Professional Web Applications Themes

no database query is allowed yet value is still returned - PHP Development


  1. #1

    no database query is allowed yet value is still returned

    A very strange bug. [url]www.monkeyclaus.org[/url] is run by a CMS I'm
    developing. One of the types of users we allow is "justTestingTheSite", a
    type of user I developed to give demos to prospective clients. The
    purpose of this level of security is to let someone log in and see
    everything as if they were root, and yet not be able to update or
    delete anything, as they have no real privileges at all.

    I just logged in as root and created such an account, then I logged out
    and logged back in using the new account. I tried to edit the weblog
    on the front page of the site. Everything worked as it should have: I
    was able to get to the screen, edit it, and hit submit, and then,
    because of my low security rating, the software did not change the
    values. Perfect.

    But the results message said "You've just updated 26 items." I was
    expecting it to say "You've just updated 0 items." 26 just happens to
    be the number of entries on the weblog which is the front page of the
    site. For the life of me, I cannot figure out how the software got
    the number 26. What's more, the message seems to be incorrect: none of
    the 26 items seems to have been updated.

    A function and a class method are involved; if anyone can see where
    the software is getting the number of weblog entries, I'll be most
    pleased.


    function standardUpdate($functionForEditing) {
        global $users;
        $users->check();

        extract($config = getConfig());

        global $cbKeyword01, $cbKeyword02, $cbKeyword03, $cbKeyword04,
            $cbKeyword05, $cbKeyword06, $cbKeyword07, $cbKeyword08, $cbKeyword09,
            $cbKeyword10;

        global $cbId;
        global $cbHeadline, $cbMainContent, $cbDateCreated, $cbWhichType, $cbUserName,
            $cbPassword, $cbIsLoggedIn, $cbDatesModified, $cbLastModified, $cbDatesWhenViewed,
            $cbLinksToWhatUrl, $cbOOA, $cbSection;
        global $cbKeywords, $cbBelongsToWhichWebsite, $cbBelongsToWhichPage, $cbUserSecurityLevel,
            $cbNavTextDifFromHeadline, $cbNavText, $cbNavOOA, $cbNavSection, $cbTemplate,
            $cbSpecialOverrideCSSClass;
        global $cbExpirationDate, $cbModifier01, $cbModifier02, $cbModifier03, $cbModifier04,
            $cbModifier05, $cbModifier06, $cbModifier07, $cbModifier08, $cbModifier09,
            $cbModifier10, $cbModifier11, $cbModifier12;
        global $cbModifier13, $cbModifier14, $cbModifier15, $cbModifier16, $cbModifier17,
            $cbModifier18, $cbPublicName, $cbEmail, $cbUrl, $cbWhenLoggedIn, $cbBelongsToWho,
            $cbNumTimesViewed, $cbNumTimesViewedLast24;
        global $cbNumTimesViewedLastWeek, $cbNumTimesViewedLastMonth, $cbIsFrontPage,
            $cbPagePassword, $cbUserAddress, $cbModifier19, $cbModifier20, $cbModifier21,
            $cbModifier22, $cbModifier23, $cbModifier24, $cbStyle;
        global $cbAllowComments, $cbListOfAllFilesThatBelongToThisEntry, $cbIsRoughDraft,
            $cbHowManyEntriesShouldWeListOnThisPage, $cbUndo;

        global $forms, $io, $links, $sql;
        global $cbPassword1, $cbPassword2;
        // the two page-password fields are read below, so they must be pulled in as well
        global $cbPagePassword1, $cbPagePassword2;

        if ($cbKeyword01) $cbKeywords  = $cbKeyword01.",\n";
        if ($cbKeyword02) $cbKeywords .= $cbKeyword02.",\n";
        if ($cbKeyword03) $cbKeywords .= $cbKeyword03.",\n";
        if ($cbKeyword04) $cbKeywords .= $cbKeyword04.",\n";
        if ($cbKeyword05) $cbKeywords .= $cbKeyword05.",\n";
        if ($cbKeyword06) $cbKeywords .= $cbKeyword06.",\n";
        if ($cbKeyword07) $cbKeywords .= $cbKeyword07.",\n";
        if ($cbKeyword08) $cbKeywords .= $cbKeyword08.",\n";
        if ($cbKeyword09) $cbKeywords .= $cbKeyword09.",\n";
        if ($cbKeyword10) $cbKeywords .= $cbKeyword10.",\n";

        $sql->setValue("cbHeadline", $cbHeadline);
        $sql->setValue("cbMainContent", $cbMainContent);
        $sql->setValue("cbWhichType", $cbWhichType);
        $sql->setValue("cbPassword", $cbPassword1);
        $sql->setValue("cbLinksToWhatUrl", $cbLinksToWhatUrl);
        $sql->setValue("cbOOA", $cbOOA);
        $sql->setValue("cbSection", $cbSection);
        $sql->setValue("cbKeywords", $cbKeywords);
        $sql->setValue("cbBelongsToWhichPage", $cbBelongsToWhichPage);
        $sql->setValue("cbNavTextDifFromHeadline", $cbNavTextDifFromHeadline);
        $sql->setValue("cbNavText", $cbNavText);
        $sql->setValue("cbNavSection", $cbNavSection);
        $sql->setValue("cbNavOOA", $cbNavOOA);
        $sql->setValue("cbStyle", $cbStyle);
        $sql->setValue("cbTemplate", $cbTemplate);
        $sql->setValue("cbSpecialOverrideCSSClass", $cbSpecialOverrideCSSClass);
        $sql->setValue("cbExpirationDate", $cbExpirationDate);
        $sql->setValue("cbModifier01", $cbModifier01);
        $sql->setValue("cbModifier02", $cbModifier02);
        $sql->setValue("cbModifier03", $cbModifier03);
        $sql->setValue("cbModifier04", $cbModifier04);
        $sql->setValue("cbModifier05", $cbModifier05);
        $sql->setValue("cbModifier06", $cbModifier06);
        $sql->setValue("cbModifier07", $cbModifier07);
        $sql->setValue("cbModifier08", $cbModifier08);
        $sql->setValue("cbModifier09", $cbModifier09);
        $sql->setValue("cbModifier10", $cbModifier10);
        $sql->setValue("cbModifier11", $cbModifier11);
        $sql->setValue("cbModifier12", $cbModifier12);
        $sql->setValue("cbModifier13", $cbModifier13);
        $sql->setValue("cbModifier14", $cbModifier14);
        $sql->setValue("cbModifier15", $cbModifier15);
        $sql->setValue("cbModifier16", $cbModifier16);
        $sql->setValue("cbModifier17", $cbModifier17);
        $sql->setValue("cbModifier18", $cbModifier18);
        $sql->setValue("cbPublicName", $cbPublicName);
        $sql->setValue("cbEmail", $cbEmail);
        $sql->setValue("cbUrl", $cbUrl);
        $sql->setValue("cbIsFrontPage", $cbIsFrontPage);
        $sql->setValue("cbPagePassword", $cbPagePassword1);
        $sql->setValue("cbUserAddress", $cbUserAddress);
        $sql->setValue("cbModifier19", $cbModifier19);
        $sql->setValue("cbModifier20", $cbModifier20);
        $sql->setValue("cbModifier21", $cbModifier21);
        $sql->setValue("cbModifier22", $cbModifier22);
        $sql->setValue("cbModifier23", $cbModifier23);
        $sql->setValue("cbModifier24", $cbModifier24);
        $sql->setValue("cbAllowComments", $cbAllowComments);
        $sql->setValue("cbListOfAllFilesThatBelongToThisEntry", $cbListOfAllFilesThatBelongToThisEntry);
        $sql->setValue("cbIsRoughDraft", $cbIsRoughDraft);
        $sql->setValue("cbHowManyEntriesShouldWeListOnThisPage", $cbHowManyEntriesShouldWeListOnThisPage);
        $sql->update($cbId);
        $total = $sql->db->affected();

        if ($cbPagePassword1 != $cbPagePassword2) {
            $functionForEditing($cbId, "The two passwords that you typed did not match one another.");
            die();
        }

        if ($cbId) {
            startPage("Your entry was updated in the database. $total entries were affected.");
            defaultScreen();
            endPage();
        } else {
            startPage("There was some kind of problem. Your entry could not be updated in the database.");
            defaultScreen();
            endPage();
        }
    }

    function update($cbId, $checkIfUserIsSafe = "y", $field1 = "", $operator1 = "=", $value1 = "",
                    $field2 = "", $operator2 = "=", $value2 = "", $field3 = "", $operator3 = "=", $value3 = "") {
        if (!$this->userIsSafe && $checkIfUserIsSafe == "y") {
            return false;
        } else {
            // 06-19-03 - because of the if tests there is no way for this function to blank an
            // entry. In other words, if a user has entered a title for their webpage, but then
            // later decides they don't want any title at all, they can't blank it, because an
            // empty field will fail the if test here. We must test for the presence of
            // "#x#blank#x#" - lk
            $this->cbLastModified = time();
            // 06-21-03 - we will need to give potential clients the ability to come in and kick
            // the tires, see everything, and yet we don't want them to be able to change anything.
            // Therefore, we set up this special test, looking to see if the user is marked as
            // "justTestingTheSite". We test for the presence of such a security rating and only
            // proceed if the check fails (if the user is not so marked). -lk
            if (!stristr($this->userSecurityLevel, "justTestingTheSite")) {
                // 07-05-03 - We want to be able to offer at least one level of undo to the user.
                // Therefore we need to first back up the previous version of this entry, in a
                // string marked by a separator that can later be used to bust it into an array
                // and turn it back into an entry if they should choose to undo their work. A flag
                // will also need to be set, so that the function startPage will know to display
                // the "undo" text option.
                $entry = $this->getJustOneEntry($cbId);

                // IMPORTANT !!! If more fields are added to the database, this next line will
                // have to be changed.
                // 07-07-03 - this next line is to make sure that cbUndo isn't included in the next undo
                array_pop($entry);
                $cbUndo = implode("\n\n\n##%%^***%%##", $entry);
                $this->setValue("cbUndo", $cbUndo);
                $this->setFlagForUndo($cbId);

                // THE QUERY
                // 07-05-03 - and now we finally start building the query string - lk
                $query = "UPDATE mcContentBlocks SET ";

                // 07-07-03 - CAREFUL!!!! I just erased this next line, not realizing what it was.
                // This is not $sql->reset, but the built-in PHP function, reset. It is resetting
                // the pointer in the array. In future, having methods with the same name as PHP
                // functions may not be a good idea.
                reset($this->tableValues);
                while (list($key, $val) = each($this->tableValues)) {
                    // 06-20-03 - the following if restrictions mean that a special function will
                    // have to handle changing the value of cbUserName, or cbDateCreated.
                    if ($key != "cbBelongsToWhichWebsite" && $key != "cbDateCreated" && $key != "cbUserName") {
                        // 06-24-03 - this next line is the line that makes sure blank values get left out.
                        if ($val) {
                            // 06-20-03 - in this next bit we're going to test for "#x#blank#x#",
                            // which is what a user should type in if they really want a field to
                            // be blank. We're going to use trim() and strtolower() to try to
                            // minimize the number of errors that might happen because of the
                            // user's inconsistent typing.
                            $blank = strtolower(trim($val));
                            if ($blank == "#x#blank#x#") {
                                $query .= $key."='', ";
                            } else {
                                $query .= $key."='$val', ";
                            }
                        }
                    }
                }
                // 06-19-03 - because of the if clauses above we can't know which of the above is
                // the last, therefore we need the next line to take the comma off the end of the
                // query, otherwise we get SQL errors.
                $query = substr($query, 0, -2);

                $query .= " WHERE cbId=$cbId ";
                // 07-05-03 - last week working on the user class I invented an $sql method called
                // updateWithConditions. Later I decided it was a big mistake having more than one
                // update method. So now I've gotten rid of the other method and added the
                // functionality here. This method accepts up to 3 extra conditions to the WHERE clause.
                if ($field1) $query .= " AND $field1 $operator1 '$value1' ";
                if ($field2) $query .= " AND $field2 $operator2 '$value2' ";
                if ($field3) $query .= " AND $field3 $operator3 '$value3' ";
                $query .= " AND cbBelongsToWhichWebsite='$this->cbBelongsToWhichWebsite'";
                $this->db->query($query);
                echo $query;
                $this->db->rows();
                $this->reset();
                return $this->db->numRows;
            } //ends if(!$test) clause
        }
        $this->reset();
    }
    lawrence Guest

  2. #2

    Re: no database query is allowed yet value is still returned

    Hi lawrence!

    On 7 Jul 2003 15:04:44 -0700, [email]lkrubnergeocities.com[/email] (lawrence) wrote:
    >A very strange bug. [url]www.monkeyclaus.org[/url] is run by a cms I'm
    >developing. One of types of users we allow is "justTestingTheSite", a
    >type of user I developed to give demo's to prospective clients. The
    >purpose of this level of security is to let someone log in and see
    >everything as if they were root, and yet not be able to update or
    >delete anything, as they have no real priveledges at all.
    >
    >I just logged in as root and created such an account, then I log out
    >and logged back in using the new account. I tried to edit the weblog
    >on the front page of the site. Everything worked as it should of: I
    >was able to get to the screen, edit it, and hit submit, and then,
    >because of my low security rating, the software did not change the
    >values. Perfect.
    >
    >But the results message said "You've just updated 26 items." I was
    >expecting it to say "You've just updated 0 items." 26 just happens to
    >be the number of entries on the weblog which is the front page of the
    >site. For the life of me, I can not figure out how the software got
    >the number 26. More so, the message seems to be incorrect, none of the
    >26 items seems to have been updated.
    >
    Look for all update SQL statements in your code, print them, and look
    at which one returns 26 on success.

    Please cut down the amount of code you post a bit. No one wants to
    look through library classes.

    HTH, Jochen
    --
    Jochen Daum - CANS Ltd.
    PHP DB Edit Toolkit -- PHP scripts for building
    database editing interfaces.
    [url]http://sourceforge.net/projects/phpdbedittk/[/url]
    Jochen Daum Guest

  3. #3

    Re: no database query is allowed yet value is still returned

    Jochen Daum <jochen.daumcans.co.nz> wrote in message
    > Look for all update SQL statements in your code, print them and look
    > which one return 26 on success.
    Thanks. After walking through it several times I realized the problem
    was with these lines:

    $sql->update($cbId);
    $total = $sql->db->affected();


    The update method knew perfectly well that no rows had been affected
    and was returning the correct answer, but I wasn't capturing it.
    However, the affected method of db returns how many rows were affected
    the last time something was affected. I've no idea what I was thinking
    when I wrote it like this; the $db object should never appear outside
    of the $sql object in my code. When I rewrote it like this, everything
    worked as it should:


    $total = $sql->update($cbId);

    > Please cut down the amount of code you post a bit. No one wants to
    > look through library classes.
    I'll try, but in this case I had no idea where the problem was, and
    was therefore shooting wide and blind.
    lawrence Guest
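An added example, written for this page and not code from the posts above or from the monkeyclaus CMS, that rebuilds the symptom from posts #1 and #3 in miniature and runs on PHP 7.4+ with PDO and the pdo_sqlite extension. The Db wrapper's affected() keeps the contract of the posted $sql->db->affected(): it reports the row count of whatever statement ran last. The Sql::update() method returns before touching the database for a "justTestingTheSite" user, so the caller that reads db->affected() sees the count left behind by an earlier statement, while the caller that uses update()'s own return value sees 0. Which earlier query produced the 26 in the thread is not stated in the posts; the view-counter UPDATE over all 26 front-page entries is an assumption standing in for it. The example also does what a reviewer would ask of the posted update(): the original interpolates each $val and the $field/$operator/$value conditions straight into the query string, whereas here values are bound parameters and column names come from a fixed allow-list, so a form value cannot alter the statement. The Db and Sql classes, the WRITABLE list and the table layout are all constructed for the demo.

```php
<?php
// Added example (not from the original thread). Reproduces the stale
// affected() count and shows the parameterised alternative to string-built SQL.

class Db {
    private PDO $pdo;
    private int $lastAffected = 0;

    public function __construct(PDO $pdo) { $this->pdo = $pdo; }

    // Executes one statement with bound parameters and remembers its row count.
    public function run(string $sql, array $params = []): int {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        $this->lastAffected = $stmt->rowCount();
        return $this->lastAffected;
    }

    // Same contract as the posted affected(): rows touched by whatever ran last,
    // which says nothing about an update() that returned before querying.
    public function affected(): int { return $this->lastAffected; }
}

class Sql {
    // Columns an editor may write (assumed list). Keys not on it never reach the
    // SQL text, so the SET clause cannot carry caller-controlled identifiers.
    private const WRITABLE = ['cbHeadline', 'cbMainContent', 'cbSection'];

    public Db $db;
    private string $userSecurityLevel;
    private array $tableValues = [];

    public function __construct(Db $db, string $userSecurityLevel) {
        $this->db = $db;
        $this->userSecurityLevel = $userSecurityLevel;
    }

    public function setValue(string $column, string $value): void {
        if (!in_array($column, self::WRITABLE, true)) {
            throw new InvalidArgumentException("column is not writable: $column");
        }
        $this->tableValues[$column] = $value;
    }

    // Returns the number of rows THIS call changed; 0 when the caller was not
    // allowed to change anything. Callers must use this, not db->affected().
    public function update(int $cbId): int {
        // Exact comparison; the posted code used stristr(), a case-insensitive
        // substring match that accepts any level merely containing the word.
        if ($this->userSecurityLevel === 'justTestingTheSite' || $this->tableValues === []) {
            $this->tableValues = [];
            return 0;
        }
        $set = [];
        $params = [];
        foreach ($this->tableValues as $column => $value) {
            $set[] = "$column = ?";   // $column came from WRITABLE; the value is bound
            $params[] = $value;
        }
        $params[] = $cbId;
        $changed = $this->db->run(
            'UPDATE mcContentBlocks SET ' . implode(', ', $set) . ' WHERE cbId = ?',
            $params
        );
        $this->tableValues = [];
        return $changed;
    }
}

// --- demo: constructed data, 26 entries as on the thread's front page ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mcContentBlocks (cbId INTEGER PRIMARY KEY, cbHeadline TEXT, cbNumTimesViewed INTEGER DEFAULT 0)');
$insert = $pdo->prepare('INSERT INTO mcContentBlocks (cbHeadline) VALUES (?)');
for ($i = 1; $i <= 26; $i++) {
    $insert->execute(["Entry $i"]);
}

$db  = new Db($pdo);
$sql = new Sql($db, 'justTestingTheSite');

// Assumed earlier statement in the same request: rendering the front page bumps
// the view counter on every listed entry, so it touches all 26 rows.
$db->run('UPDATE mcContentBlocks SET cbNumTimesViewed = cbNumTimesViewed + 1');

// The demo user submits the edit form for entry 1.
$sql->setValue('cbHeadline', 'Changed by a demo user');
$right = $sql->update(1);       // what this update actually changed
$wrong = $sql->db->affected();  // what the last statement that ran changed

$headline = $pdo->query('SELECT cbHeadline FROM mcContentBlocks WHERE cbId = 1')->fetchColumn();
printf("update() says %d, db->affected() says %d, headline is \"%s\"\n", $right, $wrong, $headline);
```

The thread's fix, `$total = $sql->update($cbId);`, is the right one for a second reason beyond the stale count: a number read from the shared db object cannot tell the caller whether this request was authorised to write at all, and only the method that enforced the check can report that. Keeping the count inside update() also keeps the authorisation decision and its evidence in one place, which is what you want when a later audit asks why a demo account appeared to modify 26 entries.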
