1

My code is suppose to save a year like 1999 to the mysql database but it wont. It will check to see if the user has entered only numbers and is at least 4 numbers long or if nothing has been entered correctly but it wont save the correct year? How can I fix this problem.

Here is the PHP code.

if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {
    $year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));
} else if($_POST['year'] && strlen($_POST['year']) < 4) {
    echo '<p class="error">year is not correct!</p>';
}  else if($_POST['year'] == NULL) {
  // do something
}

Here is where the code will be going.

    if (mysqli_num_rows($dbc) == 0) {
            $mysqli = mysqli_connect("localhost", "root", "", "sitename");
            $dbc = mysqli_query($mysqli,"INSERT INTO users (user_id, year) 
                                         VALUES ('$user_id', '$year')");
    }

    if ($dbc == TRUE) {
            $dbc = mysqli_query($mysqli,"UPDATE users 
                                         SET year = '$year' 
                                         WHERE user_id = '$user_id'");

            echo '<p class="changes-saved">Your changes have been saved!</p>';

    }

    if (!$dbc) {
            print mysqli_error($mysqli);
            return;
    }

Here is the code together.

if (isset($_POST['submit'])) { 

if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {
    $year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));
} else if($_POST['year'] && strlen($_POST['year']) < 4) {
    echo '<p class="error">year is not correct!</p>';
}  else if($_POST['year'] == NULL) {


    if (mysqli_num_rows($dbc) == 0) {
            $mysqli = mysqli_connect("localhost", "root", "", "sitename");
            $dbc = mysqli_query($mysqli,"INSERT INTO users (user_id, year) 
                                         VALUES ('$user_id', '$year')");
    }

    if ($dbc == TRUE) {
            $dbc = mysqli_query($mysqli,"UPDATE users 
                                         SET year = '$year' 
                                         WHERE user_id = '$user_id'");

            echo '<p class="changes-saved">Your changes have been saved!</p>';

    }

    if (!$dbc) {
            print mysqli_error($mysqli);
            return;
    }


    }

}

The problem has to be on this line.

if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {
$year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));
Improve this question
4
  • Ok, so it "won't save the correct year", but what does it do? - print an error? save a wrong value? Commented Apr 9, 2010 at 3:04
  • It just wont save the correct year which it should do. Commented Apr 9, 2010 at 3:05
  • Thanks for updating your question with the DB code but I still don't see how the two code blocks are related to eachother? Do you call the if(mysqli_num_rows($dbc) == 0) right after the first code block? Commented Apr 9, 2010 at 3:22
  • You might want to throw in a bunch of echo statements in your if statements and run your code to see where it is failing/stoping and update us on that to better assist you. Commented Apr 9, 2010 at 3:24

5 Answers 5

Reset to default
1

You only run the query if $_POST["year"] == NULL. Are you sure that's what you want to be doing?

Maybe change the first block to something like:

if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {
    $year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));
} else if($_POST['year'] && strlen($_POST['year']) < 4) {
    echo '<p class="error">year is not correct!</p>';
}  

if (isset($year)) {
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

First off, check what's being sent in $_POST['year'] with an error_log($_POST['year']); or echo $_POST['year']; somewhere above your logic statement.

Second, you don't actually have any queries written in that code, just a $year variable which I'm guessing you're trying to sanitize.

Third, it looks like you have a logic error in your if / else statement chain.

