Hi all.

Im a newbie in PHP and im trying to upload a file to the server.

I use a form to upload a pdf file and some text information about it.

The client uploads the file and the system renames that file and puts
all the information in the database.

The problem is when the client goes again to edit the information, i
always have to choose a file to upload or else it will put blank the
pdf column and he cant find the old one!

i do a $_POST['file'] to the UPDATE statement but i think i need to do
a if clause(and dont know what im going to put )...but where? i tried
it in the UPDATE statement and i cant..

On Jun 20, 10:54am, Pépê <josemariabar...@gmail.com> wrote:
> Hi all.
>
> Im a newbie in PHP and im trying to upload a file to the server.
>
> I use a form to upload a pdf file and some text information about it.
>
> The client uploads the file and the system renames that file and puts
> all the information in the database.
>
> The problem is when the client goes again to edit the information, i
> always have to choose a file to upload or else it will put blank the
> pdf column and he cant find the old one!
>
> i do a $_POST['file'] to the UPDATE statement but i think i need to do
> a if clause(and dont know what im going to put )...but where? i tried
> it in the UPDATE statement and i cant..

Build your update statement dynamically. This is the sort of thing,
but you should sanitise the $_POST input.

if($_POST['file'])
$fileup = ",file = '{$_POST['file']}'";
else
$fileup = '';

$qry = "
INSERT INTO fred SET
id = {$id},
info1 = '{$info1}',
info2 = '{$info2}
{$fileup}
ON DUPLICATE KEY UPDATE
info1 = '{$info1}',
info2 = '{$info2}'
{$fileup}
";

Thanks for the Captain.

Ive had some problems recently with sql injection in ASP.

Im new in PHP. How can i protect the forms in PHP?

I will do a search in google in the meantime...

Once again, thanks

On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
> On Jun 20, 10:54am, Pépê <josemariabar...@gmail.com> wrote:
>
>
>
> > Hi all.
>
> > Im a newbie in PHP and im trying to upload a file to the server.
>
> > I use a form to upload a pdf file and some text information about it.
>
> > The client uploads the file and the system renames that file and puts
> > all the information in the database.
>
> > The problem is when the client goes again to edit the information, i
> > always have to choose a file to upload or else it will put blank the
> > pdf column and he cant find the old one!
>
> > i do a $_POST['file'] to the UPDATE statement but i think i need to do
> > a if clause(and dont know what im going to put )...but where? i tried
> > it in the UPDATE statement and i cant..
>
> Build your update statement dynamically. This is the sort of thing,
> but you should sanitise the $_POST input.
>
> if($_POST['file'])
> $fileup = ",file = '{$_POST['file']}'";
> else
> $fileup = '';
>
> $qry = "
> INSERT INTO fred SET
> id = {$id},
> info1 = '{$info1}',
> info2 = '{$info2}
> {$fileup}
> ON DUPLICATE KEY UPDATE
> info1 = '{$info1}',
> info2 = '{$info2}'
> {$fileup}
> ";

Pépê wrote:
> Thanks for the Captain.
>
> Ive had some problems recently with sql injection in ASP.
>
> Im new in PHP. How can i protect the forms in PHP?

