0

I have a legacy system that has switched to running PHP 5.3. An issue that has appeared is with the code designed to edit dynamically produced values in a table. The editinvoice array has no value. Any ideas?

//Line Item x:<input type="text" name="editinvoice[lineitem_text_x]">
//Value x:<input type="text"    name="editinvoice[lineitem_amount_x]">

//edit values in the invoice table
$sqldata = array();
foreach   ($_POST['editinvoice'] AS $k => $v)
{
    $sqldata[] = "$k = '$v'";
}
$sql = "UPDATE db.invoices SET ".implode(',', $sqldata)." WHERE (booking_id = '$booking_id') LIMIT 1";
mysql_query($sql);

I'm aware mysql is depreciated, however, no resources to rewrite the system and it's on an intranet so no SQL injection worries.

Improve this question
7
  • 1
    try to dump $sqldata and $sql. what values they has? Try to directly run your output of echo $sql in the mysql. What is it says? Commented Nov 3, 2014 at 16:49
  • At first glance I don't see any compatibility issues. Maybe you didn't enable the mysql extension? Commented Nov 3, 2014 at 16:49
  • 1
    I'm going to bet that (a) the problem is that in PHP 5.3 magic_quotes_gpc is turned off, and (b) you have a huge SQL injection hole that should be your main concern. Commented Nov 3, 2014 at 16:50
  • 1
    this code runs on everypage to get around depreciation of magic_quotes. foreach($_POST as $key => $val){ $_POST[$key] = addslashes($val); } Commented Nov 3, 2014 at 16:56
  • 1
    @lolka_bolka - value for ["editinvoice"]=> NULL Commented Nov 3, 2014 at 17:34

1 Answer 1

Reset to default
2

Your code implies that you expect $_POST['editinvoice'] to be an array. But you said that you added somewhere as a substitution for magic_quotes_gpc a

foreach($_POST as $key => $val){
    $_POST[$key] = addslashes($val);
}

So guess what happened there with the array $_POST['editinvoice']?

<?php

$expected = array("foo" => "bar");
$_POST["editinvoice"] = addslashes($expected);
assert ($expected == $_POST["editinvoice"]); // it's NULL

Warning: addslashes() expects parameter 1 to be string…
PHP Warning: assert(): Assertion failed

You might find such a warning in your error log as well.

Your code relies on magic_quotes_gpc=on. So turn it on again and remove that broken workaround. You can still figure out a workaround when you update to >=PHP-5.4.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.