Posted by eholz1 on 03/12/07 20:46
On Mar 9, 8:39 am, "shimmyshack" <matt.fa...@gmail.com> wrote:
> On 8 Mar, 17:31, "eholz1" <ewh...@gmail.com> wrote:
>
> > Hello PHP,
>
> > I am having a problem. I know the area of the problem, but not how to
> > solve it.
> > It has to do with a php page with a form on it, and I am trying to
> > perform an insert query into
> > my mysql database.
>
> > I know that when I "submit" (post) the form, everything goes blank,
> > and the insert query is not run.
> > Basically here is my story. Initially I had a page with all in-line
> > code, that uses includes for connection to the db, and a error
> > processing page. I also have another include page that has some
> > functions in it, one of which is for resizing images. That function,
> > cleverly named resizeImage returns a down-sized height and width,
> > which get loaded into the database table, along with info on the image
> > itself (name, location,etc).
>
> > this page has php code which reads a directory, finds jpeg images,
> > does a resizeImage for each image (in a for loop), and then performs
> > the insert query for each image. I would run the whole thing just by
> > loading the page (no form tags on this page). Everything works fine,
> > I call the resizeImage function from the fileloader.php page, the
> > function is in a page called size_image.php (I use a require for
> > this).
>
> > I decided that I would like to add some flexibility to this page and
> > create a form where I could enter a parameter (an integer), and click
> > a button, which would then run this same insert query, and the
> > resizeImage function, and then tell me if I inserted the records.
>
> > I am using a if(isset($_REQUEST['update'])) type construct to respond
> > to the button click (named 'update').
> > and use the POST action and $_SERVER[PHP_SELF] as the form.
>
> > When I click the button, most of the page runs, and then all goes
> > blank in the browser, and the records are not inserted into the
> > database. I am guessing that something in the post blitzes my
> > variables, etc, so the query never runs, etc.
>
> > Below is some of the code in the page - I have an input box for the
> > parameter, and a button to run the function. I would appreciate any
> > suggestions.
>
> > Thanks,
>
> also try not to get hacked:
> make life easy on yourself, escape all values that go into the
> database, to avoid SQL injection.
>
> EVERY VALUE SHOULD HAVE CORRECT TYPE
> $name[1] -> string
> $filesize -> int?
> $height -> int?
> $p -> string
>
> EVERY STRING (or even int) NEEDS TO BE ESCAPED USING
> mysql_real_escape() or better mysql_real_escape_string(
>
> $insertSQL = sprintf(
> "INSERT INTO `images3` " .
> "(`name`, `folder`, `type`, `filesize`, `orig_width`, " .
> "`orig_height`, `resize_width`, `resize_height`, `p`)" .
> "VALUES( '%s', '%s', '%s', '%d', '%d', '%d' , '%d', '%d', '%s')",
> mysql_real_escape_string($name[1]),
> mysql_real_escape_string($path),
> mysql_real_escape_string($filetype),
> mysql_real_escape_string($filesize),
> mysql_real_escape_string($width),
> mysql_real_escape_string($height),
> mysql_real_escape_string($n_width[0]),
> mysql_real_escape_string($n_width[1]),
> mysql_real_escape_string($p)
> );
>
> this gets boring, so why not have your vars in an array and use
> array_walk to escape the values
>
> Also you should enforce bounds checking on all your vars, before entry
> into the database, is your database only allowing 32 chars for a
> $name[1], then use
> $name[1] = substr($name[1],0,32);
> etc...
>
> stay neat and tidy and you will be able to see clearly.
Thanks for the tip - as always, there is much more for me to learn and
use!
eholz1
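The advice in the quoted reply (escape every value, give every value the correct type, bounds-check before insert) is sound, but the sprintf-plus-mysql_real_escape_string pattern still builds the SQL text out of user data, and the mysql_* extension it relies on was removed in PHP 7. Here is an added example, not code from either poster, that does the same INSERT into the thread's `images3` table with a prepared statement and explicit validation. It uses PDO with an in-memory SQLite database so it runs offline; for MySQL only the DSN changes. The column lengths and numeric ranges are assumptions for the demo (the thread only mentions a 32-character `name`).

```php
<?php
// Added example (not from the thread): prepared-statement INSERT with typed,
// bounds-checked values. Runs against in-memory SQLite; for MySQL use a DSN
// such as 'mysql:host=localhost;dbname=mydb' (assumed values) with the same code.
declare(strict_types=1);

// Coerce each field to its expected type and enforce bounds before any SQL runs.
// Returns the cleaned record or throws InvalidArgumentException.
function validateImageRecord(array $r): array
{
    $str = function (string $key, int $max) use ($r): string {
        if (!isset($r[$key]) || !is_string($r[$key])) {
            throw new InvalidArgumentException("$key must be a string");
        }
        // Reject rather than silently truncate; $max mirrors the column width.
        if (strlen($r[$key]) > $max) {
            throw new InvalidArgumentException("$key longer than $max bytes");
        }
        return $r[$key];
    };
    $int = function (string $key, int $min, int $max) use ($r): int {
        $v = filter_var($r[$key] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        if ($v === false) {
            throw new InvalidArgumentException("$key must be an int in [$min,$max]");
        }
        return $v;
    };
    // Limits below are assumed for the demo; the thread only states name = 32 chars.
    return [
        'name'          => $str('name', 32),
        'folder'        => $str('folder', 255),
        'type'          => $str('type', 16),
        'filesize'      => $int('filesize', 0, 50 * 1024 * 1024),
        'orig_width'    => $int('orig_width', 1, 20000),
        'orig_height'   => $int('orig_height', 1, 20000),
        'resize_width'  => $int('resize_width', 1, 20000),
        'resize_height' => $int('resize_height', 1, 20000),
        'p'             => $str('p', 255),
    ];
}

// Insert one validated record; values travel as bound parameters, never as SQL text.
function insertImage(PDO $db, array $r): int
{
    $r = validateImageRecord($r);
    $stmt = $db->prepare(
        'INSERT INTO images3 (name, folder, type, filesize, orig_width, orig_height,
                              resize_width, resize_height, p)
         VALUES (:name, :folder, :type, :filesize, :orig_width, :orig_height,
                 :resize_width, :resize_height, :p)'
    );
    foreach ($r as $k => $v) {
        $stmt->bindValue(":$k", $v, is_int($v) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// --- demo: constructed schema mirroring the thread's images3 table ---
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares on MySQL
]);
$db->exec('CREATE TABLE images3 (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT, folder TEXT, type TEXT,
    filesize INTEGER, orig_width INTEGER, orig_height INTEGER,
    resize_width INTEGER, resize_height INTEGER, p TEXT)');

// A filename with an apostrophe: with sprintf-built SQL it would break the
// quoting unless escaped; as a bound parameter it is simply stored as-is.
$id = insertImage($db, [
    'name' => "it's.jpg", 'folder' => '/var/www/img', 'type' => 'jpeg',
    'filesize' => '20480', 'orig_width' => '1600', 'orig_height' => '1200',
    'resize_width' => '400', 'resize_height' => '300', 'p' => 'gallery',
]);
$sel = $db->prepare('SELECT name FROM images3 WHERE id = :id');
$sel->execute([':id' => $id]);
echo "inserted row $id: ", $sel->fetchColumn(), "\n";

// Out-of-range input is rejected before the INSERT is ever prepared.
try {
    insertImage($db, ['name' => str_repeat('a', 40), 'folder' => '', 'type' => 'jpeg',
        'filesize' => '1', 'orig_width' => '1', 'orig_height' => '1',
        'resize_width' => '1', 'resize_height' => '1', 'p' => '']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Because the widths and sizes are bound as `PDO::PARAM_INT` after `FILTER_VALIDATE_INT`, the type check the reply asks for happens in PHP rather than being implied by `%d` in a format string, and the length check replaces the silent `substr()` truncation with an explicit rejection the caller can report back on the form.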