Need help updating sql via template form

[guyb]

Hi, I've been modding the "phpbb-auction" mod for some time now and managed to accomplish most of what I wanted. Unfortunately the mod had a lot of code problems and support on their site is almost non-existent.

Where I'm having a problem is here: there is an admin panel called "admin_auction_offer.php" which in its original form shows the main details of all listed auctions, and I want to change it into an interactive control panel whereby as the admin I can edit and update those fields.

I've managed to convert the .php and .tpl files so the page indeed is a form, and I also created a "mode" for editing/updating the fields.

The form fields are populated with the present auction data, but I'm unable to edit/update them. I receive sql errors that certain fields can't be passed (probably because of whether they are INT or VAR and I'm unsure how to pass those strings). I also have a suspicion that the structure of the code in the .php file may be incorrect: if I want to display data and from that data make edits which I send back to sql, do I only have to UPDATE the sql table one time and only populate the template one time?

Currently this is the essence of the .php file:

in the original "admin_auction_offer.php" file, after this code:

Code: Select all

// START Grab all the offer-data 
     $sql = "SELECT t.*, 
                    u.username, 
                    u.user_id, 
                    u2.username as maxbidder_user_name, 
                    u2.user_id as maxbidder_user_id, 
                    i.pic_id, 
                    acc.auction_account_auction_amount, 
                    acc.auction_account_amount_paid 
             FROM (" . AUCTION_OFFER_TABLE . " t 
             LEFT JOIN " . USERS_TABLE . " u ON u.user_id = t.FK_auction_offer_user_id 
             LEFT JOIN " . USERS_TABLE . " u2 ON u2.user_id = t.FK_auction_offer_last_bid_user_id 
             LEFT JOIN " . AUCTION_IMAGE_TABLE . " i ON t.pk_auction_offer_id=i.pic_auction_id 
             LEFT JOIN " . AUCTION_ACCOUNT_TABLE . " acc ON t.pk_auction_offer_id=acc.fk_auction_offer_id) 
             ORDER BY t.auction_offer_time_stop;";   

I created:

Code: Select all

if ( $mode == "admin_offer_edit" ) 
    { 
    $total_offers = 0; 
     while( $row = $db->sql_fetchrow($result) ) 
     { 
         $offer_rowset[] = $row; 
         $total_offers++; 
     } // while 
     $db->sql_freeresult($result); 
     $offer_id = ( isset($HTTP_GET_VARS[POST_AUCTION_OFFER_URL]) ) ? $HTTP_GET_VARS[POST_AUCTION_OFFER_URL] : $HTTP_POST_VARS[POST_AUCTION_OFFER_URL];

and then tried creating these conditions (if a field received data from the form, that would be the variable's value, otherwise the default would be whatever was originally entered, i.e. probably nothing):

Code: Select all

if ( empty($HTTP_POST_VARS['auction_offer_title'])) 
                      { 
                     $auction_offer_title = $offer_rowset[$i]['auction_offer_title']; 
                      } 
else 
                      { 
                           $auction_offer_title = $HTTP_POST_VARS['auction_offer_title']; 
                      } 
                 
if ( empty($HTTP_POST_VARS['auction_offer_text'])) 
                      { 
                       $auction_offer_text = $offer_rowset[$i]['auction_offer_text']; 
                      } 
else 
                      { 
                           $auction_offer_text = $HTTP_POST_VARS['auction_offer_text']; 
                      } 

if ( empty($HTTP_POST_VARS['auction_offer_admins_uncensored_text'])) 
                      { 
                       $auction_offer_admins_uncensored_text = $offer_rowset[$i]['auction_offer_admins_uncensored_text']; 
                      } 
else 
                      { 
                           $auction_offer_admins_uncensored_text = $HTTP_POST_VARS['auction_offer_admins_uncensored_text']; 
                      } 

if ( empty($HTTP_POST_VARS['auction_offer_comment'])) 
                      { 
                       $auction_offer_comment = $offer_rowset[$i]['auction_offer_comment']; 
                      } 
else 
                      { 
                           $auction_offer_comment = $HTTP_POST_VARS['auction_offer_comment']; 
                      } 
                 
if ( empty($HTTP_POST_VARS['auction_offer_price_start'])) 
                      { 
                       $auction_offer_price_start = $offer_rowset[$i]['auction_offer_price_start']; 
                      } 
else 
                      { 
                           $auction_offer_price_start = $HTTP_POST_VARS['auction_offer_price_start']; 
                      } 
                 
if ( empty($HTTP_POST_VARS['auction_offer_reserve_factor'])) 
                      { 
                       $auction_offer_reserve_factor = $offer_rowset[$i]['auction_offer_reserve_factor']; 
                      } 
else 
                      { 
                           $auction_offer_reserve_factor = $HTTP_POST_VARS['auction_offer_reserve_factor']; 
                      } 
                 
if ( empty($HTTP_POST_VARS['auction_offer_direct_sell_price'])) 
                      { 
                       $auction_offer_direct_sell_price = $offer_rowset[$i]['auction_offer_direct_sell_price']; 
                      } 
else 
                      { 
                           $auction_offer_direct_sell_price = $HTTP_POST_VARS['auction_offer_direct_sell_price']; 
                      }                                                   
                     
