Jump to content

Converting .ASP to PHP HELP!!


danmiddo

Recommended Posts

I have been given a .asp file that needs converting into PHP,

the only issue i am having is with the mass update fields.

 

 

<%@ Language=VBScript %>

<% if Request.QueryString("Home") = Request.QueryString("Away") Then %>
<% Response.Redirect("same.asp") %>
<%End If%>
<% if Request.QueryString("HomeGoal") > Request.QueryString("AwayGoal") Then%>
<%
  Home = Request.QueryString("Home")
  away = Request.QuerySTring("Away")
  Goal = Request.QueryString("HomeGoal")
  GoalIn = Request.QueryString("AwayGoal")

 

Set objConn = Server.CreateObject("ADODB.Connection")
ConnStr = "DRIVER={MySQL ODBC 3.51 Driver};SERVER=localhost;DATABASE=databse;UID=username;PWD=password!;"
objconn.Open(ConnStr)

 

        objConn.Execute "UPDATE teams SET Victories = Victories + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Points = Points + 3 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Played = Played + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Made = Made + '" & Goal & "' WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Let = Let + '" & GoalIn & "' WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Defeats = Defeats + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Played = Played + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Made = Made + '" & GoalIn & "' WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Let = Let + '" & Goal & "' WHERE Team='" & Away & "'"
    objConn.Close
    Set objConn= Nothing
%>
<%End if%>
<% if Request.QueryString("HomeGoal") < Request.QueryString("AwayGoal") Then%>
<%
  Home = Request.QueryString("Home")
  Away = Request.QuerySTring("Away")
  Goal = Request.QueryString("HomeGoal")
  GoalIn = Request.QueryString("AwayGoal")
Set objConn = Server.CreateObject("ADODB.Connection")
ConnStr = "DRIVER={MySQL ODBC 3.51 Driver};SERVER=localhost;DATABASE=databse;UID=username;PWD=password!;"
objconn.Open(ConnStr)

    
        objConn.Execute "UPDATE teams SET Defeats = Defeats + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Played = Played + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Made = Made + '" & Goal & "' WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Let = Let + '" & GoalIn & "' WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Victories = Victories + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Points = Points + 3 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Played = Played + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Made = Made + '" & GoalIn & "' WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Let = Let + '" & Goal & "' WHERE Team='" & Away & "'"
    objConn.Close
    Set objConn= Nothing
%>
<%End if%>
<% if Request.QueryString("HomeGoal") = Request.QueryString("AwayGoal") Then%>
<%
  Home = Request.QueryString("Home")
  Away = Request.QueryString("Away")
  Goal = Request.QueryString("HomeGoal")
  GoalIn = Request.QueryString("AwayGoal")
Set objConn = Server.CreateObject("ADODB.Connection")
ConnStr = "DRIVER={MySQL ODBC 3.51 Driver};SERVER=localhost;databse=fifa2;UID=username;PWD=password!;"
objconn.Open(ConnStr)

    
        objConn.Execute "UPDATE teams SET Draws = Draws + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Points = Points + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Played = Played + 1 WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Made = Made + '" & Goal & "' WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Let = Let + '" & GoalIn & "' WHERE Team='" & Home & "'"
        objConn.Execute "UPDATE teams SET Draws = Draws + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Points = Points + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Played = Played + 1 WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Made = Made + '" & GoalIn & "' WHERE Team='" & Away & "'"
        objConn.Execute "UPDATE teams SET Let = Let + '" & Goal & "' WHERE Team='" & Away & "'"
    objConn.Close
    Set objConn= Nothing
%>
<%End if%>
<% Home = Request.QueryString("Home") %>
<% Away = Request.QueryString("Away") %>
<% HomeGoal = Request.QueryString("HomeGoal") %>
<% AwayGoal = Request.QueryString("AwayGoal") %>

<head>
<title>Game: <%=Home%> against <%=Away%> - Result updated...</title>    


<H3>Result submitted</H3><HR>
<CENTER><B><%=Home%> - <%=HomeGoal%> - <%=AwayGoal%> - <%=Away%></CENTER><BR>
<HR>
<% if HomeGoal = AwayGoal Then %>
<CENTER>The game ended as a draw!</CENTER>
<%End If%>
<% if HomeGoal > AwayGoal Then %>
<CENTER><%=Home%> won against <%=Away%> !</CENTER>
<%End If%>
<% if HomeGoal < AwayGoal Then %>
<CENTER><%=Away%> won against <%=Home%> !</CENTER>
<%End If%>
</b>
<input type="button" value="Back" OnClick="top.location='results.asp'">

 

result_process.asp

Link to comment
Share on other sites

That ASP code is poorly-written.  There are blocks of 4 or 5 update statements which all update the same row in the database.  That only needs to be 1 update statement.  Instead of 5 queries which each update one value, you only need 1 query which updates 5 values.  There's nothing particularly advanced about that, that's just a normal update query.

