Hi everyone, I'm trying to test out a CMS whereby I'm submitting a form on a php page which is supposed to update some information in a MySQL database. When I press the submit button I get the following error: Notice: Undefined variable: supplier_id in /Applications/MAMP/htdocs/newsite/admin/edit_garm_attrib.php on line 28 MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3 Line 28 refers to supplier_id in the following code block: $checkName = "SELECT * FROM suppliers WHERE supplier = '$supplier' AND supplier_id != $supplier_id"; PHP: I've included the code below from edit_garm_attrib.php, which is the file referred to in the error message. I'm also not sure why the error is saying there's a MySQL error at line 3 either - line 3 is the require_once line so I can't figure this out. Just wondered if anyone could shed some light on these errors? <?php // include Database classes require_once('classes/database.php'); if ($_GET && !$_POST) { // get details of record to be edited $db=new Database('localhost','root','password','catalogue',0); $getDets = 'SELECT * FROM '.$_GET['table']; $getDets .= ' WHERE '.$_GET['type'].' = '.$_GET['num']; $result = $db->query($getDets); $row = $result->fetch_assoc(); } elseif ($_POST) { // escape quotes and apostrophes if magic_quotes_gpc off if (!get_magic_quotes_gpc()) { foreach($_POST as $key=>$value) { $temp = addslashes($value); $_POST[$key] = $temp; } } // create Database instance $db=new Database('localhost','root','password','catalogue',0); // if the "Update supplier" button has been clicked if (array_key_exists('updateSupplier', $_POST)) { // code for updating supplier $supplier = $_POST['supplier']; $checkName = "SELECT * FROM suppliers WHERE supplier = '$supplier' AND supplier_id != $supplier_id"; $result = $db->query($checkName); if ($result->num_rows > 0) { $supplierAlert = stripslashes($supplier); $supplierAlert .= ' is already registered in the suppliers table'; } if (!isset($supplierAlert)) { $updateSupplier = "UPDATE suppliers SET supplier = '$supplier' WHERE supplier_id = $supplier_id"; $result = $db->query($updateSupplier); if ($result) { $db->close(); header('Location: listSuppliers.php?supplier='.$supplier); } } } // if the "Update garment type" button has been clicked elseif (array_key_exists('updateGarType', $_POST)) { // code for updating garment type $garment_type = $_POST['garment_type']; $checkName = "SELECT * FROM garment_types WHERE garment_type = '$garment_type' AND garment_type_id != $garment_type_id"; $result = $db->query($checkName); if ($result->num_rows > 0) { $garment_typeAlert = stripslashes($garment_type); $garment_typeAlert .= ' is already registered in the garment types table'; } if (!isset($garment_typeAlert)) { $insertGarment_type = "UPDATE garment_types SET garment_type = '$garment_type' WHERE garment_type_id = $garment_type_id"; $result = $db->query($updateGarment_type); if ($result) { $db->close(); header('Location: listGarmentTypes.php?garment_type='.$garment_type); } } } // if the "Update category" button has been clicked elseif (array_key_exists('updateCategory', $_POST)) { // code for inserting category $category = $_POST['category']; $checkName = "SELECT * FROM categories WHERE category = '$category' AND category_id != $category_id"; $result = $db->query($checkName); if ($result->num_rows > 0) { $categoryAlert = stripslashes($category); $categoryAlert .= ' is already registered in the categories types table'; } if (!isset($categoryAlert)) { $updateCategory = "UPDATE categories SET category = '$category' WHERE category_id = $category_id"; $result = $db->query($updateCategory); if ($result) { $db->close(); header('Location: listCategories.php?category='.$category); } } } // if the "Update colour" button has been clicked elseif (array_key_exists('updateColour', $_POST)) { // code for updating colour $colour = $_POST['colour']; $checkName = "SELECT * FROM colours WHERE colour = '$colour' AND colour_id != $colour_id"; $result = $db->query($checkName); if ($result->num_rows > 0) { $colourAlert = stripslashes($colour); $colourAlert .