[RESOLVED] Check Form Submitted and Update Database

artnow

Hi all

I want to update a database record after the user has clicked the submit button on a form. I can't seem to figure out what I'm doing wrong. The $UID variable is pulled from the URL ... confirm.php3?UID=123456

<?php 
if(isset($_POST['submit']))
{ 

mysql_pconnect("$dbhost", "$dbuser", "$dbpass") || die("Couldn't connect to MySQL");
mysql_select_db("$dbname") || die("Couldn't open db: $dbname. Error if any was: ".mysql_error() );

$sql2 = "UPDATE `hounddb`.`mymailcukbulletin` SET `Validated` = '55' WHERE `mymailcukbulletin`.`UID` = '$UID'";
$res=mysql_query($sql2) or die ("Error: ". mysql_error(). " with query ". $sql2); 

}
else {
}
}

 ?>

bradgrafelman

artnow wrote:
The $UID variable is pulled from the URL

And where is that done? From the code you've shown us, $UID is just an undefined variable you're attempting to use.

artnow

Isn't the variable defined by the URL of the page? As in confirm.php3?UID=1234 meaning that the variable $UID is 1234. I can echo $UID on the confirm.php3?UID=1234 page and it does show "1234". But when I click submit, it doesn't update the database.

bradgrafelman

Adding parameters to the query string shouldn't automatically define PHP variables; if it does, then you've got the dreaded register_globals directive enabled and should see to it that it gets disabled immediately (see [man]security.gobals[/man] to learn why).

Such variables should instead be accessed via the $_GET superglobal array; see [man]variables.external[/man] to learn more about how to access external data.

artnow wrote:
But when I click submit, it doesn't update the database.

Click submit on which page? If there's a form on the "confirm.php3" page (why the "php3" suffix??), then how are you passing the UID from that page to the code you've shown us above?

Also, try echo'ing out the SQL query and visually inspecting it to see if it looks correct. Try executing the query manually (e.g. in phpMyAdmin or the MySQL CLI) to see if it works.

artnow

Not sure if register_globals is on or off but I've read that I can turn register_globals off via .htaccess though I really don't know what would happen to my web site as a result.

The "confirm.php3" page has the form plus two php scripts - the troublesome update script and and another script earlier in code that accesses the database. That script defines all the other variables using mysql_fetch_array and $variablename = $myrow['varialblename'];

I've tried echo'ing the SQL query but I can't seem to do it. I think it is because the update script is dependent on the submit button being clicked and I haven't figured out how and where to echo it.

Bonesnap

artnow;10989730 wrote:
I've tried echo'ing the SQL query but I can't seem to do it. I think it is because the update script is dependent on the submit button being clicked and I haven't figured out how and where to echo it.

Do this:

$sql2 = "UPDATE `hounddb`.`mymailcukbulletin` SET `Validated` = '55' WHERE `mymailcukbulletin`.`UID` = '$UID'";
echo $sql2;
//$res=mysql_query($sql2) or die ("Error: ". mysql_error(). " with query ". $sql2);

This will prevent the query from running and print it out. Once you've confirmed it's correct, remove the echo statement and the comment (but not the actual code, of course).

artnow

I tried again to echo $sql2 and still nothing, it doesn't echo anything. It seems that anything after the "if" and before the "else" doesn't work.

I put the $sql statement in after the "else" and it echoed correctly though it updates the database even when the page is refreshed. Could it be that since the Submit button and the update script are on the same page that it doesn't work?

johanafm

Did you click the submit button?

artnow

Not sure if you're teasing me LOL, but a valid question none the less. Yes, I've clicked the Submit button. I wonder if the problem lies in the fact that the form action is a third party script that I have no access to.

artnow

Finally figured it out. Instead of checking whether the Submit button was clicked I changed the script a little and used GET to handle the UID on subsequent pages, after being returned to my site by the third party's Form Action script.

So after the form is submitted the third party Form Action handles the form, then that script returns to one of my pages. On my page I added the following:

 <input type="hidden" name="UID" value="<?php echo $_GET[UID]; ?>">
        <?php   

include ("connect.php3");
mysql_pconnect("$dbhost", "$dbuser", "$dbpass") || die("Couldn't connect to MySQL");
mysql_select_db("$dbname") || die("Couldn't open db: $dbname. Error if any was: ".mysql_error() );

if (isset($UID['UID'])) {
$sql2 = "UPDATE `hounddb`.`mymailcukbulletin` SET `Validated` = '55' WHERE `mymailcukbulletin`.`UID` = '$UID'"; 
$res=mysql_query($sql2) or die ("Error: ". mysql_error(). " with query ". $sql2); 

} 
else { 
} 

?>

I hope that is clear to anyone following along and looking for a solution.

johanafm

artnow;10989769 wrote:
Not sure if you're teasing me

Not at all. It's just that if the same script handles both displaying the form and handling form submit, the output statement wouldn't show until the submit was clicked.

But you should probably add some code to handle improved security. If all you check is that $_GET['UID'] is set, then anyone could make such a request and have the code execute.

One improvement would be to add an additional post token, unique for each request, which is also sent to the third party server on form submit. When they send their request to your server, you would check that this token and the UID match. And at the very least, you should check that the request originates from whatever IP the remote server has.

But the best approach would probably be to handle form submits on your own server, use cUrl to send the request to the remote server and have them send a response to your server rather than a separate request.