What you do need to worry about is making sure that you're doing this the right way.  If you're using the old mysql extension with mysql_query, that's the wrong way, that's not supported in PHP 7.  You should use either PDO or mysqli, and you should use prepared statements for each of those update queries.  You need a total of 6 update queries, not the 30 that the original file has.

If you're having problems writing this then post the code you have now and say what issues you're having.

Link to comment
Share on other sites

Yes I am aware the ASP code is poorly presented which is why im probably struggling so much

what im working with at the moment is

 

<?php

if ($_GET["home"] == $_GET["away"]) {
  header("Location: same.php");

$servername = "localhost";
$username = "username";
$password = "password!";

try {
    $conn = new PDO("mysql:host=$servername;dbname=database", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connected successfully";
    }
catch(PDOException $e)
    {
    echo "Connection failed: " . $e->getMessage();
    }

if ($_GET["homegoal"] > $_GET["awaygoal"]) {
  $Home=$_GET["home"];
  $Away=$_GET["away"];
  $Goal=$_GET["homegoal"];
  $GoalIn=$_GET["awaygoal"];


$sql = "UPDATE `teams` SET `Victories` = 'Victories + 1', `Points` = 'Points + 3', `Played` = 'Played + 1', `Made` = 'Made + $Goal', `Let` = 'Let + $GoalIn' WHERE team = $Home AND SET 'Defeats' = 'Defeats + 1', 'Played' = 'Played + 1', 'Made' = 'Made + $GoalIn', 'Let' = 'Let + $Goal' WHERE team = $Away";

?>

 

I am aware that there is flaws with my SQL statement as this is where i am struggling

Untitled.png

Edited by danmiddo
Attached Image
Link to comment
Share on other sites

Your quotes aren't correct.  Don't quote the field name, when you quote the field name you're telling it to use the actual name of the field instead of the value in that field.  So instead of this:

UPDATE `teams` SET `Victories` = 'Victories + 1',

You should do this:

UPDATE `teams` SET `Victories` = `Victories` + 1,

The backticks are optional, you don't need to surround table or field names with them but it's good practice.  You don't need to quote the value at all if it's a number.

You also don't separate 2 update queries with AND like you did there.  You need to actually write and execute 2 update queries, not try to cram 2 update queries into one.

Also, where you have variables in your queries, you should make those placeholders and then add the values later.  That will protect your code from SQL injection attacks.  So instead of this:

`Made` = `Made` + $Goal

You do this:

`Made` = `Made` + ?

or this:

`Made` = `Made` + :goal

And you bind a value to that parameter when you execute the query.  That's what prepared statements are, you prepare the query first with placeholders for the values, and then when you execute it you send the values to the database server.  That will cause the database to always treat the values correctly (you don't have to worry about escaping any characters, or whether or not a value needs to be quoted), and it will prevent SQL injection attacks.

http://php.net/manual/en/pdo.prepared-statements.php

Link to comment
Share on other sites

Yeah i know that the AND statement doesn't/wouldn't work i was just struggling for how to run 2 queries.

I don't need to worry about SQL injection for this as all variables are sent from a previous page which has all values as pre defined values via drop down lists.

have you any idea how i could work this into 2 executable queries?

Link to comment
Share on other sites

Yeah i know that the AND statement doesn't/wouldn't work i was just struggling for how to run 2 queries.

You just define and run them separately.  2 calls to PDO->prepare, execute, etc.

I don't need to worry about SQL injection for this as all variables are sent from a previous page which has all values as pre defined values via drop down lists.

That's not an excuse, there's no rule that says I need to use your form to send $_GET data to that page.  I can type whatever I want in the URL and your code will use it.  You can validate the values or convert to integers if you want to on the server, but any time you use a variable in your query you should use a prepared statement.  That's the rule.

Link to comment
Share on other sites

 

1 minute ago, justsomeguy said:

That's not an excuse, there's no rule that says I need to use your form to send $_GET data to that page.  I can type whatever I want in the URL and your code will use it.  You can validate the values or convert to integers if you want to on the server, but any time you use a variable in your query you should use a prepared statement.  That's the rule.

Everything will be changed to post once its working, GET is purely for testing right now.
and everything on the previous page has the security.