if ( empty($HTTP_POST_VARS['auction_offer_shipping_price'])) 
                      { 
                       $auction_offer_shipping_price = $offer_rowset[$i]['auction_offer_shipping_price']; 
                      } 
else 
                      { 
                           $auction_offer_shipping_price = $HTTP_POST_VARS['auction_offer_shipping_price']; 
                      } 
                 
if (empty($HTTP_POST_VARS['offer_special']) ) 
                      { 
                           $auction_offer_special = 0; 
                      } 
else 
                      { 
                           $auction_offer_special = 1; 
                      }                 
                 
if (empty($HTTP_POST_VARS['offer_on_top']) ) 
                      { 
                           $auction_offer_on_top = 0; 
                      } 
else 
                      { 
                           $auction_offer_on_top = 1; 
                      } 
                 
if (empty($HTTP_POST_VARS['offer_bold']) ) 
                      { 
                           $auction_offer_bold = 0; 
                      } 
else 
                      { 
                           $auction_offer_bold = 1;

I'm then trying to update the sql table like this:

Code: Select all

$sql = "UPDATE " . AUCTION_OFFER_TABLE . " 
                        SET auction_offer_title = '" . $auction_offer_title . "', 
                     auction_offer_text = '" . $auction_offer_text . "', 
                            auction_offer_admins_uncensored_text = '" . $auction_offer_admins_uncensored_text . "', 
                     auction_offer_comment = '" . $auction_offer_comment . "', 
                            auction_offer_price_start = " . $auction_offer_price_start . ", 
                      auction_offer_reserve_factor = " . $auction_offer_reserve_factor . ", 
                            auction_offer_direct_sell_price = " . $auction_offer_direct_sell_price . ", 
                          auction_offer_shipping_price = " . $auction_offer_shipping_price . ", 
                     auction_offer_special = " . $auction_offer_special . ", 
                            auction_offer_on_top = " . $auction_offer_on_top . ", 
                            auction_offer_bold = " . $auction_offer_bold . " 
                  WHERE PK_auction_offer_id = " . $offer_id . "";                  

afterwards there are some IF statements regarding the sorting of the fields - original coding from this file, and after that is my tinkered command to populate the template:

Code: Select all

$template->assign_block_vars('offer', array( 
                     'L_AUCTION_OFFER_MARK_PAID' => $mark, 
                     'U_AUCTION_OFFER_MARK_PAID' => $u_mark, 

                     'AUCTION_OFFER_TITLE' => $offer_rowset[$i]['auction_offer_title'], 
                     'AUCTION_OFFER_ID' => $offer_rowset[$i]['PK_auction_offer_id'], 
                     'AUCTION_OFFER_OFFERER' => $offer_rowset[$i]['username'], 
                     'AUCTION_OFFER_VIEWS' => $offer_rowset[$i]['auction_offer_views'], 
                     'AUCTION_OFFER_PRICE_START' => $offer_rowset[$i]['auction_offer_price_start'], 
                     'AUCTION_OFFER_RESERVE_FACTOR' => $offer_rowset[$i]['auction_offer_reserve_factor'], 
                     'AUCTION_OFFER_DIRECT_SELL_PRICE' => $offer_rowset[$i]['auction_offer_direct_sell_price'], 
                     'AUCTION_OFFER_SHIPPING_PRICE' => $offer_rowset[$i]['auction_offer_shipping_price'], 
//               'S_ADD_EDIT_SHIPPING_PRICE' => append_sid("../auction_offer.$phpEx?mode=edit_shipping_price&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""), 
// REMOVED BECAUSE ADDED MY CASE INTO THIS FILE FROM AUCTION-OFFER.php              'S_ADMIN_OFFER_EDIT' => append_sid("../auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""), 
// LATEST VER of BUTTON               'S_ADMIN_OFFER_EDIT' => append_sid("../auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""), 

// IF CASE IS IN AUCTION_OFFER.php:               'U_ADMIN_OFFER_EDIT' => append_sid("../auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""), 
                     'U_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""), 
                     'AUCTION_OFFER_ON_TOP_CHECKED' => ( $offer_rowset[$i]['auction_offer_on_top']) ? "checked=\"checked\"" : "", 
                     'AUCTION_OFFER_SPECIAL_CHECKED' => ( $offer_rowset[$i]['auction_offer_special']) ? "checked=\"checked\"" : "", 
                     'AUCTION_OFFER_PICTURE' => ( $offer_rowset[$i]['pic_id'] ) ? "X" : "", 
                     'AUCTION_OFFER_SELL_ON_FIRST' => ( $offer_rowset[$i]['auction_offer_direct_sell_price']<0> $paid, 
                     'AUCTION_OFFER_TIME_END' => create_date("m/d/Y - h:i:s", $offer_rowset[$i]['auction_offer_time_stop'], $board_config['board_timezone']), 
                     'AUCTION_OFFER_TEXT' => $offer_rowset[$i]['auction_offer_text'],                
                     'AUCTION_OFFER_ADMINS_UNCENSORED_TEXT' => $offer_rowset[$i]['auction_offer_admins_uncensored_text'],                
                     'AUCTION_OFFER_COMMENT' => $offer_rowset[$i]['auction_offer_comment'], 

