered into record 10003

The data is First Try

Index  Site  Medical Record  Notes      Weight  BMI   Date
2590   AA    10003           First Try  189     31.4  02 May 2012

Help and advice, please.

Thanks.

Ethan



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP] Re: [PHP-DB] PHP Database Problems -- Code Snippets

2012-05-02 Thread Christopher Jones


I noticed the use of SQL concatenation like:


$allowed_fields = array
   (  'Site' => $_POST['Site'], 'MedRec' => $_POST['MedRec'], 'Fname' =>
$_POST['Fname'], 'Lname' => $_POST['Lname'] ,
   'Phone' => $_POST['Phone'] , 'Sex' => $_POST['Sex']  , 'Height' =>
$_POST['Height']  );

if(empty($allowed_fields))
{
    echo "ouch";
}

$query = "select * from Intake3 where 1 ";

foreach ( $allowed_fields as $key => $val )
{
    if ( (($val != '')) )
    {
        $query .= " AND ($key = '$val') ";
    }
    $result1 = mysqli_query($cxn, $query);
}


and like


$query2 = "select * from Visit3 where 1 AND (Site = 'AA') AND (MedRec =
$_GLOBALS[mdr])";


This is a SQL Injection security risk.  There is a lot of material
on the web about this, e.g
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet

I cannot strongly enough suggest you rewrite the app to mitigate
against this issue.

Also, set error_reporting = E_ALL | E_STRICT in your php.ini file to
help you identify some of your other code issues.

Chris

--
christopher.jo...@oracle.com
http://twitter.com/#!/ghrd

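The two concatenated queries Chris quotes above, rewritten with mysqli prepared statements. This is an added example, not code from Ethan's program or from the list reply. It assumes $cxn is an open mysqli connection to the database holding Intake3 and Visit3 as described in the thread, PHP 7.1 or later with the mysqlnd driver (needed for get_result()), and a column whitelist and function names that are this example's own. Column names cannot be bound as placeholders, so the dynamic WHERE clause is built from a fixed list of allowed columns and only the values are bound; the original loop's rule of skipping blank form fields is kept.

```php
<?php
// Added example, not code from the original post. Shows the concatenated
// Intake3 and Visit3 queries from the thread as mysqli prepared statements.
// Assumptions: $cxn is an open mysqli connection to the thread's database,
// PHP 7.1+ with mysqlnd (for get_result()); the whitelist, function names
// and connection credentials below are this example's own.

declare(strict_types=1);

// Throw on any mysqli error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Columns a form may filter on, with their bind_param type:
// 'i' = bind as integer, 's' = bind as string. Column names cannot be
// placeholders, so they come from this list and never from the request.
const INTAKE_FILTER_COLUMNS = [
    'Site'   => 's',
    'MedRec' => 'i',
    'Fname'  => 's',
    'Lname'  => 's',
    'Phone'  => 's',
    'Sex'    => 's',
    'Height' => 'i',
];

/**
 * Build "SELECT * FROM Intake3 WHERE ..." from submitted form fields.
 * Blank fields are skipped, as in the original loop. Returns the SQL with
 * ? placeholders, the bind_param type string, and the values to bind.
 */
function build_intake_query(array $post): array
{
    $where  = [];
    $types  = '';
    $values = [];

    foreach (INTAKE_FILTER_COLUMNS as $col => $type) {
        if (!isset($post[$col]) || $post[$col] === '') {
            continue;
        }
        $where[]  = "`$col` = ?";   // column from the whitelist, value as placeholder
        $types   .= $type;
        $values[] = ($type === 'i') ? (int) $post[$col] : (string) $post[$col];
    }

    $sql = 'SELECT * FROM Intake3';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $types, $values];
}

/** Run the Intake3 lookup and return the matching rows as associative arrays. */
function fetch_intake(mysqli $cxn, array $post): array
{
    [$sql, $types, $values] = build_intake_query($post);
    $stmt = $cxn->prepare($sql);
    if ($values !== []) {
        // Spreading works here because bind_param's variadic takes references.
        $stmt->bind_param($types, ...$values);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * The Visit3 lookup from the thread with Site and MedRec bound instead of
 * interpolated. MedRec is typed int, so a non-numeric value is rejected by
 * PHP before any SQL is built.
 */
function fetch_visits(mysqli $cxn, string $site, int $medrec): array
{
    $stmt = $cxn->prepare(
        'SELECT * FROM Visit3 WHERE Site = ? AND MedRec = ? ORDER BY `Date`'
    );
    $stmt->bind_param('si', $site, $medrec);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with the thread's sample values (credentials are assumed). A hostile
// Lname such as "x' OR '1'='1" is bound as a plain string and matches no row;
// in the concatenated version it would rewrite the WHERE clause instead.
$cxn    = new mysqli('localhost', 'user', 'password', 'clinic');
$rows   = fetch_intake($cxn, ['Site' => 'AA', 'MedRec' => '1']);
$visits = fetch_visits($cxn, 'AA', 1);
```

In the running program the call would be fetch_intake($cxn, $_POST); the function only looks at the whitelisted keys, so any extra fields in the request are ignored rather than concatenated into the query. With mysqli_report() set to throw, a typo in a column name surfaces as an exception at prepare() time instead of a silent false from mysqli_query(), which is the same class of problem the E_ALL | E_STRICT advice above is meant to expose.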