= ' is already registered in the colours table'; } if (!isset($colourAlert)) { $updateColour = "UPDATE colours SET colour = '$colour' WHERE colour_id = $colour_id"; $result = $db->query($updateColour); if ($result) { $db->close(); header('Location: listColours.php?colour='.$colour); } } } // if the "Update size" button has been clicked elseif (array_key_exists('updateSize', $_POST)) { // code for updating size $size = $_POST['size']; $checkName = "SELECT * FROM sizes WHERE size = '$size' AND size_id != $size_id"; $result = $db->query($checkName); if ($result->num_rows > 0) { $sizeAlert = stripslashes($size); $sizeAlert .= ' is already registered in the sizes table'; } if (!isset($sizeAlert)) { $updateSize = "UPDATE sizes SET size = '$size' WHERE size_id = $size_id"; $result = $db->query($updateSize); if ($result) { $db->close(); header('Location: listSizes.php?size='.$size); } } } // close database connection $db->close(); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/AdminTemplate.dwt" codeOutsideHTMLIsLocked="false" --> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <!-- InstanceBeginEditable name="doctitle" --> <title>Update garment attributes</title> <!-- InstanceEndEditable --> <link href="../main.css" rel="stylesheet" type="text/css" /> <link href="admin.css" rel="stylesheet" type="text/css" /> <script type="text/javascript" src="../p7pm/p7popmenu.js"></script> <style type="text/css" media="screen"> <!-- @import url("../p7pm/p7pmh2.css"); --> </style> <!--[if lt IE 7]> <link href="../win_ie.css" rel="stylesheet" type="text/css" /> <![endif]--> <style type="text/css"></style> <script language="JavaScript" type="text/JavaScript"> <!-- function Lvl_openWin(u,n,w,h,l,t,c,f) { //v2.2 4LevelWebs var x=((screen.width-w)/2);if(c==1){l=x;t=(screen.height-h)/2;}if(c==2){l=x} f+=',top='+t+',left='+l;LvlWin=window.open(u,n,f);LvlWin.focus(); } //--> </script> <!-- InstanceBeginEditable name="head" --><!-- InstanceEndEditable --> </head> <body onload="P7_initPM(1,2,1,-20,10)"> <div id="topstrip"></div> <div id="navcorp"> <ul id="p7PMnav"> <li><a href="#" class="p7PMtrg" id="height">List garments</a> <ul> <li><a href="#">List suppliers</a></li> <li><a href="#">List categories</a></li> <li><a href="#">List garment types</a></li> <li><a href="#">List colours</a></li> <li><a href="#">List sizes</a></li> </ul> </li> <li><a href="#" class="p7PMtrg" id="height">Add new garment</a> <ul> <li><a href="#">Add new supplier</a></li> <li><a href="#">Add new category</a></li> <li><a href="#" id="unique">Add new garment type</a></li> <li><a href="#">Add new colour</a></li> <li><a href="#">Add new size</a></li> </ul> </li> <li><a href="#" class="p7PMtrg" id="height">Register new user</a> <ul> <li><a href="#">List registered users</a></li> </ul> </li> <li><a href="#" id="height">View Catalogue</a></li> <li><a href="#">Logout</a></li> <!--[if lte IE 6]><style>#p7PMnav a{height:1em;}#p7PMnav li{height:1em;}#p7PMnav ul li{float:left;clear:both;width:100%}</style><![endif]--> <!--[if IE 6]><style>#p7PMnav ul li{clear:none;}</style><![endif]--> </ul> </div> <!-- InstanceBeginEditable name="EditRegion3" --> <div id="background"> <div id="wrapper"> <div id="innerlayer"> <h1>Update garment attributes</h1> <form id="supplierDets" name="supplierDets" method="post" action="<?php $_SERVER['PHP_SELF']; ?>"> <table class="attrUpdate" border="0" cellpadding="0"> <tr> <th class="attrLabel" scope="row">Update supplier </th> <td><input name="supplier" type="text" class="mediumbox" id="supplier" value="<?php if (isset($row['supplier'])) echo $row['supplier']; ?>"/></td> <td><input name="supplier_id" type="hidden" id="supplier_id" value="<?php if (isset($row['supplier_id'])) echo $row['supplier_id']; ?>"/></td> <td><input name="updateSupplier" type="submit" id="updateSupplier" value="Update supplier" /> </td> </tr> </table> </form> <?php if (isset($supplierAlert)) echo '<p id="alert">'.$supplierAlert.'</p>'; ?> <form id="garmentTypeDets" name="garmentTypeDets" method="post" action="<?php $_SERVER['PHP_SELF']; ?