[thelist] Null entry in form

Phil Turmel pturmel-webdev at turmel.org
Wed Apr 25 07:16:23 CDT 2007


Santilal Parbhu wrote:
> Hi
[snip /]
> 
> My problem is that when I run the script to update the results into the
> database, the database record changes from Null to a value of 0.  This
> should occur for non-null entries but not for Null entries.  I need a null
> entry to remain Null.  Can anyone see where my code is in error?  I think
> that the UPDATE is not being skipped and the NULL is being updated to 0.
> 
Empty text fields in web forms usually submit as zero-length strings.
They won't be NULL.  In cases where a text field in a web form is always
supposed to be numeric (or empty), I use is_numeric() as my condition on
the original POST variable.

> I have tried using Print statements as breakpoints in the code, but they
> didn't print.  This tends to suggest that the code is not running, but it
> must be, because the database is being updated.  Hope someone can help.
> 
You put the 'print' instruction in the 'else' portion of the
if-then-else, and it didn't print.  So the 'then' portion must have
executed.

[snip /]

Your script is also vulnerable to SQL injection, both in the scores and
in the $id.  You should not use the POST variables themselves as the
source of match IDs to loop through.  If they're always the same, use a
constant array.  Otherwise, query the database for the list of valid
IDs.  And the scores need to be run through intval() to be sure they're
clean. Try something like this:

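// Fixed list of valid match IDs; the IDs are not taken from the POST data.
$matches = array('id1', 'id2', 'id3', 'id4');
foreach ($matches as $id) {
   // Empty fields arrive as zero-length strings, which is_numeric() rejects,
   // so the UPDATE is skipped and the stored NULL is left alone.
   if (is_numeric($HTTP_POST_VARS['score1'][$id]) &&
       is_numeric($HTTP_POST_VARS['score2'][$id])) {
     $score1 = intval($HTTP_POST_VARS['score1'][$id]);
     $score2 = intval($HTTP_POST_VARS['score2'][$id]);
     // $compdraw and $grd are expected to be set elsewhere in the script.
     $query = "UPDATE $compdraw SET score1=('$score1'), score2=('$score2') WHERE row_id = '$id'  AND grade='$grd'";
     if (FALSE === mysql_query($query)) {
       print '<div id="draw">';
       die ('<p>Could not update the data because: <b>' . mysql_error() .
         "</b>. The query was $query.</p>");
     }
   }
}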

HTH,

Phil
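
Added example (not part of the original post, and not Phil's code): the same skip-on-empty and fixed-ID-list approach, with PDO prepared statements swapped in for mysql_query() and a digits-only check swapped in for is_numeric()/intval(). The table name draw, the functions score_or_null() and update_scores(), the in-memory SQLite database and the sample form data are all constructed for illustration.

```php
<?php
// Added example: table, function names and sample input are constructed.

// Digits-only text becomes an int; empty or anything else becomes NULL.
function score_or_null($raw) {
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    return ctype_digit($raw) ? (int) $raw : null;
}

function update_scores(PDO $db, array $validIds, array $post, $grade) {
    $stmt = $db->prepare(
        'UPDATE draw SET score1 = :s1, score2 = :s2
         WHERE row_id = :id AND grade = :g'
    );
    $updated = 0;
    foreach ($validIds as $id) {   // loop over the allow-list, never POST keys
        $s1 = score_or_null($post['score1'][$id] ?? null);
        $s2 = score_or_null($post['score2'][$id] ?? null);
        if ($s1 === null || $s2 === null) {
            continue;              // no UPDATE, so the stored NULL stays NULL
        }
        $stmt->execute([':s1' => $s1, ':s2' => $s2, ':id' => $id, ':g' => $grade]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Constructed demo database (in-memory SQLite, needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE draw (row_id TEXT, grade TEXT, score1 INTEGER, score2 INTEGER)');
$db->exec("INSERT INTO draw (row_id, grade) VALUES ('id1','A'), ('id2','A'), ('id3','A')");

// Constructed form submission: a filled row, an empty row, a tampered value,
// and an ID ('id9') that is not in the allow-list.
$post = [
    'score1' => ['id1' => '3', 'id2' => '', 'id3' => '1 OR 1=1', 'id9' => '5'],
    'score2' => ['id1' => '1', 'id2' => '', 'id3' => '2',        'id9' => '5'],
];

$count = update_scores($db, ['id1', 'id2', 'id3'], $post, 'A');
echo "$count row(s) updated\n";
foreach ($db->query('SELECT row_id, score1, score2 FROM draw') as $row) {
    printf("%s: %s / %s\n", $row['row_id'],
        var_export($row['score1'], true), var_export($row['score2'], true));
}
```

Only id1 is updated; id2 and id3 keep their NULL scores, and the id9 entry is never read because the loop runs over the fixed list.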



