Writing to SQL database (PHP shizzle)



heavywater
17-02-11, 13:48
Right, first things first.


I do not have a clue about PHP or MySQL...


I'm trying to add a steam username to a database for a clan website. Xfire is already sorted but I can't get steam to add. Relevant stuff is below.


code edited out


The trouble is, I can submit the information but when I refresh the page or view the roster it's just disappeared, it seems it's not actually getting added.

I'm 99% certain there's something I've just not done (I haven't changed anything within the databases at all, I had a look but couldn't even find out how to edit them). The only things I've edited are the two docs above and the two documents that display the info (roster and profile).

Anyone point me in the right direction?

Thanks

Dukey
17-02-11, 14:04
First thing I tend to do when diagnosing problems like this is to:

remove the redirects
echo out the SQL queries
manually try running them in phpmyadmin

Often this highlights the fact that a certain query isn't running, or that there is an SQL error that PHP might be hiding (not that I can spot one from glancing at your code!)

heavywater
17-02-11, 14:14
Well it seems that it's not just the steam fields that aren't submitting, with the steam stuff added, nothing on the form submits... :confused:

All it's trying to do differently (I think) is fetch the profile_info database and store the details to it.

Dukey
17-02-11, 14:27
Well it seems that it's not just the steam fields that aren't submitting, with the steam stuff added, nothing on the form submits... :confused:

All it's trying to do differently (I think) is fetch the profile_info database and store the details to it.

That'd happen with an SQL error I believe, instead of just doing the bits that work, MySQL spits it all out.

heavywater
17-02-11, 14:33
Yeah, that's what I suspected.

I think this thread needs some DoubleTop. :D

andyn
17-02-11, 14:33
You'll need to do more validating and filtering of those variables you're throwing into SQL insert statements. If one of them contains a quote your SQL will be invalid; worse you're right open to SQL injection attacks.

What I mean by that is that if someone enters their 'rig' for example as:


'; SOME NASTY SQL COMMAND HERE;

They will be able to run their own SQL commands against your database.

As to why it's breaking, again that's probably down to the SQL giving errors, maybe because of quoting. Change your script to echo it and see exactly what the SQL being attempted is, and try running it directly against SQL (phpmyadmin or whatever).

Dukey
17-02-11, 14:37
Yeah, that's what I suspected.

I think this thread needs some DoubleTop. :D

Perhaps ;)

Also, looking at your code it may be worth you having a quick read through this:
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

Can never be too safe! :)

Andyn beat me to it :D

heavywater
17-02-11, 14:49
It's not my code.

Also,

Right, first things first.

I do not have a clue about PHP or MySQL...


I'll have a look through the validation in a bit. :)

DoubleTop
17-02-11, 16:36
// Escape every submitted value in place (needs an open mysql_connect() connection first)
foreach($_POST as $key => $value)
{
$_POST[$key] = mysql_real_escape_string($value);
}
That will go some distance in preventing the SQL injection; you perhaps need to look at some form of validation on the $_GET['id'] as well, depending on how the script works, or I could set everyone to ARIARULES by altering the URL params.

As to why it isn't working, the advice above is good. Look at putting in something like this that makes things nicer.

$sql = "UPDATE player_profiles SET forumid='$forumid', location='$location', favouritegames='$favgame', rig='$rig', other='$other', imageurl='$imageurl', xfire='$xfire', steam='$steam', rank='$rank', bginfo='$bginfo' WHERE rosterid='$uid'";
//if in debug mode .....
echo $sql;
$result = mysql_query($sql);
//now validate the $result
if(mysql_affected_rows() <> 1) {
echo mysql_error();
}

there are other ways of validating an update sql statement, but this tends to work and it'll give you a clue to why it's not working. It could be the datatype for the column steam in your database is not a string?

DT.
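An added example (not code from the thread) pulling together the points andyn and DoubleTop make: the interpolated UPDATE pattern from the post beside a parameterised one, with the echo-the-SQL step, an integer check on the id, and the affected-rows test. It uses PDO against an in-memory SQLite table so it runs stand-alone; the table and column names (player_profiles, rosterid, rig, steam) are taken from DoubleTop's query, while the schema, the sample row and the input values are constructed. For a real MySQL site the DSN would be a mysql: one with the site's credentials.

```php
<?php
// Added example, not from the thread. Uses SQLite in memory so it runs offline;
// for MySQL swap the DSN for 'mysql:host=...;dbname=...' plus user/password.
$pdo = new PDO('sqlite::memory:');
// Make the driver throw on errors so a broken query cannot fail silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample row; only the names come from the post's query.
$pdo->exec("CREATE TABLE player_profiles (rosterid INTEGER PRIMARY KEY, rig TEXT, steam TEXT)");
$pdo->exec("INSERT INTO player_profiles (rosterid, rig, steam) VALUES (1, 'old rig', 'old_steam')");

// The $_GET['id'] check DoubleTop mentions: accept only a positive integer.
function validId(string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("rosterid must be a positive integer");
    }
    return $id;
}

// 1. The pattern from the thread: values dropped straight into the SQL string.
//    A single quote in the input changes the statement itself, which is both
//    the "nothing submits" symptom and the injection exposure andyn describes.
function updateInterpolated(PDO $pdo, string $uid, string $rig, string $steam): int {
    $sql = "UPDATE player_profiles SET rig='$rig', steam='$steam' WHERE rosterid='$uid'";
    echo "Attempting: $sql\n";   // Dukey's "echo out the SQL" debugging step
    return $pdo->exec($sql);     // throws PDOException on a syntax error
}

// 2. Parameterised version: the SQL text is fixed, values travel separately,
//    so no escaping step is needed and a quote is just data.
function updatePrepared(PDO $pdo, int $uid, string $rig, string $steam): int {
    $stmt = $pdo->prepare(
        "UPDATE player_profiles SET rig = :rig, steam = :steam WHERE rosterid = :uid"
    );
    $stmt->execute([':rig' => $rig, ':steam' => $steam, ':uid' => $uid]);
    return $stmt->rowCount();    // same idea as mysql_affected_rows()
}

$rig   = "Dave's gaming rig";    // constructed input containing a quote
$steam = 'heavywater';

try {
    updateInterpolated($pdo, '1', $rig, $steam);
} catch (PDOException $e) {
    // This is the failure the thread saw: the statement is invalid, so nothing is written.
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

$rows = updatePrepared($pdo, validId('1'), $rig, $steam);
if ($rows !== 1) {
    // An UPDATE touching zero rows usually means a wrong id, not a successful write.
    echo "Unexpected affected rows: $rows\n";
}

$row = $pdo->query("SELECT rig, steam FROM player_profiles WHERE rosterid = 1")
           ->fetch(PDO::FETCH_ASSOC);
echo "Stored: {$row['rig']} / {$row['steam']}\n";
```

Run it with `php example.php`: the interpolated attempt prints the echoed SQL and then the driver's syntax error, which is exactly what `die(mysql_error());` after the query would have shown; the prepared attempt reports one affected row and the stored rig keeps its apostrophe. Because the prepared statement never splices user text into the query, it also removes the need for the `mysql_real_escape_string` loop.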

heavywater
17-02-11, 16:56
All sorted now, chucked die(mysql_error()); in after the query and debugged from there.

Thanks for the help and I'll have a look at the validation soon. :)