Look up mysql_real_escape_string

On Jun 20, 11:33am, Pépê <josemariabar...@gmail.com> wrote:
> On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
> > On Jun 20, 10:54am, Pépê <josemariabar...@gmail.com> wrote:
>
> > > Hi all.
>
> > > Im a newbie in PHP and im trying to upload a file to the server.
>
> > > I use a form to upload a pdf file and some text information about it.
>
> > > The client uploads the file and the system renames that file and puts
> > > all the information in the database.
>
> > > The problem is when the client goes again to edit the information, i
> > > always have to choose a file to upload or else it will put blank the
> > > pdf column and he cant find the old one!
>
> > > i do a $_POST['file'] to the UPDATE statement but i think i need to do
> > > a if clause(and dont know what im going to put )...but where? i tried
> > > it in the UPDATE statement and i cant..
>
> > Build your update statement dynamically. This is the sort of thing,
> > but you should sanitise the $_POST input.
>
> > if($_POST['file'])
> > $fileup = ",file = '{$_POST['file']}'";
> > else
> > $fileup = '';
>
> > $qry = "
> > INSERT INTO fred SET
> > id = {$id},
> > info1 = '{$info1}',
> > info2 = '{$info2}
> > {$fileup}
> > ON DUPLICATE KEY UPDATE
> > info1 = '{$info1}',
> > info2 = '{$info2}'
> > {$fileup}
> >
> Thanks for the Captain.
>
> Ive had some problems recently with sql injection in ASP.
>
> Im new in PHP. How can i protect the forms in PHP?
>
> I will do a search in google in the meantime...
>
> Once again, thanks

Please do not top post (top posting fixed).

Your main tool for this is mysql_real_escape_string(), but you will
find lots of good threads about this subject in the archives of this
forum.

sheldonlg wrote:
> Pépê wrote:
>> Thanks for the Captain.
>>
>> Ive had some problems recently with sql injection in ASP.
>>
>> Im new in PHP. How can i protect the forms in PHP?
>
> Look up mysql_real_escape_string


I'm new to php also.

Wouldn't that be unnecessary with PDO and placeholders?

It is with perl DBI that strongly resembles PDO and I'd like to know
if I'm mistaken.

Jeff

On Fri, 20 Jun 2008 14:17:27 +0200, Jeff <jeff@spam_me_not.com> wrote:

> sheldonlg wrote:
>> Pépê wrote:
>>> Thanks for the Captain.
>>>
>>> Ive had some problems recently with sql injection in ASP.
>>>
>>> Im new in PHP. How can i protect the forms in PHP?
>> Look up mysql_real_escape_string
>
>
> I'm new to php also.
>
> Wouldn't that be unnecessary with PDO and placeholders?

If you indeed use prepared statments, then yes, it is not necessary to use
mysql_real_escape_string(). It would be destructive even, as your
variables in the database could be polluted with unnecessary (and unused)
escaping characters.
--
Rik Wasmus
....spamrun finished

On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
> On Jun 20, 10:54am, Pépê <josemariabar...@gmail.com> wrote:
>
>
>
> > Hi all.
>
> > Im a newbie in PHP and im trying touploada file to the server.
>
> > I use a form touploada pdf file and some text information about it.
>
> > The client uploads the file and the system renames that file and puts
> > all the information in the database.
>
> > The problem is when the client goes again to edit the information, i
> > always have to choose a file touploador else it will put blank the
> > pdf column and he cant find the old one!
>
> > i do a $_POST['file'] to the UPDATE statement but i think i need to do
> > a if clause(and dont know what im going to put )...but where? i tried
> > it in the UPDATE statement and i cant..
>
> Build your update statement dynamically. This is the sort of thing,
> but you should sanitise the $_POST input.
>
> if($_POST['file'])
> $fileup = ",file = '{$_POST['file']}'";
> else
> $fileup = '';
>
> $qry = "
> INSERT INTO fred SET
> id = {$id},
> info1 = '{$info1}',
> info2 = '{$info2}
> {$fileup}
> ON DUPLICATE KEY UPDATE
> info1 = '{$info1}',
> info2 = '{$info2}'
> {$fileup}
> ";

Hi Captain,

I tried what you ve done but with the update statment:

if($_POST['relatorio_pdf']){
$fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
}else{
$fileup = '';

if (empty($error) ) {

$sql = "UPDATE relatorio SET
relatorio_nome = '{$_POST['relatorio_nome']}',
relatorio_ano = '{$_POST['relatorio_ano']}',
relatorio_pdf = '$fileup',
relatorio_activo = '{$_POST['relatorio_activo']}'
WHERE relatorio_id = {$_GET['relatorio_id']}";


}
But it didnt worked..

And i didnt quite understand this line: $fileup = ",relatorio_pdf =
'{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?