You appear to have mis-matched tags according to the recent code you posted: missing closing div and closing table tag(s). You are also using the obsolete center tag. These should be corrected but probably do not account for your issue.
I don't believe action="" should be used to re-direct to the same page. In particular, this attribute should not be empty. I use:
__________________
"I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
Validate your HTML and CSS
is only necessary if posting a file. It's probably not causing any harm but you might as well delete it - assuming you are not actually posting a file.
Thank you for the advice, I have changed the form syntax. The in-page styling is just there temporarily. The CSS will be created in detail after I actually get the enter, update, and delete features to finally work. But I fear that may never happen, lol
The mismatched tags shouldn't be a problem so long as you have matched form tags (and even then I question if it would be a problem. . .) and valid input types. It's bad form for HTML of course, but that shouldn't cause a problem with what the browsers actually send. Action can be empty; I don't know if that's valid with the HTML specifications or if they prefer a lack of element attribute. I personally always provide an action as well.
Isset is used to verify a variable exists and is not null. In the case of an offset in post, it is verifying that a value has been provided to it via post method. In all honesty, if you want to do it precisely you should check that every relevant field is provided (minus the submit).
You still need to clarify what you mean by a refresh. You don't mean by actually pressing the refresh button do you? You need to resubmit it completely from scratch to resubmit it fresh.
Add a print $strSQL; before the sqlsrv_query. Take that and run it directly into a SQL client to verify it works. If it doesn't print, then make sure that the form shows.
If the form is not showing (ie: a white blank page) after submit, then run the code through a PHP lint on the command line with php -l thatfile.php and it will verify no syntax errors. Double check that the url specified is that of the form.
If the form does show, view the source HTML to verify you cannot see the PHP code. If you can, you are not processing PHP (which does not sound like the case); this can be caused though if you are using the file:// protocol instead of the http:// protocol on a local machine. If that checks out, and you do not see the SQL string, then it is not entering that conditional block. With what you have here, it will upon submission as you have specified a text field called "LOWNUMBER" as being available. All text fields are successful regardless of the value specified, unlike radios and checkboxes for example which are only submitted if checked.
At minimum, you should always see the form regardless of if you have submitted it or not.
Okay, I added the print $strSQL; into the code and when I hit the refresh button, the page shows normally, but this line is present at the top left corner of the page:
INSERT INTO MSAG (StreetName) VALUES ('0x4a414d4945')
When I was speaking of hitting the submit button earlier and it 'refreshing' the page, I was referring to when I hit the submit button, the page 'blinks' and all the form data that I had entered disappears. I hope that made sense.
However, I did not notice this before, but now when I fill out the StreetName field on the form, it will add it to the database, but only if the street name is just a number. (ie, I can enter a record with a streetname of '1' and it will work, however, if I enter 'Broad St' it will not.)
<?php
/**
First thing, we create a function that will make your data safe!
**/
function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}
if (isset($_POST['LOWNUMBER'])) {
    //now we loop through the post data and sanitize it!
    foreach ($_POST as $key=>$value) {
        $_POST[$key] = mssql_escape($value);
    }
    //now we build the query!
    $strSQL = "INSERT INTO MSAG ";
    $strSQL .="(StreetName) ";
    $strSQL .="VALUES ";
    $strSQL .= "('{$_POST['StreetName']}')";
    print $strSQL;
    //now we insert it
    sqlsrv_query($conn, $strSQL) or die(print_r(sqlsrv_errors(), true));
}
?>
<?php include 'includes/head/head_main.php'; ?>
<div id = "top_content">
<body>
<?php include 'includes/header/header_main.php'; ?>
Are you sure the datatype in the MSAG table for StreetName is a text type? It looks to me that it is (SQL Server should complain about a datatype mismatch if it's not and reject).
Comment out this line and try again: $_POST[$key] = mssql_escape($value);.
That worked that time. I commented out that line and I was able to enter a text street name. Does this mean that the data entry script is working correctly, sir?
If so, to enter all the other fields as well, I would just need to make more of these correct?
$strSQL .= "('{$_POST['LOWNUMBER']}')";
$strSQL .= "('{$_POST['HIGHNUMBER']}')";
$strSQL .= "('{$_POST['COMMUNITY']}')";
My newness is really shining here, but, I see your example and I am really not familiar with this implode function at all:
PHP Code:
$a = array(); // your array of key => values
$sFields = implode('], [', array_keys($a));
$sReplacement = rtrim(str_repeat('?, ', count($a)), ', ');
$sQry = "INSERT INTO [MSAG] ([$sFields]) VALUES ($sReplacement)";
if ($stmt = sqlsrv_query($conn, $sQry, $a))
{
    print 'done.';
}
2 questions, where would I place the field names in this, and would that replace this whole block?:
PHP Code:
/**
First thing, we create a function that will make your data safe!
**/
function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}
if (isset($_POST['LOWNUMBER'])) {
    //now we loop through the post data and sanitize it!
    foreach ($_POST as $key=>$value) {
        //$_POST[$key] = mssql_escape($value);
    }
    //now we build the query!
    $strSQL = "INSERT INTO MSAG ";
    $strSQL .="(StreetName) ";
    $strSQL .="VALUES ";
    $strSQL .= "('{$_POST['StreetName']}')";
    print $strSQL;
    //now we insert it
    sqlsrv_query($conn, $strSQL) or die(print_r(sqlsrv_errors(), true));
}
Last edited by willscarlet; 12-17-2012 at 09:54 PM..
You don't need to specify the fields. The implode's job is to create them for you.
It is terribly insecure though. What would be better would be to give it a quick dataset to compare against for what you do allow (keyname-wise). This assumes the keyname matches the fieldname provided in the form.
PHP Code:
$aAllowed = array('StreetPrefix', 'StreetName', 'StreetSuffix', '...'); // all the allowed items.
function removeUnknowns(&$item, $key, array $aAllowed)
{
    if (!in_array($key, $aAllowed))
    {
        $item = "";
    }
}
You seem to have included the following from my code sample:
PHP Code:
onsubmit="return validate(this);"
This is only relevant, of course, if you have a JS function named validate() already.
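An added example (not code from the thread) of the allow-list idea in the post above combined with the sqlsrv driver's ? parameters, so that column names come only from a fixed list and values never enter the SQL text (which also makes the hex mssql_escape() trick unnecessary). It assumes the MSAG column names match the form field names, that $conn is a sqlsrv connection opened elsewhere, and uses a constructed sample request instead of a live $_POST.

```php
<?php
// Added example, not the thread's own code.
// Assumed: MSAG column names equal the form field names; $conn is a
// sqlsrv connection created elsewhere in the page.

// Constructed subset of the allow-list from the thread.
$aAllowed = array('StreetPrefix', 'StreetName', 'StreetSuffix',
                  'COMMUNITY', 'LOWNUMBER', 'HighNumber');

/**
 * Build a parameterised INSERT from request data.
 * Returns array($sql, $params), or null when no allowed field was sent.
 */
function buildInsert(array $post, array $aAllowed)
{
    // 1. Keep only keys that are on the allow-list. Column names end up
    //    inside the SQL text, so they must come from our list, never
    //    from whatever keys the client happened to send.
    $data = array();
    foreach ($aAllowed as $field) {
        if (isset($post[$field]) && $post[$field] !== '') {
            $data[$field] = $post[$field];
        }
    }
    if (count($data) === 0) {
        return null;
    }
    // 2. Values never touch the SQL text: one ? placeholder per column,
    //    and the values are handed to sqlsrv_query as a separate array.
    $sFields      = '[' . implode('], [', array_keys($data)) . ']';
    $sReplacement = implode(', ', array_fill(0, count($data), '?'));
    $sQry = "INSERT INTO [MSAG] ($sFields) VALUES ($sReplacement)";
    return array($sQry, array_values($data));
}

// Constructed sample request: includes keys that are not MSAG columns.
$samplePost = array(
    'StreetName' => 'Broad St',
    'LOWNUMBER'  => '100',
    'NotAColumn' => 'ignored by the allow-list',
    'Submit'     => 'Save',
);

$built = buildInsert($samplePost, $aAllowed);
if ($built !== null) {
    list($sql, $params) = $built;
    print $sql . "\n";              // inspect the statement first, as advised
    if (isset($conn)) {             // only runs when a real connection exists
        $stmt = sqlsrv_query($conn, $sql, $params);
        if ($stmt === false) {
            die(print_r(sqlsrv_errors(), true));
        }
    }
}
```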
Okay, I changed the code around a bit as you suggested, sir. However, now it no longer lets me enter information into the database. Maybe I have a syntax error that you would be able to easily spot? No errors are being thrown. Also, I have asked before but was unclear on what to do, but the LOWNUMBER that I have in the isset _POST, should I be replacing that with something else?
/**
First thing, we create a function that will make your data safe!
**/
function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}
if (isset($_POST['LOWNUMBER'])) {
    $aAllowed = array( 'StreetPrefix',
                       'StreetName',
                       'StreetSuffix',
                       'StreetPostDir',
                       'COMMUNITY',
                       'LOWNUMBER',
                       'HighNumber',
                       'EOB',
                       'ESN',
                       'TELCO',
                       'PostOffice',
                       'ZONE',
                       'MAP',
                       'DateEntered',
                       'DateUpdated',
                       'Comments'
                     ); // all the allowed items.
    function removeUnknowns(&$item, $key, array $aAllowed)
    {
        if (!in_array($key, $aAllowed))
        {
            $item = "";
        }
    }