
I would like to start off by saying I am very new at PHP. The following code was written by an acquaintance who is no longer able to assist and I am trying to further develop some additional things with it. I am running into an issue that I cannot wrap my head around.

The explode array is used to break a series of commands up into parts that are used within mysql statements to manipulate a database.

The issue I am having is some commands seem to work and some don't. See below:

```php
if(isset($_POST['commandline'])){
    // handle command
    $command = $_POST['commandline'];
    $parts = explode(",", $command);
    //print_r($parts);
    // we know the first part is a command

    // (other command branches exist above this point; they are omitted from the excerpt)

    // UPDATE NATURE CODE BY EVENT NUMBER  WORKS
    // PART 1 IS THE EVENT ID PART 2 IS THE NEW CALL TYPE
    else if(preg_match("/UTE/", $parts[0])){
        mysql_query("UPDATE runs SET calltype='{$parts[2]}' WHERE id='{$parts[1]}'");
    }

    // UPDATE LOCATION EVENT NUMBER  WORKS
    // PART 1 IS THE EVENT ID PART 2 IS THE NEW LOCATION
    else if(preg_match("/ULE/", $parts[0])){
        mysql_query("UPDATE runs SET location='{$parts[2]}' WHERE id='{$parts[1]}'");
    }

    // UPDATE DESCRIPTION EVENT NUMBER  WILL NOT WORK
    // PART 1 IS THE EVENT ID PART 2 IS THE NEW DESCRIPTION
    else if(preg_match("/UDE/", $parts[0])){
        mysql_query("UPDATE runs SET discrip='{$parts[2]}' WHERE id='{$parts[1]}'");
    }

    else {
        header("Location: main.php?message=fail");
        die;
    }
}
```

As you can see from my comments, the UTE and ULE commands work; however, the UDE command will not work. I have a feeling it has something to do with the "UTE" and "UDE" part, as if I change "UDE" to a random letter like "Q" it will work.

Anyone know what is going on and how to get the "UDE" part to work? Any help is much appreciated.


closed as too localized by Marcin Orlowski, andrewsi, Peter Ritchie, hjpotter92, Frank van Puffelen May 19 '13 at 12:22


Where is the closing brace of the first if? Or is this not the complete code? As it is you would get an error about unexpected T_ELSE on line 9 of your excerpt. –  ScallioXTX May 18 '13 at 21:13
@PeeHaa - No, there was no exchange of money, as this was written by them as a favor to me, and said acquaintance allowed me to continue using the code. –  NC1787 May 18 '13 at 21:20
@ScallioXTX - This is not all of the code. There are several other commands above and below these commands that are working. The closing brace is here: `else { header("Location: main.php?message=fail"); die;} }` –  NC1787 May 18 '13 at 21:23
Is your field really called discrip or should that be descrip? –  Vedran Šego May 18 '13 at 21:47
"No there was no exchange of money" That explains why your acquaintance is trying to program backdoors into your application. xkcd.com/327 –  Niet the Dark Absol May 18 '13 at 21:53

1 Answer

1) SQL Injection danger

2) /UDE has no special meaning, so that '/UDE/' will behave the same as '/ULE/' or '/ABC/'.

3) If you add an echo above the defective query, does it get shown?

```php
else if(preg_match("/UDE/", $parts[0])){
    echo 'Do you see that line here?';
    mysql_query("UPDATE runs SET discrip='{$parts[2]}' WHERE id='{$parts[1]}'");
}
```

4) What happens if you execute that query manually?

The last two points are a general procedure to tell PHP and MySQL errors apart.

Edit: If you print_r($parts) and it is an empty array, then $parts[0] cannot match your regex. In that case you must track down why the explode() fails. Shorten the part after ?commandline= to ?commandline=xxx,yyy; then change it to the bare minimum needed to reproduce the error.

Likely reason:

Does the part after ?commandline= in your URL contain any of the characters "? & #"? That would immediately end the parameter.

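A hardened version of the same dispatcher, added here as an example (it is not the asker's or the answerer's code): it assumes a PDO connection `$pdo`, PHP 7.1 or newer, and the `runs` table with the columns named in the question, matches the command code exactly instead of by substring, keeps column names in a whitelist, binds the values, and returns the affected row count so a failing update is visible rather than silent.

```php
<?php
// Added example, not the code from the question. Assumes a PDO connection $pdo
// and a table `runs` with columns id, calltype, location, discrip (names from the question).

// Whitelist: command code => the one column that code may update.
const COMMAND_COLUMNS = [
    'UTE' => 'calltype',
    'ULE' => 'location',
    'UDE' => 'discrip',
];

function parseCommand(string $line): ?array
{
    // Limit of 3 keeps commas inside the new value (e.g. a description) intact.
    $parts = array_map('trim', explode(',', $line, 3));
    // Exact match on the code replaces preg_match("/UDE/") substring search,
    // and the command must have exactly three parts: code, event id, new value.
    if (count($parts) !== 3 || !array_key_exists($parts[0], COMMAND_COLUMNS)) {
        return null;
    }
    if (!ctype_digit($parts[1])) {   // the event id must be an unsigned integer
        return null;
    }
    return [
        'column' => COMMAND_COLUMNS[$parts[0]],
        'id'     => (int) $parts[1],
        'value'  => $parts[2],
    ];
}

function runCommand(PDO $pdo, string $line): int
{
    $cmd = parseCommand($line);
    if ($cmd === null) {
        throw new InvalidArgumentException('unknown or malformed command');
    }
    // The column name comes from the whitelist, never from the input; values are bound.
    $stmt = $pdo->prepare(sprintf('UPDATE runs SET %s = :value WHERE id = :id', $cmd['column']));
    $stmt->execute([':value' => $cmd['value'], ':id' => $cmd['id']]);
    return $stmt->rowCount();   // 0 means no row had that id: report it instead of failing silently
}

// Usage sketch (placeholder credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=DBNAME', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// if (isset($_POST['commandline'])) {
//     try { $rows = runCommand($pdo, $_POST['commandline']); }
//     catch (Throwable $e) { error_log($e->getMessage()); header('Location: main.php?message=fail'); exit; }
// }
```

With `ERRMODE_EXCEPTION` set, a query that fails (a misspelled column, for instance) raises an exception you can log, which answers points 3 and 4 of the answer without sprinkling echo statements into the branches.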
