...

View Full Version : Striplashes to database



thoford75
12-07-2010, 06:06 PM
Hi all. Very quick question (I hope!)

I'm trying to post some values to my database onsubmit.

The field names in the db are correct and the first two values sumbit (the id and product number)

Here is the complete php code. Really appreciate any help as this is driving me crazy!!




<?php session_start();

if (isset($_SESSION['again'])) {
$again = $_SESSION['again'];
unset($_SESSION['again']);
}

// Include the MySQL Connect file.
include('admin/components/mysql_connect.inc');
// Include a function to build the URL.
include('components/build-url.php');
// Include the code to build the query.
include('components/build-query.php');


// Ensure there's an ID and validate it
if (!isset($_GET['carpet']) || !is_numeric($_GET['carpet'])) {
header('Location: /results.php');
exit;
}
else {
$id = $_GET['carpet'];

$query = "SELECT products.*, ranges.*, manufacturers.*, piles.* FROM products, ranges, manufacturers, piles WHERE products.range_id=ranges.range_id AND ranges.manufacturer_id=manufacturers.manufacturer_id AND ranges.pile_id=piles.pile_id AND products.product_id=" . mysql_real_escape_string($id);
$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
header('Location: /results.php');
exit;
}
else {
$row = mysql_fetch_assoc($result);

$product_image = $row['product_image'];
$product_name = $row['product_name'];
$range_name = $row['range_name'];
$product_description = $row['product_description'];
$range_on_sale = $row['range_on_sale'];
$range_resell_price = $row['range_resell_price'];
$range_sale_discount = $row['range_sale_discount'];
$manufacturer_name = $row['manufacturer_name'];
$range_backing = $row['range_backing'];
$range_width = $row['range_width'];
$pile_name = $row['pile_name'];
$range_warranty = $row['range_warranty'];
$range_british_wool = $row['range_british_wool'];
$room_id = $row['room_id'];
$range_id = $row['range_id'];



$query2 = "SELECT * FROM fitting WHERE fitting_id=1";
$result2 = mysql_query($query2);
$row2 = mysql_fetch_assoc($result2);

$fitting_price = $row2['fitting_price'];
}

}


if ($_GET['unknown']) {

// Ensure there's an ID and validate it
if (!isset($_GET['carpet']) || !is_numeric($_GET['carpet'])) {
header('Location: /results.php');
exit;
}

if ($range_on_sale == 'Y') {
$basket_carpet_price = number_format($range_resell_price/100*(100-$range_sale_discount), 2);
}
else {
$basket_carpet_price = $range_resell_price;
}

$query = sprintf("INSERT INTO basket (product_id, basket_name, session_id, ) VALUES ('$id', '%s', '%s')",
mysql_real_escape_string(stripslashes(strip_tags($_POST['roomsize']))),
mysql_real_escape_string(session_id()));



$result = mysql_query($query);

$_SESSION['url'] = $_SERVER['REQUEST_URI'];
$_SESSION['just_added'] = $_GET['carpet'];
$_SESSION['room_name'] = 'Unnamed Room';
$_SESSION['unknown'] = 'Y';

header('Location: /basket.php');

}

?>



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" href="css/lightbox.css" type="text/css" media="screen" />


</head>
<body>
<form action="" method="post" name="confirm_form">


<select name="roomsize" size="1">
<option value="Living Room" <?php if ($_POST['roomsize'] == 'Living Room') { echo 'selected="selected"'; } ?>>Living Room</option>
<option value="Bedroom 1" <?php if ($_POST['roomsize'] == 'Bedroom 1') { echo 'selected="selected"'; } ?>>Bedroom 1</option>
<option value="Bedroom 2" <?php if ($_POST['roomsize'] == 'Bedroom 2') { echo 'selected="selected"'; } ?>>Bedroom 2</option>
</select>

</form>

<?php


if ($_SESSION['unknown']) {
echo '<a href="1702.php?carpet=' . $id . '&amp;unknown=y" target="_parent"><img src="/images/basketlink.jpg" border="0" alt="ADD >" title="ADD >" /></a>';
}
else {
echo '<a href="1702.php?carpet=' . $id . '&amp;unknown=y" target="_parent"><img src="/images/basketlink.jpg" border="0" alt="ADD >" title="ADD >" /></a>';
}
?>


</body>
</html>

abduraooft
12-08-2010, 07:49 AM
Change
$result = mysql_query($query); to

$result = mysql_query($query) or die($query."<br>Error:". mysql_error()); to check whether the query is getting populated well.

thoford75
12-08-2010, 09:57 AM
Thanks for reply. The error showed me I had a trailing comma at the end of my $query. This did not fix the entry problem however.

product_id goes into db
session_id goes into db

basket_name does not go into db

I think the problem must lie within the:



