FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Adding a record to a database
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Adding a record to a database [message #175100] Mon, 15 August 2011 12:35 Go to next message
Charles is currently offline  Charles
Messages: 13
Registered: February 2011
Karma: 0
Junior Member
I'm trying to add a record to a database, and it's not working
properly.

The general thought is to call a data entry form, fill in the form,
and use the $_POST(array) process to pass the data from the form to a
php script that handles adding the record to the database.

The only trick part of the php script is using a hidden field to pass
the name of the data entry form to a SWITCH statement. I'm trying to
keep the site directory uncluttered and the scripting organized, and I
understand this works.

I'm getting Error 500 as I test the script, so I think I have
something coded incorrectly in the script, or I have something
missing. Other php-based web applications wrok fine, so I suspect I
have php correctly installed.

Here's the coding:

=====================

<?php

/* <!-- This starts the switch statement. The variable passed to
control iteration
is the $_Push(switch) variable set in the first (hidden) field in a
data entry form.
The value contained in the variable is the case predicate

*/


switch ($_Push(switch)) {

/*======================================================*/

case "cab_vehicle_data_entry_add_a_vehicle":



$con = mysql_connect("*********","****","******"); <<These are fine
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("taxicab", $con);

$sql="INSERT INTO
cab_vehicle (cab_vehicle_make, cab_vehicle_model,
cab_vehicle_edition,
cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
cab_vehicle_registration_number,
cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
cab_vehicle_pax_capacity,
cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)

VALUES


('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[y ear]',
'$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_ex p_year]',
'$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs] ') ";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";

mysql_close($con)

break;

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/

/*======================================================*/

/* case "whatever"
Next process subroutine
break;
*/


}


?>
Re: Adding a record to a database [message #175102 is a reply to message #175100] Mon, 15 August 2011 12:46 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 8/15/2011 8:35 AM, Charles wrote:
> I'm trying to add a record to a database, and it's not working
> properly.
>
> The general thought is to call a data entry form, fill in the form,
> and use the $_POST(array) process to pass the data from the form to a
> php script that handles adding the record to the database.
>
> The only trick part of the php script is using a hidden field to pass
> the name of the data entry form to a SWITCH statement. I'm trying to
> keep the site directory uncluttered and the scripting organized, and I
> understand this works.
>

It is also very insecure and will can leave your site wide open to hackers.

> I'm getting Error 500 as I test the script, so I think I have
> something coded incorrectly in the script, or I have something
> missing. Other php-based web applications wrok fine, so I suspect I
> have php correctly installed.
>

Enable errors and display them. In your php.ini file for your test
system you should have:

error_reporting=E_ALL // or E_ALL | E_NOTICE
display_errors=on

> Here's the coding:
>
> =====================
>
> <?php
>
> /*<!-- This starts the switch statement. The variable passed to
> control iteration
> is the $_Push(switch) variable set in the first (hidden) field in a
> data entry form.
> The value contained in the variable is the case predicate
>
> */
>
>
> switch ($_Push(switch)) {
>

Where is $_Push(switch) coming from? And BTW it should be 'switch'.

What is in the $_Push array? I suspect it's empty.

> /*======================================================*/
>
> case "cab_vehicle_data_entry_add_a_vehicle":
>
>
>
> $con = mysql_connect("*********","****","******");<<These are fine
> if (!$con)
> {
> die('Could not connect: ' . mysql_error());

Bad practice. Handle the error - don't terminate the script with an
error message.

> }
>
> mysql_select_db("taxicab", $con);
>
> $sql="INSERT INTO
> cab_vehicle (cab_vehicle_make, cab_vehicle_model,
> cab_vehicle_edition,
> cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
> cab_vehicle_registration_number,
> cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
> cab_vehicle_pax_capacity,
> cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)
>
> VALUES
>
>
> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[y ear]',
> '$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_ex p_year]',
> '$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs] ') ";
>

Google for 'SQL Injection'. Then see how a hacker could easily wipe out
your database.

> if (!mysql_query($sql,$con))
> {
> die('Error: ' . mysql_error());

Same comment as before.

> }
> echo "1 record added";
>
> mysql_close($con)
>
> break;
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
>
> }
>
>
> ?>


So find your problem - then straighten out your code per the other
comments I made above.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Adding a record to a database [message #175104 is a reply to message #175100] Mon, 15 August 2011 13:45 Go to previous messageGo to next message
JohnT is currently offline  JohnT
Messages: 16
Registered: April 2011
Karma: 0
Junior Member
On Mon, 15 Aug 2011 05:35:37 -0700, Charles wrote:

>
>
> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST

Start here - you can't put complex variables in a string unless you quote
them like:

('{$_POST[Make]}','{$_POST[Model]}','{$_POST[Edition]}',

However - you should not be putting these directly into the database.
You should first validate in the input, and then quote the strings to
make them database safe:

('".mysql_real_escape_string($_POST[Make])."',

JohnT
Re: Adding a record to a database [message #175108 is a reply to message #175100] Mon, 15 August 2011 18:11 Go to previous messageGo to next message
A.Reader is currently offline  A.Reader
Messages: 15
Registered: December 2010
Karma: 0
Junior Member
On Mon, 15 Aug 2011 05:35:37 -0700 (PDT),
Charles <cchamb2(at)gmail(dot)com> wrote:

> I'm trying to add a record to a database, and it's not working
> properly.
>
> The general thought is to call a data entry form, fill in the form,
> and use the $_POST(array) process to pass the data from the form to a
> php script that handles adding the record to the database.
>
> The only trick part of the php script is using a hidden field to pass
> the name of the data entry form to a SWITCH statement. I'm trying to
> keep the site directory uncluttered and the scripting organized, and I
> understand this works.
>
> I'm getting Error 500 as I test the script, so I think I have
> something coded incorrectly in the script, or I have something
> missing. Other php-based web applications wrok fine, so I suspect I
> have php correctly installed.
>
> Here's the coding:
>
> =====================
>
> <?php
>
> /* <!-- This starts the switch statement. The variable passed to
> control iteration
> is the $_Push(switch) variable set in the first (hidden) field in a
> data entry form.
> The value contained in the variable is the case predicate
>
> */
>
>
> switch ($_Push(switch)) {
>
> /*======================================================*/
>
> case "cab_vehicle_data_entry_add_a_vehicle":
>
>
>
> $con = mysql_connect("*********","****","******"); <<These are fine
> if (!$con)
> {
> die('Could not connect: ' . mysql_error());
> }
>
> mysql_select_db("taxicab", $con);
>
> $sql="INSERT INTO
> cab_vehicle (cab_vehicle_make, cab_vehicle_model,
> cab_vehicle_edition,
> cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
> cab_vehicle_registration_number,
> cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
> cab_vehicle_pax_capacity,
> cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)
>
> VALUES
>
>
> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[y ear]',
> '$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_ex p_year]',
> '$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs] ') ";
>
> if (!mysql_query($sql,$con))
> {
> die('Error: ' . mysql_error());
> }
> echo "1 record added";
>
> mysql_close($con)
>
> break;
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
> /*======================================================*/
>
> /* case "whatever"
> Next process subroutine
> break;
> */
>
>
> }
>
>
> ?>

I'll pass on some highly-useful advice I got when I was learning
to program, back during the last ice age: make your code look
neat and clean. There's no logical reason for that to make bugs
go away, but in fact it does.

