Posted by Hilarion on 10/26/05 18:38

Hi

What is the type of "nr_jrg" field in the database? What is
the data you store there? "19/05" looks like part of date
or simply some text. If it should be stored "as is", then
the field in DB should be a character type (VARCHAR probably).

> I have been stupid.
> I was struggling with an update query on a text field. When i
> updated '19/05' the update was performed and the result was 3.80.

It has probably nothing to do with the variable type, but
with not using single quotes in UPDATE query. Your query
looked like this:

UPDATE titels SET nr_jrg = 19/05 WHERE tid = 1234

In SQL syntax this means setting "nr_jrg" field to the expression
value, and the expression value is "3.8" (a number).


> So i decided to set the variable with
> settype( $nummer, string ) ;

It was allready a string because all $_POST, $_GET and $_COOKIE
values are strings.


> Now, the result was 1.

I do not know how did you do that.


> Then i tried not to enter the division sign but the hash sign
> instead (19#5). That worked to well! I got the message back that all
> 399 records had been changed!

This means that you did not use single quotes and got something
like this:

UPDATE titels SET nr_jrg = 19#05 WHERE tid = 1234

Hash sign meant (for your DBMS engine) that you are placing
a comment in your SQL statement, so what was actually executed
was:

UPDATE titels SET nr_jrg = 19

which updated all records to 19.


> But I am still wondering what happened?

You did not use single quotes. Type of "nr_jrg" field in the
database has also a big influence on the results.


> Could you please shed some light on the code?
> ------------
> ...
> $sql= "SELECT tid, titel, nr_jrg FROM titels WHERE tid>480 ORDER BY
> tid DESC" ;
> if ( isset( $_POST['id'] ) && isset( $_POST['nummer'] ) ) {
> $id = $_POST['id'] ; $nummer = $_POST['nummer'] ;
> settype( $nummer, string ) ;
> print $_POST['nummer']. "- - " . $_POST['id']. "--<br> " ;
> //n.b.: de apostrophes om '$nummer' heen, anders is het geen tekst

When posting code change comments to English or cut them out.


> $upd = "UPDATE titels SET nr_jrg = '$nummer' WHERE tid = $id " ;

You should echo the $upd here and check how does it look like.


> [snip]

If you have "magic_quotes_gpc" turned off or you are not using MySQL
(or another database using same way of escaping special chars in
strings), then your script can be used to perform ALL possible
SQL injection attacks. If you are using MySQL (as above) and
have "magic_quotes_gpc" turned on, then still a skillful attacker
can use it. You should turn "magic_quotes_gpc" off and use
"mysql_real_escape_string" function on all text parameters
passed to SQL query (not forgeting to put them in single quotes)
and some other validation/conversion for other types of data (eg.
use >>$id = intval( $_POST['id'] )<< to make sure that it will not
be used against your database).


Hilarion

[Back to original message]