1
caelon
MySQL error when doing INSERT from module
  • 2003/12/14 19:47

  • caelon

  • Just popping in

  • Posts: 11

  • Since: 2003/2/21


I've run into a dead end for a module I'm developing and could use another pair of eyes (or a few pair) to help me find what must be an obvious answer.

The code is as follows:
$sql "INSERT INTO ".$xoopsDB->prefix('draft_order')." (draftid, roundnumber, picknumber, userid) VALUES ($draftid$round$claimedpick$uid)";
if ( !
$result $xoopsDB->query($sql) )
{
  
// redirect_header(XOOPS_URL.'/',1,_MD_ERROROCCURED);
  
echo "Error: $sql
"
;
  echo 
$xoopsDB->error." : ".$xoopsDB->errno;
  exit();
}


The two echo lines produce the following output:
ErrorINSERT INTO mockxoops_draft_order (draftidroundnumberpicknumberuseridVALUES (3111)
:


If I copy the sql statement straight into phpMyAdmin, the insert works without a problem and that's where my frustration lies. Obviously the statement is ok, so where else can the error be? I was hoping that using $xoopsDB->error and errno would provide some insight, but I must be calling them incorrectly.

2
wtravel
Re: MySQL error when doing INSERT from module

Hi,

I had the same problem tonight and received a hint to make it work. The problem is that not all query types are allowed with db->query. However, I have seen it in the 'delete submitted link' functionality in the weblinks module so I still have an open question about this as well.

But anyway, you may find the link below usefull for solving your problem.

https://xoops.org/modules/newbb/viewtopic.php?topic_id=14723&forum=7&post_id=60456#forumpost60456

Regards,

Martijn

3
Mithrandir
Re: MySQL error when doing INSERT from module

if the variable containing the ID of the item to delete comes via the GET variable, you cannot modify database data with db->query(). You need to

a) Change to retrieve the ID in some other way - perhaps POST method or

b) use db->queryF() instead

4
caelon
Re: MySQL error when doing INSERT from module
  • 2003/12/14 21:53

  • caelon

  • Just popping in

  • Posts: 11

  • Since: 2003/2/21


Thanks to both of you. It was not obvious to me from the code doc that db->query() behaved that way; just that it had some security features over queryF().

That said, I would like to stay secure within the framework of xoops. I'm passing a URL to a template so that, when clicked on, it uses a GET to pass a parameter. Since this is a link, there's no form, therefore to populate the URL I use:

$url = "http://www.site.com/modules/mod/mod_signup.php?id=".$myrow['id'];

Obviously that's passing a GET. How do I get around that? I'm not at all proficient in cookies, but if that's the only way, so be it.

5
Mithrandir
Re: MySQL error when doing INSERT from module

You can still use the GET parameter, but you should take some extra steps to make sure that the variable is actually a desired value (and not open to SQL injection, that is, ending the query and starting a new one giving access rights or similar to someone else)

depending on the value it should be, you can take various steps like
$newval = intval($id);
if it is an integer value.
There are probably more steps to take, but I'm not a security expert.

6
wtravel
Re: MySQL error when doing INSERT from module

Hi,

To pass $POST variables I always use a form with method=POST. In the form you can include hidden variables, such as the desired id and the commonly used 'op' variable.


include the hidden variables
show the button to execute the code


If you want I can send you an example later. Let me know if you need it.

Regards,

Martijn

Login

Who's Online

274 user(s) are online (216 user(s) are browsing Support Forums)


Members: 0


Guests: 274


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Jun 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits