Hello All,
I have been working on a couple of mods that may or may not be of value to others; the kind folks of this forum have helped me along, and that is greatly appreciated. I have one problem, however, and need your help again.
I have searched the forum high and low for days (about 5 days now), and after reading the API docs and the developer documentation, and trying to download the Book Mod referred to by DrByte and others (the Book Mod's link appears to be broken), I still haven't found the information I am looking for.
I'll say up front that I am new to PHP and MySQL, but I am an experienced procedural programmer (on and off since 1983) with former SQL experience (in the old days), and I am just getting the hang of OOP constructs.
Can someone help me or point me to documentation on how to use the built in query system?
Specifically, I need to know how to escape strings and "prepare" input. I have found the functions in query_factory and have an idea of how these work, but I'm confused because I can't figure out where the DBs are set up (opened or initialized...) and how the query strings are constructed, called and tested... I am lost as to my next step.
Below is a simple update script that I want to make Zen Cart friendly. All is well until a user enters a character into a field (a string) that requires escaping (such as an apostrophe in the mytest_title field, e.g. "Mike's Gizmo") and hits submit...
The apostrophe breaks the query and the script fails... I can hand-code my own function to clean up strings and numeric vars, etc., but I know this isn't the right way to do it for public Zen Cart use...
Code:
<?php
/**************************************************************************************
* Simple Test myupdate.php
* NOTE: this is the "before" version. Every value is concatenated into the SQL
* text unescaped, which is why an apostrophe in any field breaks the query.
**************************************************************************************/
//Get database credentials ($dbhost, $dbusername, $dbuserpass, $dbname)
require 'config_mytest.php';
//Load the POST vars (raw and unescaped)
$mytest_id = $_POST['mytest_id'];
$mytest_entry_count = $_POST['mytest_entry_count'];
$mytest_title = $_POST['mytest_title'];
$mytest_image = $_POST['mytest_image'];
$mytest_image_caption = $_POST['mytest_image_caption'];
$mytest_customer = $_POST['mytest_customer'];
$mytest_product_name = $_POST['mytest_product_name'];
$mytest_product_url = $_POST['mytest_product_url'];
$mytest_product_model = $_POST['mytest_product_model'];
$mytest_status = $_POST['mytest_status'];
// connect to the mysql database server (legacy mysql_* extension, removed in PHP 7)
mysql_connect($dbhost, $dbusername, $dbuserpass) or die('Cannot connect: ' . mysql_error());
//select the database
mysql_select_db($dbname) or die('Cannot select database');
// Build the query. Each value is dropped straight between single quotes, so a title
// of Mike's Gizmo produces mytest_title = 'Mike's Gizmo' and a MySQL syntax error.
$query = "UPDATE mytest" .
" SET mytest_entry_count = '".$mytest_entry_count."'," .
" mytest_title = '".$mytest_title."'," .
" mytest_image = '".$mytest_image."'," .
" mytest_image_caption = '".$mytest_image_caption."'," .
" mytest_customer = '".$mytest_customer."'," .
" mytest_product_name = '".$mytest_product_name."'," .
" mytest_product_url = '".$mytest_product_url."'," .
" mytest_product_model = '".$mytest_product_model."'," .
" mytest_status = '".$mytest_status."'" .
" WHERE mytest_id = '".$mytest_id."'";
//Run the query (on failure die() prints the MySQL error and the script stops here)
$result = mysql_query($query) or die(mysql_error());
if ($result === TRUE) {
    echo "mytest table updated successfully."; }
else {
    // not reached: a failed query already died above; kept only for testing
    printf("Could not update table: %s\n", mysql_error());
}
//link variable is equal to the referring page
$link = $_SERVER['HTTP_REFERER'];
//sends a header directly to the browser telling it to redirect the user to the referring page
//(note: the echo/printf output above is sent before this header, so those lines must go
//before the redirect can work)
header("Location: $link");
exit;
?>
Please ignore the extraneous code (the echos, etc.) that was put in for testing purposes in the above script...
I put forth an honest effort to figure this out on my own, and I simply can't give this mod to the public in its current state, so any help at this point would be greatly appreciated!
Thanks in advance,
Gary777
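The safe way to get the apostrophe (and anything else a user types) into the UPDATE is to keep the SQL text fixed and hand the values to the driver separately as bound parameters, so they are never parsed as SQL. The following is an added example, not code from the original post and not Zen Cart's own query_factory: it rewrites the posted myupdate.php UPDATE with PDO prepared statements. The table and column names come from the posted script; the demo runs against an in-memory SQLite database so it needs no MySQL server (against MySQL only the DSN changes), and treating mytest_entry_count as an integer is my assumption.

```php
<?php
/*
 * Added example (not the original poster's script, not Zen Cart code):
 * the myupdate.php UPDATE rewritten with PDO prepared statements, so quotes
 * in user input are stored as data instead of breaking (or rewriting) the SQL.
 */

// Whitelist of updatable columns and the type each value is bound as.
// Column names come only from this array, never from the request, so the
// query text is fixed at development time. Treating mytest_entry_count as an
// integer is an assumption; the posted script quoted every value.
const MYTEST_COLUMNS = [
    'mytest_entry_count'   => PDO::PARAM_INT,
    'mytest_title'         => PDO::PARAM_STR,
    'mytest_image'         => PDO::PARAM_STR,
    'mytest_image_caption' => PDO::PARAM_STR,
    'mytest_customer'      => PDO::PARAM_STR,
    'mytest_product_name'  => PDO::PARAM_STR,
    'mytest_product_url'   => PDO::PARAM_STR,
    'mytest_product_model' => PDO::PARAM_STR,
    'mytest_status'        => PDO::PARAM_STR,
];

/**
 * Update one mytest row from a $_POST-shaped array.
 * Returns the number of rows changed (0 when the id does not exist).
 */
function update_mytest(PDO $pdo, array $input): int
{
    $set = [];
    foreach (array_keys(MYTEST_COLUMNS) as $col) {
        $set[] = "$col = :$col";                 // a placeholder, not the value
    }
    $sql = 'UPDATE mytest SET ' . implode(', ', $set)
         . ' WHERE mytest_id = :mytest_id';

    $stmt = $pdo->prepare($sql);
    foreach (MYTEST_COLUMNS as $col => $type) {
        $value = $input[$col] ?? '';
        if ($type === PDO::PARAM_INT) {
            $value = (int) $value;               // non-numeric input becomes 0, never SQL
        }
        $stmt->bindValue(":$col", $value, $type);
    }
    // The id is cast to int before binding, so "1' OR '1'='1" becomes plain 1.
    $stmt->bindValue(':mytest_id', (int) ($input['mytest_id'] ?? 0), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- Demo with constructed input (no web server or MySQL needed) ---------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytest (
    mytest_id INTEGER PRIMARY KEY, mytest_entry_count INTEGER,
    mytest_title TEXT, mytest_image TEXT, mytest_image_caption TEXT,
    mytest_customer TEXT, mytest_product_name TEXT, mytest_product_url TEXT,
    mytest_product_model TEXT, mytest_status TEXT)');
$pdo->exec("INSERT INTO mytest (mytest_id, mytest_title)
            VALUES (1, 'old title'), (2, 'untouched')");

// Constructed POST data: the apostrophe case from the question, plus a classic
// injection payload in the id field.
$post = [
    'mytest_id'          => "1' OR '1'='1",
    'mytest_entry_count' => '3',
    'mytest_title'       => "Mike's Gizmo",
    'mytest_status'      => '1',
];
$affected = update_mytest($pdo, $post);

$titles = $pdo->query('SELECT mytest_id, mytest_title FROM mytest ORDER BY mytest_id')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($affected, $titles);
// Row 1 now reads Mike's Gizmo and $affected is 1; row 2 is untouched because
// the id was bound as the integer 1 and the OR clause never reached the parser.
```

The same idea is what the Zen Cart query_factory class (includes/classes/db/mysql/query_factory.php) offers through $db->bindVars(): you write the SQL with named placeholders such as :title, call bindVars() with a type name ('string', 'integer', ...) for each one, and then run the result with $db->Execute(). Check the exact type names against the copy of query_factory.php in your own Zen Cart version before relying on them.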