Your program should have a structure something like this:

<?php

if ( ! connected( 'taxicabs', 'sometable' ) ) die() ;

if ( valid( $_REQUEST ) )
{
$s = 'INSERT INTO taxicabs.sometable SET ' ;
$s .= 'Make="'.$_REQUEST['Make'].'", ' ;
$s .= 'Model="'.$_REQUEST['Model'].'", ' ;
// the other fields the same way

// note that it's just "Make", "Model", etc not
// "cab_vehicle_make" etc. because if you don't already know
// that you're talking about taxis, not railway locomotives or
// steamboats, you're in more
// trouble than wordy fieldnames can ever fix

if ( ! mysql_query( $s, $dblink ) )
die( 'Could not create the new record '.
' because '.mysql_error() ) ;
}
else die( 'That is not a valid request because '.
$val_errors ) ;

// it needn't be "die()" when something goes wrong,
// it could be some recovery
// routine where you explain what the person should
// do differently and give them another go. Of course, if
// it's that the server choked or got lost, then die() is '
// perfectly appropriate.


// ----------------------------
function connected( $db, $table )
{
global $dblink ;
// the mysql connection stuff, returning true if it works, or
// complain about the problems and return false.
}
// ----------------------------
function valid( $a )
{
global $val_errors = '' ;
// your validation code. If it passes your tests,
// return true. If not, concatenate the complaints into
// $val_errors and return false ;
}

?>
Re: Adding a record to a database [message #175114 is a reply to message #175108] Tue, 16 August 2011 01:02 Go to previous messageGo to next message
sheldonlg is currently offline  sheldonlg
Messages: 166
Registered: September 2010
Karma: 0
Senior Member
On 8/15/2011 2:11 PM, A.Reader wrote:
> On Mon, 15 Aug 2011 05:35:37 -0700 (PDT),
> Charles<cchamb2(at)gmail(dot)com> wrote:
>
>> I'm trying to add a record to a database, and it's not working
>> properly.
>>
>> The general thought is to call a data entry form, fill in the form,
>> and use the $_POST(array) process to pass the data from the form to a
>> php script that handles adding the record to the database.
>>
>> The only trick part of the php script is using a hidden field to pass
>> the name of the data entry form to a SWITCH statement. I'm trying to
>> keep the site directory uncluttered and the scripting organized, and I
>> understand this works.
>>
>> I'm getting Error 500 as I test the script, so I think I have
>> something coded incorrectly in the script, or I have something
>> missing. Other php-based web applications wrok fine, so I suspect I
>> have php correctly installed.
>>
>> Here's the coding:
>>
>> =====================
>>
>> <?php
>>
>> /*<!-- This starts the switch statement. The variable passed to
>> control iteration
>> is the $_Push(switch) variable set in the first (hidden) field in a
>> data entry form.
>> The value contained in the variable is the case predicate
>>
>> */
>>
>>
>> switch ($_Push(switch)) {
>>
>> /*======================================================*/
>>
>> case "cab_vehicle_data_entry_add_a_vehicle":
>>
>>
>>
>> $con = mysql_connect("*********","****","******");<<These are fine
>> if (!$con)
>> {
>> die('Could not connect: ' . mysql_error());
>> }
>>
>> mysql_select_db("taxicab", $con);
>>
>> $sql="INSERT INTO
>> cab_vehicle (cab_vehicle_make, cab_vehicle_model,
>> cab_vehicle_edition,
>> cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
>> cab_vehicle_registration_number,
>> cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
>> cab_vehicle_pax_capacity,
>> cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)
>>
>> VALUES
>>
>>
>> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[y ear]',
>> '$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_ex p_year]',
>> '$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs] ') ";
>>
>> if (!mysql_query($sql,$con))
>> {
>> die('Error: ' . mysql_error());
>> }
>> echo "1 record added";
>>
>> mysql_close($con)
>>
>> break;
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>> /*======================================================*/
>>
>> /* case "whatever"
>> Next process subroutine
>> break;
>> */
>>
>>
>> }
>>
>>
>> ?>
>
> I'll pass on some highly-useful advice I got when I was learning
> to program, back during the last ice age: make your code look
> neat and clean. There's no logical reason for that to make bugs
> go away, but in fact it does.
>
> Your program should have a structure something like this:
>
> <?php
>
> if ( ! connected( 'taxicabs', 'sometable' ) ) die() ;
>
> if ( valid( $_REQUEST ) )
> {
> $s = 'INSERT INTO taxicabs.sometable SET ' ;
> $s .= 'Make="'.$_REQUEST['Make'].'", ' ;
> $s .= 'Model="'.$_REQUEST['Model'].'", ' ;
> // the other fields the same way
>
> // note that it's just "Make", "Model", etc not
> // "cab_vehicle_make" etc. because if you don't already know
> // that you're talking about taxis, not railway locomotives or
> // steamboats, you're in more
> // trouble than wordy fieldnames can ever fix
>
> if ( ! mysql_query( $s, $dblink ) )
> die( 'Could not create the new record '.
> ' because '.mysql_error() ) ;
> }
> else die( 'That is not a valid request because '.
> $val_errors ) ;
>
> // it needn't be "die()" when something goes wrong,
> // it could be some recovery
> // routine where you explain what the person should
> // do differently and give them another go. Of course, if
> // it's that the server choked or got lost, then die() is '
> // perfectly appropriate.
>
>
> // ----------------------------
> function connected( $db, $table )
> {
> global $dblink ;
> // the mysql connection stuff, returning true if it works, or
> // complain about the problems and return false.
> }
> // ----------------------------
> function valid( $a )
> {
> global $val_errors = '' ;
> // your validation code. If it passes your tests,
> // return true. If not, concatenate the complaints into
> // $val_errors and return false ;
> }
>
> ?>

Besides all the excellent advice already given to you, didn't you say
that the choice came from the value of a hidden variable? If so, then
you want to switch on the value of the %_POST['name_of_that_variable'].

