When my PHP page posts values back to itself to update a record, I check whether the posted value is above or below predefined thresholds. I then call an error page which displays the error message and lets the user press OK, which passes them back to the same page.
Example: $r_size_mm = 3.6
[php]
if (isset($_POST['edit_x']))
{
    $r_recon_id = $_POST['recon_id'];
    $r_site = mysqli_real_escape_string($db, $_POST['site']);
    if (strlen($r_site) > 40)
        fail('Site too long (MAX : 40 characters)', 'W');   // fail() is defined elsewhere (not shown)
    $r_side = $_POST['side'];
    $r_size_mm = mysqli_real_escape_string($db, $_POST['size_mm']);
    $r_size_mm = number_format($r_size_mm, 2, '.', '');     // returns a string, e.g. "3.60"
    if ($r_size_mm < 4.0)
        fail('Size too small (MIN : 4.0 mm )', 'W');
    if ($r_size_mm > 15.0)
        fail('Size too high (MAX : 15.0 mm )', 'W');
    $r_comp = mysqli_real_escape_string($db, $_POST['comp']);
    if (strlen($r_comp) > 128)
        fail('Complication too long (MAX : 128 characters)', 'W');
    $r_id = $_POST['r_id'];

    // Update statement; reached whenever execution continues past the checks above
    ($e_stmt = $db->prepare('update reconstructions set recon_type_id = ?, site = ?, side = ?, size_mm = ?, complications = ? where reconstruction_id = ?'))
        || fail('MySQL prepare', 'C', $db->error);
    $e_stmt->bind_param('issdsi', $r_recon_id, $r_site, $r_side, $r_size_mm, $r_comp, $r_id)
        || fail('MySQL bind_param', 'C', $db->error);
    $e_stmt->execute()
        || fail('MySQL execute', 'C', $db->error);
    $e_stmt->close();
}
[/php]
Below this code I have an update statement to a MySQL database that updates the columns for the record, but this shouldn't get executed if the above condition is true.
The error page is called with the correct error and then sends the user back to the original page so they can correct their error.
[php]
if (isset($_POST['ok']))
{
    // Warnings and informational errors return the user to the originating page
    if ($_SESSION['ErrorSev'] == 'W' || $_SESSION['ErrorSev'] == 'I')
    {
        session_write_close();
        header("Location: " . $_SESSION['webpage']);
    }
    else
    {
        // Critical errors end the session and send the user back to login
        session_destroy();
        header("Location: login.html");
    }
}
[/php]
When it passes back to the page it was triggered from, I notice that the record has been updated with the value I was trying to stop.
I'm trying to understand how this happens, and what I can do to stop this from happening.
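The following is an added example, not the original poster's code, of how the edit handler can be structured so that a failed threshold check cannot fall through to the UPDATE. The key PHP fact is that header('Location: ...') only queues a response header; it does not stop the script, so a fail() helper that sets session state and sends a redirect but never calls exit returns to its caller and the rest of the handler, including the prepared UPDATE, still runs. The fail() body below is assumed (the poster's is not shown), as are the error.php filename, the $_SESSION keys, the mysqli connection in $db and PHP 8 (for the array|string return type). The table and column names are taken from the poster's query.

```php
<?php
// Added example (not the poster's code). Assumes a mysqli connection in $db,
// an error page at error.php and the $_SESSION keys shown below.
declare(strict_types=1);

// Hypothetical fail(): records the error, redirects to the error page and,
// crucially, stops the script. header() alone never ends execution; without
// exit, PHP continues with the code after the call, including the UPDATE.
function fail(string $message, string $severity, string $detail = ''): void
{
    $_SESSION['ErrorMsg']    = $message;
    $_SESSION['ErrorSev']    = $severity;
    $_SESSION['ErrorDetail'] = $detail;
    $_SESSION['webpage']     = $_SERVER['REQUEST_URI'] ?? '/';
    session_write_close();
    header('Location: error.php');   // assumed filename
    exit;                            // nothing after this line runs
}

// Validate the posted fields and return clean, typed values.
// Returns an error message on the first failure, or an array of values on success.
function validate_reconstruction(array $post): array|string
{
    foreach (['recon_id', 'site', 'side', 'size_mm', 'comp', 'r_id'] as $k) {
        if (!isset($post[$k])) {
            return "Missing field: $k";
        }
    }
    $recon_id = filter_var($post['recon_id'], FILTER_VALIDATE_INT);
    $r_id     = filter_var($post['r_id'], FILTER_VALIDATE_INT);
    if ($recon_id === false || $r_id === false) {
        return 'Invalid record id';
    }
    $site = trim((string) $post['site']);
    if (mb_strlen($site) > 40) {
        return 'Site too long (MAX : 40 characters)';
    }
    $side = (string) $post['side'];

    // Check that the size is numeric first, then range-check the float.
    // number_format() returns a string and silently turns "abc" into "0.00";
    // filter_var() rejects non-numeric input instead.
    $size = filter_var($post['size_mm'], FILTER_VALIDATE_FLOAT);
    if ($size === false) {
        return 'Size is not a number';
    }
    if ($size < 4.0) {
        return 'Size too small (MIN : 4.0 mm )';
    }
    if ($size > 15.0) {
        return 'Size too high (MAX : 15.0 mm )';
    }
    $comp = trim((string) $post['comp']);
    if (mb_strlen($comp) > 128) {
        return 'Complication too long (MAX : 128 characters)';
    }
    return [
        'recon_id' => $recon_id,
        'site'     => $site,
        'side'     => $side,
        'size_mm'  => round($size, 2),
        'comp'     => $comp,
        'r_id'     => $r_id,
    ];
}

if (isset($_POST['edit_x'])) {
    $v = validate_reconstruction($_POST);
    if (is_string($v)) {
        fail($v, 'W');           // exits, so the UPDATE below cannot run
    }

    // Bound parameters need no mysqli_real_escape_string(); escaping a value
    // that is then bound only changes what gets stored.
    $sql = 'update reconstructions set recon_type_id = ?, site = ?, side = ?, '
         . 'size_mm = ?, complications = ? where reconstruction_id = ?';
    ($e_stmt = $db->prepare($sql)) || fail('MySQL prepare', 'C', $db->error);
    $e_stmt->bind_param('issdsi', $v['recon_id'], $v['site'], $v['side'],
                        $v['size_mm'], $v['comp'], $v['r_id'])
        || fail('MySQL bind_param', 'C', $e_stmt->error);
    $e_stmt->execute() || fail('MySQL execute', 'C', $e_stmt->error);
    $e_stmt->close();
}
```

The same rule applies to the OK handler on the error page: follow each header("Location: ...") with exit so that no code after the redirect runs for that request. Note also that the poster's string comparison ("3.60" < 4.0) does evaluate as numeric in PHP, so the threshold test itself fires; what matters is what happens after fail() returns.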