Posted by shimmyshack on 03/09/07 16:39

On 8 Mar, 17:31, "eholz1" <ewh...@gmail.com> wrote:
 > Hello PHP,
 >
 > I am having a problem.  I know the area of the problem, but not how to
 > solve it.
 > It has to do with a php page with a form on it, and I am trying to
 > perform an insert query into
 > my mysql database.
 >
 > I know that when I "submit" (post) the form, everything goes blank,
 > and the insert query is not run.
 > Basically here is my story.  Initially I had a page with all in-line
 > code, that uses includes for connection to the db, and an error
 > processing page.  I also have another include page that has some
 > functions in it, one of which is for resizing images.  That function,
 > cleverly named resizeImage, returns a down-sized height and width,
 > which get loaded into the database table, along with info on the image
 > itself (name, location, etc.).
 >
 > This page has PHP code which reads a directory, finds JPEG images,
 > does a resizeImage for each image (in a for loop), and then performs
 > the insert query for each image.  I would run the whole thing just by
 > loading the page (no form tags on this page).  Everything works fine;
 > I call the resizeImage function from the fileloader.php page, the
 > function is in a page called size_image.php (I use a require for
 > this).
 >
 > I decided that I would like to add some flexibility to this page and
 > create a form where I could enter a parameter (an integer), and click
 > a button, which would then run this same insert query, and the
 > resizeImage function, and then tell me if I inserted the records.
 >
 > I am using an if(isset($_REQUEST['update'])) type construct to respond
 > to the button click (named 'update'),
 > and use the POST action and $_SERVER[PHP_SELF] as the form.
 >
 > When I click the button, most of the page runs, and then all goes
 > blank in the browser, and the records are not inserted into the
 > database.  I am guessing that something in the post blitzes my
 > variables, etc, so the query never runs, etc.
 >
 > Below is some of the code in the page - I have an input box for the
 > parameter, and a button to run the function.  I would appreciate any
 > suggestions.
 >
 > Thanks,
 
 
Also, try not to get hacked:
Make life easy on yourself: escape all values that go into the
database, to avoid SQL injection.
 
 EVERY VALUE SHOULD HAVE CORRECT TYPE
 $name[1] -> string
 $filesize -> int?
 $height -> int?
 $p -> string
 
EVERY STRING (or even int) NEEDS TO BE ESCAPED USING
mysql_real_escape() or better mysql_real_escape_string()
 
 
// every value is escaped before it reaches the query; the %d conversions
// also force the numeric columns to plain integers
$insertSQL = sprintf(
    "INSERT INTO `images3` " .
    "(`name`, `folder`, `type`, `filesize`, `orig_width`, " .
    "`orig_height`, `resize_width`, `resize_height`, `p`) " .
    "VALUES ('%s', '%s', '%s', '%d', '%d', '%d', '%d', '%d', '%s')",
    mysql_real_escape_string($name[1]),
    mysql_real_escape_string($path),
    mysql_real_escape_string($filetype),
    mysql_real_escape_string($filesize),
    mysql_real_escape_string($width),
    mysql_real_escape_string($height),
    mysql_real_escape_string($n_width[0]),   // resized width from resizeImage
    mysql_real_escape_string($n_width[1]),   // resized height from resizeImage
    mysql_real_escape_string($p)
);
 
This gets boring, so why not have your vars in an array and use
array_walk to escape the values?
 
Also, you should enforce bounds checking on all your vars before entry
into the database. If your database only allows 32 chars for
$name[1], then use
$name[1] = substr($name[1], 0, 32);
etc...
 
 
Stay neat and tidy and you will be able to see clearly.
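The three pieces of advice above (correct type per column, escape every value via array_walk, bounds-check string lengths with substr) put together in one runnable script. This is an added example, not code from either poster: the column names come from the `images3` INSERT in the reply, but the length limits, the schema array, the function names and the sample form input are all assumptions. It runs offline against an in-memory SQLite database through PDO; in place of the post's mysql_real_escape_string (the mysql_* extension was removed in PHP 7) the escaper passed to array_walk is PDO::quote, and the closing prepared statement shows the bound-parameter alternative that makes hand-escaping unnecessary.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the poster's `images3` table. Column names are
// from the post; the types and maximum lengths are assumptions.
const IMAGES3_SCHEMA = [
    'name'          => ['type' => 'string', 'max' => 32],
    'folder'        => ['type' => 'string', 'max' => 255],
    'type'          => ['type' => 'string', 'max' => 16],
    'filesize'      => ['type' => 'int'],
    'orig_width'    => ['type' => 'int'],
    'orig_height'   => ['type' => 'int'],
    'resize_width'  => ['type' => 'int'],
    'resize_height' => ['type' => 'int'],
    'p'             => ['type' => 'string', 'max' => 64],
];

/**
 * Coerce every value to its column type and clamp strings to the column
 * width. Unknown keys are dropped and missing keys throw, so a stray or
 * missing form field can never reach the query.
 */
function normaliseRow(array $row, array $schema): array
{
    $out = [];
    foreach ($schema as $col => $def) {
        if (!array_key_exists($col, $row)) {
            throw new InvalidArgumentException("missing column $col");
        }
        $v = $row[$col];
        if ($def['type'] === 'int') {
            // filter_var rejects "12abc" instead of silently truncating it
            $int = filter_var($v, FILTER_VALIDATE_INT);
            if ($int === false || $int < 0) {
                throw new InvalidArgumentException("$col must be a non-negative integer");
            }
            $out[$col] = $int;
        } else {
            $out[$col] = substr((string) $v, 0, $def['max']);
        }
    }
    return $out;
}

/**
 * Escape every string column in place with array_walk. $escape is whatever
 * the driver provides: PDO::quote here, or a closure around
 * mysqli_real_escape_string($link, $v) when using mysqli.
 */
function escapeRow(array $row, array $schema, callable $escape): array
{
    array_walk($row, function (&$v, $col) use ($schema, $escape) {
        if ($schema[$col]['type'] === 'string') {
            $v = $escape($v);
        }
    });
    return $row;
}

/** Build the INSERT; string values must already be quoted and escaped. */
function buildInsert(array $row, array $schema): string
{
    $cols = [];
    $vals = [];
    foreach ($schema as $col => $def) {
        $cols[] = "`$col`";
        $vals[] = (string) $row[$col];
    }
    return sprintf('INSERT INTO `images3` (%s) VALUES (%s)',
        implode(', ', $cols), implode(', ', $vals));
}

// Offline demo (assumes the pdo_sqlite driver is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE images3 (name TEXT, folder TEXT, type TEXT,
    filesize INTEGER, orig_width INTEGER, orig_height INTEGER,
    resize_width INTEGER, resize_height INTEGER, p TEXT)');

// Constructed input, as if it had arrived in $_POST: the apostrophe in the
// file name would break an unescaped query.
$formInput = [
    'name' => "summer's day, the long version.jpg",
    'folder' => '/var/www/images', 'type' => 'image/jpeg',
    'filesize' => '204800', 'orig_width' => '1600', 'orig_height' => '1200',
    'resize_width' => '400', 'resize_height' => '300', 'p' => 'gallery',
];

$row = normaliseRow($formInput, IMAGES3_SCHEMA);   // name is clamped to 32 chars
$sql = buildInsert(escapeRow($row, IMAGES3_SCHEMA, [$pdo, 'quote']), IMAGES3_SCHEMA);
$pdo->exec($sql);

// Same insert with bound parameters: the driver separates data from SQL,
// so no escaping step is needed at all.
$stmt = $pdo->prepare('INSERT INTO images3 (name, folder, type, filesize,
    orig_width, orig_height, resize_width, resize_height, p) VALUES
    (:name, :folder, :type, :filesize, :orig_width, :orig_height,
    :resize_width, :resize_height, :p)');
$params = [];
foreach ($row as $col => $v) {
    $params[':' . $col] = $v;
}
$stmt->execute($params);

echo $pdo->query('SELECT COUNT(*) FROM images3')->fetchColumn(), " rows inserted\n";
```

normaliseRow runs before either insert path, so both the escaped sprintf query and the prepared statement see values of the right type and length; the escaping only has to deal with quoting, never with validation.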