--
Shelly
Re: Adding a record to a database [message #175116 is a reply to message #175114] Tue, 16 August 2011 01:50 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 8/15/2011 9:02 PM, sheldonlg wrote:
> On 8/15/2011 2:11 PM, A.Reader wrote:
>> On Mon, 15 Aug 2011 05:35:37 -0700 (PDT),
>> Charles<cchamb2(at)gmail(dot)com> wrote:
>>
>>> I'm trying to add a record to a database, and it's not working
>>> properly.
>>>
>>> The general thought is to call a data entry form, fill in the form,
>>> and use the $_POST(array) process to pass the data from the form to a
>>> php script that handles adding the record to the database.
>>>
>>> The only trick part of the php script is using a hidden field to pass
>>> the name of the data entry form to a SWITCH statement. I'm trying to
>>> keep the site directory uncluttered and the scripting organized, and I
>>> understand this works.
>>>
>>> I'm getting Error 500 as I test the script, so I think I have
>>> something coded incorrectly in the script, or I have something
>>> missing. Other php-based web applications wrok fine, so I suspect I
>>> have php correctly installed.
>>>
>>> Here's the coding:
>>>
>>> =====================
>>>
>>> <?php
>>>
>>> /*<!-- This starts the switch statement. The variable passed to
>>> control iteration
>>> is the $_Push(switch) variable set in the first (hidden) field in a
>>> data entry form.
>>> The value contained in the variable is the case predicate
>>>
>>> */
>>>
>>>
>>> switch ($_Push(switch)) {
>>>
>>> /*======================================================*/
>>>
>>> case "cab_vehicle_data_entry_add_a_vehicle":
>>>
>>>
>>>
>>> $con = mysql_connect("*********","****","******");<<These are fine
>>> if (!$con)
>>> {
>>> die('Could not connect: ' . mysql_error());
>>> }
>>>
>>> mysql_select_db("taxicab", $con);
>>>
>>> $sql="INSERT INTO
>>> cab_vehicle (cab_vehicle_make, cab_vehicle_model,
>>> cab_vehicle_edition,
>>> cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
>>> cab_vehicle_registration_number,
>>> cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
>>> cab_vehicle_pax_capacity,
>>> cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)
>>>
>>> VALUES
>>>
>>>
>>> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[y ear]',
>>>
>>> '$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_ex p_year]',
>>>
>>> '$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs] ') ";
>>>
>>>
>>> if (!mysql_query($sql,$con))
>>> {
>>> die('Error: ' . mysql_error());
>>> }
>>> echo "1 record added";
>>>
>>> mysql_close($con)
>>>
>>> break;
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>> /*======================================================*/
>>>
>>> /* case "whatever"
>>> Next process subroutine
>>> break;
>>> */
>>>
>>>
>>> }
>>>
>>>
>>> ?>
>>
>> I'll pass on some highly-useful advice I got when I was learning
>> to program, back during the last ice age: make your code look
>> neat and clean. There's no logical reason for that to make bugs
>> go away, but in fact it does.
>>
>> Your program should have a structure something like this:
>>
>> <?php
>>
>> if ( ! connected( 'taxicabs', 'sometable' ) ) die() ;
>>
>> if ( valid( $_REQUEST ) )
>> {
>> $s = 'INSERT INTO taxicabs.sometable SET ' ;
>> $s .= 'Make="'.$_REQUEST['Make'].'", ' ;
>> $s .= 'Model="'.$_REQUEST['Model'].'", ' ;
>> // the other fields the same way
>>
>> // note that it's just "Make", "Model", etc not
>> // "cab_vehicle_make" etc. because if you don't already know
>> // that you're talking about taxis, not railway locomotives or
>> // steamboats, you're in more
>> // trouble than wordy fieldnames can ever fix
>>
>> if ( ! mysql_query( $s, $dblink ) )
>> die( 'Could not create the new record '.
>> ' because '.mysql_error() ) ;
>> }
>> else die( 'That is not a valid request because '.
>> $val_errors ) ;
>>
>> // it needn't be "die()" when something goes wrong,
>> // it could be some recovery
>> // routine where you explain what the person should
>> // do differently and give them another go. Of course, if
>> // it's that the server choked or got lost, then die() is '
>> // perfectly appropriate.
>>
>>
>> // ----------------------------
>> function connected( $db, $table )
>> {
>> global $dblink ;
>> // the mysql connection stuff, returning true if it works, or
>> // complain about the problems and return false.
>> }
>> // ----------------------------
>> function valid( $a )
>> {
>> global $val_errors = '' ;
>> // your validation code. If it passes your tests,
>> // return true. If not, concatenate the complaints into
>> // $val_errors and return false ;
>> }
>>
>> ?>
>
> Besides all the excellent advice already given to you, didn't you say
> that the choice came from the value of a hidden variable? If so, then
> you want to switch on the value of the %_POST['name_of_that_variable'].
>

Which is about as insecure as you can get. I hope this isn't how you're
coding for your "Fortune 500" company. If so, I pity them.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Adding a record to a database [message #175118 is a reply to message #175116] Tue, 16 August 2011 08:30 Go to previous messageGo to next message
Charles is currently offline  Charles
Messages: 13
Registered: February 2011
Karma: 0
Junior Member
Is this better?

I still get one error message - Error: You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near 'Ford'', ''Crown Victoria'',
''Taxicab'', ''SEP'', '2010', ''sadfasdfsadfdsf' at line 21

=====================================

<?php

/***Switch statement that controls processing from
value of $_POST(deform)***************/

switch ( $_POST['deform'] )

{

/***Case statement that acts on value of $_POST(deform)******/

CASE $_POST['deform'] = "cab_vehicle_data_entry_add_a_vehicle":

$con = mysql_connect("localhost","root","edward");

if (!$con)

{

die("Could not connect: " . mysql_error());

}

function check_input($value)
{

if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}

$Make = check_input($_POST['Make']);
$Model = check_input($_POST['Model']);
$Edition = check_input($_POST['Edition']);
$Month = check_input($_POST['Month']);
$Year = check_input($_POST['Year']);
$VIN = check_input($_POST['VIN']);
$Registration = check_input($_POST['Registration']);
$reg_exp_month = check_input($_POST['reg_exp_month']);
$reg_exp_year = check_input($_POST['reg_exp_year']);
$pax_capacity = check_input($_POST['pax_capacity']);
$cargo_cubic_feet = check_input($_POST['cargo_cubic_feet']);
$cargo_weight_lbs = check_input($_POST['cargo_weight_lbs']);

mysql_select_db("taxicab", $con);

$sql="INSERT INTO

cab_vehicle (
cab_vehicle_make,
cab_vehicle_model,
cab_vehicle_edition,
cab_vehicle_month,
cab_vehicle_year,

cab_vehicle_VIN,
cab_vehicle_registration_number,
cab_vehicle_reg_exp_month,
cab_vehicle_reg_exp_year,

cab_vehicle_pax_capacity,
cab_vehicle_cubic_feet_cargo,
cab_vehicle_cargo_weight)

VALUES

('$Make',
'$Model',
'$Edition',
'$Month',
'$Year',
'$VIN',
'$Registration',
'$reg_exp_month',
'$reg_exp_year',
'$pax_capacity',
'$cargo_cubic_feet',
'$cargo_weight_lbs')";

if (!mysql_query($sql,$con))

{

die("Error: " . mysql_error());

}

echo "1 record added";

mysql_close($con);

break;

}

/******End of CASE statement start of next one*************/

?>
Re: Adding a record to a database [message #175120 is a reply to message #175118] Tue, 16 August 2011 09:41 Go to previous messageGo to next message
A.Reader is currently offline  A.Reader
Messages: 15
Registered: December 2010
Karma: 0
Junior Member
On Tue, 16 Aug 2011 01:30:02 -0700 (PDT),
Charles <cchamb2(at)gmail(dot)com> wrote:

> Is this better?
>
> I still get one error message - Error: You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version
> for the right syntax to use near 'Ford'', ''Crown Victoria'',
> ''Taxicab'', ''SEP'', '2010', ''sadfasdfsadfdsf' at line 21
>
> =====================================
>
> <?php
>
> /***Switch statement that controls processing from
> value of $_POST(deform)***************/
>
> switch ( $_POST['deform'] )
>
> {
>
> /***Case statement that acts on value of $_POST(deform)******/
>
> CASE $_POST['deform'] = "cab_vehicle_data_entry_add_a_vehicle":
>
> $con = mysql_connect("localhost","root","edward");
>
> if (!$con)
>
> {
>
> die("Could not connect: " . mysql_error());
>
> }
>
> function check_input($value)
> {
>
> if (get_magic_quotes_gpc())
> {
> $value = stripslashes($value);
> }
>
> if (!is_numeric($value))
> {
> $value = "'" . mysql_real_escape_string($value) . "'";
> }
> return $value;
> }
>
> $Make = check_input($_POST['Make']);
> $Model = check_input($_POST['Model']);
> $Edition = check_input($_POST['Edition']);
> $Month = check_input($_POST['Month']);
> $Year = check_input($_POST['Year']);
> $VIN = check_input($_POST['VIN']);
> $Registration = check_input($_POST['Registration']);
> $reg_exp_month = check_input($_POST['reg_exp_month']);
> $reg_exp_year = check_input($_POST['reg_exp_year']);
> $pax_capacity = check_input($_POST['pax_capacity']);
> $cargo_cubic_feet = check_input($_POST['cargo_cubic_feet']);
> $cargo_weight_lbs = check_input($_POST['cargo_weight_lbs']);
>
> mysql_select_db("taxicab", $con);
>
> $sql="INSERT INTO
>
> cab_vehicle (
> cab_vehicle_make,
> cab_vehicle_model,
> cab_vehicle_edition,
> cab_vehicle_month,
> cab_vehicle_year,
>
> cab_vehicle_VIN,
> cab_vehicle_registration_number,
> cab_vehicle_reg_exp_month,
> cab_vehicle_reg_exp_year,
>
> cab_vehicle_pax_capacity,
> cab_vehicle_cubic_feet_cargo,
> cab_vehicle_cargo_weight)
>
> VALUES
>
> ('$Make',
> '$Model',
> '$Edition',
> '$Month',
> '$Year',
> '$VIN',
> '$Registration',
> '$reg_exp_month',
> '$reg_exp_year',
> '$pax_capacity',
> '$cargo_cubic_feet',
> '$cargo_weight_lbs')";
>
> if (!mysql_query($sql,$con))
>
> {
>
> die("Error: " . mysql_error());
>
> }
>
> echo "1 record added";
>
> mysql_close($con);
>
> break;
>
> }
>
> /******End of CASE statement start of next one*************/
>
> ?>

