passing info from a form to update the database

keithschm
Registered User
Posts: 299
Joined: Sat Oct 02, 2004 7:58 pm

Post by keithschm »

I am trying to update 4 fields in a database from a form

I have the form set up in my tpl with 4 text boxes. I have a new table in my database with 5 fields: 1 id field and 4 data fields.


I am having problems with my UPDATE statement in my php file.

How should the UPDATE statement be set up? This is what I have so far:

Code:

if( isset($HTTP_POST_VARS['submit']) )
		{
			$sql = "UPDATE " . VOICE_TABLE . " SET
				(server_name, server_port, server_ip, server_pass) VALUES ($server_name, $server_port, $server_ip, $server_pass)
				WHERE server_id = '1'";
			if( !$db->sql_query($sql) )
			{
				message_die(GENERAL_ERROR, "Failed to update general configuration for $config_name", "", __LINE__, __FILE__, $sql);
			}
		}
I am not sure how to pass the info from the form.

Swizec
Former Team Member
Posts: 1701
Joined: Mon Mar 10, 2003 9:42 pm
Location: Slovenia

Post by Swizec »

Code:

$sql = "UPDATE " . VOICE_TABLE . " SET 
            (server_name, server_port, server_ip, server_pass) VALUES ($server_name, $server_port, $server_ip, $server_pass) 
            WHERE server_id = '1'";
should be like

Code:

$sql = "UPDATE " . VOICE_TABLE . " SET 
server_name = '$server_name',
server_port = '$server_port',
server_ip = '$server_ip',
server_pass =' $server_pass' 
WHERE server_id='1'";

keithschm
Registered User
Posts: 299
Joined: Sat Oct 02, 2004 7:58 pm

Post by keithschm »

Swizec wrote:

Code:

$sql = "UPDATE " . VOICE_TABLE . " SET 
            (server_name, server_port, server_ip, server_pass) VALUES ($server_name, $server_port, $server_ip, $server_pass) 
            WHERE server_id = '1'";
should be like

Code:

$sql = "UPDATE " . VOICE_TABLE . " SET 
server_name = '$server_name',
server_port = '$server_port',
server_ip = '$server_ip',
server_pass =' $server_pass' 
WHERE server_id='1'";



Should my vars from the form look like this?

Code:

$server_name = ( isset($HTTP_POST_VARS['server_name']) );
$server_port = ( isset($HTTP_POST_VARS['server_port']) );
$server_ip = ( isset($HTTP_POST_VARS['server_ip']) );
$server_pass = ( isset($HTTP_POST_VARS['server_pass']) );
because I get "1" in the name field and nothing in the rest.

keithschm
Registered User
Posts: 299
Joined: Sat Oct 02, 2004 7:58 pm

Post by keithschm »

OK, I figured it out. Anybody want to look at my code and check whether I did it right and secure?

Swizec
Former Team Member
Posts: 1701
Joined: Mon Mar 10, 2003 9:42 pm
Location: Slovenia

Post by Swizec »

post thy code...

hard to look at it if we don't see it now isn't it...

keithschm
Registered User
Posts: 299
Joined: Sat Oct 02, 2004 7:58 pm

Post by keithschm »

Here is the PHP side:

Code:

<?php
define('IN_PHPBB', 1);

if( !empty($setmodules) )
{
	$filename = basename(__FILE__);
	$module['Voice Comms']['Management'] = append_sid($filename);

	return;
}

//
// Include required files, get $phpEx and check permissions
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');
require('./pagestart.' . $phpEx);
include($phpbb_root_path . 'includes/functions_selects.'.$phpEx);



//
// update server info
//

{


$server_name = ($HTTP_POST_VARS['server_name'] );
$server_port = ($HTTP_POST_VARS['server_port'] );
$server_ip = ($HTTP_POST_VARS['server_ip'] );
$server_pass = ($HTTP_POST_VARS['server_pass'] );

$server_id = 1;         // the row updated below (WHERE server_id='1')
$s_hidden_fields = '';  // initialise before appending to it
$s_hidden_fields .= '<input type="hidden" name="id" value="' . $server_id . '" />';

if( isset($HTTP_POST_VARS['submit']) )
		{



$sql = "UPDATE " . VOICE_TABLE . " SET
server_name = '$server_name',
server_port = '$server_port',
server_ip = '$server_ip',
server_pass =' $server_pass'
WHERE server_id='1'";

			if( !$db->sql_query($sql) )
			{
				message_die(GENERAL_ERROR, "Failed to update general configuration for Voice Mod", "", __LINE__, __FILE__, $sql);
			}
		}
	}


//
// get current server info
//


$sql = "SELECT server_name, server_ip, server_port, server_pass
	FROM " . VOICE_TABLE;
if ( $result = $db->sql_query($sql) )
{
	while( $row = $db->sql_fetchrow($result) )
	{

$server_name = $row['server_name'];
$server_ip = $row['server_ip'];
$server_port = $row['server_port'];
$server_pass = $row['server_pass'];



	}
}
else
{
	message_die(GENERAL_ERROR, 'Could not obtain voice mod data information', '', __LINE__, __FILE__, $sql);
}


$template->assign_vars(array(
			'SERVER_NAME' => $server_name,
			'SERVER_IP' => $server_ip,
			'SERVER_PORT' => $server_port,
			'SERVER_PASS' => $server_pass,
			'S_FORM_ACTION' => append_sid("admin_voice_comms.$phpEx"),
			'S_HIDDEN_FIELDS' => $s_hidden_fields)
		);


$template->set_filenames(array(
	"body" => "admin/admin_voice_comms.tpl")
);



$template->assign_vars(array(
	"L_VC_SHOW_IN" => $lang['VC_SHOW_IN'],
	"L_VC_HEADER" => $lang['VC_HEADER'],
	"L_VC_INDEX" => $lang['VC_INDEX'],
	"L_VC_BOTH" => $lang['VC_BOTH'],
	"L_VC_TITLE" => $lang['VC_Title'],
	"L_VC_EXPLAIN" => $lang['VC_Explain'],
	"L_VC_ADD" => $lang['VC_Add'],
	"L_VC_EDIT" => $lang['VC_Edit'],
	"L_VC_SERVERN" => $lang['VC_Servern'],
	"L_VC_SERVEREXP" => $lang['VC_Serverexp'],
	"L_VC_SERVERIP" => $lang['VC_Serverip'],
	"L_VC_SERVERIPEXP" => $lang['VC_Serveripexp'],
	"L_VC_SERVERPORT" => $lang['VC_Serverport'],
	"L_VC_SERVERPORTEXP" => $lang['VC_Serverportexp'],
	"L_VC_SERVERPASS" => $lang['VC_Serverpass'],
	"L_VC_SERVERPASSEXP" => $lang['VC_Serverpassexp'],
	"L_VC_ADDSERVER" => $lang['VC_Addserver'],
	"L_VC_SERVER" => $lang['VC_Server'],
	"L_VC_TEST" => $lang['VC_Test'],)
);



$template->pparse("body");
// Page Footer
//
include('./page_footer_admin.'.$phpEx);

?>

Swizec
Former Team Member
Posts: 1701
Joined: Mon Mar 10, 2003 9:42 pm
Location: Slovenia

Post by Swizec »

things like

Code:

$server_name = ($HTTP_POST_VARS['server_name'] );
should be

Code:

$server_name = ( isset( $HTTP_POST_VARS['server_name'] ) ) ? str_replace( "'", "\'", $HTTP_POST_VARS['server_name'] : '';
Something like that; look around at how phpBB does it normally.

afterlife_69
I've Been Banned!
Posts: 630
Joined: Tue Nov 30, 2004 10:35 am

Post by afterlife_69 »

Also should have stripslashes() and htmlspecialchars().

Swizec
Former Team Member
Posts: 1701
Joined: Mon Mar 10, 2003 9:42 pm
Location: Slovenia

Post by Swizec »

Uhm, why stripslashes? They're there to protect from SQL injection...

keithschm
Registered User
Posts: 299
Joined: Sat Oct 02, 2004 7:58 pm

Post by keithschm »

Thank you for your help and feedback, I really appreciate it. I have looked all over phpBB, but it is done differently everywhere.

Thanks again, let me know if you see anything else.

keithschm
Registered User
Posts: 299
Joined: Sat Oct 02, 2004 7:58 pm

Post by keithschm »

When using
Code:

$server_name = ( isset( $HTTP_POST_VARS['server_name'] ) ) ? str_replace( "'", "\'", $HTTP_POST_VARS['server_name'] : '';


I get a parse error on that line,

so I did it like this:

Code:

$server_name = ( isset( $HTTP_POST_VARS['server_name'] ) ) ? str_replace( "'", "\'", $HTTP_POST_VARS['server_name'] ) : '$server_name';
and it works. Is that correct?

afterlife_69
I've Been Banned!
Posts: 630
Joined: Tue Nov 30, 2004 10:35 am

Post by afterlife_69 »

Swizec wrote: uhm, why stripslashes? they're there to protect from sql injection...

Cleans it up.

I do it like this:

Code:

$field = stripslashes(htmlspecialchars($HTTP_POST_VARS['field']));
$field = str_replace('\'', '\\\'', $field);
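To put the escaping discussed in this thread (the isset default, stripslashes versus magic quotes, quote escaping, and where htmlspecialchars belongs) in one place, here is an added example; it is not code from the thread or from phpBB itself. VOICE_TABLE, escape_sql_value() and build_voice_update() are assumed names, and the input array is constructed.

```php
<?php
// Added example (not from the thread or phpBB's own code): sanitise the
// four form fields in one place and build the UPDATE from them.
// VOICE_TABLE, escape_sql_value() and build_voice_update() are assumed names.
define('VOICE_TABLE', 'phpbb_voice');   // assumed table name

// Escape a string for use inside single quotes in a MySQL statement.
function escape_sql_value($value)
{
    // On PHP 4/5 with magic_quotes_gpc on, request data already carries
    // backslashes; strip them first so the value is not escaped twice.
    // That is the job stripslashes() does here, not removing protection.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape backslashes before quotes so the quote escape is not undone.
    return str_replace(array('\\', "'"), array('\\\\', "\\'"), $value);
}

// Build the UPDATE from $post (normally $HTTP_POST_VARS or $_POST).
function build_voice_update($post)
{
    $server_name = isset($post['server_name']) ? escape_sql_value($post['server_name']) : '';
    $server_ip   = isset($post['server_ip'])   ? escape_sql_value($post['server_ip'])   : '';
    $server_pass = isset($post['server_pass']) ? escape_sql_value($post['server_pass']) : '';
    // A port is numeric: casting to int leaves no room for quotes at all.
    $server_port = isset($post['server_port']) ? (int) $post['server_port'] : 0;

    return "UPDATE " . VOICE_TABLE . " SET "
        . "server_name = '$server_name', "
        . "server_port = $server_port, "
        . "server_ip = '$server_ip', "
        . "server_pass = '$server_pass' "
        . "WHERE server_id = 1";
}

// Constructed input with quotes in it, as a user could type into the form.
$sample = array(
    'server_name' => "Keith's TeamSpeak",
    'server_port' => '8767abc',
    'server_ip'   => '192.0.2.10',
    'server_pass' => "pa'ss",
);
echo build_voice_update($sample), "\n";

// htmlspecialchars() belongs at output time (e.g. when assigning template
// vars), not before storage, or HTML entities end up in the database.
echo htmlspecialchars("Keith's TeamSpeak", ENT_QUOTES), "\n";
```

Run it from the command line with php to see the escaped statement; the same functions can be dropped into the admin file in place of the bare $HTTP_POST_VARS reads.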
