Larry Ullman's Book Forums
Posts posted by Larry

  1. Hey! First, just to be clear, you'd be going to the login.php page, not login.inc.php (which is an included file). In any case, to pull this off there are two options (off the top of my head):

    • Use PHP to pass along the destination page. This would mean changing the login link so it adds ?dest=checkout to the URL (for the checkout page; for any other page you'd set this value accordingly). Then you'd update the login page so that on a successful login it redirects to that page. 
    • Use JavaScript to do a redirect to one page back in the history. 

    The PHP route is better in my opinion, but requires a bit more programming effort. 
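The PHP route described above, as an added example that is not part of the original post or the book's own login script: the login link carries ?dest=checkout, login.php keeps that value in a hidden field across the POST, and on success it redirects to the page the value names. The destination is resolved through an allowlist of local pages, so a tampered dest value can never turn the login page into an open redirect to another site. authenticate_user() is a hypothetical function assumed to perform the book's usual credential check and return true on success.

```php
<?php
// Added example, not the book's code. Assumes authenticate_user() exists and
// returns true for valid credentials; session handling follows the usual pattern.
session_start();

// Only these dest values are honoured; each maps to a page on this site.
const LOGIN_DESTINATIONS = [
    'checkout' => 'checkout.php',
    'account'  => 'account.php',
    'cart'     => 'cart.php',
];
const DEFAULT_DESTINATION = 'index.php';

// Turn the requested destination into a safe local URL.
function resolve_destination(?string $dest): string
{
    if ($dest !== null && isset(LOGIN_DESTINATIONS[$dest])) {
        return LOGIN_DESTINATIONS[$dest];
    }
    return DEFAULT_DESTINATION; // unknown or missing value: go to the home page
}

// The link sets ?dest=..., the form echoes it back in a hidden field.
$dest = $_POST['dest'] ?? $_GET['dest'] ?? null;
if (!is_string($dest)) {
    $dest = null; // ignore arrays or other oddities in the query string
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (authenticate_user($_POST['email'] ?? '', $_POST['pass'] ?? '')) {
        session_regenerate_id(true); // fresh session ID once the user is logged in
        header('Location: ' . resolve_destination($dest));
        exit;
    }
    $error = 'Invalid email address or password.';
}
?>
<?php if (isset($error)): ?><p class="error"><?= $error ?></p><?php endif; ?>
<form action="login.php" method="post">
  <input type="hidden" name="dest" value="<?= htmlspecialchars($dest ?? '', ENT_QUOTES, 'UTF-8') ?>">
  <p>Email: <input type="email" name="email"></p>
  <p>Password: <input type="password" name="pass"></p>
  <p><input type="submit" value="Log In"></p>
</form>
```

Because the hidden field is echoed back through htmlspecialchars() and only allowlisted values are ever used in the Location header, the worst a bad dest value can do is send the user to the home page.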

  2. In your two code examples you have different assigned values for if the business name is empty. First you assign it to the PHP NULL and in the script you assign it to the PHP true. Then you use this value in the MySQL NULLIF() function. In either case you use the value in quotes, which might work, but probably isn't in your case. 

    When you're testing this query directly you say it works, but I imagine at that time you're using a query with NULLIF('', ''), which is probably not the same as whatever PHP is doing. My suspicion is the PHP-generated values don't resolve to an equal comparison in the MySQL query. Specifically I would guess that the PHP NULL or true would get converted to 0 or 1 when put into a string and quoted.

    You can confirm this by printing out the query dynamically generated by the PHP script. 
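An added example, not code from the original post, showing what the printed query reveals when a PHP NULL or true is dropped into a quoted SQL literal, and one way to build the optional column value in PHP instead of relying on NULLIF(). $dbc is assumed to be an open mysqli connection and the customers table layout is an assumption.

```php
<?php
// Added example. Assumes $dbc is an open mysqli connection.

// What each PHP value becomes once interpolated into a quoted SQL string.
// This is exactly what printing the generated query would show you.
function show_interpolation($value): string
{
    return "NULLIF('$value', '')";
}
echo show_interpolation(null), "\n";  // NULLIF('', '')  -> NULL, as intended
echo show_interpolation(true), "\n";  // NULLIF('1', '') -> '1', not NULL
echo show_interpolation(false), "\n"; // NULLIF('', '')  -> NULL (false prints as '')

// Build the literal in PHP: an empty or missing business name becomes the
// unquoted keyword NULL, anything else an escaped, quoted string.
function business_name_literal(mysqli $dbc, ?string $name): string
{
    $name = trim((string) $name);
    if ($name === '') {
        return 'NULL';
    }
    return "'" . mysqli_real_escape_string($dbc, $name) . "'";
}

$first    = "'" . mysqli_real_escape_string($dbc, trim($_POST['first_name'] ?? '')) . "'";
$business = business_name_literal($dbc, $_POST['business'] ?? null);
$q = "INSERT INTO customers (first_name, business_name) VALUES ($first, $business)";

// When a dynamic value misbehaves, always look at the query that was actually built:
echo $q, "\n";
```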

  3. Sure, sure! So, simply put, a problematic character in a value could break the syntax of the SQL query when you go to run it. For example, say a person's last name is O'Brien, then this query:

    INSERT INTO people (last_name) VALUES ('$last_name')


    INSERT INTO people (last_name) VALUES ('O'Brien')

    That query won't run in the database because of a syntax error.

    To prevent this problem, PHP developed this thing called Magic Quotes, which automatically escaped problematic characters. But the mysqli_real_escape_string() function actually does a better job of that, as it'll have database-specific results. So what this escape_data() function did was run data through mysqli_real_escape_string(). However, if Magic Quotes was on, that'd result in a value being overly escaped, so that's what the IF clause was addressing. 

  4. Ah, okay, thanks for the additional context. You should be able to update the code by just removing these three lines:

        if (get_magic_quotes_gpc()) {
            $data = stripslashes($data);
        }

    To be clear about that StackOverflow post, you don't need to sanitize input if you're using prepared statements. Since you're not using prepared statements here, failing to use mysqli_real_escape_string() will cause your query to break. 
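The escaping described in the two replies above, as an added example rather than the book's own escape_data() function: the same idea with the Magic Quotes branch gone (get_magic_quotes_gpc() was removed in PHP 8), run against the O'Brien case so the broken and the escaped query can be compared side by side. $dbc is assumed to be an open mysqli connection.

```php
<?php
// Added example, not the book's escape_data(). Assumes $dbc is an open mysqli connection.

function escape_data(mysqli $dbc, string $data): string
{
    // Trim whitespace, then let the driver escape quotes, backslashes and NUL
    // bytes in a way that matches the connection's character set.
    return mysqli_real_escape_string($dbc, trim($data));
}

$last_name = "O'Brien";

// Unescaped: the apostrophe closes the literal early and MySQL reports a
// syntax error near "Brien')".
$broken = "INSERT INTO people (last_name) VALUES ('$last_name')";

// Escaped: the apostrophe is written as \' in the query text, the literal
// stays intact, and the stored value is still O'Brien.
$safe = "INSERT INTO people (last_name) VALUES ('" . escape_data($dbc, $last_name) . "')";

echo $broken, "\n"; // INSERT INTO people (last_name) VALUES ('O'Brien')
echo $safe, "\n";   // INSERT INTO people (last_name) VALUES ('O\'Brien')

$r = mysqli_query($dbc, $safe);
if ($r === false) {
    echo 'Query failed: ' . mysqli_error($dbc) . "\n";
}
```

Note that escaping is tied to the connection's character set, which is why mysqli_real_escape_string() needs $dbc and why it does a better job than a blanket addslashes() would.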

  5. Hey! Good questions here! 

    For question 1, there are two facets. First, the database needs to store the product+size+price combination, which is already supported. (I forget if the admin interface allows you to set different prices for different sizes or not.) Second, on the client-side (in the browser), you'll need to use JavaScript to make the magic happen. You'd use an event handler to watch for size changes and then update the price HTML accordingly. I think I'd be inclined to have the PHP script pull all the sizes and prices first, and store these in a JavaScript object. Then, when the size changes, the JavaScript uses that object to update the HTML.

    For question 2, with the current database structure you'd add a colors table and then a color column to the database, so you create a new SKU for each color. 

    Hope that helps but let me know if you have additional questions. 
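The size-and-price approach from the first answer above, as an added example that is not part of the book's e-commerce scripts: the PHP side fetches every size/price pair for the product, embeds them as a JavaScript object, and a small event handler updates the displayed price when the size changes. $dbc is assumed to be an open mysqli connection; the product_sizes table and its columns are assumptions.

```php
<?php
// Added example, not the book's code. Assumes $dbc is an open mysqli connection
// and a product_sizes(product_id, size, price) table.

$product_id = (int) ($_GET['id'] ?? 0);

$stmt = mysqli_prepare($dbc, 'SELECT size, price FROM product_sizes WHERE product_id = ?');
mysqli_stmt_bind_param($stmt, 'i', $product_id);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

$prices = []; // size => price, e.g. ['S' => 10.0, 'M' => 12.0]
while ($row = mysqli_fetch_assoc($result)) {
    $prices[$row['size']] = (float) $row['price'];
}

// The JSON_HEX_* flags encode < > & ' " as \uXXXX, so a size name containing
// </script> cannot break out of the script block; JSON_FORCE_OBJECT keeps {} when empty.
$prices_json = json_encode(
    $prices,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_FORCE_OBJECT
);
?>
<select id="size">
<?php foreach ($prices as $size => $price): ?>
  <option value="<?= htmlspecialchars($size, ENT_QUOTES, 'UTF-8') ?>"><?= htmlspecialchars($size, ENT_QUOTES, 'UTF-8') ?></option>
<?php endforeach; ?>
</select>
<p>Price: $<span id="price"><?= number_format(reset($prices) ?: 0, 2) ?></span></p>

<script>
// The prices arrive as a JavaScript object literal written by PHP.
var prices = <?= $prices_json ?>;
var select = document.getElementById('size');
var priceEl = document.getElementById('price');

function updatePrice() {
    var price = prices[select.value];
    if (price !== undefined) {
        priceEl.textContent = price.toFixed(2);
    }
}
select.addEventListener('change', updatePrice);
updatePrice();
</script>
```

The displayed price is only cosmetic; the checkout still has to look the price up server-side from the chosen size, never from a value the browser sends back.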

  6. You've already done all the hard work. Kudos! You have the values you need, as an associative array. All you need to do now is pop those values into an INSERT query, something like

    $arr = json_decode($json, true);
    if (!empty($arr['isbn'])) { // Basic validation that data was returned...
        $q = "INSERT INTO books (ISBN, title) VALUES ('{$arr['isbn']}', '{$arr['title']}')";
        $r = mysqli_query($dbc, $q); // $dbc is your mysqli connection; note the values are not escaped here
    }

    Although it'd be best if you use prepared statements or somehow sanitized the values before using them in the query.
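The prepared-statement version the post recommends, as an added example that is not part of the original reply: the decoded array is validated, the ISBN is normalised and checked for shape, and both values are bound rather than spliced into the SQL. $json is the response body already fetched and $dbc an open mysqli connection (both assumed); the sample JSON at the bottom is constructed.

```php
<?php
// Added example, not the book's code. Assumes $dbc is an open mysqli connection.

function insert_book(mysqli $dbc, string $json): bool
{
    $arr = json_decode($json, true);
    if (!is_array($arr) || empty($arr['isbn']) || empty($arr['title'])) {
        return false; // nothing usable came back
    }

    // Strip hyphens and spaces, then accept ISBN-10 (trailing X allowed) or ISBN-13.
    $isbn = strtoupper(preg_replace('/[-\s]/', '', (string) $arr['isbn']));
    if (!preg_match('/^(\d{9}[\dX]|\d{13})$/', $isbn)) {
        return false;
    }
    $title = trim((string) $arr['title']);

    // The values never become part of the SQL text, so no escaping is needed.
    $stmt = mysqli_prepare($dbc, 'INSERT INTO books (ISBN, title) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $isbn, $title);
    $ok = mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $ok;
}

// Constructed sample response standing in for the real API reply:
$json = '{"isbn": "978-0-00-000000-0", "title": "Sample Title"}';
echo insert_book($dbc, $json) ? "Book added.\n" : "Could not add the book.\n";
```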

  7. If you're concerned about a fake ID scenario AND such a query not affecting any rows is cause to stop execution of the code, you could run a SELECT query using the ID first to validate that it's real before running the UPDATE.

    That being said, doing all that seems to me like adding extra overhead to "solve" a problem that's not really a problem. The UPDATE query, like on a password change, should use the primary key, which is immutable, and therefore not user-provided. It's unclear how a fake ID would get into the mix.  
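Both points from the reply above in one added example (not code from the original post): the UPDATE for a password change is keyed on the user ID held in the session rather than anything submitted with the form, the SELECT that fetches the current hash doubles as the "does this ID exist" check, and success is judged by the number of rows the UPDATE touched. The users table layout is an assumption and $dbc is assumed to be an open mysqli connection.

```php
<?php
// Added example, not the book's code. Assumes users(user_id, pass) with
// password_hash() hashes in pass, and $dbc an open mysqli connection.
session_start();

function change_password(mysqli $dbc, int $user_id, string $current, string $new): bool
{
    // Step 1: fetch the stored hash. No row means the ID is not real.
    $stmt = mysqli_prepare($dbc, 'SELECT pass FROM users WHERE user_id = ?');
    mysqli_stmt_bind_param($stmt, 'i', $user_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if (!$found || !password_verify($current, $hash)) {
        return false; // unknown user or wrong current password
    }

    // Step 2: update by primary key; exactly one row should change. A fresh
    // salt means the new hash always differs, so affected rows is reliable here.
    $new_hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($dbc, 'UPDATE users SET pass = ? WHERE user_id = ?');
    mysqli_stmt_bind_param($stmt, 'si', $new_hash, $user_id);
    mysqli_stmt_execute($stmt);
    $changed = mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $changed;
}

if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The ID comes from the session, never from the form.
    $ok = change_password($dbc, (int) $_SESSION['user_id'],
                          $_POST['current'] ?? '', $_POST['new'] ?? '');
    echo $ok ? 'Your password has been changed.' : 'Your password could not be changed.';
}
```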

  8. There are two issues here. One is that there's an error going on in the script. The second is the error handling isn't working properly. For the latter, you don't mention what version of PHP you're using, but I expect the warning in the box applies: https://www.php.net/manual/en/function.set-error-handler.php

    Remove the last parameter from the my_error_handler() definition, as well as the use of that $e_vars variable within it. 

    Once you fix that, you should properly see the actual error that's happening on the page.
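An added example, not the book's own my_error_handler(), of the handler with the four-parameter signature PHP 8 expects: the fifth argument (the $e_vars context array) was deprecated in PHP 7.2 and removed in PHP 8.0, so a handler that requires it stops working. LIVE is a hypothetical constant assumed to be true on the production server.

```php
<?php
// Added example, not the book's code. LIVE is assumed to be true in production.
const LIVE = false;

function my_error_handler(int $e_number, string $e_message, string $e_file, int $e_line): bool
{
    $message = "An error occurred in script '$e_file' on line $e_line: $e_message\n";

    if (!LIVE) {
        // Development: show the error and a backtrace in the page.
        echo '<div class="error">' . nl2br(htmlspecialchars($message, ENT_QUOTES, 'UTF-8'))
           . '<pre>' . htmlspecialchars(print_r(debug_backtrace(), true), ENT_QUOTES, 'UTF-8')
           . '</pre></div>';
    } else {
        // Production: log the detail, tell the visitor as little as possible.
        error_log($message, 3, __DIR__ . '/errors.log');
        if ($e_number !== E_NOTICE && $e_number !== E_USER_NOTICE) {
            echo '<div class="error">A system error occurred. We apologize for the inconvenience.</div>';
        }
    }
    return true; // handled: PHP's built-in handler is not invoked
}

set_error_handler('my_error_handler');

// Raise a warning to see the handler in action; in development the real
// message (and any later error on the page) is now displayed.
trigger_error('Example warning from the added example', E_USER_WARNING);
```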