• Resolved mortenamdk

    (@mortenamdk)


    Hi

    I have a problem with updating the database: nothing changes.
    Here is my code:

        global $wpdb;
        $outPut = $wpdb->get_results( "SELECT * FROM wp_topbanner" );

        foreach ( $outPut as $(hidden)_top_banner ) {
            if ( isset( $_POST['submit_update'] ) ) {
                $wpdb->update(
                    'wp_topbanner',
                    array(
                        '(hidden)_top_banner_name'                => $_POST['(hidden)_top_banner_name'],
                        '(hidden)_top_banner_name_color'          => $_POST['(hidden)_top_banner_name_color'],
                        '(hidden)_top_banner_name_top_height'     => $_POST['(hidden)_top_banner_name_top_height'],
                        '(hidden)_top_banner_name_top_start_date' => $_POST['(hidden)_top_banner_name_top_start_date'],
                        '(hidden)_top_banner_name_top_stop_date'  => $_POST['(hidden)_top_banner_name_top_stop_date'],
                        '(hidden)_top_banner_name_media'          => $_POST['(hidden)_top_banner_name_media'],
                        // integer (number); no trailing space inside the $_POST key
                        '(hidden)_image_attachment_id'            => $_POST['(hidden)_image_attachment_id'],
                    ),
                    array( 'id' => $(hidden)_top_banner->id ),
                    array( '%s', '%s', '%s', '%s', '%s', '%s', '%d' ), // formats for $data, in order
                    array( '%d' )                                       // format for the WHERE id
                );
            }
        } // closes the foreach

    Best Regards
    Morten


Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator bcworkz

    (@bcworkz)

    $(hidden)_top_banner isn’t a valid PHP variable name, you cannot use parentheses in names.

    FYI, coding questions are best asked in the Developing WP forum. I moved your post there, its URL remains the same.

    Thread Starter mortenamdk

    (@mortenamdk)

    OK, but the (hidden) is only here, not in the real code ;o)

    Moderator bcworkz

    (@bcworkz)

    I see. I don’t see any other obvious reasons your code wouldn’t work then. It’s difficult to investigate code related to custom tables. If you haven’t done so, define WP_DEBUG as true in wp-config.php so you will be notified of any errors that are encountered.

    You can use the “query” filter to determine the SQL that $wpdb->update() constructs. Test the SQL in phpMyAdmin. It’ll flag any issues with the query. It’s advisable to make a backup of the table before messing around with phpMyAdmin.

    I hope you realize using values from $_POST without validation and sanitation is a huge security risk. It’s not unheard of for people to develop code, intending to add security later. Just be sure you do.
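
    The debugging advice above in working form, as an added example that is not code from the thread or from bcworkz: it hooks the 'query' filter to log the SQL that $wpdb->update() sends, and inspects the return value, which distinguishes a failed query from an UPDATE that simply changed no rows. The table name wp_topbanner and its integer id column are taken from the thread; the column name banner_name and the function name topbanner_debug_update are hypothetical stand-ins.

```php
<?php
// Added example, not code from the thread. Assumes WordPress is loaded and the
// custom table wp_topbanner (from the thread) has an integer `id` column. The
// column `banner_name` is a hypothetical stand-in for the redacted "(hidden)_"
// names. With WP_DEBUG and WP_DEBUG_LOG defined as true in wp-config.php,
// error_log() output lands in wp-content/debug.log.

add_filter( 'query', function ( $sql ) {
    // Log only statements that touch the custom table, to keep debug.log readable.
    if ( false !== stripos( $sql, 'wp_topbanner' ) ) {
        error_log( '[topbanner] SQL: ' . $sql );
    }
    return $sql; // a 'query' filter must hand the SQL back, or nothing runs
} );

function topbanner_debug_update( $id, $name ) {
    global $wpdb;

    $affected = $wpdb->update(
        'wp_topbanner',
        array( 'banner_name' => $name ),   // hypothetical column
        array( 'id' => (int) $id ),
        array( '%s' ),                     // one format per column in $data
        array( '%d' )                      // one format per column in the WHERE
    );

    if ( false === $affected ) {
        // The query itself failed: wrong table or column name, type error, etc.
        error_log( '[topbanner] update failed: ' . $wpdb->last_error );
    } elseif ( 0 === $affected ) {
        // Not an error: either no row has that id, or the row already held these
        // exact values. MySQL reports 0 affected rows for an UPDATE that changes
        // nothing, which looks like "nothing changed" even though the query ran.
        error_log( '[topbanner] 0 rows affected; last query: ' . $wpdb->last_query );
    }
    return $affected;
}
```

    Paste the logged statement into phpMyAdmin against a backup copy of the table, as the reply suggests; $wpdb->last_query holds the most recent statement even without the filter.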

    Thread Starter mortenamdk

    (@mortenamdk)

    Hi, thanks for your answer. Yes, I was in the WordPress docs. I found the problem, so now it works.
    The risk is soon closed; I have tried some things, but if you have a good solution
    I will be really happy to hear it.
    I have seen some in the WordPress docs, but if you have some, I will be so happy. I need an injection shield for a text editor, an ID, and a text input.

    Best regards
    Morten

    Thread Starter mortenamdk

    (@mortenamdk)

    I have made this with wordpress functions

        $(Hidden)_top_banner_name                = wp_kses_post( $_POST['(Hidden)_top_banner_name' . $(Hidden)_top_banner->id] );
        $(Hidden)_top_banner_name_color          = sanitize_hex_color( $_POST['(Hidden)_top_banner_name_color' . $(Hidden)_top_banner->id] );
        $(Hidden)_top_banner_name_top_text_line  = sanitize_text_field( $_POST['(Hidden)_top_banner_name_top_text_line' . $(Hidden)_top_banner->id] );
        $(Hidden)_top_banner_name_top_height     = sanitize_text_field( $_POST['(Hidden)_top_banner_name_top_height' . $(Hidden)_top_banner->id] );
        $(Hidden)_top_banner_name_top_start_date = sanitize_text_field( $_POST['(Hidden)_top_banner_name_top_start_date' . $(Hidden)_top_banner->id] );
        $(Hidden)_top_banner_name_top_stop_date  = sanitize_text_field( $_POST['(Hidden)_top_banner_name_top_stop_date' . $(Hidden)_top_banner->id] );
        $(Hidden)_top_banner_name_media          = sanitize_text_field( $_POST['(Hidden)_top_banner_name_media' . $(Hidden)_top_banner->id] );
        $(Hidden)_image_attachment_id            = sanitize_text_field( $_POST['(Hidden)_image_attachment_id' . $(Hidden)_top_banner->id] );

    Will this work? I can see that if I write <?php echo "Hej"; ?> it doesn't show up in the database.

    So I hope it works as it should.

    Best Regards
    Morten

    Moderator bcworkz

    (@bcworkz)

    I’m not a security expert, but that’s probably adequate. That said, it’s also a good idea to validate data to the extent possible, further limiting input to what is allowed. For example, if the desired date format is “6-11-2019”, you could only allow chars [0-9\-]. Similar for IDs. If the ID is an integer, an easy sanitation and validation is $my_id = (int) $_POST['my_id']; Obviously there is little more you can do for open text fields, but where possible it’s a good idea to further validate.

    In case it makes a difference, don’t forget that data in $_POST is slashed where applicable, mainly for quotes.
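
    The validation advice in this reply, together with the unslashing point, as an added example that is not code from the thread or from either poster. It reads the per-row form fields (named with the row id appended, as in Morten's snippet), unslashes them, sanitizes each one, and then validates it against what the field is allowed to hold: a hex colour, a non-negative integer, a real calendar date, an existing media attachment. Only the table name wp_topbanner and the integer id key come from the thread; the column names (banner_name, banner_color, banner_height, banner_start_date, banner_stop_date, image_attachment_id), the function names, and the YYYY-MM-DD date format are assumptions.

```php
<?php
// Added example, not code from the thread. Column names are hypothetical
// stand-ins for the redacted "(hidden)_" names; the date format is assumed to
// be YYYY-MM-DD so that a MySQL DATE column accepts it unchanged.

function topbanner_read_post_fields( array $post, $row_id ) {
    // WordPress slashes $_POST; strip the slashes before sanitizing, otherwise
    // a quote arrives as \' and is stored with the backslash.
    $post = wp_unslash( $post );

    // Field names carry the row id as a suffix (banner_name3, banner_color3, ...).
    $get = function ( $key ) use ( $post, $row_id ) {
        return isset( $post[ $key . $row_id ] ) ? (string) $post[ $key . $row_id ] : '';
    };

    // Open text that may contain limited HTML: keep only what post content allows.
    $name = wp_kses_post( $get( 'banner_name' ) );

    // Colour: sanitize_hex_color() returns '' or null for anything not #rgb / #rrggbb.
    $color = sanitize_hex_color( $get( 'banner_color' ) );
    if ( empty( $color ) ) {
        return new WP_Error( 'bad_color', 'Colour must be a hex value such as #ff8800.' );
    }

    // Height: a non-negative integer; the cast both sanitizes and validates.
    $height = absint( $get( 'banner_height' ) );

    // Dates: allow only digits and dashes, then confirm it is a real calendar date.
    $dates = array();
    foreach ( array( 'banner_start_date', 'banner_stop_date' ) as $key ) {
        $raw = $get( $key );
        if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $raw ) ) {
            return new WP_Error( 'bad_date', "$key must look like 2019-06-11." );
        }
        list( $y, $m, $d ) = array_map( 'intval', explode( '-', $raw ) );
        if ( ! checkdate( $m, $d, $y ) ) {
            return new WP_Error( 'bad_date', "$key is not a valid calendar date." );
        }
        $dates[ $key ] = $raw;
    }

    // Attachment id: an integer that must refer to an existing media item.
    $attachment_id = absint( $get( 'image_attachment_id' ) );
    if ( $attachment_id && 'attachment' !== get_post_type( $attachment_id ) ) {
        return new WP_Error( 'bad_attachment', 'Unknown media item.' );
    }

    return array(
        'banner_name'         => $name,
        'banner_color'        => $color,
        'banner_height'       => $height,
        'banner_start_date'   => $dates['banner_start_date'],
        'banner_stop_date'    => $dates['banner_stop_date'],
        'image_attachment_id' => $attachment_id,
    );
}

function topbanner_update_row( $row_id ) {
    global $wpdb;

    $row_id = absint( $row_id );
    $data   = topbanner_read_post_fields( $_POST, $row_id );
    if ( is_wp_error( $data ) ) {
        return $data; // caller shows the message instead of writing anything
    }

    // The format list must follow the order of $data: %d for the integers.
    return $wpdb->update(
        'wp_topbanner',
        $data,
        array( 'id' => $row_id ),
        array( '%s', '%s', '%d', '%s', '%s', '%d' ),
        array( '%d' )
    );
}
```

    Returning a WP_Error rather than silently substituting a default keeps bad input out of the table and gives the form something to report. The thread does not discuss it, but in a real admin form this handler would sit behind the usual nonce and capability check before any of the above runs.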

    Thread Starter mortenamdk

    (@mortenamdk)

    Hi

    Thank you very much, I want to go ahead and get it done. With the things you suggest and are really glad you took the time to help me.

    Best Regards
    Morten

    PS. I’m closing the thread for now.

  • The topic ‘Update database’ is closed to new replies.