                     'COUPON_USER_CREATED' => $coupon_rowset[$i]['coupon_creator'], 
                     'COUPON_DATE_USED' => ( $coupon_rowset[$i]['auction_coupon_date_used']>0 ) ? create_date("m/d/Y - h:i:s", $coupon_rowset[$i]['auction_coupon_date_used'], $board_config['board_timezone']) : $lang['coupon_not_used'], 
                     'COUPON_USER_USED' => ( $coupon_rowset[$i]['coupon_user']<coupon_rowset> append_sid("../auction_offer_view.$phpEx?" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id']), 
                     'U_AUCTION_OFFER_DELETE' => append_sid("admin_auction_offer.$phpEx?" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . "&mode=delete"))); 
             } // for 
          } // if 

     $template->assign_vars(array( 
            'L_ADMIN_OFFER' => $lang['offer_admin'], 
            'L_AUCTION_OFFER_ID' => $lang['auction_offer_id'], 
            'L_ADMIN_OFFER_EXPLAIN' => $lang['offer_admin_explain'], 
            'L_AUCTION_OFFER_TITLE' => $lang['auction_offer_title'], 
            'L_AUCTION_OFFER_TIME_STOP' => $lang['auction_offer_time_stop'], 
            'L_AUCTION_OFFER_PAID' => $lang['auction_offer_paid_status'], 
            'L_AUCTION_OFFER_ON_TOP' => $lang['auction_offer_on_top_short'], 
            'L_AUCTION_OFFER_PICTURE' => $lang['auction_offer_picture_short'],          
            'L_AUCTION_OFFER_PRICE_START' => $lang['auction_offer_price_start_short'],          
            'L_AUCTION_OFFER_RESERVE_FACTOR' => $lang['auction_offer_reserve_factor_short'],          
            'L_AUCTION_OFFER_DIRECT_SELL' => $lang['auction_offer_direct_sell_short'],          
            'L_AUCTION_OFFER_SHIPPING_PRICE' => $lang['auction_offer_shipping_price_short'], 
            'L_AUCTION_OFFER_VIEWS' => $lang['auction_offer_views_short'], 
            'L_AUCTION_OFFER_SPECIAL' => $lang['auction_offer_special_short'], 
            'L_AUCTION_OFFER_BOLD' => $lang['auction_offer_bold_short'], 
            'L_AUCTION_OFFER_SELL_ON_FIRST' => $lang['auction_offer_sell_on_comment_short'], 
//            'L_AUCTION_OFFER_COMMENT' => $lang['auction_offer_comment_short'], 
            'L_AUCTION_OFFER_OFFERER' => $lang['auction_offer_offerer'], 
            'L_AUCTION_OFFER_DELETE' => $lang['auction_offer_delete'], 
            'L_AUCTION_OFFER_MARK_PAID' => $lang['auction_offer_function'], 
            'L_AUCTION_OFFER_DELETE' => $lang['auction_offer_delete'], 
            'L_AUCTION_OFFER_SORT_JUST_PAID' => $lang['auction_offer_sort_just_paid'], 
            'L_AUCTION_OFFER_SORT_JUST_NOT_PAID' => $lang['auction_offer_sort_just_not_paid'], 
            'L_ADMIN_AUCTION_OFFER_FIELD_EDIT' => $lang['admin_auction_offer_field_edit'], 
            'L_AUCTION_OFFER_TEXT' => $lang['auction_offer_text_short'], 
            'L_AUCTION_OFFER_ADMINS_UNCENSORED_TEXT' => $lang['auction_offer_admins_uncensored_text_short'], 
            'L_AUCTION_OFFER_COMMENT' => $lang['auction_offer_comment_short2'], 
          
            'L_COUPON_USER_CREATED' => $lang['coupon_user_created'], 
            'L_COUPON_DATE_USED' => $lang['coupon_date_used'], 
            'L_COUPNG_USER_USED'=> $lang['coupon_user_used'], 
            'L_COUPON_CREATE' => $lang['coupon_create'], 
            'L_CHOOSE_COUPON_TYPE' => $lang['coupon_choose_type'], 

            'S_AUCTION_COUPON_ACTION' => append_sid("admin_auction_coupon.$phpEx?mode=create"), 

            'COUPON_LIST_DD' => $coupon_list_dd, 
            'U_AUCTION_OFFER_SORT_TITLE' => append_sid("admin_auction_offer.$phpEx?sort=title"), 
            'U_AUCTION_OFFER_SORT_USERNAME' => append_sid("admin_auction_offer.$phpEx?sort=username"), 
            'U_AUCTION_OFFER_SORT_PAID' => append_sid("admin_auction_offer.$phpEx?sort=paid"),        
            'U_AUCTION_OFFER_SORT_JUST_PAID' => append_sid("admin_auction_offer.$phpEx?sort=just_paid"), 
            'U_AUCTION_OFFER_SORT_JUST_NOT_PAID' => append_sid("admin_auction_offer.$phpEx?sort=just_not_paid"), 
            'U_AUCTION_OFFER_SORT_TIME' => append_sid("admin_auction_offer.$phpEx"))); 


      $template->pparse("body"); 

The end result is that I can get an offer's original data to populate a form field, but if I try to edit/update the form with a new value (or just delete an existing value), I get this:

Couldn't update Admin's account changes. Please try again.