Don't use the INSERT var1,var2,var3,var4,var5 VALUES
val1,val2,val3,val5 style -- it's prone to misalignment errors
when you're doing more than one or two values. As a matter of
good practice, always use the SET var1=val1, var2=val2, var3=val3
form instead. That way there's no mistake about which value is
getting assigned to which var (did you notice the 'error'?)

Further, do all your testing for the record in one lump, not on a
per-field basis. The reason being that unless your validation
routine can see everything at once, the person could enter
something like 'Make="Chevrolet", Model="Crown Vic"' and you
wouldn't be able to catch it.

To find mysql errors such as the one you're getting, change your

die("Error: " . mysql_error());

to

die('Error:<br>'.$sql.'<br>'.mysql_error() ) ;

That way, when you get a mysql error, you're looking at both the
text of the error message and the broken mysql statement, which
you can then examine to see where the problem is.
Re: Adding a record to a database [message #175122 is a reply to message #175118] Tue, 16 August 2011 10:17 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 8/16/2011 4:30 AM, Charles wrote:
> Is this better?
>
> I still get one error message - Error: You have an error in your SQL
> syntax; check the manual that corresponds to your MySQL server version
> for the right syntax to use near 'Ford'', ''Crown Victoria'',
> ''Taxicab'', ''SEP'', '2010', ''sadfasdfsadfdsf' at line 21
>
> =====================================
>
> <?php
>
> /***Switch statement that controls processing from
> value of $_POST(deform)***************/
>
> switch ( $_POST['deform'] )
>
> {
>
> /***Case statement that acts on value of $_POST(deform)******/
>
> CASE $_POST['deform'] = "cab_vehicle_data_entry_add_a_vehicle":
>
> $con = mysql_connect("localhost","root","edward");
>
> if (!$con)
>
> {
>
> die("Could not connect: " . mysql_error());
>
> }
>
> function check_input($value)
> {
>
> if (get_magic_quotes_gpc())
> {
> $value = stripslashes($value);
> }
>
> if (!is_numeric($value))
> {
> $value = "'" . mysql_real_escape_string($value) . "'";
> }
> return $value;
> }
>
> $Make = check_input($_POST['Make']);
> $Model = check_input($_POST['Model']);
> $Edition = check_input($_POST['Edition']);
> $Month = check_input($_POST['Month']);
> $Year = check_input($_POST['Year']);
> $VIN = check_input($_POST['VIN']);
> $Registration = check_input($_POST['Registration']);
> $reg_exp_month = check_input($_POST['reg_exp_month']);
> $reg_exp_year = check_input($_POST['reg_exp_year']);
> $pax_capacity = check_input($_POST['pax_capacity']);
> $cargo_cubic_feet = check_input($_POST['cargo_cubic_feet']);
> $cargo_weight_lbs = check_input($_POST['cargo_weight_lbs']);
>
> mysql_select_db("taxicab", $con);
>
> $sql="INSERT INTO
>
> cab_vehicle (
> cab_vehicle_make,
> cab_vehicle_model,
> cab_vehicle_edition,
> cab_vehicle_month,
> cab_vehicle_year,
>
> cab_vehicle_VIN,
> cab_vehicle_registration_number,
> cab_vehicle_reg_exp_month,
> cab_vehicle_reg_exp_year,
>
> cab_vehicle_pax_capacity,
> cab_vehicle_cubic_feet_cargo,
> cab_vehicle_cargo_weight)
>
> VALUES
>
> ('$Make',
> '$Model',
> '$Edition',
> '$Month',
> '$Year',
> '$VIN',
> '$Registration',
> '$reg_exp_month',
> '$reg_exp_year',
> '$pax_capacity',
> '$cargo_cubic_feet',
> '$cargo_weight_lbs')";
>
> if (!mysql_query($sql,$con))
>
> {
>
> die("Error: " . mysql_error());
>
> }
>
> echo "1 record added";
>
> mysql_close($con);
>
> break;
>
> }
>
> /******End of CASE statement start of next one*************/
>
> ?>
>

You have a MySQL message indicating a MySQL problem, not a PHP problem.
Try comp.databases.mysql - where you'll get GOOD advice.



--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Adding a record to a database [message #175123 is a reply to message #175120] Tue, 16 August 2011 10:23 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 8/16/2011 5:41 AM, A.Reader wrote:
> On Tue, 16 Aug 2011 01:30:02 -0700 (PDT),
> Charles<cchamb2(at)gmail(dot)com> wrote:
>
>> Is this better?
>>
>> I still get one error message - Error: You have an error in your SQL
>> syntax; check the manual that corresponds to your MySQL server version
>> for the right syntax to use near 'Ford'', ''Crown Victoria'',
>> ''Taxicab'', ''SEP'', '2010', ''sadfasdfsadfdsf' at line 21
>>
>> =====================================
>>
>> <?php
>>
>> /***Switch statement that controls processing from
>> value of $_POST(deform)***************/
>>
>> switch ( $_POST['deform'] )
>>
>> {
>>
>> /***Case statement that acts on value of $_POST(deform)******/
>>
>> CASE $_POST['deform'] = "cab_vehicle_data_entry_add_a_vehicle":
>>
>> $con = mysql_connect("localhost","root","edward");
>>
>> if (!$con)
>>
>> {
>>
>> die("Could not connect: " . mysql_error());
>>
>> }
>>
>> function check_input($value)
>> {
>>
>> if (get_magic_quotes_gpc())
>> {
>> $value = stripslashes($value);
>> }
>>
>> if (!is_numeric($value))
>> {
>> $value = "'" . mysql_real_escape_string($value) . "'";
>> }
>> return $value;
>> }
>>
>> $Make = check_input($_POST['Make']);
>> $Model = check_input($_POST['Model']);
>> $Edition = check_input($_POST['Edition']);
>> $Month = check_input($_POST['Month']);
>> $Year = check_input($_POST['Year']);
>> $VIN = check_input($_POST['VIN']);
>> $Registration = check_input($_POST['Registration']);
>> $reg_exp_month = check_input($_POST['reg_exp_month']);
>> $reg_exp_year = check_input($_POST['reg_exp_year']);
>> $pax_capacity = check_input($_POST['pax_capacity']);
>> $cargo_cubic_feet = check_input($_POST['cargo_cubic_feet']);
>> $cargo_weight_lbs = check_input($_POST['cargo_weight_lbs']);
>>
>> mysql_select_db("taxicab", $con);
>>
>> $sql="INSERT INTO
>>
>> cab_vehicle (
>> cab_vehicle_make,
>> cab_vehicle_model,
>> cab_vehicle_edition,
>> cab_vehicle_month,
>> cab_vehicle_year,
>>
>> cab_vehicle_VIN,
>> cab_vehicle_registration_number,
>> cab_vehicle_reg_exp_month,
>> cab_vehicle_reg_exp_year,
>>
>> cab_vehicle_pax_capacity,
>> cab_vehicle_cubic_feet_cargo,
>> cab_vehicle_cargo_weight)
>>
>> VALUES
>>
>> ('$Make',
>> '$Model',
>> '$Edition',
>> '$Month',
>> '$Year',
>> '$VIN',
>> '$Registration',
>> '$reg_exp_month',
>> '$reg_exp_year',
>> '$pax_capacity',
>> '$cargo_cubic_feet',
>> '$cargo_weight_lbs')";
>>
>> if (!mysql_query($sql,$con))
>>
>> {
>>
>> die("Error: " . mysql_error());
>>
>> }
>>
>> echo "1 record added";
>>
>> mysql_close($con);
>>
>> break;
>>
>> }
>>
>> /******End of CASE statement start of next one*************/
>>
>> ?>
>
> Don't use the INSERT var1,var2,var3,var4,var5 VALUES
> val1,val2,val3,val5 style -- it's prone to misalignment errors
> when you're doing more than one or two values. As a matter of
> good practice, always use the SET var1=val1, var2=val2, var3=val3
> form instead. That way there's no mistake about which value is
> getting assigned to which var (did you notice the 'error'?)
>