>"> <table class="attrUpdate" border="0" cellpadding="0"> <tr> <th class="attrLabel" scope="row">Insert new garment type</th> <td><input name="garment_type_id" type="hidden" id="garment_type_id" value="<?php if (isset($row['garment_type_id'])) echo $row['garment_type_id']; ?>"/></td> <td><input name="updateGarType" type="submit" id="updateGarType" value="Update garment type" /></td> </tr> </table> </form> <?php if (isset($garment_typeAlert)) echo '<p id="alert">'.$garment_typeAlert.'</p>'; ?> <form id="categoryDets" name="categoryDets" method="post" action="<?php $_SERVER['PHP_SELF']; ?>"> <table class="attrUpdate" border="0" cellpadding="0"> <tr> <th class="attrLabel" scope="row">Insert new category </th> <td><input name="category_id" type="hidden" id="category_id" value="<?php if (isset($row['category_id'])) echo $row['category_id']; ?>" /></td> <td><input name="updateCategory" type="submit" id="updateCategory" value="Update category" /></td> </tr> </table> </form> <?php if (isset($categoryAlert)) echo '<p id="alert">'.$categoryAlert.'</p>'; ?> <form id="colourDets" name="colourDets" method="post" action="<?php $_SERVER['PHP_SELF']; ?>"> <table class="attrUpdate" border="0" cellpadding="0"> <tr> <th class="attrLabel" scope="row">Insert new colour </th> <td><input name="colour_id" type="hidden" id="colour_id" value="<?php if (isset($row['colour_id'])) echo $row['colour_id']; ?>" /></td> <td><input name="updateColour" type="submit" id="updateColour" value="Update colour" /></td> </tr> </table> </form> <?php if (isset($colourAlert)) echo '<p id="alert">'.$colourAlert.'</p>'; ?> <form id="sizeDets" name="sizeDets" method="post" action="<?php $_SERVER['PHP_SELF']; ?>"> <table class="attrUpdate" border="0" cellpadding="0"> <tr> <th class="attrLabel" scope="row">Insert new size </th> <td><input name="size_id" type="hidden" id="size_id" value="<?php if (isset($row['size_id'])) echo $row['size_id']; ?>" /></td> <td><input name="updateSize" type="submit" id="updateSize" value="Update size" /></td> </tr> </table> </form> <?php if (isset($sizeAlert)) echo '<p id="alert">'.$sizeAlert.'</p>'; ?> </div> </div> </div> <!-- InstanceEndEditable --><img src="../Images/transparent.gif" width="1" height="1"/> <div id="footer">© Copyright 2007. All rights reserved. </div> </body> <!-- InstanceEnd --></html> PHP:
Thanks for the reply, Sorry not sure what you mean - doesn't the error say there's a problem with supplier_id, not 'supplier'. I'm really just learning here - actually trying to adapt code from a book. Where would I look to find out if the $_POST['supplier'] value was empty - in the edit_garm_attrib.php file or another file?
supplier_id is not assigned anywhere that's why it's throwing the error. Looking at the code you do $supplier = $_POST['supplier']; PHP: Maybe you meant $supplier_id = $_POST['supplier']; PHP: ?
$supplier and $supplier_id are 2 different variables. There's a field in your HTML form called supplier_id, so you it's probably meant to be: $supplier_id = $_POST['supplier_id']; PHP: Other than that, your code is horribly insecure. At least in the GET method at the top.
Thanks so much for that. I needed to add a whole other piece of code as suggested: $supplier_id = $_POST['supplier_id'];
At least use: $supplier_id = (int) $_POST['supplier_id']; That way, if that field is empty, there will be no SQL error. It also solves one of the security issues... BTW, who wrote this?
Thanks for that - what does the (int) part of the code do? You're worrying me a bit when you say there's security issues - what are these? I'm adapting some code I read in a book called "PHP5 for flash".
Force the value to be an integer. So if someone wants to tamper with the value, it will just end up setting the value to 0. Also, if it is not there, then $_POST['supplier_id'] is able to be empty and if it is, there will be a SQL error complaining because of a missing value in the SQL. For example, with the code: 'SELECT * FROM '.$_GET['table']; PHP: $_GET['table'] isn't validated, it is just accepting whatever is in the URL. It opens the script up to SQL injection, look up info on google if you want.