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' auction_offer_reserve_factor = ,

UPDATE phpbb_auction_offer SET auction_offer_title = '', auction_offer_text = '', auction_offer_admins_uncensored_text = '', auction_offer_comment = '', auction_offer_price_start = , auction_offer_reserve_factor = , auction_offer_direct_sell_price = , auction_offer_shipping_price = , auction_offer_special = 0, auction_offer_on_top = 0, auction_offer_bold = 0 WHERE PK_auction_offer_id = 333

Line : 451
File : admin_auction_offer.php

I can see that 4 values are being received, but the 3 zeros for the special, bold, on-top are actually non-responsive: even if I click them and try uploading, the 0 value gets passed.

One of my concerns is, have I placed the order of all these commands okay, or is my problem that the coding so far does not allow for an "upload" of data following its initial display? Looking at the coding for populating the template I'm also concerned if I'm calling up the data correctly: I think the template is only going to show the original auction data and nothing from the form field... I reached this mod site doing a search into "$template->assign_block_vars" versus "$template->assign_vars" because I started thinking maybe I need to use "assign_vars"...

Any help would be greatly appreciated!

[Obsidian]

Hi there. From what it seems to me, upon firing the SQL query you are using variables that are not set.

Additionally, you are pulling data right from $HTTP_POST_VARS, which is highly insecure and not recommended if you are using phpBB3. You'll want to read this if that is the case: http://wiki.phpbb.com/Request_var

[guyb]

Hi! Thanks for replying. Any feedback is helpful.

Regarding your comment about the SQL query and the variables, does it matter in what order the SQL call up and the $Template-> assign_block-vars is in?

I thought I had declared the variables further up in here:

Code: Select all

if ( empty($HTTP_GET_VARS['auction_offer_title']))
                      {
                     $auction_offer_title = $offer_rowset[$i]['auction_offer_title'];
                      }
else
                      {
                           $auction_offer_title = $HTTP_POST_VARS['auction_offer_title'];
                      }

so that this SQL callup would be valid:

Code: Select all

               $sql = "UPDATE " . AUCTION_OFFER_TABLE . "
                        SET auction_offer_title = '" . $auction_offer_title . "',

But until your reply, I was concerned that the $Template call up here

Code: Select all

                 $template->assign_block_vars('offer', array(
                     'L_AUCTION_OFFER_MARK_PAID' => $mark,
                     'U_AUCTION_OFFER_MARK_PAID' => $u_mark,

                     'AUCTION_OFFER_TITLE' => $offer_rowset[$i]['auction_offer_title'],

was referencing the variable incorrectly

the references to

Code: Select all

$offer_rowset[$i]['auction_offer_title']

relate to the auction item's originally entered variable (i.e. offer name)
whereas

Code: Select all

$HTTP_POST_VARS['auction_offer_title'];

should be that same variable read off from the form - and so possibly the edited/update version of that variable.

What confuses me about the order of the code is whether the template reading off the auction item's original title is preventing the template from subsequently displaying POST_VARS data if I edit/change the name.

I had tried declaring all the variables like so:

Code: Select all

     $auction_offer_title = ( isset($HTTP_POST_VARS['auction_offer_title']) ) ? $HTTP_POST_VARS['auction_offer_title'] : $offer_rowset[$i]['auction_offer_title'];

And then in the SQL calling them up like so:

Code: Select all

$sql = "UPDATE " . AUCTION_OFFER_TABLE . "
                        SET auction_offer_title = $auction_offer_title,

And finally populating the template like this:

Code: Select all

                 $template->assign_block_vars('offer', array(
                     'L_AUCTION_OFFER_MARK_PAID' => $mark,
                     'U_AUCTION_OFFER_MARK_PAID' => $u_mark,

                     'AUCTION_OFFER_TITLE' => $auction_offer_title,

..but all I saw were blank fields, and I still could not successfully make edits/updates - nothing was received.

[guyb]

What I'm trying to use (unsuccessfully) in the meantime is this:

my "mode" which is activated when clicking to edit/update the data fields:

Code: Select all

     if ( $mode == "admin_offer_edit" )
    {
    $total_offers = 0;
     while( $row = $db->sql_fetchrow($result) )
     {
         $offer_rowset[] = $row;
         $total_offers++;
     } // while
     $db->sql_freeresult($result);
     $offer_id = ( isset($HTTP_GET_VARS[POST_AUCTION_OFFER_URL]) ) ? $HTTP_GET_VARS[POST_AUCTION_OFFER_URL] : $HTTP_POST_VARS[POST_AUCTION_OFFER_URL];

