[Q]doesn't insert the value to SQL

[avihai1]

look, i got this php code and when i try to insert the ItemIndex value into [Index] in table Item it just inserts 0, though when i printed the query that inserts it it showed me the value 47,48.
anyway you will understand when you see the code:

<?php         // start of inner script
      
      $mssql_conn = mssql_connect('localhost' , 'sa' , '');
      mssql_select_db("kal_db",$mssql_conn); ?>
      <table width="300" align="center" dir="ltr"  style="border:solid 3px;" cellspacing="1"  cellpadding="4">  
       <?php  
      $sql = "SELECT * FROM SiteShop Order by ID desc"; 
      $result = mssql_query($sql,$mssql_conn);  
       ?> 
    <tr> 
    <td  align="left" colspan="2" width="300" > 
    <font style="font-size:22px; font-family:Arial;color:#666666; font-weight:bold;" > 
    Item Shop</font>  
    <font style="font-size:12px; font-family:Arial; color:#666666; font-weight:bold;" > 
    ( There are/is <?php echo mssql_num_rows($result); ?> products)</font> 
    </td>  
    </tr>  
    
    <?php 
     
    while ($row = mssql_fetch_array($result)) { 
    ?> 
    <form method="post" name="buy" id="buy" action="">
      <input type="hidden" value="<?php echo $row['ID'] ?>" name="id" id="id">
      <input type="hidden" value="<?php echo $row['Price'] ?>" name="price" id="price">
      <input type="hidden" vlaue="<?php echo $row['ItemIndex'] ?>" name="iindex" id="iindex">
      <input type="hidden" value="<?php echo $row['Amount'] ?>" name="amount" id="amount">
    <tr> 
      <td bgcolor="#666676" colspan="2" width="300" >Item Name:
      <u><b><font size="2"> <?php echo $row['ItemName'];?></font></b></u></td>  
    </tr>  
    <tr> 
      <td bgcolor="#999999" width="60" >Price:</td>  
      <td  bgcolor="#E4E4E4" width="240"><?php echo $row['Price'];?></td>  
    </tr>  
    <tr> 
      <td bgcolor="#999999" width="60">Amount:</td>  
      <td bgcolor="#E4E4E4" width="240"><?php echo $row['Amount'];?></td>  
    </tr>  
    <tr> 
      <td bgcolor="#999999" width="60">Image:</td>  
      <td bgcolor="#E4E4E4" width="240"><img src="<?php echo $row['Image'];?>" alt="Item Image"></td>  
    </tr>
    <tr>
      <td bgcolor="#999999" width="60">
      <input type="submit" name="buyitem" id="buyitem" value="Buy Item" style="height:15px; width:40px; font-size:8; background-color:black; color:white; border-color:black;"></td>
      <td bgcolor="#E4E4E4" width="240"></td>
    </tr>
    </form> 
    <?php 
    } 
    ?> 
</table>
<?php
if ($_POST['buyitem'])
{
      $mssql_connect = mssql_connect('localhost' , 'sa' , '');
      mssql_select_db("kal_db",$mssql_connect);
      $check_query = mssql_query("SELECT Num FROM Item WHERE PID = 517 AND [Index] = 31");
      $cur_money = mssql_result($check_query,0,Num);
      $price = $_POST['price']; 
      if ($cur_money < $price)
      {
            echo "You Don't have enough money!";
      }
      else
      {
            $rand_num = rand(1,10000000);
            $query = "INSERT INTO Item (PID,IID,[Index],Prefix,Info,Num,MaxEnd,CurEnd,SetGem,XAttack,XMagic,XDefense,XHit,XDodge,Protect,UpgrLevel,UpgrRate)
            VALUES ('517','". $rand_num ."','". $_POST['iindex'] ."','0','0','". $_POST['amount'] ."','0','0','0','0','0','0','0','0','0','0','0')";
            $res = mssql_query($query);
            if ($res)
            {
                  $query1 = "UPDATE Item SET Num = Num - ". $price ." WHERE PID = 517 AND [Index] = 31";
                  $res1 = mssql_query($query1);
                  if ($res1)
                  {
                        echo "The item was bought successfully!";
                  }
                  else 
                  {
                        echo "A problem occured during buying the item";
                  }
            }
      }
}            // end of inner script
?>

and here is a picture of SiteShop table:

To view the content, you need to sign in or register

it inserts amount and everything else only not the Index, any1 see what's the problem?