Terrible advice. He is doing it the correct way, according to the SQL
standard. SET in an INSERT statement is non-standard and AFAIK only
supported by MySQL (and then only when not running in STRICT mode).

> Further, do all your testing for the record in one lump, not on a
> per-field basis. The reason being that unless your validation
> routine can see everything at once, the person could enter
> something like 'Make="Chevrolet", Model="Crown Vic"' and you
> wouldn't be able to catch it.
>

There is nothing wrong with such a search. It will just not return any
rows. Trying to validate all possible combinations like this will add
unnecessary complexity to the code.

The purpose of validation at this level is not to ensure that
combinations are valid - but that the field itself is the correct type
and possibly a reasonable value.

> To find mysql errors such as the one you're getting, change your
>
> die("Error: " . mysql_error());
>
> to
>
> die('Error:<br>'.$sql.'<br>'.mysql_error() ) ;
>
> That way, when you get a mysql error, you're looking at both the
> text of the error message and the broken mysql statement, which
> you can then examine to see where the problem is.

Better yet - get rid of the die() all together and handle the error
gracefully. Then ask about the SQL problem in the appropriate newsgroup.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Adding a record to a database [message #175124 is a reply to message #175123] Tue, 16 August 2011 13:11 Go to previous messageGo to next message
A.Reader is currently offline  A.Reader
Messages: 15
Registered: December 2010
Karma: 0
Junior Member
On Tue, 16 Aug 2011 06:23:06 -0400,
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 8/16/2011 5:41 AM, A.Reader wrote:
>> On Tue, 16 Aug 2011 01:30:02 -0700 (PDT),
>> Charles<cchamb2(at)gmail(dot)com> wrote:
>>
>>> Is this better?
>>>
>>> I still get one error message - Error: You have an error in your SQL
>>> syntax; check the manual that corresponds to your MySQL server version
>>> for the right syntax to use near 'Ford'', ''Crown Victoria'',
>>> ''Taxicab'', ''SEP'', '2010', ''sadfasdfsadfdsf' at line 21
>>>
>>> =====================================
>>>
>>> <?php
>>>
>>> /***Switch statement that controls processing from
>>> value of $_POST(deform)***************/
>>>
>>> switch ( $_POST['deform'] )
>>>
>>> {
>>>
>>> /***Case statement that acts on value of $_POST(deform)******/
>>>
>>> CASE $_POST['deform'] = "cab_vehicle_data_entry_add_a_vehicle":
>>>
>>> $con = mysql_connect("localhost","root","edward");
>>>
>>> if (!$con)
>>>
>>> {
>>>
>>> die("Could not connect: " . mysql_error());
>>>
>>> }
>>>
>>> function check_input($value)
>>> {
>>>
>>> if (get_magic_quotes_gpc())
>>> {
>>> $value = stripslashes($value);
>>> }
>>>
>>> if (!is_numeric($value))
>>> {
>>> $value = "'" . mysql_real_escape_string($value) . "'";
>>> }
>>> return $value;
>>> }
>>>
>>> $Make = check_input($_POST['Make']);
>>> $Model = check_input($_POST['Model']);
>>> $Edition = check_input($_POST['Edition']);
>>> $Month = check_input($_POST['Month']);
>>> $Year = check_input($_POST['Year']);
>>> $VIN = check_input($_POST['VIN']);
>>> $Registration = check_input($_POST['Registration']);
>>> $reg_exp_month = check_input($_POST['reg_exp_month']);
>>> $reg_exp_year = check_input($_POST['reg_exp_year']);
>>> $pax_capacity = check_input($_POST['pax_capacity']);
>>> $cargo_cubic_feet = check_input($_POST['cargo_cubic_feet']);
>>> $cargo_weight_lbs = check_input($_POST['cargo_weight_lbs']);
>>>
>>> mysql_select_db("taxicab", $con);
>>>
>>> $sql="INSERT INTO
>>>
>>> cab_vehicle (
>>> cab_vehicle_make,
>>> cab_vehicle_model,
>>> cab_vehicle_edition,
>>> cab_vehicle_month,
>>> cab_vehicle_year,
>>>
>>> cab_vehicle_VIN,
>>> cab_vehicle_registration_number,
>>> cab_vehicle_reg_exp_month,
>>> cab_vehicle_reg_exp_year,
>>>
>>> cab_vehicle_pax_capacity,
>>> cab_vehicle_cubic_feet_cargo,
>>> cab_vehicle_cargo_weight)
>>>
>>> VALUES
>>>
>>> ('$Make',
>>> '$Model',
>>> '$Edition',
>>> '$Month',
>>> '$Year',
>>> '$VIN',
>>> '$Registration',
>>> '$reg_exp_month',
>>> '$reg_exp_year',
>>> '$pax_capacity',
>>> '$cargo_cubic_feet',
>>> '$cargo_weight_lbs')";
>>>
>>> if (!mysql_query($sql,$con))
>>>
>>> {
>>>
>>> die("Error: " . mysql_error());
>>>
>>> }
>>>
>>> echo "1 record added";
>>>
>>> mysql_close($con);
>>>
>>> break;
>>>
>>> }
>>>
>>> /******End of CASE statement start of next one*************/
>>>
>>> ?>
>>
>> Don't use the INSERT var1,var2,var3,var4,var5 VALUES
>> val1,val2,val3,val5 style -- it's prone to misalignment errors
>> when you're doing more than one or two values. As a matter of
>> good practice, always use the SET var1=val1, var2=val2, var3=val3
>> form instead. That way there's no mistake about which value is
>> getting assigned to which var (did you notice the 'error'?)
>>
>
> Terrible advice. He is doing it the correct way, according to the SQL
> standard. SET in an INSERT statement is non-standard and AFAIK only
> supported by MySQL (and then only when not running in STRICT mode).

Why would he need -or want- to eliminate MySQL-specific
extensions, unless he's planning to port the code? What would
the practical payoff be?

