[thelist] Null entry in form

Santilal Parbhu santilal at scorpioneng.co.nz
Wed Apr 25 20:19:52 CDT 2007


Thanks Phil

Your advice worked perfectly.  I received a few other useful tips from others
and I will look at implementing those suggestions in a later upgrade.

Your comments about security vulnerabilities are welcomed.  I have been
trying to find out more about security issues.  Can you explain briefly what
a "SQL injection" actually is and how it makes your site vulnerable?  If
it is too complex to explain here, can you refer me to another resource where I
can find out about these things?

Once again thanks.  You saved my bacon.

Santilal

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org]On Behalf Of Phil Turmel
Sent: Thursday, 26 April 2007 12:16 a.m.
To: thelist at lists.evolt.org
Subject: Re: [thelist] Null entry in form


Santilal Parbhu wrote:
> Hi
[snip /]
>
> My problem is that when I run the script to update the results into the
> database, the database record changes from Null to a value of 0.  This
> should occur for non-null entries but not for Null entries.  I need a null
> entry to remain Null.  Can anyone see where my code is in error?  I think
> that the UPDATE is not being skipped and the NULL is being updated to 0.
>
Empty text fields in web forms usually submit as zero-length strings.
They won't be NULL.  In cases where a text field in a web form is always
supposed to be numeric (or empty), I use is_numeric() as my condition on
the original POST variable.

> I have tried using Print statements as breakpoints in the code, but they
> didn't print.  This tends to suggest that the code is not running, but it
> must be, because the database is being updated.  Hope someone can help.
>
You put the 'print' instruction in the 'else' portion of the
if-then-else, and it didn't print.  So the 'then' portion must have
executed.

[snip /]

Your script is also vulnerable to SQL injection, both in the scores and
in the $id.  You should not use the POST variables themselves as the
source of match IDs to loop through.  If they're always the same, use a
constant array.  Otherwise, query the database for the list of valid
IDs.  And the scores need to be run through intval() to be sure they're
clean. Try something like this:

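// Fixed list of valid match IDs; never take them from the POST data.
$matches = array('id1', 'id2', 'id3', 'id4');
foreach ($matches as $id) {
   // Empty fields submit as '' and fail is_numeric(), so the UPDATE is
   // skipped and the stored NULL is left alone.
   if (is_numeric($HTTP_POST_VARS['score1'][$id]) &&
       is_numeric($HTTP_POST_VARS['score2'][$id])) {
     // intval() guarantees only an integer reaches the query text.
     $score1 = intval($HTTP_POST_VARS['score1'][$id]);
     $score2 = intval($HTTP_POST_VARS['score2'][$id]);
     // $compdraw and $grd are set elsewhere in the script (not shown here).
     $query = "UPDATE $compdraw SET score1=('$score1'), score2=('$score2') WHERE row_id = '$id'  AND grade='$grd'";
     if (FALSE === mysql_query($query)) {
       print '<div id="draw">';
       die ('<p>Could not update the data because: <b>' . mysql_error() .
         "</b>. The query was $query.</p>");
     }
   }
}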

HTH,

Phil
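
Added example, not part of either message: a before/after of the pattern the reply describes, where match IDs and scores taken from the POST data are pasted into the UPDATE text. The table `draw`, its rows, the submitted values and the use of PDO with in-memory SQLite are all constructed assumptions; the hardened version follows the reply's advice (server-side ID list, is_numeric(), intval()) and additionally binds the values as parameters, which the reply does not mention.

```php
<?php
// Added example. Constructed table and form data; in-memory SQLite via PDO
// stands in for the thread's MySQL table (assumption, needs pdo_sqlite).
function fresh_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE draw (row_id TEXT, grade TEXT, score1 INTEGER, score2 INTEGER)");
    $db->exec("INSERT INTO draw VALUES ('id1','A',NULL,NULL), ('id2','A',NULL,NULL), ('id3','B',NULL,NULL)");
    return $db;
}
function show(string $label, PDO $db): void {
    echo "$label\n";
    foreach ($db->query("SELECT row_id, score1, score2 FROM draw ORDER BY row_id") as $r) {
        printf("  %s: %s / %s\n", $r['row_id'], $r['score1'] ?? 'NULL', $r['score2'] ?? 'NULL');
    }
}
// Constructed submission: id2 left blank, plus one crafted array key.
$crafted = "x' OR '1'='1";
$post = [
    'score1' => ['id1' => '3', 'id2' => '', $crafted => '9'],
    'score2' => ['id1' => '1', 'id2' => '', $crafted => '9'],
];
// Before: IDs and scores from the request are pasted into the SQL text.
function update_unsafe(PDO $db, array $post): void {
    foreach ($post['score1'] as $id => $s1) {
        $s2 = $post['score2'][$id];
        if ($s1 === '' || $s2 === '') continue;
        $db->exec("UPDATE draw SET score1='$s1', score2='$s2' WHERE row_id = '$id' AND grade='A'");
    }
}
// After: server-side ID list, is_numeric()/intval() on scores, bound parameters.
function update_safe(PDO $db, array $post, array $validIds): void {
    $stmt = $db->prepare("UPDATE draw SET score1 = ?, score2 = ? WHERE row_id = ? AND grade = 'A'");
    foreach ($validIds as $id) {
        $s1 = $post['score1'][$id] ?? '';
        $s2 = $post['score2'][$id] ?? '';
        if (is_numeric($s1) && is_numeric($s2)) {   // blank fields are skipped, NULL stays NULL
            $stmt->execute([intval($s1), intval($s2), $id]);
        }
    }
}
$db = fresh_db(); update_unsafe($db, $post); show('interpolated SQL:', $db);
$db = fresh_db(); update_safe($db, $post, ['id1', 'id2', 'id3']); show('allow-list + bound parameters:', $db);
```

In the first pass the crafted key changes the WHERE clause, so id2, which was left blank on the form, is overwritten; in the second pass the key is never read and id2 stays NULL.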
