I'm in a bit of a crunch and can't seem to figure out what is going on with my mysql queries.
I have one query at the beginning of the page that is a DELETE:
$sql = "DELETE FROM CART_CARD WHERE cartID=".$_SESSION['cartID'].";";
and another at the end of the page that is an INSERT:
$sql="INSERT INTO CART_CARD (cartID, cardID, cardTo, cardFrom, cardEmail, cardImage, cardNote) VALUES(".$_SESSION["cartID"].",".$_POST["cardID".$cardNum].",'".$tmp_to."','".$tmp_from."','".$_POST["email".$cardNum]."','".$_POST["image".$cardNum]."','".$tmp_note."');";
Now both queries work fine on their own, but when I have them both uncommented, the second query either is not inserting or the DELETE query is running after the INSERT.
I know there is UPDATE, but I don't think that is what I need, because the idea is there could be 10 items in this table with that ID, and I want to clear them all out and only add 1, 2, or 3 new ones depending on the situation.
To me it seems like the DELETE is running after the UPDATE (even though the DELETE is before the INSERT on the page), since I'm not getting any errors. Is this possible?
The full code is:
<?php
include("functions/gcsession.php");
?>
<?php
$sql = "DELETE FROM CART_CARD WHERE cartID=".$_SESSION['cartID'].";";
//echo $sql."<br>";
mysql_query($sql) or die(mysql_error());
$viaMail = "[email protected]";
get_header();
echo $_SESSION["cartID"];
?>
<!-- Start Page Content -->
<div class="main_content">
<table align="center" border="0" cellpadding="0" cellspacing="0" width="900">
<!-- fwtable fwsrc="index.png" fwbase="index.jpg" fwstyle="Dreamweaver" fwdocid = "127155253" fwnested="0" -->
<tr>
<td colspan="6" valign="top">
<!--start code here ---------->
<noscript><div align="center" style="color:#FF0000;">Please enable JavaScript to view this website correctly.</div><br />
</noscript>
<?php $validateEmail = true;
for($i=1;$i<=$_POST["cardNum"];$i++){
$cardNum = $i;
$emailTo = "";
if($_POST["email".$cardNum]=="" && ($_POST["emailTo".$cardNum]==$viaMail))
$emailTo = $viaMail;
else
$emailTo = $_POST["email".$cardNum];
if($emailTo=="")
$validateEmail = $validateEmail && false;
else
$validateEmail = $validateEmail && true;
if($emailTo==$viaMail){
$tmp_to = $_POST["to".$cardNum];
$tmp_from = $_POST["from".$cardNum];
$tmp_note = $_POST["note".$cardNum];
$tmp_sname = $_POST["senderName".$cardNum];
$tmp_sadr1 = $_POST["senderAddr1".$cardNum];
$tmp_sadr2 = $_POST["senderAddr2".$cardNum];
$tmp_scity = $_POST["senderCity".$cardNum];
$tmp_rname = $_POST["recpName".$cardNum];
$tmp_radr1 = $_POST["recpAddr1".$cardNum];
$tmp_radr2 = $_POST["recpAddr2".$cardNum];
$tmp_rcity = $_POST["recpCity".$cardNum];
$sql="INSERT INTO CART_CARD (cartID, cardID, cardTo, cardFrom, cardEmail, cardImage, cardNote,senderName,senderAddr1,senderAddr2,senderCity,senderState,senderZip,
recpName,recpAddr1,recpAddr2,recpCity,recpState,recpZip) VALUES(";
$sql .= $_SESSION["cartID"].",".$_POST["cardID".$cardNum].",'".$tmp_to."','".$tmp_from."','".$emailTo."','".$_POST["image".$cardNum]."','".$tmp_note."','".$tmp_sname."','".$tmp_sadr1."','".$tmp_sadr2."','".$tmp_scity."','".$_POST["senderState".$cardNum]."','".$_POST["senderZip".$cardNum]."','".$tmp_rname."','".$tmp_radr1."','".$tmp_radr2."','".$tmp_rcity."','".$_POST["recpState".$cardNum]."','".$_POST["recpZip".$cardNum]."')";
error_log("[".date("j-M-Y G:i:s")."] viaMail CART_CARD sql=".$sql."\n", 3, "log-chkout-".date("Y-m").".txt");
}else{
$tmp_to = mysql_real_escape_string($_POST["to".$cardNum]);
$tmp_from = mysql_real_escape_string($_POST["from".$cardNum]);
$tmp_note = mysql_real_escape_string($_POST["note".$cardNum]);
$sql="INSERT INTO CART_CARD (cartID, cardID, cardTo, cardFrom, cardEmail, cardImage, cardNote) VALUES(".$_SESSION["cartID"].",".$_POST["cardID".$cardNum].",'".$tmp_to."','".$tmp_from."','".$_POST["email".$cardNum]."','".$_POST["image".$cardNum]."','".$tmp_note."');";
error_log("[".date("j-M-Y G:i:s")."] email CART_CARD sql=".$sql."\n", 3, "log-chkout-".date("Y-m").".txt");
}
$insertSQL = mysql_query($sql) or die(mysql_error());
}// end for i
?>
<div align="center" class="style8"><br>
<!-------end code here-------->
<?php if($validateEmail){ ?>
One moment please...<br>
If you experience a delay, please click
<input type="submit" name="button" id="button" value="Proceed to Check Out">
<?php }else{ ?>
The recipient email is blank.<br>
Please ensure you enable JavaScript on your browser and try again.
<input type="button" name="redo" id="button" onClick="location.href='/gift-certificates/'" value="Start Over">
<?php } ?>
</div>
</form> </td>
</tr>
</table>
</div>
<script type="text/JavaScript">
<!--
<?php if($validateEmail){ ?>
//document.redirect.submit();
<?php }else{ ?>
alert('The recipient email is blank. Please ensure you enable JavaScript on your browser and try again.');
location.href='<?php echo $siteURL?>/gift-certificates/';
<?php } ?>
//-->
</script>
<?php get_footer();?>
$sql for the INSERT statement? – eggyal Dec 19 '12 at 1:52
inside one of your strings, which is resulting in erroneous SQL syntax (and therefore the INSERT statement is failing). As @KaiQing noted, this might have been immediately obvious with error reporting; it would also be solved by parameterising your variables in a prepared statement, as suggested above to mitigate the risk of SQL injection attacks. – eggyal Dec 19 '12 at 1:57