How to Properly Send The Following Data to MySQL Database?

I’m having trouble retrieving the data from the following form and sending it to a database. I’m attempting to retrieve the time and the inputted text with PHP and send it to a database:

<form method="post">
  <input name="status_time" type="hidden" value="<?php echo time() ?>" />
  <p>What is on your mind?</p>
  <textarea name="status_content"></textarea>
  <p>
    <input type="submit" value="Update Status" />
  </p>
  </center>
</form>

And this is the public function to retrieve the time and content submitted:

    public function add_status($user_id, $postdata) {
        global $db;

        $table = 's_users';

        $status_time = isset($postdata['status_time']) ? $postdata['status_time'] : null;
        $status_content = isset($postdata['status_content']) ? $postdata['status_content'] : null;
        if(!empty($status_content) && !empty($status_time)) {
            $query = "UPDATE $table (Status_Change_Time, Status_Content) VALUES ('$status_time', '$status_content')";

            return $db->insert($query);
        }
    }

This form is for updating your status as a user. I’m also not sure how I would be able to retrieve the user that’s updating his/her status information, so I could select where I can update the status in my database.

Are you certain that query is the right syntax?

I don’t know what $db->insert() is doing, but the query looks like a cross between an UPDATE and an INSERT.
http://dev.mysql.com/doc/refman/5.7/en/update.html
http://dev.mysql.com/doc/refman/5.7/en/insert.html

Yeah, this is my friend’s code, and he uses a huge class and tries to like shove a bunch of public functions into it for each page. I’m going to try to completely change it.

That is the wrong syntax for an update statement. If you want a hybrid between insert/update in MySQL, use an insert with an ON DUPLICATE KEY UPDATE clause.

When you say you’re having trouble, what actually is the problem? Is it getting the data from the form correctly but not storing it, or not getting the data from the form?

You can clearly see that the query is malformed.

Yes, unless $db->insert() is doing some kind of magic with it, I can’t see how it could work.

oh… yeah I didn’t even notice that.

Odd sending an insert method a query string. Wouldn’t it make more sense to pass an array and build the insert/update SQL in the method? That is how other abstraction layers do it, like the one in Drupal. A good example of why people who don’t know what they are doing should be using tried and true libs like Doctrine or some other well-known abstraction layer. That insert method just looks like a non-standard, brittle, convoluted mess…

Unless the validation is being done elsewhere he’s also a sitting duck for both SQL Injection Attacks (user submitted data not even escaped!) and for getting a load of garbage sent to the database (no validation of the user submitted data). Why do I get the feeling that he might still use the old (and now removed from PHP 7) mysql_* extension?
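
The points raised in this thread (malformed UPDATE, unescaped user input, no validation), worked through as an added example that is not code from any poster: a parameterized UPDATE through PDO. Assumptions: s_users has an integer `id` primary key, the user id comes from the server-side session rather than the form, the 500-byte limit is arbitrary, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example. Assumed: PDO is available, s_users has an integer "id"
// key, and $userId was read from the server-side session, not from the form.
function add_status(PDO $db, int $userId, array $postdata): bool
{
    $content = trim((string)($postdata['status_content'] ?? ''));
    // Validate before touching the database: non-empty, bounded length (bytes).
    if ($content === '' || strlen($content) > 500) {
        return false;
    }
    // Take the time on the server. The hidden status_time form field is
    // client-controlled, so it is ignored here.
    $now = time();

    // Placeholders keep user data out of the SQL text entirely, and the
    // WHERE clause limits the change to the logged-in user's row.
    $stmt = $db->prepare(
        'UPDATE s_users
            SET Status_Change_Time = :t, Status_Content = :c
          WHERE id = :id'
    );
    $stmt->execute([':t' => $now, ':c' => $content, ':id' => $userId]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data: two users in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE s_users (id INTEGER PRIMARY KEY,
           Status_Change_Time INTEGER, Status_Content TEXT)');
$db->exec('INSERT INTO s_users (id) VALUES (1), (2)');

// Constructed input: ordinary apostrophes, which would break a query built
// by string concatenation, plus a client-supplied time that is not trusted.
$post = ['status_time' => '0', 'status_content' => "It's O'Brien's day off"];
var_dump(add_status($db, 1, $post));
// Whitespace-only content is rejected by validation.
var_dump(add_status($db, 1, ['status_content' => '   ']));
// Only the row for user 1 carries the new status, stored verbatim.
foreach ($db->query('SELECT id, Status_Content FROM s_users') as $row) {
    echo $row['id'], ': ', var_export($row['Status_Content'], true), "\n";
}
```

With the MySQL driver, `rowCount()` counts changed rows by default, so an update that writes identical values reports 0.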

I’d say the odds are highly likely.

I just assumed that as the function is working with $postdata rather than $_POST, that any validation had been done prior to the information being passed into the function. Of course, it’s equally possible that the $_POST array is passed in without any checking.

And I agree the query looks malformed, but we don’t know what ->insert() does with it. And we still don’t know what the problem is.
