dsg138
asked on
PHP Insert statement incorrect values
Experts,
I have some code where my users are required to choose a team. There are 32 different buttons, one for each team.
If the player chose team #5, the value "teamid" would be 5 and the following would be inserted into the DB:
- UserID = 100 //for example
- XMLID = l.mlb.com-t.5
- WeekNum = 1 //if it were week #1
This would be a correct entry. Most entries get successfully inserted.
Occasionally, I get the following added to my DB, which is incorrect and causes issues:
- UserID = 100 //for example
- XMLID = l.mlb.com-t.
- WeekNum = 1 //if it were week #1
If this is added to my DB, it causes an issue since the user thinks their Team 5 went through, but it really didn't.
I'm not sure how this is possible since each of the buttons contains a different teamid.
Is there a way I can modify my code below so that the incorrect values never get inserted into my PHP database?
Code is below.
Thanks,
-Dan
Again, the above scenario is rare, but it's been happening now about 1% of the time. I'm trying to isolate it and it possibly could be due to a mobile browser. Any suggestions on how I can modify my statement?
<?php
// Fragment from the page that handles the team-selection form.
// $MemberID, $PickWeek and $a4 are set earlier in the script (not shown).
if( isset($_POST["teamid"]) ){
    // Note: isset() is true for an empty string, so teamid = "" still gets here
    $finalteam = "l.mlb.com-t." . $_POST["teamid"];
?>
<div class="notification success">
    <span></span>
    <div class="text">
        <p><strong>Success!</strong> Your selection has been saved! </p>
    </div>
</div>
<?php
    $PickID = $a4['XMLID'];   // array key must be quoted; value is not used below
    // User-supplied values are interpolated directly into the SQL string
    $sql = "INSERT INTO RFTW_PICKS SET
        UserID = '$MemberID',
        XMLID = '$finalteam',
        WeekNum = '$PickWeek'";
    $result = mysql_query($sql);   // legacy mysql extension; result was previously stored back into $sql
}
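The following is an added example, not the asker's code or an expert's answer from this thread. It shows the two changes the discussion points at: reject the request unless teamid is a whole number in the range 1 to 32 (so an empty or malformed value can never produce "l.mlb.com-t." with nothing after it), and pass the values to the database through a prepared statement instead of interpolating them into the SQL string. The table and column names come from the question; $MemberID and $PickWeek are assumed to be set from the session as in the original script. It uses PDO with an in-memory SQLite database so it runs offline under PHP 8; a MySQL DSN would be used in the real script.

```php
<?php
// Added example: validate teamid, then insert with a prepared statement.
declare(strict_types=1);

const TEAM_COUNT = 32;   // assumption: 32 teams, matching the 32 buttons

/**
 * Returns the team id as an int, or null when the submitted value is
 * missing, empty, non-numeric, or outside 1..TEAM_COUNT.
 * The empty string from the question's failure case is rejected here.
 */
function validateTeamId(mixed $raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => TEAM_COUNT],
    ]);
    return $id === false ? null : $id;
}

/** Inserts one pick and returns the stored XMLID; throws on invalid input or DB error. */
function insertPick(PDO $db, int $memberId, mixed $rawTeamId, int $week): string
{
    $teamId = validateTeamId($rawTeamId);
    if ($teamId === null) {
        throw new InvalidArgumentException('No valid team selected');
    }
    $xmlId = 'l.mlb.com-t.' . $teamId;

    // Placeholders keep the user's value out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO RFTW_PICKS (UserID, XMLID, WeekNum) VALUES (:uid, :xmlid, :week)'
    );
    $stmt->execute([':uid' => $memberId, ':xmlid' => $xmlId, ':week' => $week]);
    return $xmlId;
}

// --- demo with constructed input (not real form submissions) ---------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Second line of defence: the prefix "l.mlb.com-t." is 12 characters, so a
// bare prefix with no team number fails the CHECK even if validation is bypassed.
$db->exec('CREATE TABLE RFTW_PICKS (
    UserID  INTEGER NOT NULL,
    XMLID   TEXT    NOT NULL CHECK (length(XMLID) > 12),
    WeekNum INTEGER NOT NULL
)');

$MemberID = 100;   // assumption: taken from the session in the real script
$PickWeek = 1;

foreach (['5', '', '0', '33', "5' OR '1'='1", 'abc'] as $submitted) {
    try {
        $saved = insertPick($db, $MemberID, $submitted, $PickWeek);
        echo 'accepted ' . var_export($submitted, true) . " -> $saved\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected ' . var_export($submitted, true) . ": {$e->getMessage()}\n";
    }
}

// Only the valid pick ("5") is stored; every other input was refused before any SQL ran.
$rows = $db->query('SELECT UserID, XMLID, WeekNum FROM RFTW_PICKS')
           ->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
```

The validation happens before the success message is produced, so the page should only report "Your selection has been saved!" after insertPick() returns without throwing. The CHECK constraint is a backstop rather than the primary control: SQLite enforces it, and MySQL enforces CHECK constraints from 8.0.16 onward, while older MySQL versions silently ignore them.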
ASKER
Thanks guys. Great expert advice!
You're most welcome! I'm sure you will learn a whole bunch of really good practices in the article Ray sent you. There is nothing like learning the correct and safest way to do things when you are dealing with databases. Remember one thing: injections are very easy to do inside one of your form controls. They will modify the actual query that PHP executes and can ruin your day. Sanitize ALL data that comes from an external source, like user input in a form and values sent in a GET request. Can't be too careful! Good luck.
ASKER
Mark,
I added your validation so that the SQL never runs if teamid is empty.
if( isset($_POST["teamid"]) && !empty($_POST["teamid"]) ){
Ray,
That makes a lot of sense. By not filtering my inputs, I was taking a risk on inserting whatever is generated by my users. Your article makes a great case to rewrite some of my older scripts that use the mysql extensions.
Thanks guys, appreciate the help!