>
>> Further, do all your testing for the record in one lump, not on a
>> per-field basis. The reason being that unless your validation
>> routine can see everything at once, the person could enter
>> something like 'Make="Chevrolet", Model="Crown Vic"' and you
>> wouldn't be able to catch it.
>>
>
> There is nothing wrong with such a search. It will just not return any
> rows. Trying to validate all possible combinations like this will add
> unnecessary complexity to the code.
>
> The purpose of validation at this level is not to ensure that
> combinations are valid - but that the field itself is the correct type
> and possibly a reasonable value.

Aren't we talking about validation at INSERT time, not SELECT
time? I thought we were, but I might be confused.

>
>> To find mysql errors such as the one you're getting, change your
>>
>> die("Error: " . mysql_error());
>>
>> to
>>
>> die('Error:<br>'.$sql.'<br>'.mysql_error() ) ;
>>
>> That way, when you get a mysql error, you're looking at both the
>> text of the error message and the broken mysql statement, which
>> you can then examine to see where the problem is.
>
> Better yet - get rid of the die() all together and handle the error
> gracefully. Then ask about the SQL problem in the appropriate newsgroup.

We're talking about the debugging phase here, aren't we? There
shouldn't _be_ any sql errors left by rollout.

And, from the error msg, the error doesn't represent an "SQL
problem" as such but rather a plain syntax error. My suggestion
was aimed at helping him improve his PHP code such that he could
then find the error. That seems to be within the remit of this
group.
Re: Adding a record to a database [message #175125 is a reply to message #175124] Tue, 16 August 2011 13:51 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article <ttnk47593ucb0h3crdh61kemnbuc88q5mr(at)4ax(dot)com>,
A.Reader <anonymously(at)example(dot)com> wrote:

> On Tue, 16 Aug 2011 06:23:06 -0400,
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

>> Better yet - get rid of the die() all together and handle the error
>> gracefully. Then ask about the SQL problem in the appropriate newsgroup.
>
> We're talking about the debugging phase here, aren't we? There
> shouldn't _be_ any sql errors left by rollout.
>
> And, from the error msg, the error doesn't represent an "SQL
> problem" as such but rather a plain syntax error. My suggestion
> was aimed at helping him improve his PHP code such that he could
> then find the error. That seems to be within the remit of this
> group.

You're overlooking bugs in the implementations that you rely on, and
obscure bugs of your own. I get occasional SQLite errors that I believe
to be SQLite bugs, but I'm not 100% sure if that's true. I have my own
wrapper on SQLite calls that uses try/catch, and logs errors to a
logfile, with as much info as possible. This sort of approach should be
designed in as soon as possible in the app.

Just imagining that "there won't be any mysql (or whatever) errors by
rollout" is naive.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Adding a record to a database [message #175126 is a reply to message #175125] Tue, 16 August 2011 14:42 Go to previous messageGo to next message
A.Reader is currently offline  A.Reader
Messages: 15
Registered: December 2010
Karma: 0
Junior Member
On Tue, 16 Aug 2011 14:51:27 +0100,
Tim Streater <timstreater(at)greenbee(dot)net> wrote:

> In article <ttnk47593ucb0h3crdh61kemnbuc88q5mr(at)4ax(dot)com>,
> A.Reader <anonymously(at)example(dot)com> wrote:
>
>> On Tue, 16 Aug 2011 06:23:06 -0400,
>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>>> Better yet - get rid of the die() all together and handle the error
>>> gracefully. Then ask about the SQL problem in the appropriate newsgroup.
>>
>> We're talking about the debugging phase here, aren't we? There
>> shouldn't _be_ any sql errors left by rollout.
>>
>> And, from the error msg, the error doesn't represent an "SQL
>> problem" as such but rather a plain syntax error. My suggestion
>> was aimed at helping him improve his PHP code such that he could
>> then find the error. That seems to be within the remit of this
>> group.
>
> You're overlooking bugs in the implementations that you rely on, and
> obscure bugs of your own. I get occasional SQLite errors that I believe
> to be SQLite bugs, but I'm not 100% sure if that's true. I have my own
> wrapper on SQLite calls that uses try/catch, and logs errors to a
> logfile, with as much info as possible. This sort of approach should be
> designed in as soon as possible in the app.
>
> Just imagining that "there won't be any mysql (or whatever) errors by
> rollout" is naive.

We might be talking about two different things.

Nearly everything I've ever written has been console-bound, or
has been some utility that's going to be run as a batch job maybe
10 times at the most.

So I write in a very simple-minded, plodding way, and that seems
to protect me from those glitchy-type bugs that cause the mental
problems and premature aging. The bugs that show up, show up
early and tend to be pretty clearly Mine or Theirs.

But I agree with you (and Jerry) that production code should be
prepared to handle residual errors, and preferably in a classier
way than by just clutching its throat and going spark out.

I'd argue, though, that our friend Charles, here, is well before
needing to think about production issues. He's still trying to
get basic db-app code to do something besides halt and fall over.
For that stage of things, I find die() to be a usefully quick way
to deliver debug info.
Re: Adding a record to a database [message #175130 is a reply to message #175126] Tue, 16 August 2011 15:58 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article <rqtk47h8v3elpft288le3nfkqt1cjuu572(at)4ax(dot)com>,
A.Reader <anonymously(at)example(dot)com> wrote:

> On Tue, 16 Aug 2011 14:51:27 +0100,
> Tim Streater <timstreater(at)greenbee(dot)net> wrote:
>
>> In article <ttnk47593ucb0h3crdh61kemnbuc88q5mr(at)4ax(dot)com>,
>> A.Reader <anonymously(at)example(dot)com> wrote:
>>
>>> On Tue, 16 Aug 2011 06:23:06 -0400,
>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
>>>> Better yet - get rid of the die() all together and handle the error
>>>> gracefully. Then ask about the SQL problem in the appropriate newsgroup.
>>>
>>> We're talking about the debugging phase here, aren't we? There
>>> shouldn't _be_ any sql errors left by rollout.
>>>
>>> And, from the error msg, the error doesn't represent an "SQL
>>> problem" as such but rather a plain syntax error. My suggestion
>>> was aimed at helping him improve his PHP code such that he could
>>> then find the error. That seems to be within the remit of this
>>> group.
>>
>> You're overlooking bugs in the implementations that you rely on, and
>> obscure bugs of your own. I get occasional SQLite errors that I believe
>> to be SQLite bugs, but I'm not 100% sure if that's true. I have my own
>> wrapper on SQLite calls that uses try/catch, and logs errors to a
>> logfile, with as much info as possible. This sort of approach should be
>> designed in as soon as possible in the app.
>>
>> Just imagining that "there won't be any mysql (or whatever) errors by
>> rollout" is naive.
>
> We might be talking about two different things.

Quite possibly.

> Nearly everything I've ever written has been console-bound, or
> has been some utility that's going to be run as a batch job maybe
> 10 times at the most.
>
> So I write in a very simple-minded, plodding way, and that seems
> to protect me from those glitchy-type bugs that cause the mental
> problems and premature aging. The bugs that show up, show up
> early and tend to be pretty clearly Mine or Theirs.
>
> But I agree with you (and Jerry) that production code should be
> prepared to handle residual errors, and preferably in a classier
> way than by just clutching its throat and going spark out.
>
> I'd argue, though, that our friend Charles, here, is well before
> needing to think about production issues. He's still trying to
> get basic db-app code to do something besides halt and fall over.
> For that stage of things, I find die() to be a usefully quick way
> to deliver debug info.

