Script works (halfway), form doesn't post
To add a stock mutation (purchase, defective product, etc.) and also edit it, I wrote the following. It concerns the chunk of code below (this is only part of the script, but everything works up to this point). The form is filled with data from the previous part of the script, so that part works. When I click send, I get a white screen... What am I doing wrong?
Code (php)
<?php
} elseif(isset($_GET[ 'action']) && ($_GET['action'] == "productselected")) {
?>
<table width="100%">
<tr>
<td class="main" valign="top">
<?php
$newmutation_query_raw = ("SELECT p.products_id, p.products_quantity, p.manufacturers_id, pd.products_name, p.products_model, p.products_weight, p.products_costprice, p.products_price, p.products_tax_class_id, p.products_warranty, pr.manufacturers_name from " . TABLE_PRODUCTS . " p inner join " . TABLE_PRODUCTS_DESCRIPTION . " pd on p.products_id = pd.products_id left outer join " . TABLE_MANUFACTURERS . " pr ON (p.manufacturers_id = pr.manufacturers_id) WHERE p.products_id = '" . (int)$HTTP_GET_VARS['pID'] . "'");
$newmutation_query = tep_db_query($newmutation_query_raw);
while ($newmutation = tep_db_fetch_array($newmutation_query)) {
$products_id = $newmutation['products_id'];
$products_model = $newmutation['products_model'];
$products_name = $newmutation['products_name'];
$products_manufacturer = $newmutation['manufacturers_name'];
$products_price = $newmutation['products_price'];
$products_costprice = $newmutation['products_costprice'];
$products_tax_class_id = $newmutation['products_tax_class_id'];
$tax_query = tep_db_query("SELECT tax_rate from " . TABLE_TAX_RATES . " WHERE tax_class_id = '" . $products_tax_class_id . "'");
while ($tax = tep_db_fetch_array($tax_query)) {
$products_tax = $tax['tax_rate'];
?>
<form action="<?php echo FILENAME_PREFIXES_NEW; ?>?pID=<?php echo (int)$HTTP_GET_VARS['pID']; ?>&action=productselected" method="post" name="action" value="productselected">
<table border="0" width="100%" cellspacing="0" cellpadding="2">
<tr>
<td valign="top"><table border="0" width="500" cellspacing="0" cellpadding="2">
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_REGISTRATION_DATE; ?></td>
<td class="main" align="left">
<?php
if(isset($_GET[ 'date']) && ($_GET['date'] == "today")) {
?>
<input name="mutation_date" type="text" value="<?php echo date("Y-m-d") ?>" size="35">
<?php
} else {
?>
<SELECT name="mutation_date_day">
<?php echo OPTIONS_MUTATION_DATE_DAY_NEW; ?>
</SELECT>
<SELECT name="mutation_date_month">
<?php echo OPTIONS_MUTATION_DATE_MONTH_NEW; ?>
</SELECT>
<SELECT name="mutation_date_year">
<?php echo OPTIONS_MUTATION_DATE_YEAR_NEW; ?>
</SELECT>
<input name="" type="button" onClick="location.href='<?php tep_href_link(FILENAME_MUTATION_MANAGER_NEW, '', 'NONSSL'); ?>?action=productselected&pID=<?php echo $products_id; ?>&date=today'" value="<?php echo BUTTON_TODAY; ?>">
<?php
}
?>
</td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_ID; ?></td>
<td class="main" align="left"><input name="products_id" type="text" disabled value="<?php echo $products_id; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_MODEL; ?></td>
<td class="main" align="left"><input name="products_model" type="text" disabled value="<?php echo $products_model; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_MANUFACTURER; ?></td>
<td class="main" align="left"><input name="products_manufacturer" type="text" disabled value="<?php echo $products_manufacturer; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_NAME; ?></td>
<td class="main" align="left"><input name="products_name" type="text" disabled value="<?php echo $products_name; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_COSTPRICE; ?></td>
<td class="main" align="left"><input name="products_costprice" type="text" disabled value="<?php echo $products_costprice; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_PRICE; ?></td>
<td class="main" align="left"><input name="products_price" type="text" disabled value="<?php echo $products_price; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_PRODUCT_TAX; ?></td>
<td class="main" align="left"><input name="products_tax" type="text" disabled value="<?php echo $products_tax; ?>" size="35" readonly="true"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"> </td>
<td class="main" align="left"> </td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_MUTATION_REASON; ?></td>
<td class="main" align="left"><input name="mutation_id" type="text" size="35" maxlength="2"></td>
</tr>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_MUTATION_QUANTITY; ?></td>
<td class="main" align="left">
<table><tr><td class="main">
<p>
<label><input name="mutation_prefix" type="radio" value="+" checked> +</label>
<br>
<label><input name="mutation_prefix" type="radio" value="-"> -</label>
<br>
</p>
</td><td class="main" rowspan="2">
<input name="mutation_quantity" type="text" size="27">
</td></tr></table>
</td>
</tr>
<?php
if (isset($admin['id'])){
$cs_id=$admin['id'].'-'. $admin['username'];
}else{
$cs_id = $_SERVER['REMOTE_USER'];
}
?>
<tr class="main">
<td class="main" width="160" align="left"><?php echo TEXT_TABLE_HEADING_USER_ID; ?></td>
<td class="main" align="left"><input name="user_id" type="text" disabled value="<?php echo $cs_id; ?>" size="35" readonly="true"></td>
</tr>
<tr>
<td colspan="3"><?php echo tep_draw_separator('pixel_trans.gif', '1', '10'); ?></td>
</tr>
<tr>
<td colspan="2" class="main">
<input type="hidden" name="action" value="productselected">
<input name="<?php echo SEND_FORM; ?>" type="submit" value="<?php echo SEND_FORM; ?>">
</form>
<?php
if ($_POST['action'] == "productselected"){
if(isset($_GET[ 'date']) && ($_GET['date'] == "today")) {
$reg_date = $_POST['mutation_date'];
} else {
$reg_date = $_POST['mutation_date_year'] . '-' . $_POST['mutation_date_month'] . '-' . $_POST['mutation_date_day'];
}
$products_id = $_POST['products_id'];
$products_model = $_POST['products_model'];
$products_name = $_POST['products_name'];
$products_manufacturer = $_POST['products_manufacturer'];
$products_price = $_POST['products_price'];
$products_costprice = $_POST['products_costprice'];
$products_tax = $_POST['products_tax'];
$mutation_id = $_POST['mutation_id'];
$mutation_prefix = $_POST['mutation_prefix'];
$mutation_quantity = $_POST['mutation_quantity'];
$user_id = $_POST['user_id'];
$sql = "INSERT INTO " . TABLE_MANAGESTOCK . " (reg_date, products_id, products_model, products_name, products_manufacturer, products_price, products_costprice, products_tax, mutation_id, mutation_prefix, mutation_quantity, user_id)
VALUES ('" . $reg_date . "', '" . $products_id . "', '" . $products_model . "', '" . $products_name . "', '" . $products_manufacturer . "', '" . $products_price . "', '" . $products_costprice . "', '" . $products_tax . "', '" . $mutation_id . "', '" . $mutation_prefix . "', '" . $mutation_quantity . "', '" . $user_id . "')";
$result = mysql_query($sql) or die(mysql_error());
echo '<meta http-equiv="refresh" content="0;url=mutationmanager.php">';
} }
}
?>
</td>
</tr>
</table>
</td>
</tr>
</table>
</td></tr></table></td>
I see pointless copying of $vars. Your script is leaky -> SQL injection. Many input fields are set to disabled, so they are not sent along either.
It doesn't matter if the script is leaky; it's behind a secured part of the website anyway.
If you see nothing, it may be because neither of the ifs is satisfied. Try changing the elseif to a plain else and see what happens. If it suddenly works, you know that $_GET['action'] is not set or is not equal to "productselected"...
It is also always handy to have error_reporting(E_ALL); at the top of the page.
EDIT: by the way, never ever trust user input, even if it sits behind a 'secure' part of the site. If 'secure' turns out not to be secure enough, a malicious person can turn everything upside down without any resistance (destroy databases, delete data, etc.). If everything is properly secured, even that person (if they get into the 'secure' part) still can't do much damage...
2ND EDIT: if you don't want people to change preloaded input data, use readonly="readonly" (as in <input type="text" readonly="readonly" />)
Edited on 01/01/1970 01:00:00 by Martijn van den Ende
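The SQL injection and disabled-field points raised above, as an added example that is not the poster's or Martijn's code: the same INSERT done with PDO prepared statements, re-reading the product by pID from the database instead of trusting what the browser posts. It assumes a PDO connection in $pdo, the TABLE_* constants from the poster's script, and that the user id is passed in from the server-side $cs_id the poster already computes (never from $_POST).

```php
<?php
// Added example, not the thread's own code. Assumes a PDO connection in $pdo
// and the TABLE_* constants from the poster's script.
error_reporting(E_ALL);
ini_set('display_errors', '1'); // development only: a white page usually hides a fatal error

function insert_mutation(PDO $pdo, array $get, array $post, string $cs_id): bool
{
    // Re-read the product by id: disabled inputs are never submitted, and anything the browser does send could have been edited.
    $stmt = $pdo->prepare(
        'SELECT p.products_id, p.products_model, pd.products_name, pr.manufacturers_name,'
        . ' p.products_price, p.products_costprice, t.tax_rate'
        . ' FROM ' . TABLE_PRODUCTS . ' p'
        . ' INNER JOIN ' . TABLE_PRODUCTS_DESCRIPTION . ' pd ON p.products_id = pd.products_id'
        . ' LEFT JOIN ' . TABLE_MANUFACTURERS . ' pr ON p.manufacturers_id = pr.manufacturers_id'
        . ' LEFT JOIN ' . TABLE_TAX_RATES . ' t ON p.products_tax_class_id = t.tax_class_id'
        . ' WHERE p.products_id = :pid');
    $stmt->execute([':pid' => (int)($get['pID'] ?? 0)]);
    $p = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($p === false) {
        return false; // unknown product id: nothing to register
    }
    // Only the fields the user really chooses come from $_POST, each checked against what the form allows.
    $prefix = $post['mutation_prefix'] ?? '';
    $reason = filter_var($post['mutation_id'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 99]]);   // maxlength="2" in the form
    $qty = filter_var($post['mutation_quantity'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if (!in_array($prefix, ['+', '-'], true) || $reason === false || $qty === false) {
        return false;
    }
    // Registration date: the server clock for "today" (not the posted text field), else the three selects rebuilt as a real date.
    if (($get['date'] ?? '') === 'today') {
        $reg_date = date('Y-m-d');
    } else {
        $y = (int)($post['mutation_date_year'] ?? 0);
        $m = (int)($post['mutation_date_month'] ?? 0);
        $d = (int)($post['mutation_date_day'] ?? 0);
        if (!checkdate($m, $d, $y)) {
            return false;
        }
        $reg_date = sprintf('%04d-%02d-%02d', $y, $m, $d);
    }
    // Every value is bound as a parameter, so a quote in a product name or user id can no longer change the statement.
    $ins = $pdo->prepare(
        'INSERT INTO ' . TABLE_MANAGESTOCK
        . ' (reg_date, products_id, products_model, products_name, products_manufacturer,'
        . ' products_price, products_costprice, products_tax, mutation_id, mutation_prefix,'
        . ' mutation_quantity, user_id)'
        . ' VALUES (:reg_date, :pid, :model, :name, :man, :price, :cost, :tax, :reason, :prefix, :qty, :user)');
    return $ins->execute([
        ':reg_date' => $reg_date, ':pid' => $p['products_id'],
        ':model' => $p['products_model'], ':name' => $p['products_name'],
        ':man' => $p['manufacturers_name'], ':price' => $p['products_price'],
        ':cost' => $p['products_costprice'], ':tax' => $p['tax_rate'],
        ':reason' => $reason, ':prefix' => $prefix, ':qty' => $qty, ':user' => $cs_id,
    ]);
}
```

Called as insert_mutation($pdo, $_GET, $_POST, $cs_id) in place of the mysql_query() block; a false return means the input was rejected rather than silently inserted.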
Code (php)
} else {
echo '<meta http-equiv="refresh" content="0;url=mutation_new.php?action=selectproduct">';
}
So if the condition weren't met, it would go to the first if, where a product has to be chosen again. As far as I can tell the script is otherwise fine? I have already made a similar, smaller script that does work...
EDIT: error_reporting is already on and I still get a white page. The page is in a secured folder created at the host with a username and password. I don't think anyone will ever get in, but once the script works I can always secure it later...
Edited on 01/01/1970 01:00:00 by Ronald Edelschaap
A blank page can indicate an unclosed ( and ) or { and }. It could also be that a . (dot) is missing somewhere where $vars and/or text are concatenated.
I searched with Dreamweaver: the number of ( equals the number of ), { equals } and [ equals ], and the dots, " and ' come in even numbers, so in principle that can't be it either. Also, if I put the error reporting at the part where it closes the SQL query and goes back to the previous page, no error messages come out... Really strange!
I rebuilt the whole section from scratch, and strangely enough now it works... I wonder what the mistake was, but oh well... It works :)
Well done ;)