     $auction_offer_title = ( isset($HTTP_POST_VARS['auction_offer_title']) ) ? $HTTP_POST_VARS['auction_offer_title'] : $offer_rowset[$i]['auction_offer_title'];
     $auction_offer_text = ( isset($HTTP_POST_VARS['auction_offer_text']) ) ? $HTTP_POST_VARS['auction_offer_text'] : $offer_rowset[$i]['auction_offer_text'];
     $auction_offer_admins_uncensored_text = ( isset($HTTP_POST_VARS['auction_offer_admins_uncensored_text']) ) ? $HTTP_POST_VARS['auction_offer_admins_uncensored_text'] : $offer_rowset[$i]['auction_offer_admins_uncensored_text'];
    $auction_offer_comment = ( isset($HTTP_POST_VARS['auction_offer_comment']) ) ? $HTTP_POST_VARS['auction_offer_comment'] : $offer_rowset[$i]['auction_offer_comment'];
    $auction_offer_price_start = ( isset($HTTP_POST_VARS['auction_offer_price_start']) ) ? $HTTP_POST_VARS['auction_offer_price_start'] : $offer_rowset[$i]['auction_offer_price_start'];
    $auction_offer_reserve_factor = ( isset($HTTP_POST_VARS['auction_offer_reserve_factor']) ) ? $HTTP_POST_VARS['auction_offer_reserve_factor'] : $offer_rowset[$i]['auction_offer_reserve_factor'];
    $auction_offer_direct_sell_price = ( isset($HTTP_POST_VARS['auction_offer_direct_sell_price']) ) ? $HTTP_POST_VARS['auction_offer_direct_sell_price'] : $offer_rowset[$i]['auction_offer_direct_sell_price'];
    $auction_offer_shipping_price = ( isset($HTTP_POST_VARS['auction_offer_shipping_price']) ) ? $HTTP_POST_VARS['auction_offer_shipping_price'] : $offer_rowset[$i]['auction_offer_shipping_price'];    
     $auction_offer_special = ( isset($HTTP_POST_VARS['offer_special']) ) ? ( ($HTTP_POST_VARS['offer_special']) ? TRUE : 0 ) : $HTTP_POST_VARS['offer_special'];    
     $auction_offer_on_top = ( isset($HTTP_POST_VARS['offer_on_top']) ) ? ( ($HTTP_POST_VARS['offer_on_top']) ? TRUE : 0) : $HTTP_POST_VARS['offer_on_top'];
     $auction_offer_bold = ( isset($HTTP_POST_VARS['offer_bold']) ) ? ( ($HTTP_POST_VARS['offer_bold']) ? TRUE : 0) : $HTTP_POST_VARS['offer_bold'];

And UPDATING sql like this:

Code: Select all

               
$sql = "UPDATE " . AUCTION_OFFER_TABLE . "
                SET auction_offer_title = '" . $auction_offer_title . "',
   auction_offer_text = '" . $auction_offer_text . "',
                auction_offer_admins_uncensored_text = '" . $auction_offer_admins_uncensored_text . "',
                auction_offer_comment = '" . $auction_offer_comment . "',
                auction_offer_price_start = '" . $auction_offer_price_start . "',
   auction_offer_reserve_factor = " . $auction_offer_reserve_factor . ",
                auction_offer_direct_sell_price = " . $auction_offer_direct_sell_price . ",
                auction_offer_shipping_price = " . $auction_offer_shipping_price . ",
   auction_offer_special = " . $auction_offer_special . ",
                auction_offer_on_top = " . $auction_offer_on_top . ",
                auction_offer_bold = " . $auction_offer_bold . "
WHERE PK_auction_offer_id = " . $offer_id . "";                  

(* some of the strings above are mediumint, varchar and decimal - but I'm not sure if I've written the code correctly. I no longer receive any sql errors even though nothing gets updated when I test the update link; I click the link, the page refreshes and all the data remains the same as before)

and populating the template like this:

Code: Select all

                 $template->assign_block_vars('offer', array(
                     'L_AUCTION_OFFER_MARK_PAID' => $mark,
                     'U_AUCTION_OFFER_MARK_PAID' => $u_mark,

                     'AUCTION_OFFER_TITLE' => $offer_rowset[$i]['auction_offer_title'],
                     'AUCTION_OFFER_ID' => $offer_rowset[$i]['PK_auction_offer_id'],
                     'AUCTION_OFFER_OFFERER' => $offer_rowset[$i]['username'],
                     'AUCTION_OFFER_VIEWS' => $offer_rowset[$i]['auction_offer_views'],
                     'AUCTION_OFFER_PRICE_START' => $offer_rowset[$i]['auction_offer_price_start'],

The link to update the fields references the mode above, and looks like this (in the SQL update):

Code: Select all

               'U_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),
               'S_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

When the function in the form was just a text link, it looked like this:

Code: Select all

<td class="row2"><a href="{offer.U_ADMIN_OFFER_EDIT}" class="gensmall">{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}</a></td>

Now that I've changed it to a button with "submit" it looks like this:

Code: Select all

        <td class="row2"><input type="submit" name="{offer.S_ADMIN_OFFER_EDIT}" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}"></td>

...but still, the process of editing/updating just doesn't work....

[Obsidian]

The odd thing is, looking at the error message returned from the DB is showing, has blank values for most of the fields.

Code: Select all

UPDATE phpbb_auction_offer SET auction_offer_title = '', auction_offer_text = '', auction_offer_admins_uncensored_text = '', auction_offer_comment = '', auction_offer_price_start = , auction_offer_reserve_factor = , auction_offer_direct_sell_price = , auction_offer_shipping_price = , auction_offer_special = 0, auction_offer_on_top = 0, auction_offer_bold = 0 WHERE PK_auction_offer_id = 333

It looks like some variables are not being set properly, or if they are, it is in an incorrect scope. What I would do is try adding this before the update SQL:

Code: Select all

die('<pre>' . var_dump($offer_rowset) . '</pre>');

See what you get for debug info.

[guyb]

Thanks! I'll try that line of code and see what happens...