 

[avihai1]

comeon please help meee

 

[foxx]

     <input type="hidden" vlaue="<?php echo $row['ItemIndex'] ?>" name="iindex" id="iindex">

vlaue?

And this is not a php/sql support forum while we are at it.

 

[avihai1]

zomg foxx thank youuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu

 

[ObuolYs]

avihai1 try to used better editors php which can show you error.
I'm using Dreamweaver 8 for that.

 

[foxx]

Because only pussies uses dreamwiever.

+ this was not a php error k.

 

[General]

Very insecure script.

 

[ObuolYs]

Because only pussies uses dreamwiever.

+ this was not a php error k.

But it showing errors -.-

 

[foxx]

So does browser after you run your script.

 

[avihai1]

bjorn how am i suppose to secure it? and whats not secure?

 

[foxx]

inputs, tda-like way.

$id = $_POST['id'];
$price = $_POST['price'];
$index = $_POST['iindex'];
$amount = $_POST['amount'];

if ($_POST['buyitem'])
{
	$error          = array();
	
    if( !ctype_alnum($id) ) 
    {
        $error['id'] = sprintf(UI_ERROR,'Turd.');
    }
   
    if( !ctype_alnum($price) ) 
    {
        $error['price'] = sprintf(UI_ERROR,'Turd.');
    }
	
	if( !ctype_alnum($iindex) ) 
    {
        $error['iindex'] = sprintf(UI_ERROR,'Turd.');
    }
	
	if( !ctype_alnum($amount) ) 
    {
        $error['amount'] = sprintf(UI_ERROR,'Turd.');
    }
   
    if( empty($error) ) 
    {

		$mssql_connect = mssql_connect('localhost' , 'sa' , '');
		mssql_select_db("kal_db",$mssql_connect);
		$check_query = mssql_query("SELECT Num FROM Item WHERE PID = 517 AND [Index] = 31");
		$cur_money = mssql_result($check_query,0,Num);
		$price = $_POST['price']; 
		if ($cur_money < $price)
		{
			echo "You Don't have enough money!";
		}
		else
		{
		    $rand_num = rand(1,10000000);
		    $query = "INSERT INTO Item (PID,IID,[Index],Prefix,Info,Num,MaxEnd,CurEnd,SetGem,XAttack,XMagic,XDefense,XHit,XDodge,Protect,UpgrLevel,UpgrRate)
		    VALUES ('517','". $rand_num ."','". $_POST['iindex'] ."','0','0','". $_POST['amount'] ."','0','0','0','0','0','0','0','0','0','0','0')";
		    $res = mssql_query($query);
		    if ($res)
		    {
		        $query1 = "UPDATE Item SET Num = Num - ". $price ." WHERE PID = 517 AND [Index] = 31";
		        $res1 = mssql_query($query1);
		        if ($res1)
		            {
		                echo "The item was bought successfully!";
		            }
		            else 
		            {
		                echo "A problem occured during buying the item";
		            }
		    }
		}
	}
}

You could also use ereg or mssql_real_escape_string(does it exist)?

 

[Ace-SG1-]

Because only pussies uses dreamwiever.

+ this was not a php error k.

hey i like my DW CS3 :'( and Notepad...

 

[General]

bjorn how am i suppose to secure it? and whats not secure?

$_POST['amount'] is directly putted into the database.

If anybody would fill in a harmful code you're screwed

Also, choosing a random number for IID is not smart since you will have doubles that way.

 

[Ace-SG1-]

$_POST['amount'] is directly putted into the database.

If anybody would fill in a harmful code you're screwed

Also, choosing a random number for IID is not smart since you will have doubles that way.

lalalala http://forum.ragezone.com/showthread.php?t=300354

but still i wold fix that error too... xD

 

[King Izu]

lalalala http://forum.ragezone.com/showthread.php?t=300354

but still i wold fix that error too... xD

Wrong way of doing it, or rather, just a bad way. The code foxx posted is definitely better.

 

[avihai1]

$_POST['amount'] is directly putted into the database.

If anybody would fill in a harmful code you're screwed

Also, choosing a random number for IID is not smart since you will have doubles that way.

you mean that if someone is changing the hidden to text its not good?
and how can i do auto incerment to IID?
and how can i fix this probs?