updating SQL Server using php script

Updating SQL Server using PHP: I am using the following code and am getting an error.

<?php require_once('mssqldbcon.php'); ?>
<?php
if (isset($_POST['status'])) {
    $policyNumber = ($_POST['policy']);
    $bso_id = ($_SESSION['myid']);
    $bso_status = ($_POST['status']);
    $reason = ($_POST['reason']);
    $mgr_status = ($_POST['mgr_status']);
    $query = "update new_policies set bso_id = $bso_id, bso_status =$bso_status, Decision_bso=$reason, bso_date = GETDATE() where Policy_Number = $policyNumber";
    echo $query;
    $result = mssql_query($query);
    $info = "<div class=\"message\">Proposals Submitted Successful</div>";
} else {
    $info = " Submisson error";
}
?>

This is the error I get:

Warning: mssql_query() [function.mssql-query]: message: Line 1: Incorrect syntax near ','. (severity 15) in C:\xampp\htdocs\newbusiness\checkConfirm.php on line 37
Warning: mssql_query() [function.mssql-query]: Query failed in C:\xampp\htdocs\newbusiness\checkConfirm.php on line 37

I will much appreciate help or ideas.

--
It is our light, not our darkness, that frightens us.
Calvin Omari Systems Developer/Designer http://www.facebook.com/barongo

Try this one:

<?php
/* Connection which I assume you already have; placeholder values, replace with your own */
$conn = sqlsrv_connect('SERVER_NAME', array('Database' => 'DB_NAME', 'UID' => 'USER', 'PWD' => 'PASSWORD'));
if ($conn === false) {
    exit("<pre>" . print_r(sqlsrv_errors(), true) . "</pre>");
}
if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'add-entry') {
    /* your variables, read from the form fields below (field names assumed to match the form) */
    $valueA = $_REQUEST['a'];
    $valueB = $_REQUEST['b'];
    $valueC = $_REQUEST['project'];
    /* the values travel as parameters, never pasted into the SQL string */
    $sql = "INSERT INTO entries (a, b, c) VALUES (?, ?, ?)";
    $stmt = sqlsrv_query($conn, $sql, array($valueA, $valueB, $valueC));
    if ($stmt === false) {
        echo "<p>An error has occurred.</p>";
    } else {
        echo "<p>New entry created.</p>";
        sqlsrv_free_stmt($stmt);
    }
}
?>
<h2>title</h2>
<form action="" method="post">
<div>
<?php
$sql = "SELECT * FROM [database].[dbo].[table]"; /* placeholder, replace with your table */
$stmt = sqlsrv_query($conn, $sql);
if ($stmt === false) {
    print_r(sqlsrv_errors());
}
?>
<label>Project:</label>
<select name="project">
<?php
while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
    /* escape database values before putting them into HTML */
    echo "<option value=\"" . htmlspecialchars($row['id']) . "\">" . htmlspecialchars($row['name']) . "</option>";
}
sqlsrv_free_stmt($stmt);
?>
</select>
</div>
<div><label>a:</label> <input type="text" name="a" /></div>
<div><label>b:</label> <input type="text" name="b" /></div>
<div><input type="submit" value="Save" /></div>
<input type="hidden" name="action" value="add-entry" />
</form>
<?php sqlsrv_close($conn); ?>
</body>
</html>

I weep for that kinda code.

On Thu, Aug 5, 2010 at 12:17 PM, Benjamin <anangwe@gmail.com> wrote:
Try this one
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Server donations spreadsheet http://spreadsheets.google.com/ccc?key=0AopdHkqSqKL-dHlQVTMxU1VBdU1BSWJxdy1f... ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke

@Peter and @Chris, be easy on the gentleman. He probably already applied a filter and sanitized the $_POST array and pasted only the relevant snippet of code.

On 5 August 2010 09:24, Chris Mwirigi <mwirigic@gmail.com> wrote:
I weep for that kinda code.
On Thu, Aug 5, 2010 at 12:17 PM, Benjamin <anangwe@gmail.com> wrote:
Try this one

On Thu, Aug 5, 2010 at 2:47 PM, Ndungi Kyalo <ndungi@gmail.com> wrote:
@Peter and @Chris be easy on the gentleman. He probably already applied a filter and sanitized the $_POST array .. and pasted only the relevant snippet of code.
Ok, my bad, sorry Calvin if my comments were out of place. :-)

@Calvin, have you considered using an ORM to insulate yourself against the vendor-specific implementations of database interaction? A good start would be http://techportal.ibuildings.com/2010/01/11/learning-php-5-3-by-writing-your... or you can use existing ones like Doctrine http://www.doctrine-project.org or Propel http://www.propelorm.org/; more info is available on http://www.google.co.ke/search?q=php%2Borm&ie=utf-8&oe=utf-8&aq=t&rls=com.ub...

On Thu, Aug 5, 2010 at 3:01 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
On Thu, Aug 5, 2010 at 2:47 PM, Ndungi Kyalo <ndungi@gmail.com> wrote:
@Peter and @Chris be easy on the gentleman. He probably already applied a filter and sanitized the $_POST array .. and pasted only the relevant snippet of code.
Ok, my bad, sorry Calvin if my comments were out of place. :-)

Very nice suggestion; I have encountered it. @Kiti, I am trying that out; my employer insists I use MS SQL Server while I am perfect in MySQL. @Peter, no hard feelings.

On Thu, Aug 5, 2010 at 9:58 PM, Kiti Chigiri <kiti.chigiri@gmail.com> wrote:
@Calvin, have you considered using an ORM to insulate yourself against the vendor-specific implementations of database interaction? A good start would be http://techportal.ibuildings.com/2010/01/11/learning-php-5-3-by-writing-your...
-- Our greatest fear is not that we are inadequate, but that we are powerful beyond measure. It is our light, not our darkness, that frightens us. Calvin Omari Systems Developer/Designer http://www.facebook.com/barongo

Well, the error is in the query of course; please paste here what echo $query; gives you. Then, on a totally unrelated matter, I hope your application is not on the internet coz it's vulnerable to SQL injection. You are using the form variables $_POST['status'], $_POST['reason'] and $_POST['policy'] directly in the query without any visible form of sanitizing; that's a bad bad idea, extremely bad idea! At the very least, use the PHP functions strip_tags() and htmlentities(). Check these two articles for more detailed background information: http://blogs.msdn.com/b/raulga/archive/2007/01/04/dynamic-sql-sql-injection.... http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

On Thu, Aug 5, 2010 at 12:07 PM, Calvin Omari <calvinebarongo@gmail.com> wrote:
Updating SQL Server using PHP: I am using the following code and am getting an error.
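Tying Benjamin's parameterised query and Peter's injection warning back to Calvin's UPDATE, as an added example that is not code from the thread: the statement built as a string, with constructed input showing how an empty field yields the reported "Incorrect syntax near ','", and the same statement done with sqlsrv placeholders. Table and column names are from Calvin's post; the sample values, the allowed-status list and the origin of $conn are assumptions.

```php
<?php
// Added example (not code from the thread). Table and column names are Calvin's;
// the sample input, the allowed-status list and where $conn comes from are assumed.

// 1. Calvin's query as SQL Server receives it: values pasted in unquoted.
function buildUnsafeUpdate(array $in, $bsoId)
{
    return "update new_policies set bso_id = $bsoId, bso_status ={$in['status']}, "
         . "Decision_bso={$in['reason']}, bso_date = GETDATE() "
         . "where Policy_Number = {$in['policy']}";
}

// Constructed input: an empty field (reason here; an unset $_SESSION['myid'] does
// the same) leaves "Decision_bso=, bso_date", which is "Incorrect syntax near ','".
// A quote or comma typed into the form lands in the SQL text just as directly.
$sample = ['policy' => 'P-1001', 'status' => 'Approved', 'reason' => ''];
echo buildUnsafeUpdate($sample, 7), PHP_EOL;

// 2. The same UPDATE with sqlsrv placeholders, as in Benjamin's reply: the driver
// binds the values, so quoting is handled and form input never becomes SQL.
function updatePolicy($conn, array $in, $bsoId)
{
    $allowedStatus = ['Approved', 'Declined', 'Pending'];   // assumed allow-list
    if (!in_array($in['status'] ?? '', $allowedStatus, true)) {
        return false;                                       // unknown status: reject
    }
    $sql = "UPDATE new_policies SET bso_id = ?, bso_status = ?, Decision_bso = ?, "
         . "bso_date = GETDATE() WHERE Policy_Number = ?";
    $params = [(int) $bsoId, $in['status'], $in['reason'] ?? '', $in['policy'] ?? ''];
    $stmt = sqlsrv_query($conn, $sql, $params);
    if ($stmt === false) {
        error_log(print_r(sqlsrv_errors(), true));   // log driver errors, do not echo them
        return false;
    }
    $ok = (sqlsrv_rows_affected($stmt) === 1);   // exactly one policy row should change
    sqlsrv_free_stmt($stmt);
    return $ok;
}

// $conn is assumed to be a sqlsrv_connect() handle provided by mssqldbcon.php.
if (isset($conn) && isset($_POST['status'])) {
    $ok = updatePolicy($conn, $_POST, $_SESSION['myid'] ?? 0);
    echo $ok ? 'Proposal submitted' : 'Submission error';
}
```

The echoed string is what to compare against the "Incorrect syntax" message; the parameterised version needs PHP 7 or later for the ?? operator.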

Thanks, Benjamin's idea did the trick. Thanks all of you. Close of thread.

On Thu, Aug 5, 2010 at 12:20 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
Well, the error is in the query of course; please paste here what echo $query; gives you.
-- Our greatest fear is not that we are inadequate, but that we are powerful beyond measure. It is our light, not our darkness, that frightens us. Calvin Omari Systems Developer/Designer http://www.facebook.com/barongo
participants (6)
- Benjamin
- Calvin Omari
- Chris Mwirigi
- Kiti Chigiri
- Ndungi Kyalo
- Peter Karunyu