If I may trouble you, I have a few more questions:

1.
From the lines of code you've seen so far in the various segments, do you see any glaring
mistakes in how I'm trying to define values or call them up?

I've been modding this mod (successfully till now) using coding formulations I see in the
mod, but there are so many variations there that I'm not sure I'm declaring things correctly...


2.
I'm working on a theory that maybe my problem has to do with where I'm executing the UPDATE of the SQL table. See if you can follow the logic:
- there is an "admin_auction_offer.php" file which displays present offers which have not been deleted
- there is an "admin_auction_table.tpl" file which displays this information; this is the file I changed into a form, and in its original style it was configured to allow sorting of the data by certain field names

- there is also a file called "auction_offer.php" and is the file where a customer would enter and upload an article for sale. This is the same file whereby bids are logged in and a certain text field can be edited/updated by the customer - it's the "heart" of the auction offers management.

My theory is, I'd originally decided that the correct place to have the sql UPDATE from the admin's screen would be that "admin_auction_offer.php" because the trigger to execute it would be from the ACP side.

But in light of the odd problem getting data updated and saved, I'm wondering if that execution should really be getting done in the "auction_offer" file. The only sql functionality originally in "admin_auction_offer.php" was in support of deleting a listing in its entirety or allowing to re-sort the data in a certain order.

If you think that I really should be doing the execution is the "auction_offer" file, and my call-up for the mode is presently:

Code: Select all

'S_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

How do I alter the URL there so I can call up the mode in "auction_offer.php", which is in a different directory altogether (base directory)? Originally I had scripted this, but is this okay:

Code: Select all

'S_ADMIN_OFFER_EDIT' => append_sid("../auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

* and would it be possible to reference a full URL in that code, starting with "http"?


3.
Someone who briefly glanced at my code yesterday pointed out that my .tpl file with the <form> fields lacked a input type="submit" command. Without realizing it, I'd been trying to execute the sql UPDATE with a reference to a mode only. That said, now that I've added the "submit", still nothing changes (that was before my posts above too).

Do you see anything wrong with the code for either my original non-submit link or the new submit button:

This is the text-link that I originally used:

Code: Select all

<td class="row2"><a href="{offer.U_ADMIN_OFFER_EDIT}" class="gensmall">{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}</a></td>

And it references this line in the $Template->assign_block_vars:

Code: Select all

'U_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

Which in turn references the mode shown in my earlier post.

What I used for input=submit is this:

Code: Select all

<input type="submit" name="{offer.S_ADMIN_OFFER_EDIT}" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}">

Which references this line in the $Template->assign_block_vars:

Code: Select all

'S_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

My concern here is, when I roll my mouse over the submit button I no longer see a snippet after the name of the mode, called "ao=[AUCTION-OFFER-NUMBER]" which references the item number; not that it helped before, but now without seeing that segment and only "session id" after the name of the mode, I'm concerned that the submit button has a built-in problem in that it may not be referencing the relevant item number at all. The "auction offer" number (ao) was being referenced by that prefix "offer." in callups like "offer.U_ADMIN_OFFER_EDIT"

Any replies by anyone would be much appreciated

[Obsidian]

I just looked at this bit here,

What I used for input=submit is this:

Code: Select all

<input type="submit" name="{offer.S_ADMIN_OFFER_EDIT}" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}">

Which references this line in the $Template->assign_block_vars:

Code: Select all

'S_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

My concern here is, when I roll my mouse over the submit button I no longer see a snippet after the name of the mode, called "ao=[AUCTION-OFFER-NUMBER]" which references the item number; not that it helped before, but now without seeing that segment and only "session id" after the name of the mode, I'm concerned that the submit button has a built-in problem in that it may not be referencing the relevant item number at all. The "auction offer" number (ao) was being referenced by that prefix "offer." in callups like "offer.U_ADMIN_OFFER_EDIT"

From what I see there, you're actually messing with the wrong thing there.

You shouldn't be using the submit value for the URI to submit to, you should be using that for the action param of the form tag in your HTML. I would suggest setting a template variable for that "auction offer" number and stuffing it into the form with a hidden type input.

Also, you may want to consider switching from phpBB2 sometime -- I heard from a little bird that someone on one of the phpBB Teams is working on a proof-of-concept for a vulnerability in phpBB2 that could not be patched due to the codebase (along with the fact that v2 is no longer supported).

[guyb]

Hi, to make sure I understand:

if my <form> is already referencing "S_ADMIN_OFFER_EDIT" here:

Code: Select all

<form enctype="multipart/form-data" method="post" action="{S_ADMIN_OFFER_EDIT}">

and "S_ADMIN_OFFER_EDIT" is really associated with this:

Code: Select all

'S_ADMIN_OFFER_EDIT' => append_sid("admin_auction_offer.$phpEx?mode=admin_offer_edit&" . POST_AUCTION_OFFER_URL . "=" . $offer_rowset[$i]['PK_auction_offer_id'] . ""),

then my "submit" would call that action up without me having to use "S_ADMIN_OFFER_EDIT" in my code as you saw above:

Code: Select all

<input type="submit" name="{offer.S_ADMIN_OFFER_EDIT}" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}">

All I would need then is a standard "submit" which with class="hidden" would send the auction_id? Example:

Code: Select all

<td class="row2"><input type="hidden" name="offer_id" value="{offer.AUCTION_OFFER_ID}" />
<input type="submit" name="mode" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}"></td>

where "offer_id" is the number of the specific offer and "mode" relates to the "admin_offer_edit" mode?