He (and a lot of other folk who show up here with trivial problems) need
to learn to do a bit of basic debugging and use the echo statement a bit
to find out what's going on.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Adding a record to a database [message #175140 is a reply to message #175116] Tue, 16 August 2011 20:13 Go to previous messageGo to next message
sheldonlg is currently offline  sheldonlg
Messages: 166
Registered: September 2010
Karma: 0
Senior Member
On 8/15/2011 9:50 PM, Jerry Stuckle wrote:
> On 8/15/2011 9:02 PM, sheldonlg wrote:
>> On 8/15/2011 2:11 PM, A.Reader wrote:
>>> On Mon, 15 Aug 2011 05:35:37 -0700 (PDT),
>>> Charles<cchamb2(at)gmail(dot)com> wrote:
>>>
>>>> I'm trying to add a record to a database, and it's not working
>>>> properly.
>>>>
>>>> The general thought is to call a data entry form, fill in the form,
>>>> and use the $_POST(array) process to pass the data from the form to a
>>>> php script that handles adding the record to the database.
>>>>
>>>> The only trick part of the php script is using a hidden field to pass
>>>> the name of the data entry form to a SWITCH statement. I'm trying to
>>>> keep the site directory uncluttered and the scripting organized, and I
>>>> understand this works.
>>>>
>>>> I'm getting Error 500 as I test the script, so I think I have
>>>> something coded incorrectly in the script, or I have something
>>>> missing. Other php-based web applications wrok fine, so I suspect I
>>>> have php correctly installed.
>>>>
>>>> Here's the coding:
>>>>
>>>> =====================
>>>>
>>>> <?php
>>>>
>>>> /*<!-- This starts the switch statement. The variable passed to
>>>> control iteration
>>>> is the $_Push(switch) variable set in the first (hidden) field in a
>>>> data entry form.
>>>> The value contained in the variable is the case predicate
>>>>
>>>> */
>>>>
>>>>
>>>> switch ($_Push(switch)) {
>>>>
>>>> /*======================================================*/
>>>>
>>>> case "cab_vehicle_data_entry_add_a_vehicle":
>>>>
>>>>
>>>>
>>>> $con = mysql_connect("*********","****","******");<<These are fine
>>>> if (!$con)
>>>> {
>>>> die('Could not connect: ' . mysql_error());
>>>> }
>>>>
>>>> mysql_select_db("taxicab", $con);
>>>>
>>>> $sql="INSERT INTO
>>>> cab_vehicle (cab_vehicle_make, cab_vehicle_model,
>>>> cab_vehicle_edition,
>>>> cab_vehicle_month, cab_vehicle_year, cab_vehicle_VIN,
>>>> cab_vehicle_registration_number,
>>>> cab_vehicle_reg_exp_month, cab_vehicle_reg_exp_year,
>>>> cab_vehicle_pax_capacity,
>>>> cab_vehicle_cubic_feet_cargo, cab_vehicle_cargo_weight)
>>>>
>>>> VALUES
>>>>
>>>>
>>>> ('$_POST[Make]','$_POST[Model]','$_POST[Edition]','$_POST[Month]','$_POST[y ear]',
>>>>
>>>>
>>>> '$_POST[VIN]','$_POST[Registration]','$_POST[reg_exp_month]','$_POST[reg_ex p_year]',
>>>>
>>>>
>>>> '$_POST[pax_capacity]','$_POST[cargo_cubic_feet]','$_POST[cargo_weight_lbs] ') ";
>>>>
>>>>
>>>>
>>>> if (!mysql_query($sql,$con))
>>>> {
>>>> die('Error: ' . mysql_error());
>>>> }
>>>> echo "1 record added";
>>>>
>>>> mysql_close($con)
>>>>
>>>> break;
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>> /*======================================================*/
>>>>
>>>> /* case "whatever"
>>>> Next process subroutine
>>>> break;
>>>> */
>>>>
>>>>
>>>> }
>>>>
>>>>
>>>> ?>
>>>
>>> I'll pass on some highly-useful advice I got when I was learning
>>> to program, back during the last ice age: make your code look
>>> neat and clean. There's no logical reason for that to make bugs
>>> go away, but in fact it does.
>>>
>>> Your program should have a structure something like this:
>>>
>>> <?php
>>>
>>> if ( ! connected( 'taxicabs', 'sometable' ) ) die() ;
>>>
>>> if ( valid( $_REQUEST ) )
>>> {
>>> $s = 'INSERT INTO taxicabs.sometable SET ' ;
>>> $s .= 'Make="'.$_REQUEST['Make'].'", ' ;
>>> $s .= 'Model="'.$_REQUEST['Model'].'", ' ;
>>> // the other fields the same way
>>>
>>> // note that it's just "Make", "Model", etc not
>>> // "cab_vehicle_make" etc. because if you don't already know
>>> // that you're talking about taxis, not railway locomotives or
>>> // steamboats, you're in more
>>> // trouble than wordy fieldnames can ever fix
>>>
>>> if ( ! mysql_query( $s, $dblink ) )
>>> die( 'Could not create the new record '.
>>> ' because '.mysql_error() ) ;
>>> }
>>> else die( 'That is not a valid request because '.
>>> $val_errors ) ;
>>>
>>> // it needn't be "die()" when something goes wrong,
>>> // it could be some recovery
>>> // routine where you explain what the person should
>>> // do differently and give them another go. Of course, if
>>> // it's that the server choked or got lost, then die() is '
>>> // perfectly appropriate.
>>>
>>>
>>> // ----------------------------
>>> function connected( $db, $table )
>>> {
>>> global $dblink ;
>>> // the mysql connection stuff, returning true if it works, or
>>> // complain about the problems and return false.
>>> }
>>> // ----------------------------
>>> function valid( $a )
>>> {
>>> global $val_errors = '' ;
>>> // your validation code. If it passes your tests,
>>> // return true. If not, concatenate the complaints into
>>> // $val_errors and return false ;
>>> }
>>>
>>> ?>
>>
>> Besides all the excellent advice already given to you, didn't you say
>> that the choice came from the value of a hidden variable? If so, then
>> you want to switch on the value of the %_POST['name_of_that_variable'].
>>
>
> Which is about as insecure as you can get. I hope this isn't how you're
> coding for your "Fortune 500" company. If so, I pity them.

What part of "Besides all the excellent advice already given to you"
didn't you understand? I was only addressing that it is $_POST, not push.

As to the other part, no, I don't. However, even if I did, it wouldn't
be much of a big deal as all that coding is for an intranet behind a
very secure firewall.

