Posted by Jim Michaels on 02/24/06 01:20
"UKuser" <spidercc21@yahoo.co.uk> wrote in message
news:1140206022.118491.266180@f14g2000cwb.googlegroups.com...
> This code is still not working. I have adjusted it so the table
> displays however, what I'm after is that when you update any number of
> fields, and click update, the whole table gets updated.
>
> Also, what is the smallest code to add to avoid SQL/XSS injectiony
> stuff?
just google SQL Injection. here's one.
http://en.wikipedia.org/wiki/SQL_injection
this depends on what type of input string you've got. If the user is
putting in HTML and you know that, then of course you are going to have to
use maybe the first one here. the -- may be a bad hair-trigger.
if (preg_match("/'\s*;/", $string) || preg_match("/--/",$string)) {
//lockout user or do something
}
or just ignore them:
$string=mysql_real_escape_string(str_replace(";","",$string));
mysql_escape_string and its like do not handle semicolons, so that's the
reason for str_replace.
if you really want to avoid it, use mysqli functions and mysqli_prepare()
and use variable binding.
>
> Thanks
>
> <HTML>
> <TITLE>test 4</title>
> <form method='post' action='test4.php'>
> <?php
> function check_mysql()
> {
> if (mysql_errno() > 0)
> {
> die("<BR> MySQL error " . mysql_errno() . ": " .mysql_error());
> }
> }
>
> $db = mysql_connect("coconia.net", "nana46_nana46", "hello");
> if (!$db)
> {
> die("Failed to open connection to MySQL server.");
> }
>
> mysql_select_db("nana46_nana46");
> check_mysql();
>
> // Run the updates before the SELECT, otherwise the table shows the old values.
> // The id is posted as f1[] (there is no id[] field), so count the rows on f1.
> if (isset($_POST["mode"]) && $_POST["mode"] == "Update")
> {
> for ($i=0; $i<count($_POST["f1"]); $i++)
> {
> $post0 = $_POST["f1"][$i];
> $post1 = $_POST["f2"][$i];
> $post2 = $_POST["f3"][$i];
> $post3 = $_POST["f4"][$i];
> mysql_query ("UPDATE fig_lookup SET
> lowerval='$post1',upperval='$post2',result='$post3' WHERE id=$post0 ");
> check_mysql();
> }
> }
>
> $requete = "SELECT id,lowerval,upperval,result FROM fig_lookup";
> $resulta = mysql_query($requete) or die (mysql_error());
>
> echo '<table border="2" cellpadding="0" cellspacing="0" width="100%">';
> echo "<tr><td>id</td>";
> echo "<td>Lowerval</td>";
> echo "<td>Upperval</td>";
> echo "<td>Result</td></tr>";
>
> while ($l = mysql_fetch_array($resulta, MYSQL_ASSOC))
> { ?>
> <tr>
> <td><input type="text" name="f1[]" value="<?php echo $l["id"]?>"></td>
> <td><input type="text" name="f2[]" value="<?php echo $l["lowerval"]?>"></td>
> <td><input type="text" name="f3[]" value="<?php echo $l["upperval"]?>"></td>
> <td><input type="text" name="f4[]" value="<?php echo $l["result"]?>"></td>
> </tr>
> <?php
> }
> echo "</table>";
> ?>
> <input type='submit' name='mode' value='Update'>
>
> </form>
> </HTML>
>
> http://nana46.coconia.net/test4.php
>
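The same update-then-display page, rebuilt on mysqli with mysqli_prepare() and variable binding as the reply suggests. This is an added example, not code from either poster; it reuses the host, database, credentials and the fig_lookup table from the question, and adds htmlspecialchars() on output for the XSS half of the question (that part is an assumption of this example, not something the reply proposed).

```php
<?php
// Added example: prepared-statement version of the page from the question.
// Connection details and table/column names are the ones posted above.

function db_connect()
{
    $db = mysqli_connect("coconia.net", "nana46_nana46", "hello", "nana46_nana46");
    if (!$db) {
        die("Failed to open connection to MySQL server: " . mysqli_connect_error());
    }
    return $db;
}

// Update every posted row. Values are bound, never interpolated into the SQL,
// so quotes, semicolons or "--" in a field are stored as plain text.
// Returns the number of rows actually changed.
function update_rows($db, array $ids, array $lower, array $upper, array $result)
{
    $n = count($ids);
    if (count($lower) != $n || count($upper) != $n || count($result) != $n) {
        die("Malformed form submission: column arrays differ in length.");
    }
    $stmt = mysqli_prepare($db,
        "UPDATE fig_lookup SET lowerval=?, upperval=?, result=? WHERE id=?");
    if (!$stmt) {
        die("Prepare failed: " . mysqli_error($db));
    }
    // Bind once to local variables; bind_param binds by reference, so
    // reassigning them inside the loop is enough before each execute().
    $lo = $up = $re = "";
    $id = 0;
    mysqli_stmt_bind_param($stmt, "sssi", $lo, $up, $re, $id);
    $updated = 0;
    for ($i = 0; $i < $n; $i++) {
        $id = (int) $ids[$i];      // non-numeric id becomes 0 and matches nothing
        $lo = (string) $lower[$i];
        $up = (string) $upper[$i];
        $re = (string) $result[$i];
        if (mysqli_stmt_execute($stmt)) {
            $updated += mysqli_stmt_affected_rows($stmt);
        }
    }
    mysqli_stmt_close($stmt);
    return $updated;
}

// Escape for an HTML attribute context; ENT_QUOTES covers the single-quoted
// value='...' attributes used below.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Build the editable table from the current contents of fig_lookup.
function render_rows($db)
{
    $res = mysqli_query($db, "SELECT id,lowerval,upperval,result FROM fig_lookup");
    if (!$res) {
        die("Query failed: " . mysqli_error($db));
    }
    $html = "<table border='2'>\n<tr><td>id</td><td>Lowerval</td><td>Upperval</td><td>Result</td></tr>\n";
    while ($l = mysqli_fetch_assoc($res)) {
        $html .= "<tr>"
            . "<td><input type='text' name='f1[]' value='" . h($l['id']) . "' readonly></td>"
            . "<td><input type='text' name='f2[]' value='" . h($l['lowerval']) . "'></td>"
            . "<td><input type='text' name='f3[]' value='" . h($l['upperval']) . "'></td>"
            . "<td><input type='text' name='f4[]' value='" . h($l['result']) . "'></td>"
            . "</tr>\n";
    }
    mysqli_free_result($res);
    return $html . "</table>\n";
}

$db = db_connect();
// Apply the edits first so the SELECT below reflects them.
if (isset($_POST['mode']) && $_POST['mode'] === 'Update'
    && isset($_POST['f1'], $_POST['f2'], $_POST['f3'], $_POST['f4'])
    && is_array($_POST['f1'])) {
    update_rows($db, $_POST['f1'], $_POST['f2'], $_POST['f3'], $_POST['f4']);
}
?>
<html>
<title>test 4</title>
<form method='post' action='test4.php'>
<?php echo render_rows($db); ?>
<input type='submit' name='mode' value='Update'>
</form>
</html>
```

Two design points: the id input is marked readonly because a browser-side readonly is only a convenience, so the code still casts it to an integer and binds it as "i" rather than trusting it; and the regex checks from the reply become unnecessary once every value reaches the server through bind_param, since the driver sends data separately from the statement text and there is nothing for a stray quote or "--" to terminate.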