The phpbb2 issue is a problem to fix because *everything* I'm using there is phpbb2 with all the mods that go with it - forum, mx-publisher cms and this auction mod

[Obsidian]

Uhh, not sure what you are trying to do there with the value of the submit button, because submit only returns 1 or 0 for post submission -- value is only the text displayed for the button's visible label.
You may need another hidden input there for the mode.

[guyb]

If you were referring to this: "value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}"" that's just a preset text variable for the button. This mod uses that approach a lot instead of hardcoding a text phrase in the site pages.

[guyb]

the QA continues and I think the source of my problems is on the template/"submit" side, because sql debugging mode indicates no values I enter are being picked up - including now the critical offer id number.

Here's what I have for the relevant portion of the form:

Code: Select all

    <tr>

        <td class="row2"><input type="hidden" name="offer_id" value="{offer.AUCTION_OFFER_ID}" /><a href="{offer.U_AUCTION_OFFER_VIEW}" target="_blank" class="gensmall">{offer.AUCTION_OFFER_ID}</a></td>
        <td class="row2" align="center"><textarea rows="2" cols="30" class="post" type="text" name="auction_offer_title" maxlength="255" size="255" />{offer.AUCTION_OFFER_TITLE}</textarea></td>
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_price_start" size="10" maxlength="10" value="{offer.AUCTION_OFFER_PRICE_START}" /></td>
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_reserve_factor" size="10" maxlength="10" value="{offer.AUCTION_OFFER_RESERVE_FACTOR}" /></td>
<!--        <td class="row2" align="center">{offer.AUCTION_OFFER_RESERVE_FACTOR}</td> -->
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_direct_sell_price" size="10" maxlength="10" value="{offer.AUCTION_OFFER_DIRECT_SELL_PRICE}" /></td>
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_shipping_price" size="10" maxlength="10" value="{offer.AUCTION_OFFER_SHIPPING_PRICE}" /></td>
        <td class="row2" align="center">{offer.AUCTION_OFFER_PAID}</td>
        <td class="row2"><a href="{offer.U_AUCTION_OFFER_MARK_PAID}" class="gensmall">{offer.L_AUCTION_OFFER_MARK_PAID}</a></td>
        <td class="row2" align="center">{offer.AUCTION_OFFER_OFFERER}</td>
        <td class="row2" align="center">{offer.AUCTION_OFFER_VIEWS}</td>
        <td class="row2" align="center">{offer.AUCTION_OFFER_PICTURE}</td>
        <td class="row2" align="center"><input type="checkbox" name="offer_special" value="1" {offer.AUCTION_OFFER_SPECIAL_CHECKED}/></td>
        <td class="row2" align="center"><input type="checkbox" name="offer_bold" value="1" {offer.AUCTION_OFFER_BOLD_CHECKED} /></td>
        <td class="row2" align="center"><input type="checkbox" name="offer_on_top" value="1" {offer.AUCTION_OFFER_ON_TOP_CHECKED} /></td>
        <td class="row2" align="center">{offer.AUCTION_OFFER_SELL_ON_FIRST}</td>
<!--        <td class="row2" align="center">{offer.AUCTION_OFFER_COMMENT}</td> -->
        <td class="row2">{offer.AUCTION_OFFER_TIME_END}</td>
        <td class="row2"><a href="{offer.U_AUCTION_OFFER_DELETE}" class="gensmall">{L_AUCTION_OFFER_DELETE}</a></td>
        <td class="row2" align="center"><textarea rows="2" cols="40" class="post" type="text" name="auction_offer_text" maxlength="255" size="255" />{offer.AUCTION_OFFER_TEXT}</textarea></td>
        <td class="row2" align="center"><textarea rows="2" cols="40" class="post" type="text" name="auction_offer_admins_uncensored_text" maxlength="200" size="200" />{offer.AUCTION_OFFER_ADMINS_UNCENSORED_TEXT}</textarea></td>
        <td class="row2" align="center"><textarea rows="2" cols="40" class="post" type="text" name="auction_offer_comment" maxlength="255" size="255" />{offer.AUCTION_OFFER_COMMENT}</textarea></td>
      <td class="row2"><input type="hidden" name="mode" value="admin_offer_edit" />
      <input type="hidden" name="offer_id" value="{offer.AUCTION_OFFER_ID}" />
<!--      <input type="submit" name="submit" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}" /></td>      -->
      <input type="submit" name="{offer.U_ADMIN_OFFER_EDIT}" value="{L_ADMIN_AUCTION_OFFER_FIELD_EDIT}" /></td>
      
    </tr>

and here's what I see if I do "view source":