--
Shelly
Re: Adding a record to a database [message #175145 is a reply to message #175124] Tue, 16 August 2011 21:21 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 8/16/2011 9:11 AM, A.Reader wrote:
> On Tue, 16 Aug 2011 06:23:06 -0400,
> Jerry Stuckle<jstucklex(at)attglobal(dot)net> wrote:
>
>> On 8/16/2011 5:41 AM, A.Reader wrote:
>>> On Tue, 16 Aug 2011 01:30:02 -0700 (PDT),
>>> Charles<cchamb2(at)gmail(dot)com> wrote:
>>>
>>>> Is this better?
>>>>
>>>> I still get one error message - Error: You have an error in your SQL
>>>> syntax; check the manual that corresponds to your MySQL server version
>>>> for the right syntax to use near 'Ford'', ''Crown Victoria'',
>>>> ''Taxicab'', ''SEP'', '2010', ''sadfasdfsadfdsf' at line 21
>>>>
>>>> =====================================
>>>>
>>>> <?php
>>>>
>>>> /***Switch statement that controls processing from
>>>> value of $_POST(deform)***************/
>>>>
>>>> switch ( $_POST['deform'] )
>>>>
>>>> {
>>>>
>>>> /***Case statement that acts on value of $_POST(deform)******/
>>>>
>>>> CASE $_POST['deform'] = "cab_vehicle_data_entry_add_a_vehicle":
>>>>
>>>> $con = mysql_connect("localhost","root","edward");
>>>>
>>>> if (!$con)
>>>>
>>>> {
>>>>
>>>> die("Could not connect: " . mysql_error());
>>>>
>>>> }
>>>>
>>>> function check_input($value)
>>>> {
>>>>
>>>> if (get_magic_quotes_gpc())
>>>> {
>>>> $value = stripslashes($value);
>>>> }
>>>>
>>>> if (!is_numeric($value))
>>>> {
>>>> $value = "'" . mysql_real_escape_string($value) . "'";
>>>> }
>>>> return $value;
>>>> }
>>>>
>>>> $Make = check_input($_POST['Make']);
>>>> $Model = check_input($_POST['Model']);
>>>> $Edition = check_input($_POST['Edition']);
>>>> $Month = check_input($_POST['Month']);
>>>> $Year = check_input($_POST['Year']);
>>>> $VIN = check_input($_POST['VIN']);
>>>> $Registration = check_input($_POST['Registration']);
>>>> $reg_exp_month = check_input($_POST['reg_exp_month']);
>>>> $reg_exp_year = check_input($_POST['reg_exp_year']);
>>>> $pax_capacity = check_input($_POST['pax_capacity']);
>>>> $cargo_cubic_feet = check_input($_POST['cargo_cubic_feet']);
>>>> $cargo_weight_lbs = check_input($_POST['cargo_weight_lbs']);
>>>>
>>>> mysql_select_db("taxicab", $con);
>>>>
>>>> $sql="INSERT INTO
>>>>
>>>> cab_vehicle (
>>>> cab_vehicle_make,
>>>> cab_vehicle_model,
>>>> cab_vehicle_edition,
>>>> cab_vehicle_month,
>>>> cab_vehicle_year,
>>>>
>>>> cab_vehicle_VIN,
>>>> cab_vehicle_registration_number,
>>>> cab_vehicle_reg_exp_month,
>>>> cab_vehicle_reg_exp_year,
>>>>
>>>> cab_vehicle_pax_capacity,
>>>> cab_vehicle_cubic_feet_cargo,
>>>> cab_vehicle_cargo_weight)
>>>>
>>>> VALUES
>>>>
>>>> ('$Make',
>>>> '$Model',
>>>> '$Edition',
>>>> '$Month',
>>>> '$Year',
>>>> '$VIN',
>>>> '$Registration',
>>>> '$reg_exp_month',
>>>> '$reg_exp_year',
>>>> '$pax_capacity',
>>>> '$cargo_cubic_feet',
>>>> '$cargo_weight_lbs')";
>>>>
>>>> if (!mysql_query($sql,$con))
>>>>
>>>> {
>>>>
>>>> die("Error: " . mysql_error());
>>>>
>>>> }
>>>>
>>>> echo "1 record added";
>>>>
>>>> mysql_close($con);
>>>>
>>>> break;
>>>>
>>>> }
>>>>
>>>> /******End of CASE statement start of next one*************/
>>>>
>>>> ?>
>>>
>>> Don't use the INSERT var1,var2,var3,var4,var5 VALUES
>>> val1,val2,val3,val5 style -- it's prone to misalignment errors
>>> when you're doing more than one or two values. As a matter of
>>> good practice, always use the SET var1=val1, var2=val2, var3=val3
>>> form instead. That way there's no mistake about which value is
>>> getting assigned to which var (did you notice the 'error'?)
>>>
>>
>> Terrible advice. He is doing it the correct way, according to the SQL
>> standard. SET in an INSERT statement is non-standard and AFAIK only
>> supported by MySQL (and then only when not running in STRICT mode).
>
> Why would he need -or want- to eliminate MySQL-specific
> extensions, unless he's planning to port the code? What would
> the practical payoff be?
>

Well, for one thing, if he gets on a MySQL server which enforces STRICT
SQL standards.

And it's always a good idea to get in the habit of using
standards-compliant code. You never know when someone may want you to
port it to another database - or even if you want to start learning
another database.

There is no problem with using standards-compliant code here. It is
very easy to keep things straight if you format your code properly.

>>
>>> Further, do all your testing for the record in one lump, not on a
>>> per-field basis. The reason being that unless your validation
>>> routine can see everything at once, the person could enter
>>> something like 'Make="Chevrolet", Model="Crown Vic"' and you
>>> wouldn't be able to catch it.
>>>
>>
>> There is nothing wrong with such a search. It will just not return any
>> rows. Trying to validate all possible combinations like this will add
>> unnecessary complexity to the code.
>>
>> The purpose of validation at this level is not to ensure that
>> combinations are valid - but that the field itself is the correct type
>> and possibly a reasonable value.
>
> Aren't we talking about validation at INSERT time, not SELECT
> time? I thought we were, but I might be confused.
>

Yes, we are.

>>
>>> To find mysql errors such as the one you're getting, change your
>>>
>>> die("Error: " . mysql_error());
>>>
>>> to
>>>
>>> die('Error:<br>'.$sql.'<br>'.mysql_error() ) ;
>>>
>>> That way, when you get a mysql error, you're looking at both the
>>> text of the error message and the broken mysql statement, which
>>> you can then examine to see where the problem is.
>>
>> Better yet - get rid of the die() all together and handle the error
>> gracefully. Then ask about the SQL problem in the appropriate newsgroup.
>
> We're talking about the debugging phase here, aren't we? There
> shouldn't _be_ any sql errors left by rollout.
>

And when you have to go back and change the code to get rid of all the
die() statements, you add another possibility for errors being
introduced - or even forget to do it.

Better to not do it in the first place.

> And, from the error msg, the error doesn't represent an "SQL
> problem" as such but rather a plain syntax error. My suggestion
> was aimed at helping him improve his PHP code such that he could
> then find the error. That seems to be within the remit of this
> group.
>

Please show me where in the PHP manual it documents SQL errors - or even
the syntax of a SQL statement.

The final solution may be in PHP code - but the ERROR is SQL - and
should be followed up that way.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Adding a record to a database [message #175146 is a reply to message #175140] Tue, 16 August 2011 21:24 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 8/16/2011 4:13 PM, sheldonlg wrote:
> On 8/15/2011 9:50 PM, Jerry Stuckle wrote:
<snip>
>> Which is about as insecure as you can get. I hope this isn't how you're
>> coding for your "Fortune 500" company. If so, I pity them.
>
> What part of "Besides all the excellent advice already given to you"
> didn't you understand? I was only addressing that it is $_POST, not push.
>
> As to the other part, no, I don't. However, even if I did, it wouldn't
> be much of a big deal as all that coding is for an intranet behind a
> very secure firewall.
>

And you NEVER have any problems behind a "very secure firewall"? Let me
clue you, Sheldon - the most common hacks still come from internal
sources - disgruntled employees, etc. - behind your "secure firewall".
You just don't hear about them because the companies don't broadcast why
they fired someone (unless it's a very big hack). And ANY security
professional will tell you to NEVER depend on just one layer of security
- always build multiple layers into the system.

Just because it's behind "a very secure firewall" is NOT a reason to
ignore standard security practices!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: PHP 4 vs 5 timings
Next Topic: Re: ftp with win-filenames with chr#32 ?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Dec 01 11:06:38 GMT 2024

Total time taken to generate the page: 0.02548 seconds