Re: Mysqli issue

On 11 Sep 2008, at 16:29, Wolf wrote:
---- Jason Pruim <japruim@xxxxxxxxxx> wrote:
No political undertones in this one I promise! :)

Attempting to set up a prepared statement in PHP that will update a
record in a MySQL database using mysqli.

Here is the relevant code:
$stmt = mysqli_stmt_init($link);
mysqli_stmt_prepare($stmt, "UPDATE purl.schreur (FName, LName, email,
phone, record, subscribed, date, IPAddress, Business, Address1, City,
State, Zip, Coffee, Meeting, areaPlans) VALUES
(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");

mysqli_stmt_bind_param($stmt, 'ssssssssssssssssss',
$_POST['txtFName'], $_POST['txtLName'], $_POST['txtEmail'],
$_POST['txtPhone'], $_POST['txturl'], $_POST['record'],
$_POST['subscribed'], $date, $_SERVER['REMOTE_ADDR'],
$_POST['txtBusiness'], $_POST['txtAddress1'], $_POST['txtCity'],
$_POST['txtState'], $_POST['txtZip'], $_POST['rdoCoffee'],
$_POST['rdoTime'], $_POST['areaPlans']); //or die(mysqli_error ($link));
echo "<BR>Dump of stmt:<BR>";

mysqli_stmt_execute($stmt) or die(mysqli_error($link));

Here is my error message:

You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '(FName, LName, email, phone, record, subscribed, date,
IPAddress, Business, Addr' at line 1

Now I may just be being dense but I can't figure out the problem...
Migraines are not helping right now though....

Can anyone see my stupid mistake? :)

OK, you asked for it...

You aren't checking your stuff before dumping it.  None of it...

So, you should be taking the post variables and slapping them into a checker.

Then, your statement should be more along the lines of:
mysqli_stmt_bind_param($stmt, 'ssssssssssssssssss','$txtFName','$txtLName','$txtEmail','$txtPhone','$txturl','$record','$subscribed',$date, '$REMOTE_ADDR','$txtBusiness','$txtAddress1','$txtCity','$txtState','$txtZip','$rdoCoffee','$rdoTime','$areaPlans') ;

I think you're the one who's asking for it... I don't really think Jason wants to insert '$txtFName' as the name. I'm just guessing, but it's a fair bet. If you're going to offer advice to someone be sure to check your message thoroughly before sending it!!

To address your actual point, there's no particular reason why that input should be being checked at all. Maybe Jason wants to use exactly what the user is entering. Nothing wrong with that so long as it's properly escaped when being displayed.

-Stut

--
http://stut.net/
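An added example, not code from the thread or from any of its posters, showing the shape the statement above needs to take: UPDATE uses SET rather than the INSERT-style column list that produced the syntax error, every step's return value is checked, the type string is derived from the bound values so the counts cannot drift, and escaping happens at output as Stut describes. It assumes an open mysqli connection in $link and the column names from Jason's post; treating `record` as the row key, dropping `txturl` (which has no column in the list) and generating the date inline are assumptions.

```php
<?php
// Assumed: $link is an open mysqli connection and purl.schreur has the
// columns listed in the original post. "record" as the WHERE key is an
// assumption; the post never says which column identifies the row.

// UPDATE takes "SET col = ?", not "(cols) VALUES (...)", which is INSERT
// syntax and is exactly what the MySQL error in the thread complained about.
$sql = "UPDATE purl.schreur
           SET FName = ?, LName = ?, email = ?, phone = ?, subscribed = ?,
               date = ?, IPAddress = ?, Business = ?, Address1 = ?, City = ?,
               State = ?, Zip = ?, Coffee = ?, Meeting = ?, areaPlans = ?
         WHERE record = ?";

// Values in placeholder order. Raw user input is fine here: bound values
// travel separately from the SQL text, so they cannot change its structure.
$values = [
    $_POST['txtFName'], $_POST['txtLName'], $_POST['txtEmail'],
    $_POST['txtPhone'], $_POST['subscribed'], date('Y-m-d H:i:s'),
    $_SERVER['REMOTE_ADDR'], $_POST['txtBusiness'], $_POST['txtAddress1'],
    $_POST['txtCity'], $_POST['txtState'], $_POST['txtZip'],
    $_POST['rdoCoffee'], $_POST['rdoTime'], $_POST['areaPlans'],
    $_POST['record'],
];

// The thread's code had 18 type characters, 17 variables and 16 placeholders.
// Deriving the type string from the value list and checking it against the
// placeholder count catches that class of mismatch before anything runs.
$types = str_repeat('s', count($values));
if (substr_count($sql, '?') !== count($values)) {
    die('placeholder/value count mismatch');
}

// mysqli_prepare() returns false on a syntax error; the original code never
// looked and went on to execute an unprepared statement. die() is used only
// to keep the example short; a real handler would log and return an error page.
$stmt = mysqli_prepare($link, $sql) or die(mysqli_error($link));
mysqli_stmt_bind_param($stmt, $types, ...$values) or die(mysqli_stmt_error($stmt));
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));

// Stut's point: the input needs no "checking" to be stored safely, but it must
// be encoded for the HTML context when it is displayed.
echo 'Updated record for ' . htmlspecialchars($_POST['txtFName'], ENT_QUOTES, 'UTF-8');
```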

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