Thanks for your help :)

I shall try and sort this out again, and will update

Link to comment
Share on other sites

Any idea where i am going wrong now? -.-

 

<?php

if ($_GET["home"] == $_GET["away"]) {
  header("Location: same.php");
}

// Connection data (server_address, database, name, poassword)
$servername = "localhost";
$username = "username";
$password = "password!";
$db = "database";

if ($_GET["homegoal"] > $_GET["awaygoal"]) {
  $Home=$_GET["home"];
  $Away=$_GET["away"];
  $Goal=$_GET["homegoal"];
  $GoalIn=$_GET["awaygoal"];

  // Connect and create the PDO object
  $conn = new PDO("mysql:host=$servername; dbname=$db", $username, $password);
 
  $sql1 = "UPDATE teams SET Victories = 'Victories' + 1, Points = 'Points' + 3, Played = 'Played' + 1, Made = 'Made' + $Goal, Let = 'Let' + $GoalIn WHERE team = $Home";
  $sql2 = "UPDATE teams SET Defeats = 'Defeats' + 1, Played = 'Played' + 1, Made = 'Made' + $GoalIn, Let = 'Let' + $Goal WHERE team = $Away";
  $count = $conn->exec($sql1, $sql2);

  $conn = null;        // Disconnect
}
catch(PDOException $e) {
  echo $e->getMessage();
}


?>

Edited by danmiddo
Na
Link to comment
Share on other sites

Everything will be changed to post once its working, GET is purely for testing right now.

Again, there is literally no reason to avoid prepared statements.  I don't have to use your form to do anything.  I can open my browser's developer tools and create a new request to your page and submit whatever post data I want.  Assuming that you can trust the data coming in is probably the #1 major mistake that web programmers make, it's the reason why sites get hacked.  Don't assume that you can trust any data coming in.  What the data is for will depend on how you handle it, if it's going in a database then at a minimum you use a prepared statement to get it there.  If you're going to print it anywhere on a page then you also have to sanitize it against things like cross-site scripting attacks.  If you are expecting numbers, or email addresses, or some type of data, then validate and convert if necessary.  If all of those values you're expecting are numbers then explicitly convert them all to numbers in PHP.  And, really, use prepared statements.  Don't learn how to write PHP code the wrong way, get in the habit of using good practices from the start.

and everything on the previous page has the security.

Assuming that responsibilities for security are somewhere else is how you get into trouble.  With PHP, each request stands alone, they do not depend on other requests.  Security is a responsibility in every request.

Any idea where i am going wrong now?

You're still quoting the column names.  You're telling it to add 1 to the text "Victories".  You don't want text, you want the value in that column.  Don't quote them, quoted things are text.

Also, the exec method only takes 1 parameter:

http://php.net/manual/en/pdo.exec.php

If you're going to use exec you call it once per query, that's what it expects.  You shouldn't use exec though, you should use prepare to prepare your statements with placeholders:

http://php.net/manual/en/pdo.prepare.php

And then call execute to pass the values.  Learn how to do this the right way from the start, there's no reason to even learn the wrong way to do things.

Link to comment
Share on other sites

e.g.:

$stmt = $conn->prepare('UPDATE teams SET Victories = Victories + 1, Points = Points + 3, Played = Played + 1, Made = Made + :goal, Let = Let + :goalin WHERE team = :home');
	$stmt->execute([
	  ':goal' => $Goal, 
	  ':goalin' => $Goalin, 
	  ':home' => $Home
	]);

Link to comment
Share on other sites

1 minute ago, justsomeguy said:

I appreciate your reply,
i can get that part working no issues
my issue is that i need to have 2 queries running
  $sql1 = "UPDATE teams SET Victories = 'Victories' + 1, Points = 'Points' + 3, Played = 'Played' + 1, Made = 'Made' + $Goal, Let = 'Let' + $GoalIn WHERE team = $Home";
  $sql2 = "UPDATE teams SET Defeats = 'Defeats' + 1, Played = 'Played' + 1, Made = 'Made' + $GoalIn, Let = 'Let' + $Goal WHERE team = $Away";

I pull in data for example
Man Utd (home)
3 (goals)

Chelsea (away)

1(goals)

so i need to do 2 updates one for the home team that gets the win and one for the away team that gets the loss.
your example only provides the winning teams Victories, Points, Played, Made, Let
 

 

1 minute ago, justsomeguy said:

 


$stmt = $conn->prepare('UPDATE teams SET Victories = Victories + 1, Points = Points + 3, Played = Played + 1, Made = Made + :goal, Let = Let + :goalin WHERE team = :home');
	$stmt->execute([
	  ':goal' => $Goal, 
	  ':goalin' => $Goalin, 
	  ':home' => $Home
	]);

 

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...