Database actions

This forum is now closed as part of retiring phpBB2.
Jojoponn139
Registered User
Posts: 36
Joined: Mon Aug 07, 2006 11:16 am

Database actions

Post by Jojoponn139 » Mon Feb 05, 2007 2:42 pm

Hi,

I wrote a short script to show a message in the overall-header.
Now I've got a problem with editing the message.

I read the message with this function:

Code:

$sql = "SELECT *
        FROM " . WELLCOME_MESSAGE . "
        WHERE id = 1";
$result = $db->sql_query($sql);
That works! When I want to change the message I use this code:

Code:

$sql = "UPDATE " . WELLCOME_MESSAGE . "
        SET message = " . $text . "
        WHERE id = 1";
$db->sql_query($sql);
But it doesn't change the message.

When I tried it with this construction:

Code:

$sql = "DELETE
        FROM " . WELLCOME_MESSAGE . "
        WHERE id = 1";
$db->sql_query($sql);
$sql = "INSERT INTO " . WELLCOME_MESSAGE . " (id, message)
        VALUES (1, " . $text . ")";
$db->sql_query($sql);
The message is deleted, but it doesn't put the new message into the database.

T0ny
Registered User
Posts: 1383
Joined: Sun Jan 29, 2006 8:42 pm
Location: Lancashire
Name: Tony

Post by T0ny » Mon Feb 05, 2007 3:05 pm

Try using

Code:

$sql = "UPDATE " . WELLCOME_MESSAGE . "
        SET message = '" . $text . "'
        WHERE id = 1";
and

Code:

$sql = "INSERT INTO " . WELLCOME_MESSAGE . " (id, message)
        VALUES (1, '" . $text . "')";
Note the single quotes added around $text.

Jojoponn139
Registered User
Posts: 36
Joined: Mon Aug 07, 2006 11:16 am

Post by Jojoponn139 » Mon Feb 05, 2007 3:41 pm

Oh ------- Thanks, now it works!

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE

Post by drathbun » Mon Feb 05, 2007 4:18 pm

If you had looked at some of the phpBB code you might have noticed an extra step that you left out. If you had put it in, it would have helped. ;-)

Code:

$sql = 'SELECT foo FROM bar';

if (!($result = $db->sql_query($sql)))
{
    message_die(GENERAL_ERROR, 'Unable to execute SQL', '', __LINE__, __FILE__, $sql);
}
You skipped the error checking step. If you had put that into your code, it would have let you know that the SQL was failing, even if it didn't tell you why.

Joe Belmaati
Registered User
Posts: 2110
Joined: Sun Sep 28, 2003 7:35 pm
Location: Denmark

Post by Joe Belmaati » Mon Feb 05, 2007 6:54 pm

...and also, make sure to secure $text. The standard phpBB way of doing that is

Code:

$text = str_replace("\'", "''", $text);
If $text is coming straight from a POST_VAR your database is wide open to SQL injection attacks.
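The error check drathbun describes and the escaping Joe raises, as an added example in plain PHP (not code from the thread or from phpBB 2): the same UPDATE run once by string concatenation and once with a bound parameter, on input that contains an apostrophe. It assumes PDO with an in-memory SQLite database, a constructed table `wellcome_message`, and a constructed message.

```php
<?php
// Added example, not code from the thread or from phpBB 2. PDO with an
// in-memory SQLite database so it runs stand-alone; the table name and
// the sample message are constructed for this demonstration.
$db = new PDO('sqlite::memory:');
// Make every failed statement throw instead of failing silently; this is
// the equivalent of the "if (!($result = $db->sql_query($sql)))" check.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wellcome_message (id INTEGER PRIMARY KEY, message TEXT)');
$db->exec("INSERT INTO wellcome_message (id, message) VALUES (1, 'old text')");

// A message containing an apostrophe: the case that breaks naive quoting.
$text = "Welcome, it's Monday";

// 1. Concatenation with single quotes, as in the thread. The apostrophe in
//    $text ends the string literal early, so the statement is malformed;
//    with untrusted input the same property lets the input rewrite the SQL.
try {
    $sql = "UPDATE wellcome_message SET message = '" . $text . "' WHERE id = 1";
    $db->exec($sql);
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. Bound parameter. The driver sends $text as data, never as SQL, so the
//    apostrophe is stored as-is and no manual str_replace escaping is needed.
//    (phpBB 2's str_replace("\'", "''", ...) only works because the input has
//    already been backslash-escaped by magic_quotes_gpc or phpBB's own
//    addslashes pass; a bound parameter does not depend on that.)
$stmt = $db->prepare('UPDATE wellcome_message SET message = :message WHERE id = :id');
$stmt->execute([':message' => $text, ':id' => 1]);

$row = $db->query('SELECT message FROM wellcome_message WHERE id = 1')
          ->fetch(PDO::FETCH_ASSOC);
echo "Stored message: " . $row['message'] . "\n";
```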

Jojoponn139
Registered User
Posts: 36
Joined: Mon Aug 07, 2006 11:16 am

Post by Jojoponn139 » Wed Feb 07, 2007 9:25 am

Code:

$sql = 'SELECT foo FROM bar'; 

if (!($result = $db->sql_query($sql))) 
{ 
    message_die(GENERAL_ERROR, 'Unable to execute SQL', '', __LINE__, __FILE__, $sql); 
}


Yes, but there wasn't any error. I tried many ways, and at first there was the error-checking step. But there wasn't any error.
- hmmm .... now it works.... - I'll add the error-checking step .....

..and also, make sure to secure $text. The standard phpBB way of doing that is

Code:

$text = str_replace("\'", "''", $text);
If $text is coming straight from a POST_VAR your database is wide open to SQL injection attacks.


- Yes, the string is already secured when putting it into the database. I wrote a separate function to validate the string because there have to be several str_replaces....

- Thanks for the help!