<select name="roomsize" size="1">
<option value="Living Room" <?php if ($_POST['roomsize'] == 'Living Room') { echo 'selected="selected"'; } ?>>Living Room</option>
<option value="Bedroom 1" <?php if ($_POST['roomsize'] == 'Bedroom 1') { echo 'selected="selected"'; } ?>>Bedroom 1</option>
<option value="Bedroom 2" <?php if ($_POST['roomsize'] == 'Bedroom 2') { echo 'selected="selected"'; } ?>>Bedroom 2</option>
</select>


or in the mysql_real_escape_string(stripslashes(strip_tags($_POST['roomsize']))),

Help!?

abduraooft
12-08-2010, 10:31 AM
Help!? Please show the output of what I've suggested.

thoford75
12-08-2010, 10:36 AM
The output is that page redirects to the basket page which is correct. With the comma in I get:


INSERT INTO basket (product_id, basket_name, session_id, ) VALUES ('666', '', '8fc21078ab0e220873436d6b90712691')


I can see by looking in the mysql database what has been inserted.

Database screenshot:
http://stanmore.voguegroupprojects.com/db.png

abduraooft
12-08-2010, 10:40 AM
Oh..sorry, that won't show anything if there's no error. What do you get for


echo '<pre>';
print_r($_POST);
echo '</pre>';

echo $query;

there?

thoford75
12-08-2010, 10:43 AM
Array
(
)
INSERT INTO basket (product_id, basket_name, session_id) VALUES ('666', '', '8fc21078ab0e220873436d6b90712691')

abduraooft
12-08-2010, 10:45 AM
Array
(
) Means, your $_POST array is empty! Have you specified the method="post" attribute to your form?

thoford75
12-08-2010, 10:50 AM
Yes.



<form action="" method="post" name="confirm_form">


<select name="roomsize" size="1">
<option value="Living Room" <?php if ($_POST['roomsize'] == 'Living Room') { echo 'selected="selected"'; } ?>>Living Room</option>
<option value="Bedroom 1" <?php if ($_POST['roomsize'] == 'Bedroom 1') { echo 'selected="selected"'; } ?>>Bedroom 1</option>
<option value="Bedroom 2" <?php if ($_POST['roomsize'] == 'Bedroom 2') { echo 'selected="selected"'; } ?>>Bedroom 2</option>
</select>

</form>


Not sure if the form is submitting correctly though.

thoford75
12-08-2010, 11:31 AM
Not sure if the form is submitting correctly though.

Ill expand on this.

The submit button in the form is:



echo '<a href="1702.php?carpet=' . $id . '&amp;unknown=y" target="_parent"><img src="/images/basketlink.jpg" border="0" alt="ADD >" title="ADD >" /></a>';


At the top of the page the script to process this is:



if ($_GET['unknown']) {

// Ensure there's an ID and validate it
if (!isset($_GET['carpet']) || !is_numeric($_GET['carpet'])) {
header('Location: /results.php');
exit;
}



$query = sprintf("INSERT INTO basket (product_id, basket_name, session_id) VALUES ('$id', '%s', '%s')",
mysql_real_escape_string(stripslashes(strip_tags($_POST['roomsize']))),
mysql_real_escape_string(session_id()));



$result = mysql_query($query) or die($query."<br>Error:". mysql_error());

$_SESSION['url'] = $_SERVER['REQUEST_URI'];
$_SESSION['just_added'] = $_GET['carpet'];
$_SESSION['room_name'] = 'Unnamed Room';
$_SESSION['unknown'] = 'Y';

header('Location: /basket.php');

}


I wonder if i need to create a 'bridged' page to process this submit before the headers redirect to basket.php....?

abduraooft
12-08-2010, 12:49 PM
Ill expand on this.

The submit button in the form is:
There's the catch! An anchor can't behave like a "submit" button. You'd either need to use an input-submit / button-submit element Or an input-image, like

<input type="image" src="/images/basketlink.jpg" border="0" alt="ADD" value="ADD" >

thoford75
12-08-2010, 01:05 PM
Excellent! That fixed it! Changed my code to:



<form action="1702.php?carpet=<?php echo $id; ?>&amp;unknown=y" target="_parent" method="post">


<select name="roomsize" size="1">
<option value="Living Room" <?php if ($_POST['roomsize'] == 'Living Room') { echo 'selected="selected"'; } ?>>Living Room</option>
<option value="Bedroom 1" <?php if ($_POST['roomsize'] == 'Bedroom 1') { echo 'selected="selected"'; } ?>>Bedroom 1</option>
<option value="Bedroom 2" <?php if ($_POST['roomsize'] == 'Bedroom 2') { echo 'selected="selected"'; } ?>>Bedroom 2</option>
</select>
<input name="" type="submit" />
</form>


Shame an anchor can't behave like the submit button but there's always another way. Thanks again!

abduraooft
12-08-2010, 04:12 PM
Shame an anchor can't behave like the submit button but there's always another way. Thanks again!
anchor has its own purpose ans is doing well that :)



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum