1

My variable sqlConditions is only suppose to append when the user inputs text for that field. I put "if(isset($_POST['example']))" to check for this, however this doesn't appear to stop each variable from appending.

For example: if the user only inserts text in the "lastname" field, the $query variable should return:

 UPDATE students SET lastname = whateveruserputin

However, it looks like this:

 UPDATE students SET lastname = test , firstname = , major = , gpa =

How can I fix this!? I would really like to get this code working. Thanks in advance.

Code:

//connect to server

if(isset($_POST['submit']))
{

$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];

    //need id to be filled and need at least one other content type to change
    if(empty($id) || empty($lastname) and empty($firstname) and empty($color) and empty($number))
{

        echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element.  </font><br/>";

}

else // if all the fields are filled (not empty)
{   

$sqlConditions = array();

   if(isset($_POST['lastname'])){
    $lastName = filter_var($_POST['lastname'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'lastname = ' . $lastName;
    } else {
    $lastName = '';
    }

if(isset($_POST['firstname'])){
    $firstName = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'firstname = ' . $firstName;
    } else {
    $firstName = '';
    }

    if(isset($_POST['color'])){
    $color = filter_var($_POST['color'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'color = ' . $color;
    } else {
    $color = '';
    }

if(isset($_POST['number'])){
    $number = filter_var($_POST['number'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'number = ' . $number;
    } else {
    $number= '';
    }
print $sqlConditions;

$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
print $query;

    insert data to database     
    //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
    //WHERE id = '$id'");
    //if (!query)
    //{
    //die('Error: ' . mysql_error());
    //}


    // Close connection to the database
    mysql_close($con);

}

 }
Improve this question
2
  • 2
    <font color='red'>... that brings me back... Commented Nov 22, 2011 at 21:41
  • 2
    A variable can be set yet contain an empty string. Commented Nov 22, 2011 at 21:48

3 Answers 3

Reset to default
4

isset isn't enough; add a !empty check as well, e.g.:

if(isset($_POST['lastname']) && !empty($_POST['lastname'])

Edit
Also, in order for the comment in your code to be a better reflection of what you want, your if statement should probably be:

//need id to be filled and need at least one other content type to change
if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))

Here's your code with some improvements* and amendments regarding your comment about adding quotes to the strings:

<?php

//connect to server

if(isset($_POST['submit']))
{

$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];

    //need id to be filled and need at least one other content type to change
    if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))
    {
        echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element.  </font><br/>";
    }
    else // if all the fields are filled (not empty)
    {   
        $sqlConditions = array();

        if(isset($lastname) && !empty($lastname)){
            $lastName = filter_var($lastname, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "lastname = '" . $lastname . "'";
        } 
        else 
        {
            $lastName = '';
        }

        if(isset($firstname))
        {
            $firstName = filter_var($firstname, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "firstname = '" . $firstname . "'";
        } 
        else 
        {
            $firstName = '';
        }

        if(isset($color) && !empty($color))
        {
            $color = filter_var($color, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "color = '" . $color . "'";
        } 
        else 
        {
            $color = '';
        }

        if(isset($number))
        {
            $number = filter_var($number, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "number = '" . $number . "'";
        } 
        else 
        {
            $number= '';
        }
        print $sqlConditions;

        $query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
        print $query;

        //insert data to database     
        //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
        //WHERE id = '$id'");
        //if (!query)
        //{
        //die('Error: ' . mysql_error());
        //}

        // Close connection to the database
        mysql_close($con);
    }
}

*Since you already define all your $_POST items to variables, there's no need to keep going back into the collection.

Improve this answer
Sign up to request clarification or add additional context in comments.

12 Comments

+1 However, you could actually just use if (!empty($_POST['lastname'])) as empty automatically suppresses any warnings for variables that aren't set.
Thanks. Do you happen to know how I could add quotes to each item being appended. I need UPDATE students SET lastname = 'whateveruserputin'instead of UPDATE students SET lastname = whateveruserputin
$sqlConditions[] = "lastname = '" . $lastName . "'"; or better: $sqlConditions[] = "lastname = '" . mysql_real_escape_string($lastName) . "'";
You can just do $sqlConditions[] = "lastname = '$lastName'"; to achieve that result. Note use of double quotes.
@Eljakim: FILTER_SANITIZE_STRING deals with making strings safe for use in HTML. It has nothing to do with making it safe for SQL. For example, filter_var("jay's", FILTER_SANITIZE_STRING); produces jay&#39;s
|
1

I suggest you use this coding practices:

$lastName = mysql_real_escape_string($lastName);
$sqlConditions[] = "lastname = '$lastName'";

Will resolve your problem even if the variables are empty... and make a little more secure your code to SQL injection attacks (very recommendable!!!)

Improve this answer

4 Comments

No. This is not proper advice. Avoid addslashes. Always use the database provided mechanism for escaping (in her specific case, mysql_real_escape_string, but really she should be using PDO with parameterized queries).
@webbiedave OK, good point. But the this user seems need a fast help. Otherwise we could encourage her to use a framework (for example)
@NomikOS -- agreed on a framework, but first we must learn to walk and then we run. I think learning the "why"'s first-hand is essential before picking up something that might obscure actual PHP from you.
@stealthyninja I accepted the suggest to use mysql_real_escape_string, that's good point. And I totally agree with you about learn the why's indeed my comment about "fast help" is due to the proposition of use PDO. Of course it would be better but the practice of apply an escaping function is enough for now to put her in the right direction (and introduce her to the SQL injection concept). So we are cool. o/\o
0

In the else fragment you are only checking if the variable is set but the variable is set but maybe is empty.

Isset() checks if a variable has a value including False , 0 , or Empty string but not NULL.

Empty() function checks if the variable has an empty value empty string , 0, NULL ,or False.

Example:

<?php
 $var = 0;

 if (empty($var)) {
  echo 'it is empty since it has value 0 ';
}
if (isset($var)) {
 echo '$var is set though it is empty';
}
?>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.