Thread: Upload a file question (PHP Language forum, PHP Programming Forums)
Pépê wrote:
> On 24 Jun, 12:46, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> Pépê wrote:
>>> On 20 Jun, 11:22, Captain Paralytic <paul_laut...@yahoo.com> wrote:
>>>> On Jun 20, 10:54 am, Pépê <josemariabar...@gmail.com> wrote:
>>>>> Hi all.
>>>>> I'm a newbie in PHP and I'm trying to upload a file to the server.
>>>>> I use a form to upload a pdf file and some text information about it.
>>>>> The client uploads the file and the system renames that file and puts
>>>>> all the information in the database.
>>>>> The problem is when the client goes again to edit the information, I
>>>>> always have to choose a file to upload or else it will put blank the
>>>>> pdf column and he can't find the old one!
>>>>> I do a $_POST['file'] to the UPDATE statement but I think I need to do
>>>>> an if clause (and don't know what I'm going to put)... but where? I tried
>>>>> it in the UPDATE statement and I can't..
>>>> Build your update statement dynamically. This is the sort of thing,
>>>> but you should sanitise the $_POST input.
>>>> if($_POST['file'])
>>>>     $fileup = ",file = '{$_POST['file']}'";
>>>> else
>>>>     $fileup = '';
>>>> $qry = "
>>>>     INSERT INTO fred SET
>>>>         id = {$id},
>>>>         info1 = '{$info1}',
>>>>         info2 = '{$info2}'
>>>>         {$fileup}
>>>>     ON DUPLICATE KEY UPDATE
>>>>         info1 = '{$info1}',
>>>>         info2 = '{$info2}'
>>>>         {$fileup}
>>>> ";
>>> Hi Captain,
>>> I tried what you've done but with the update statement:
>>> if($_POST['relatorio_pdf']){
>>>     $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'";
>>> }else{
>>>     $fileup = '';
>>> }
>>> if (empty($error) ) {
>>>     $sql = "UPDATE relatorio SET
>>>         relatorio_nome = '{$_POST['relatorio_nome']}',
>>>         relatorio_ano = '{$_POST['relatorio_ano']}',
>>>         relatorio_pdf = '$fileup',
>>>         relatorio_activo = '{$_POST['relatorio_activo']}'
>>>         WHERE relatorio_id = {$_GET['relatorio_id']}";
>>> }
>>> But it didn't work..
>>> And I didn't quite understand this line: $fileup = ",relatorio_pdf =
>>> '{$_POST['relatorio_pdf']}'"; (why the comma, and then a variable name?
>> That's because you use UPDATE instead of INSERT.
>>
>> INSERT adds a new row to the database (or, as a MySQL extension, updates
>> a current row). UPDATE only changes a row which already exists; it does
>> not add a new row.
>>
>> Additionally,
>>
>> $fileup = ",relatorio_pdf = '{$_POST['relatorio_pdf']}'"
>>
>> is part of the SQL statement. Do you have a column named
>> 'relatorio_pdf' in your table? Also, is the field name in your form
>> 'relatorio_pdf'? If the answer to both is yes, then this code is
>> correct. Otherwise, this is a problem.
>>
>> And finally, when you get your code to what Paul showed you, "it's not
>> working" isn't much help. What errors do you get?
>>
>> --
>> ==================
>> Remove the "x" from my email address
>> Jerry Stuckle
>> JDS Computer Training Corp.
>> jstuck...@attglobal.net
>> ==================
>
> Thanks Jerry, yes everything was working in SQL. It was an error with
> PHP.ini about filesize ...
>
> Other question: can an attacker insert SQL injection through an INSERT
> or UPDATE statement?
>
> Because I'm reading a book about security in SQL and he uses the security
> method only on SELECT statements, like in this example:
>
> $query = sprintf('SELECT field FROM table WHERE FIELD_ID = %d',
>     $_POST['field_id']);
>

Yes, UPDATE and INSERT statements are even more dangerous - SELECT allows him to possibly see things he couldn't. INSERT/UPDATE allows him to CHANGE things to what he shouldn't.

For instance - I had a customer about 2-3 years ago who was running PHPBB2 on his site. He didn't keep up with the security fixes, and one day a hacker went in and defaced the entire BBS. Fortunately, no data was lost and after a couple of hours determining just what had been changed, I was able to get into the database and fix it, with no loss of data.

Then I upgraded his PHPBB2 to the latest version. He now keeps it updated. But because of a security breach in an UPDATE statement, someone was able to hack it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
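As an added example that is not code from anyone in this thread, here is the dynamic UPDATE that Captain Paralytic describes, together with the point Jerry makes about INSERT/UPDATE being just as exposed as SELECT, written in Python against an in-memory SQLite table as a stand-in for the PHP/MySQL code. The table is named after the relatorio columns mentioned in the thread; its schema, the sample row and the form dictionaries are all constructed for this example. `update_safe` adds the pdf column only when a file was actually uploaded and passes every value as a bound parameter, so the old file name is kept on an edit; `update_unsafe` reproduces the string-building pattern from the thread so that the difference can be observed on an ordinary value containing an apostrophe.

```python
import sqlite3

# Constructed schema mirroring the column names used in the thread.
SCHEMA = """
CREATE TABLE relatorio (
    relatorio_id     INTEGER PRIMARY KEY,
    relatorio_nome   TEXT,
    relatorio_ano    INTEGER,
    relatorio_pdf    TEXT,
    relatorio_activo INTEGER
);
INSERT INTO relatorio VALUES (1, 'Annual report', 2006, 'report_2006.pdf', 1);
"""


def open_db():
    """Fresh in-memory database with one sample row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_unsafe(conn, relatorio_id, form):
    """The pattern from the thread: form values spliced straight into the SQL text.
    Kept here only to show what goes wrong; do not use this shape."""
    fileup = ""
    if form.get("relatorio_pdf"):
        fileup = f", relatorio_pdf = '{form['relatorio_pdf']}'"
    sql = (
        f"UPDATE relatorio SET relatorio_nome = '{form['relatorio_nome']}', "
        f"relatorio_ano = '{form['relatorio_ano']}', "
        f"relatorio_activo = '{form['relatorio_activo']}'{fileup} "
        f"WHERE relatorio_id = {relatorio_id}"
    )
    conn.execute(sql)
    conn.commit()


def update_safe(conn, relatorio_id, form):
    """Same optional-column logic, but the SQL text only ever contains column
    names chosen by the code; user-supplied values travel as bound parameters."""
    columns = ["relatorio_nome = ?", "relatorio_ano = ?", "relatorio_activo = ?"]
    params = [
        form["relatorio_nome"],
        int(form["relatorio_ano"]),
        int(form["relatorio_activo"]),
    ]
    # Only touch relatorio_pdf when a new file name was submitted, so an edit
    # without a re-upload leaves the stored file name alone.
    if form.get("relatorio_pdf"):
        columns.append("relatorio_pdf = ?")
        params.append(form["relatorio_pdf"])
    params.append(int(relatorio_id))
    sql = "UPDATE relatorio SET " + ", ".join(columns) + " WHERE relatorio_id = ?"
    conn.execute(sql, params)
    conn.commit()


def fetch_row(conn, relatorio_id):
    cur = conn.execute(
        "SELECT relatorio_nome, relatorio_ano, relatorio_pdf, relatorio_activo "
        "FROM relatorio WHERE relatorio_id = ?",
        (relatorio_id,),
    )
    return cur.fetchone()


def demo():
    """Returns (row after edit without upload, whether the unsafe update survived
    an apostrophe, row after the safe update with the same apostrophe)."""
    # Constructed form submission: the user edits the title but uploads no file.
    edit = {
        "relatorio_nome": "Annual report (revised)",
        "relatorio_ano": "2006",
        "relatorio_activo": "1",
        "relatorio_pdf": "",
    }
    conn = open_db()
    update_safe(conn, 1, edit)
    kept = fetch_row(conn, 1)  # pdf column still 'report_2006.pdf'

    # A perfectly legitimate title with an apostrophe (constructed input):
    # the string-built statement is no longer valid SQL, the bound one is fine.
    awkward = dict(edit, relatorio_nome="O'Brien's report")
    try:
        update_unsafe(open_db(), 1, awkward)
        unsafe_survived = True
    except sqlite3.OperationalError:
        unsafe_survived = False
    conn2 = open_db()
    update_safe(conn2, 1, awkward)
    return kept, unsafe_survived, fetch_row(conn2, 1)


if __name__ == "__main__":
    print(demo())
```

The design point is the one Captain Paralytic and Jerry are circling: the column list may be assembled dynamically, because the code decides which columns appear, but the values must never be assembled into the statement text, for UPDATE and INSERT exactly as for SELECT.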