Problem with concatenation (.) 1

Status
Not open for further replies.

Trusts

Programmer
Feb 23, 2005
268
US
Hi all,

I have a line of code:

$sql="Update Orders Set Quantity=" . $_POST[quantity . $i] ." Where CartNumber=" . $_SESSION['cartnum'] . " And ProductID='" . $_POST[Product . $i] . "'";


When processed the last "'" does not appear, as if the last concatenation operator (the last dot) is being ignored. For example I get this:

Update Orders Set Quantity=3 Where CartNumber=48 And ProductID='trumpet

In other words I am not getting that last apostrophe to appear, which is necessary to make a valid SQL Update statement (since ProductID is a text based field).

Any ideas why this is happening?

Thanks,
KB
 
First, if you are not sanitizing incoming text from a POST, you are asking for security troubles like SQL injection.

I also would not expect "$_POST[Product . $i] ." to yield a meaningful result.

the [Product . $i] is kind of meaningless.

D.E.R. Management - IT Project Management Consulting
 
for what it's worth, i recommend spacing out your sql constructs to help diagnose issues.

and as thedaver infers - unless you have declared Product as a constant then the element notation you are using may not always give you what you expect (although php will guess correctly sometimes).

having said that i can see nothing in your code as posted that would cause the last single quote not to appear. are you sure you're not assuming the error from a mysql error report (saying something like "you have an error in your sql somewhere near ...")? if so, mysql does not report the entire query string, just a set number of chars from where it thinks the error occurred. you could just be unlucky with the last char. the only way to tell for sure what gets to mysql is by echoing the sql query before or after submitting it.

i.e.
Code:
$result = mysql_query ($sql);
// mysql_query() returns false on failure, so report the error and the submitted sql in that case
if ($result === false) {
  echo "Mysql Error. <br/>Description : ".mysql_error()."<br/>submitted sql: $sql";
}

the following works on my system (with stubbed inputs)
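[code]
<?php

// $i is the row counter supplied by the surrounding loop
$sql=	"
		Update 
			Orders 
		Set 
			Quantity='" . clean($_POST["quantity".$i]) ."' 
		Where 
			CartNumber='" . $_SESSION['cartnum'] . "' 
			And 
			ProductID='" . clean($_POST["Product".$i])  . "'
		";

// trim and escape a value before it is placed inside the quoted sql literal
function clean ($var){
	// mysql_real_escape_string needs an open connection; fall back if it fails
	if (@mysql_real_escape_string("test") !== false) {
		$f = "mysql_real_escape_string";
	} else {
		$f = "mysql_escape_string";
	}
	return $f(trim($var));
}

?>
[/code]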
 
Thanks for the responses....

thedaver - The [Product . $i] works great. The previous page contains a table with input boxes in each row (within <TD> tags). Each box, on each row, is named as Product1, Product2, Product3, etc.

Another piece of data that is sent over from the form is the number of rows in the table (it changes depending on actions prior in the application).

I didn't show the For loop in the above example, but it is something like For ($i=1, $i<$_POST[rowcount], $i++) - therefore the $i helps to recreate the entry box names from the form within a loop so the Insert statements occur dynamically. That part works fine - try it sometime.


jpadie - I did echo back the $sql string and sure enough it shows up with the last apostrophe. That is how I found out what was wrong. Yeah, it's weird, it should show up.

I'm kinda new at php, although I have been coding ASP/ASP.net for more years than I can remember. So I am just attempting to apply my way of doing things in ASP to work in php. Thanks for the example of the clean function. I will give it a try. Also I see you put quantity and Product inside quotes. I thought I tried that with negative results, but I used single quotes. I will try it with double quotes - thanks!
 
it's ok to use single quotes around the text but the variable will not be expanded within them.

so
Code:
$_POST["quantity".$i]; //works
$_POST['quantity'.$i]; //works
$_POST["quantity$i"]; //works
$_POST['quantity$i']; //DOES NOT work
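
The update loop discussed in this thread, rewritten with a prepared statement so that the quantity and product values never become part of the SQL text. This is an added example, not code posted by anyone in the thread. It swaps the mysql_* calls for PDO with an in-memory SQLite table so it runs offline; the table schema, the sample form and session values, the function name updateQuantities, the 1..rowcount numbering and the 500-row cap are all assumptions.

```php
<?php
// Added example: constructed inputs standing in for the submitted form and session.
$post    = ['rowcount' => '2', 'quantity1' => '3', 'Product1' => 'trumpet',
            'quantity2' => '1', 'Product2' => "o'boe"];
$session = ['cartnum' => 48];

// In-memory SQLite table (assumed schema) so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Orders (CartNumber INTEGER, ProductID TEXT, Quantity INTEGER)');
$db->exec("INSERT INTO Orders VALUES (48, 'trumpet', 1), (48, 'o''boe', 5), (49, 'trumpet', 7)");

// Hypothetical helper: applies each submitted row and returns the number of rows changed.
function updateQuantities(PDO $db, array $post, array $session): int
{
    // Placeholders keep the values out of the SQL text, so no quoting or escaping is needed.
    $stmt = $db->prepare(
        'UPDATE Orders SET Quantity = :qty WHERE CartNumber = :cart AND ProductID = :pid'
    );
    // rowcount arrives from the client too, so validate it before looping (cap is assumed).
    $rows = filter_var($post['rowcount'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 0, 'max_range' => 500]]);
    if ($rows === false) {
        throw new InvalidArgumentException('rowcount must be an integer from 0 to 500');
    }
    $changed = 0;
    for ($i = 1; $i <= $rows; $i++) {
        $qty = filter_var($post["quantity$i"] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 0]]);
        $pid = $post["Product$i"] ?? null;
        if ($qty === false || !is_string($pid) || $pid === '') {
            continue; // skip rows with a missing or non-numeric field
        }
        $stmt->execute([':qty' => $qty, ':cart' => (int) $session['cartnum'], ':pid' => $pid]);
        $changed += $stmt->rowCount();
    }
    return $changed;
}

echo updateQuantities($db, $post, $session), " row(s) updated\n";
foreach ($db->query('SELECT * FROM Orders ORDER BY CartNumber, ProductID', PDO::FETCH_NUM) as $r) {
    echo implode(' | ', $r), "\n";
}
```

The constructed product ID containing an apostrophe is matched as plain data, and the row belonging to the other cart number is left untouched.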
 