Code: Select all

    <tr>

        <td class="row2"><input type="hidden" name="offer_id" value="333" /><a href="../auction_offer_view.php?ao=333&amp;sid=edb2f62bf32402a7680d90459fd8748c" target="_blank" class="gensmall">333</a></td>
        <td class="row2" align="center"><textarea rows="2" cols="30" class="post" type="text" name="auction_offer_title" maxlength="255" size="255" />auction_offer_title</textarea></td>
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_price_start" size="10" maxlength="10" value="0.00" /></td>
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_reserve_factor" size="10" maxlength="10" value="0.00" /></td>
<!--        <td class="row2" align="center">0.00</td> -->
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_direct_sell_price" size="10" maxlength="10" value="0.00" /></td>
        <td class="row2" align="center"><input type="text" class="post" name="auction_offer_shipping_price" size="10" maxlength="10" value="0.00" /></td>
        <td class="row2" align="center">Not Paid</td>
        <td class="row2"><a href="admin_auction_offer.php?ao=333&mode=mark_paid&amp;sid=edb2f62bf32402a7680d90459fd8748c" class="gensmall">Mark PAID</a></td>
        <td class="row2" align="center">myname</td>
        <td class="row2" align="center">27</td>
        <td class="row2" align="center">X</td>
        <td class="row2" align="center"><input type="checkbox" name="offer_special" value="1" /></td>
        <td class="row2" align="center"><input type="checkbox" name="offer_bold" value="1"  /></td>
        <td class="row2" align="center"><input type="checkbox" name="offer_on_top" value="1"  /></td>
        <td class="row2" align="center"></td>
<!--        <td class="row2" align="center"></td> -->
        <td class="row2">03/05/2009 - 02:55:08</td>
        <td class="row2"><a href="admin_auction_offer.php?ao=333&mode=delete&amp;sid=edb2f62bf32402a7680d90459fd8748c" class="gensmall">Delete offer. No Undo!</a></td>
        <td class="row2" align="center"><textarea rows="2" cols="40" class="post" type="text" name="auction_offer_text" maxlength="255" size="255" />auction_offer_text</textarea></td>
        <td class="row2" align="center"><textarea rows="2" cols="40" class="post" type="text" name="auction_offer_admins_uncensored_text" maxlength="200" size="200" />auction_offer_admins_uncensored_text</textarea></td>
        <td class="row2" align="center"><textarea rows="2" cols="40" class="post" type="text" name="auction_offer_comment" maxlength="255" size="255" /></textarea></td>
      <td class="row2"><input type="hidden" name="mode" value="admin_offer_edit" />
      <input type="hidden" name="offer_id" value="333" />
<!--      <input type="submit" name="submit" value="Upload Edit" /></td>      -->
      <input type="submit" name="admin_auction_offer.php?mode=admin_offer_edit&ao=333&amp;sid=edb2f62bf32402a7680d90459fd8748c" value="Upload Edit" /></td>

    </tr>

What is odd is this: if you look at the last 4 lines of code, there is 1 I commented out because written as it was it didn't appear to catch the all important "ao=" (auction_id number) part which would tell sql which entry to update; in the 4th line I replaced "name=submit" with the pre-coded URL for the item and I can see that it does catch that "ao=" part - but on debugging that field appears blank:

Code: Select all

Couldn't update Admin's account changes. Please try again.

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ' auction_offer_price_start = 0.00,

UPDATE phpbb_auction_offer SET auction_offer_title = auction_offer_title, auction_offer_text = auction_offer_text, auction_offer_admins_uncensored_text = auction_offer_admins_uncensored_text, auction_offer_comment = , auction_offer_price_start = 0.00, auction_offer_reserve_factor = 0.00, auction_offer_direct_sell_price = 0.00, auction_offer_shipping_price = 0.00, auction_offer_special = 1, auction_offer_on_top = , auction_offer_bold = WHERE PK_auction_offer_id = ''

Line : 457
File : admin_auction_offer.php

In my earlier tests, even when I received this exact same debugging error, when I didn't have a "submit" function and only a text link to the mode, the debugger did show the auction_offer_id at the end, but now that I've added a submit function it doesn't catch it - I'm even passing the individual offer id number as a hidden type in a separate input command, above the "submit" code, but it doesn't make a difference.

In the attached screenshot, when I mouseover the "submit" button you see that the URL displayed lacks the "ao=" segment as well. It also doesn't include any reference to the "mode" function, which we do see in "view source". As a result, it may be that my "mode" isn't being executed at all, hence no form fields are being updated. Much of my form coding is even based on what I see on other phpbb form pages (like profile.php)... any ideas?

[Obsidian]

Hmmm...I really don't have enough experience with phpBB2 coding methods, so I would suggest you try going to this site, http://www.phpbb2refugees.com/

[guyb]

Thanks for the suggestions above anyway - everything helps. I've posted my question at the site above and also at phpbbhacks.


Separately, would you be able to tell me what is the difference between this (from profile.php):

Code: Select all

if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
{
   $mode = ( isset($HTTP_GET_VARS['mode']) ) ? $HTTP_GET_VARS['mode'] : $HTTP_POST_VARS['mode'];
   $mode = htmlspecialchars($mode);

and this (from the auction offer php):

Code: Select all

     if( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) )
          {
               $mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
               $mode = htmlspecialchars($mode);
          }
     else
          {
               $mode = "";
          } // if

They are written in opposite ways but I don't understand how they would work. I'm exploring different things I could try doing to get my "mode" to work and I see both of these in use on the phpbb pages....

[Obsidian]

It looks like the second example initializes $mode if the appropriate GET or POST var isn't set anyways, which is actually a smart thing to do (as it is error-proofing that way), however the code itself isn't quite so clean and (if this were in phpBB3) could be a lot easier to read.