
PHP Update function? Problem


ColdEdge


Hello, I am trying to update my user's avatar but it keeps updating MySQL to a blank field. Can someone tell me what I am doing wrong in my script?

editAvatar.php

<?php
# include required system classes
include 'connect.php';
include 'header.php';
$uid = $_GET['id'];
$pic = $_GET['new'];
echo "<form action='?uid=".$_SESSION['user_id']."&pic=".$_POST['pic']."' method='post'>
              <input type='hidden' value='".$_SESSION['user_id']."' name='uid'>
              <input type='text' value='".$_SESSION['user_avatar']."' size='28' name='pic'>
              <input type='submit' value='Update Avatar'>
</form>";
mysql_query("UPDATE users SET user_avatar = '".$_GET['new']."' WHERE user_id = '".mysql_real_escape_string($_GET['uid'])."'");
include 'footer.php';
?>

- Thanks, if you need additional info please just post it here. Thanks once again...


What's in connect.php and header.php? What errors do you get? Why do you unconditionally execute the query? You should only execute it if the parameters are present and are valid.


@boen_robot There's no errors, it just updates a field in mysql titled user_avatar to blank. Here's the scripts you requested as well.

connect.php

<?php
session_start();
//connect.php
$server   = 'localhost';
$username = 'haruka';
$password = '***********';
$database = 'kyonko';

if(!mysql_connect($server, $username, $password))
{
    exit('Error: could not establish database connection');
}
if(!mysql_select_db($database))
{
    exit('Error: could not select the database');
}
?>

header.php

<?php
header("Cache-Control: no-cache");
header("Pragma: no-cache");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>**************</title>
    <script type="text/javascript" src="http://static.ak.*************.com/forum/general.js"></script>
    <script type="text/javascript" src="http://static.ak.*************.com/forum/latest/jquery-1.4.2.min.js"></script>
    <script type="text/javascript" src="http://static.ak.*************.com/forum/latest/markitup/jquery.markitup.js"></script>
    <script type="text/javascript" src="http://static.ak.*************.com/forum/latest/markitup/sets/default/set.js"></script>
    <link rel="stylesheet" type="text/css" href="http://static.ak.*************.com/forum/latest/markitup/skins/simple/style.css" />
    <link rel="stylesheet" type="text/css" href="http://static.ak.*************.com/forum/latest/markitup/sets/default/style.css" />
    <script type="text/javascript" >
    $(document).ready(function() {
        $("textarea").markItUp(mySettings);
    });
    </script>
    <script type="text/javascript">
    $(document).ready(function(){
        $(".btn1").click(function(){
            $(".rep").show();
        });
        $(".btn2").click(function(){
            $(".rep").hide();
        });
    });
    </script>
    <link rel="stylesheet" href="http://static.ak.*************.com/forum/style.css" type="text/css">
    <link rel="stylesheet" href="http://static.ak.*************.com/forum/profile.css" type="text/css">
<body onload="javascript:resize_avatars(200,180)">
<h1></h1>
    <div id="wrapper">
    <div id="menu">
    <!--
        <a class="item" href="forum/addtopic">Create a topic</a>
        <a class="item" href="forum/create_cat.php">Create a category</a>
        <a class="item" href="forum/ucp.php">My Account</a>
    -->
        <?php
        if($_SESSION['signed_in'])
        {
            echo '<a class="item" href="forum/">Home</a> ';
            echo '<a class="item" href="forum/ucp/' . htmlentities($_SESSION['user_name']) . '">My Account</a>';
            echo '<div id="userbar">';
            echo 'Hello <b>' . htmlentities($_SESSION['user_name']) . '</b>. Not you? <a class="item" href="forum/logout/id' . htmlentities($_SESSION['user_id']) . '">Sign out</a>';
        }
        else
        {
            echo '<div id="userbar">';
            echo '<a class="item" href="forum/login.asp">Sign in</a> or <a class="item" href="forum/register.asp">create an account</a>';
        }
        ?>
        </div>
    </div>
<?php
if($_GET['ref'] == '.home') {
    $sys_note = "<div style='padding:8px;background-color:#fae7af;'>You have been referenced here from the main page!</div>";
}
?>
        <div id="content">
                <?php echo "$sys_note"; ?>

About it, please ignore the .asp part I am using mod_rewrite, for majority of the site.


Speaking of updating avatars, I think it would be a good idea if you changed your own...

If this query:

mysql_query("UPDATE users SET user_avatar = '".$_GET['new']."' WHERE user_id = '".mysql_real_escape_string($_GET['uid'])."'");

..sets your user_avatar field to an empty string, then the reason for that is because $_GET['new'] does not contain any data. Where are you setting $_GET['new']?


@justsomeguy... O.o sorry about my avatar, a friend of mine was messing around with my avatars while I was away he managed to change them not only for W3Schools but also for my Twitter and FaceBook pages. Fixed that part ^^.

The $_GET['new'] should be coming from this script as stated in post #1 of this topic.

<?php
# include required system classes
include 'connect.php';
include 'header.php';
$uid = $_GET['id'];
$pic = $_GET['new'];
// The action should execute the query on the same page
echo "<form action='?uid=".$_SESSION['user_id']."&pic=".$_POST['pic']."' method='get'> # changed this to GET rather than POST as before.
              <input type='hidden' value='".$_SESSION['user_id']."' name='uid'>
              <input type='text' value='".$_SESSION['user_avatar']."' size='28' name='new'> # changed it from pic to new
              <input type='submit' value='Update Avatar'>
</form>";
mysql_query("UPDATE users SET user_avatar = '".$_GET['new']."' WHERE user_id = '".mysql_real_escape_string($_GET['uid'])."'");
include 'footer.php';
?>

Even after fixing the $_GET['new'] and changing method to GET the query still passes a blank string to MySQL resulting in user_avatar field to go blank....


either use javascript to validate, before submitting, or php after submission and finding the field empty show the form

js

<form onsubmit="validateme();" .....>
<input type='text' value='".$_SESSION['user_avatar']."' size='28' name='new' id='new'>

function validateme()
{
    valid=false;
    avnew = document.getElementById("new").value;
    if(avnew != "")
    {
        valid=true;
    }
    else
    {
        alert("Input field blank")
    }
    return valid;
}

php

if(isset($_GET["new"]))
{
    // Update database
}
else
{
    // show error message
}


@dsonesuk

The function for the javascript displays alert message, however upon closing it or pressing OK the function still executes the method and sends the users to the specified location.

I used a bit different validation method that seems to work so far, I used this one that I found on W3Schools

<script type="text/javascript">
function validate_required(field,alerttxt)
{
    with (field)
    {
        if (value==null||value=="")
        {
            alert(alerttxt);return false;
        }
        else
        {
            return true;
        }
    }
}

function validate_form(thisform)
{
    with (thisform)
    {
        if (validate_required(email,"Email must be filled out!")==false)
        {email.focus();return false;}
    }
}
</script>


1. Avoid using "with" in JavaScript. In an evil construct, the only one more evil is eval()... you'll know why when you learn JavaScript in a greater detail.

2. JavaScript validation can be bypassed by attackers. Sure, the form will behave normally for the average user, but a malicious user could do something harmful to your whole database, like deleting all avatars for example.

3. In PHP, you can see if a variable is present with isset(). To check if a variable is empty, you can use empty().
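
The server-side check the replies above call for, as an added example that is not part of any poster's code: the update runs only when the field is present and valid, the value reaches SQL through a bound parameter, and the user id is taken from the session instead of the request. The function name updateAvatar is hypothetical, and PDO with an in-memory SQLite table of constructed rows stands in for the thread's MySQL users table so the script runs offline.

```php
<?php
function updateAvatar(PDO $db, array $session, array $post): string
{
    // The user id comes from the server-side session, never from the request.
    if (empty($session['user_id'])) {
        return 'not signed in';
    }
    // isset() catches a missing parameter; trim() plus '' catches a blank one.
    if (!isset($post['new']) || !is_string($post['new'])) {
        return 'missing avatar field';
    }
    $url = trim($post['new']);
    if ($url === '' || strlen($url) > 255) {
        return 'avatar URL empty or too long';
    }
    // Accept only absolute http(s) URLs.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        return 'avatar must be an http(s) URL';
    }
    // Bound parameters keep the value out of the SQL text.
    $stmt = $db->prepare('UPDATE users SET user_avatar = :avatar WHERE user_id = :uid');
    $stmt->execute([':avatar' => $url, ':uid' => (int) $session['user_id']]);
    return $stmt->rowCount() === 1 ? 'updated' : 'no row changed';
}

// Constructed demo data (assumption: the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_avatar TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'http://example.com/old.png')");
$db->exec("INSERT INTO users VALUES (2, 'http://example.com/other.png')");

$session = ['user_id' => 1];
$cases = [
    [],                                                    // field missing
    ['new' => '   '],                                      // blank after trim
    ['new' => "x', user_avatar='"],                        // not a URL
    ['new' => 'https://example.com/new.png', 'uid' => 2],  // request uid is ignored
];
foreach ($cases as $post) {
    echo json_encode($post), ' => ', updateAvatar($db, $session, $post), "\n";
}
foreach ($db->query('SELECT user_id, user_avatar FROM users') as $row) {
    echo $row['user_id'], ': ', $row['user_avatar'], "\n";
}
```

Only the last case changes a row, and it changes user 1 even though the request carried uid=2.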
