
I am working on my assignment and I can't get my update to work with my database. Here is my form that holds the data.

<form name="edit" method="post" action="process/editRecord.php">

    <p class="indent">
      <label for="projectName">Edit Project Name</label>
      <input type="text" name="projectName" id="projectName" value="<?php echo $projectName; ?>">
    </p>

    <p class="indent">
      <label for="projectSoftware">Edit Project Software</label>
      <input type="text" name="projectSoftware" id="projectSoftware" value="<?php echo $projectSoftware; ?>" >
    </p>


    <p class="indent">
      <label for="projectDescription">Edit Project Description</label>
      <textarea name="projectDescription" id="projectDescription" cols="150" rows="10" ><?php echo $projectDescription; ?></textarea>
    </p>

    <p class="indent">
      <label for="projectImage">Edit Project Image</label>
      <input type="text" name="projectImage" id="projectImage" value="<?php echo $projectImage; ?>" >
    </p>

    <p class="indent">
      <label for="projectInformation">Edit Project Information</label>
      <textarea name="projectInformation" id="projectInformation" cols="400" rows="10" ><?php echo $projectInformation; ?></textarea>
    </p>

    <p>
      <input type="submit" name="button" id="button" value="Update">
    </p>

</form>

And then here is the process.

<?php
ini_set('display_errors', 1);
require('../../includes/conn.inc.php');
require('../../includes/functions.inc.php');
// sanitize user variables
$sprojectName = safeString($_POST['projectName']);
$sprojectSoftware = safeString($_POST['projectSoftware']);
$sprojectDescription = safeString($_POST['projectDescription']);
$sprojectImage = safeString($_POST['projectImage']);
$sprojectInformation = safeString($_POST['projectInformation']);
$sprojectID = safeInt($_POST['projectID']);
// prepare SQL
$stmt = $mysqli->prepare("UPDATE projects SET projectName =?, projectSoftware =?, projectDescription=?, projectImage =?, projectInformation =? WHERE projectID = ?");
$stmt->bind_param('sssssi', $sprojectName, $sprojectSoftware, $sprojectDescription, $sprojectImage, $sprojectInformation, $sprojectID);
$stmt->execute();
$stmt->close();

header("Location: ../../php/projects.php");
// redirect browser
exit; // make sure no other code executed
?>

I get no errors when using this, and it doesn't update my database but goes back to the relevant projects page.

James Jones
    What the heck is that `safeString()` function? Just use prepared statements alone. You can't see any error message because most likely you haven't turned it on, plus the fact that you're not checking whether the statement actually executed – Kevin Feb 22 '16 at 02:03
  • The safeString is sanitizing it so you can't SQL inject it, and what prepared statements? – Jacob Boardman Feb 22 '16 at 02:05
  • This prepared statement: `$mysqli->prepare(...`, see [PHP: MySQLi > Quick start guide > Prepared Statements](http://docs.php.net/manual/en/mysqli.quickstart.prepared-statements.php) – VolkerK Feb 22 '16 at 02:07
  • `$stmt = $mysqli->prepare("UPDATE projects SET projectName =?, projectSoftware =?, projectDescription=?, projectImage =?, projectInformation =? WHERE projectID = ?");` so what's this line doing then, if not preparing it? – Jacob Boardman Feb 22 '16 at 02:09
  • Ok, let's try it the other way round: is `safeString` removing characters? Or is it simply calling some encoding function like e.g. mysqli::real_escape_string? Or ...? – VolkerK Feb 22 '16 at 02:13
  • This is what it is doing `function safeString($str) { return filter_var($str, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW); }` – Jacob Boardman Feb 22 '16 at 02:15
  • You're using a prepared statement + parameters anyway, _this_ is what actually prevents this kind of SQL injection in your case. The `safeString` function is superfluous (for preventing SQL injections) at best. – VolkerK Feb 22 '16 at 02:21
  • Okay, thanks for the feedback, but _still_ no idea why it doesn't update the database?!? – Jacob Boardman Feb 22 '16 at 02:25
  • `$_POST['projectID']` it's not in the form – Feb 22 '16 at 02:35
  • @Dagon *That's it*, thank god, I would have never thought of that because I am working with a fellow student and his doesn't use an id, so we never saw the problem – Jacob Boardman Feb 22 '16 at 02:41

1 Answer

This solved the issue

$_POST['projectID'] it's not in the form – Dagon

  • In that case you should probably not only set display_error=On but also raise the [error_reporting](http://docs.php.net/manual/de/errorfunc.configuration.php#ini.error-reporting) level (both preferably not within the script but e.g. in the php.ini, since in a production environment sending the complete error message to the client [should be avoided](https://www.owasp.org/index.php/Information_Leakage)); `safeInt($_POST['projectID'])` should have resulted in an "undefined index" message. – VolkerK Feb 22 '16 at 02:51
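The two points raised in the comments (the update silently fails because `projectID` never arrives, and nothing checks whether the statement ran) can be made visible in the process script itself. The following is an added example of a hardened editRecord.php, not the asker's code; it assumes the form gains a hidden `projectID` field as shown in the comment, that conn.inc.php still provides `$mysqli`, and that the `projects` table and column names are as in the question.

```php
<?php
// Hypothetical hardened editRecord.php (added example, not the asker's code).
// Assumes the form gained this hidden field so the id actually gets posted:
//   <input type="hidden" name="projectID" value="<?php echo (int)$projectID; ?>">
// and that ../../includes/conn.inc.php still creates $mysqli.
declare(strict_types=1);

// Full error reporting while developing; in production log errors to a file
// instead of displaying them to the client.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Make prepare()/execute() throw on failure instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require '../../includes/conn.inc.php';

// The bug from the question: validate projectID explicitly rather than reading an
// index that may not exist. filter_input() gives null if absent, false if invalid.
$projectID = filter_input(INPUT_POST, 'projectID', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($projectID === null || $projectID === false) {
    http_response_code(400);
    exit('Missing or invalid projectID');
}

// Require every text field to be present; bound parameters handle SQL safety,
// so no content-stripping "sanitizer" is needed for the query.
$fields = [];
foreach (['projectName', 'projectSoftware', 'projectDescription',
          'projectImage', 'projectInformation'] as $name) {
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        http_response_code(400);
        exit("Missing field: $name");
    }
    $fields[$name] = $_POST[$name];
}

$stmt = $mysqli->prepare(
    'UPDATE projects SET projectName = ?, projectSoftware = ?, projectDescription = ?, '
    . 'projectImage = ?, projectInformation = ? WHERE projectID = ?'
);
$stmt->bind_param('sssssi', $fields['projectName'], $fields['projectSoftware'],
    $fields['projectDescription'], $fields['projectImage'],
    $fields['projectInformation'], $projectID);
$stmt->execute();

// affected_rows is 0 when the WHERE clause matched no row (or nothing changed):
// record that instead of redirecting as though the update succeeded.
if ($stmt->affected_rows === 0) {
    error_log("editRecord: no row updated for projectID=$projectID");
}
$stmt->close();

header('Location: ../../php/projects.php');
exit;
```

With `MYSQLI_REPORT_STRICT` enabled, a failed prepare or execute surfaces as a `mysqli_sql_exception` rather than an empty redirect, which is what would have pointed at the missing field in the first place.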