Re: Problem with updating MySQL table

[Jason Pruim <japruim@xxxxxxxxxx>]

On Aug 27, 2008, at 12:41 PM, Evert Lammerts wrote:

> Everybody seems to agree on escaping :-) And I'm learning! HEREDOC,
> nifty indeed!

Yeah, ever since I found out about HEREDOC I've used it quite  
extensively with some of my projects... Also, when you're in the  
HEREDOC block, if you need to reference a variable just do this:

<?PHP
$var1 = "World";
echo <<<HTML
<p>Hello {$var1}!</p>
HTML;
?>

and voila!
> How about your $_POST variable, is there anything in there?

I think I have it narrowed down to disabling the editing of the  
fields...

If I do NOT disable the editing, then it submits fine, if I DO disable  
it then they don't submit.

I need to find a better to stop accidental editing rather then just  
<input type="text" disable>

> On Wed, Aug 27, 2008 at 6:38 PM, Jason Pruim <japruim@xxxxxxxxxx>  
> wrote:
> > On Aug 27, 2008, at 12:24 PM, Evert Lammerts wrote:
> >
> > > Your index.php looks very strange:
> > >
> > > > <?PHP
> > > >
> > > > <form method="post" action="purlprocess.php">
> > > > ....
> > > > </form>
> > > >
> > > > ?>
> > >
> > > I'm guessing you're echoing this? I never echo from my scripts so I
> > > don't know if this is new functionality, but in my days you echoed
> > > either by <?="...";?> or by <? echo "..."; ?>.
> >
> > It is a index.php page using the HEREDOC syntax... so basically:
> > echo <<<HTML <P>any HTML code goes here
> > HTML;
> >
> > pretty nifty I feel.
> >
> > > Anyway, since you're using the $_POST variable, did you check if it
> > > contains any values? You can do this with var_dump($_POST); Let us
> > > know what the results are.
> > >
> > > Another tip:
> > >
> > > > $FName= $_POST['txtFName'];
> > > > etc
> > >
> > > is terrible practice - if anybody writes an SQL command into one of
> > > your textfields it WILL be executed; this is called SQL injection. A
> > > less terrible scenario, but still one that messes up your page, is  
> > > if
> > > somebody uses quotes. So always use mysql_real_escape_string() on  
> > > your
> > > post variables before using them in a query.
> >
> > mysql_real_escape_string() won't help with my mysqlI connection  
> > though :)
> >
> > I will be wrapping the whole thing in a prepared statement before  
> > going to
> > production with this. At this point this is simply a proof of  
> > concept for
> > the boss.
> > --
> >
> > Jason Pruim
> > Raoset Inc.
> > Technology Manager
> > MQC Specialist
> > 11287 James St
> > Holland, MI 49424
> > www.raoset.com
> > japruim@xxxxxxxxxx

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
11287 James St
Holland, MI 49424
www.raoset.com
japruim@xxxxxxxxxx





--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php