Update query is altered by safari???
#1

[eluser]bobbob[/eluser]
I have this odd thing where my update query runs OK in Firefox, IE and Camino, but in Safari it adds a field to the update.
The error message is:
Error Number: 1054
Unknown column '_' in 'field list'

There is of course no '_' in my form.
The last part of the error is where it happens:
`ip` = '67.140.22.58', `_` = '' WHERE `id` = '18'

My query:
Code:
$id = $this->session->userdata('uid');
$this->db->where('id', $id);

$this->db->update('members', $_POST);
When I rewrite it to:
Code:
$newdata = $_POST['preferred'];
$this->db->query("UPDATE members SET preferred = '$newdata' WHERE id = '$id'");
It runs fine.

What baffles me is that safari appears to change the query.
Any ideas much appreciated.
#2

[eluser]Bogdan Tanase[/eluser]
Maybe Safari is POSTing something it shouldn't; it doesn't really matter. You shouldn't insert data from POST directly into the database because it's a major security risk: data from POST can easily be altered.

You should do some validation before inserting in DB.
#3

[eluser]pistolPete[/eluser]
I can't reproduce that issue on my Mac using Safari 3.2.1.

[quote author="Bogdan Tanase" date="1234446292"]... You should do some validation before inserting in DB.[/quote]

Have a look at the Input Class:
Code:
$newdata = $this->input->post('preferred');
#4

[eluser]TheFuzzy0ne[/eluser]
This is a prime example of why you should not feed your POST array directly into a model method. I would suggest sanitising the user's input first.
#5

[eluser]drewbee[/eluser]
If you really must do it this way with the query, do something like this:

Code:
// the form field is named 'preferred' (see the controller below), so read that key;
// the value and the id travel as bound parameters, never spliced into the SQL text
$this->db->query("UPDATE members SET preferred = ? WHERE id = ?",
                 array($this->input->post('preferred'), $id));
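Posts #2 to #5 all point at the same fix: do not hand `$_POST` to the query builder unfiltered, and keep column names out of the request entirely. Here is that idea in plain PHP as an added example (not code from the thread or from CodeIgniter): the incoming keys are whitelisted against the columns this endpoint is allowed to touch, the `SET` clause is built from the whitelist only, and every value is a bound parameter. `build_member_update` and the allowed-column list are assumptions made for the example; the sample POST body is constructed to mirror the stray `_` key from the first post.

```php
<?php
// Added example: whitelist a POST array against the updatable columns and emit a
// parameterised UPDATE. Column names only ever come from $allowed; values are bound.

/**
 * Returns [sql, params, rejected].
 * $allowed is the list of columns this endpoint may update (assumed for the example).
 * $rejected holds request keys that were dropped, so they can be logged rather than
 * silently turned into column names.
 */
function build_member_update(array $post, int $id, array $allowed): array
{
    $data     = array_intersect_key($post, array_flip($allowed));
    $rejected = array_keys(array_diff_key($post, $data));

    if ($data === []) {
        throw new InvalidArgumentException('no updatable fields in request');
    }

    $assignments = [];
    $params      = [];
    foreach ($data as $column => $value) {
        $assignments[] = "`$column` = ?";   // $column is a whitelisted name, not user input
        $params[]      = (string) $value;   // the value is passed to the driver separately
    }
    $params[] = $id;

    $sql = 'UPDATE `members` SET ' . implode(', ', $assignments) . ' WHERE `id` = ?';
    return [$sql, $params, $rejected];
}

// Constructed request body: the two legitimate fields seen in the thread plus an
// unexpected '_' key with an empty value.
$post = ['preferred' => 'Email/Phone', 'ip' => '67.140.22.58', '_' => ''];

[$sql, $params, $rejected] = build_member_update($post, 18, ['preferred', 'ip']);

echo $sql, "\n";
echo 'params:   ', json_encode($params), "\n";
echo 'rejected: ', json_encode($rejected), "\n";
if ($rejected !== []) {
    // Logging the dropped keys is how you find out what a particular browser
    // actually sent, instead of discovering it as a MySQL 1054 error.
    error_log('dropped unexpected POST keys: ' . implode(',', $rejected));
}
```

The `rejected` list is the useful diagnostic here: the whitelist keeps the unexpected key away from the database, and the log line tells you what the client submitted.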
#6

[eluser]bobbob[/eluser]
Thanks for your replies.
I had stripped my code to make the post smaller.
Here is the whole controller:

Code:
function preferred()
{
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');
    $this->form_validation->set_rules('preferred', 'preferred', 'required|trim|xss_clean');
    if ($this->form_validation->run() == FALSE) {
        echo 'Error';
    } else {
        $newdata = $_POST['preferred'];

        $id = $this->session->userdata('uid');
        $this->db->where('id', $id);

        // the whole POST array is still passed here; every key becomes a column
        $this->db->update('members', $_POST);
        //$this->db->query("UPDATE members SET preferred = '$newdata' WHERE id = '$id'");

        $this->session->set_userdata('preferred', $newdata);

        echo htmlentities($newdata);
    }
}
The whole picture may help. This is an Ajax call.
The form has one field, 'preferred'.

The JS script that sends the info to the controller is:
Code:
function updateit(){
     var url = 'index.php/members/preferred';
     var pars = $('preferred_form').serialize(true);
     var target = 'new_preferred';
     var myAjax = new Ajax.Updater(target, url, {method: 'post', parameters: pars});
}
var pageInit = function() {
   Event.observe('preferred_form', 'submit', function(e) {
      updateit();
      e.stop();
      
   });
}

document.observe('dom:loaded', pageInit);

I got the same results with validation included.
Help. Thanks
#7

[eluser]TheFuzzy0ne[/eluser]
You are still passing the $_POST array into the model. If another post variable is passed through, it will break your application.
#8

[eluser]bobbob[/eluser]
Quote: You are still passing the $_POST array into the model. If another post variable is passed through, it will break your application.
I am skipping the model. It is the controller you are seeing and the only variable is the preferred. I agree it looks like an extra something is coming through, but from where, and why is it unique to Safari?
What am I missing?
What do I need to do to the $_POST array?
Thanks again
#9

[eluser]TheFuzzy0ne[/eluser]
This line:
Code:
$this->db->update('members', $_POST);

Should that not be passed $newdata instead?

Code:
function preferred()
{
    $this->load->helper(array('form', 'url'));
    $this->load->library('form_validation');
    $this->form_validation->set_rules('preferred', 'preferred', 'required|trim|xss_clean');
    if ($this->form_validation->run() == FALSE) {
        echo 'Error';
    } else {
        $newdata = $this->input->post('preferred');

        $id = $this->session->userdata('uid');
        $this->db->where('id', $id);

        // only the one expected column, as an associative array: column => value
        $this->db->update('members', array('preferred' => $newdata));
        //$this->db->query("UPDATE members SET preferred = '$newdata' WHERE id = '$id'");

        $this->session->set_userdata('preferred', $newdata);

        echo htmlentities($newdata);
    }
}
#10

[eluser]bobbob[/eluser]
When I do it your way I get this error:

Error Number: 1054
Unknown column 'Email/Phone' in 'field list'
UPDATE `members` SET `Email/Phone` = '' WHERE `id` = '18'

which tells me that the query is trying to use the value of preferred as the column name.
That happens in all browsers.


The only way to get it to work is this:
Code:
$newdata = $_POST['preferred'];
$this->db->query("UPDATE members SET preferred = '$newdata' WHERE id = '$id'");

The commented line in my other posts.
I am trying to use the CI Active Record class, so I would still like to know the cause.
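The thread ends on the raw, string-interpolated query as the only thing that "works". As an added example (not the poster's code and not CodeIgniter's), here is the same single-field update written as a prepared statement and run end to end against an in-memory SQLite database through PDO, so it can be executed without a CI install. The table layout, the sample row and the POST bodies are constructed for the example, and `pdo_sqlite` is assumed to be available. The run shows the value `Email/Phone` landing in the `preferred` column as data, and a value containing a quote being stored unchanged, which is exactly what interpolation cannot guarantee.

```php
<?php
// Added example: the 'preferred' update as a prepared statement, exercised against
// an in-memory SQLite table that mimics the thread's `members` table.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and row, modelled on the columns visible in the error output.
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, ip TEXT, preferred TEXT)');
    $db->exec("INSERT INTO members (id, ip, preferred) VALUES (18, '67.140.22.58', 'Email')");
    return $db;
}

/**
 * Updates exactly one column. The column name is fixed in the SQL text; the value
 * and the id are bound, so quotes or slashes in the value cannot alter the statement.
 * Returns the number of rows affected.
 */
function set_preferred(PDO $db, int $id, string $preferred): int
{
    $stmt = $db->prepare('UPDATE members SET preferred = :preferred WHERE id = :id');
    $stmt->bindValue(':preferred', $preferred, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function get_preferred(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT preferred FROM members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

/**
 * Mirrors the controller's handling of the request: read the one expected field by
 * name, apply the 'required|trim' rule, and report any other keys instead of using them.
 */
function handle_preferred_request(PDO $db, int $memberId, array $post): string
{
    $unexpected = array_keys(array_diff_key($post, ['preferred' => true]));
    if ($unexpected !== []) {
        error_log('unexpected POST keys ignored: ' . implode(',', $unexpected));
    }

    $preferred = trim((string) ($post['preferred'] ?? ''));
    if ($preferred === '') {
        return 'Error';
    }

    set_preferred($db, $memberId, $preferred);
    // Same output the Ajax caller expects; HTML-escaped before it is echoed back.
    return htmlentities(get_preferred($db, $memberId), ENT_QUOTES, 'UTF-8');
}

$db = open_demo_db();

// Constructed POST body: the real field plus the stray '_' key from the first post.
echo handle_preferred_request($db, 18, ['preferred' => 'Email/Phone', '_' => '']), "\n";

// A value with a quote in it: stored verbatim, because it never touches the SQL text.
echo handle_preferred_request($db, 18, ['preferred' => "Phone (O'Brien)"]), "\n";

// An empty field fails the 'required' rule and changes nothing.
echo handle_preferred_request($db, 18, ['preferred' => '   ']), "\n";
printf("stored value is still: %s\n", get_preferred($db, 18));
```

`handle_preferred_request` keeps the three concerns separate: which key is read (decided by the code, not the client), what is allowed in the value (the validation rule), and how it reaches the database (a bound parameter with the column name fixed in the statement).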




Theme © iAndrew 2016 - Forum software by © MyBB