Try this.

if (isset($_POST['submit'])) 
{ 

if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {
    $year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));
} else if($_POST['year'] && strlen($_POST['year']) < 4) {
    echo '<p class="error">year is not correct!</p>';
}  else if($_POST['year'] == NULL) {

} else {
    if (mysqli_num_rows($dbc) == 0) {
            $mysqli = mysqli_connect("localhost", "root", "", "sitename");
            $dbc = mysqli_query($mysqli,"INSERT INTO users (user_id, year) 
                                         VALUES ('$user_id', '$year')");
    }

    if ($dbc == TRUE) {
            $dbc = mysqli_query($mysqli,"UPDATE users 
                                         SET year = '$year' 
                                         WHERE user_id = '$user_id'");

            echo '<p class="changes-saved">Your changes have been saved!</p>';

    }

    if (!$dbc) {
            print mysqli_error($mysqli);
            return;
    }


    }

}
Improve this answer

4 Comments

this didn't even work so I used print_r it only shows the value.
this didn't not work ahhhhhhhhhhhhhhhhhhhhhhh :o, thanks though.
Start debugging then. Add error_log's to various lines and work out where it's not doing what you intend it to do.
I'm not sure what you mean by "didn't work." What does the log say?
0

You seem to be passing into $year your escaped string value of year from your form element but you don't seem to be doing anything with it (at least that is all you show)?

Where is the code to put it into the database?

Something like:

$mysqli->query("insert into table (ColumnName) values ('$year')";

EDIT AFTER UPDATING YOUR CODE SAMPLE:

You are running the code to the DB ONLY IF your year is null. Change your code as shown by David/Josh. :-)

Improve this answer

Comments

0

I think David has it right. Try changing the entire code you provided above to:

if (isset($_POST['submit'])) 
{ 
    if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {
        $year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));
    } else if($_POST['year'] && strlen($_POST['year']) < 4) {
        echo '<p class="error">year is not correct!</p>';
    } else {
        // echo 'Year is blank' or whatever you like here
    }

    // if $_POST['year'] was entered correctly, $year will now
    // have an assigned value and the mysql query will exit
    if (isset($year)) {
        if (mysqli_num_rows($dbc) == 0) {
                $mysqli = mysqli_connect("localhost", "root", "", "sitename");
                $dbc = mysqli_query($mysqli,"INSERT INTO users (user_id, year) 
                                             VALUES ('$user_id', '$year')");
                // uncomment below to see the query
                // echo "INSERT INTO users (user_id, year) VALUES ('$user_id', '$year')";
        }
        // I'd suggest changing this if ($dbc) { to:
        else {
                $dbc = mysqli_query($mysqli,"UPDATE users 
                                             SET year = '$year' 
                                             WHERE user_id = '$user_id'");
                // uncomment below to see the query
                // echo "UPDATE users SET year = '$year' WHERE user_id = '$user_id'";
                echo '<p class="changes-saved">Your changes have been saved!</p>';
        }
        if (!$dbc) {
                print mysqli_error($mysqli);
                return;
        }


        }
    }
}

Also, considering that both of your original queries were inside of seperate if blocks, rather than an if-else statement, it's possible somehow that neither query was even being executed. The code above changes it to an if-else statement, so at least one of the queries will execute. I believe that was the intent of the original code regardless.

If it still isn't working, uncomment the lines to echo the queries and see what's actually being sent to the database.

Improve this answer

Comments

0

You sure are working overly hard to sanitize your data:

if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) {

Fine. It's good to see if the value is actually present in the submitted data, and if there's some kind of numeric value in the field, but...

$year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year']))));

If the effect of all that is to ensure that there's nothing non-numeric in there, then why not simply do something like:

$year = null;
if (isset($_POST['year'])) {
    $year = preg_replace('/\D/', '', $_POST['year']) // replace anything non-numeric with nothing
    if ($year < 1000) {
        $year = null;
    )
}

This gets rid of any attempted html or sql or javascript injection, ensure you've got pure numeric data, and also ensures that you've got at least a 4 digit year, as well as being y10k, y100k, etc... compliant.

After the $year's been sanitized, then you can stick it into the database like this:

if (!isnull($year)) {
    $sql = <<<EOF
INSERT INTO users (user_id, year) 
VALUES ($user_id, $year)
ON DUPLICATE KEY UPDATE
    year=VALUES(year);
EOF;
    $stmt = mysqli_query($sql) or die("Query error: " . mysqli_error()):
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.