Ok so I have this JavaScript:

// Builds the request URL from the two ids and fires it through the
// page's existing XMLHttpRequest helpers (GetXmlHttpObject / xmlHttp_Get,
// not shown here); stateChangeHandler receives the response.
function getpreconfigproducts(str1, str2)
{
    var url = "ajax_preconfig_products.php?";
    url = url + "id=" + encodeURIComponent(str1) + "&cid=" + encodeURIComponent(str2);
    xmlHttp = GetXmlHttpObject(stateChangeHandler);
    xmlHttp_Get(xmlHttp, url);
    return false; // stop the default form submit / link navigation
}

and it calls this PHP:

<?php
if ($_GET['id'] != '')
{
    // $_GET['id'] is concatenated straight into the SQL text here;
    // the answers below explain why this is an injection point.
    $sql = "SELECT * FROM productinfo WHERE ProductID=" . $_GET['id'] . " AND Status=1";
    $pro = ExecuteGetRows($sql);
?>
<p>Qty: <input type="input" name="qty[]" id="fpro[]" value="1" style="width:15px; margin-top:-3px;" /> <label><?php echo $pro[0]['ProductName']; ?></label> </p>
<?php
    // Marker and product id appended after the markup so the
    // response handler can split the two apart.
    echo "^_^";
    echo "," . $pro[0]['ProductID'];
} ?>

which generates this:

<div class="fields">
<h2>Final Products</h2>
<p id="finalproductsid">
  <p>Qty: <input name="qty[]" id="fpro[]" value="1" style="width: 15px; margin-top: -3px;" type="input"> <label>FIREBOX S5510 15</label> </p>
  <p>Qty: <input name="qty[]" id="fpro[]" value="1" style="width: 15px; margin-top: -3px;" type="input"> <label>FIREBOX S5510 15</label> </p>
</p>
</div>

The problem is that if a user changes the input qty[] to, say, 5 and adds another product, it reverts back to 1. Any ideas how I can address this?

+1  A: 

Aside from all the SQL injection stuff mentioned already, I think I might know what your problem is. Tell me if I understand your script:

  1. User clicks an 'add product' button
  2. Button fires an AJAX request to the PHP script above
  3. The PHP script generates some HTML
  4. Somehow (?) the generated HTML gets displayed
  5. The values of all of the other product fields in the form revert back to one

I'm assuming #4 is where the problem (#5) is occurring. Depending on how you append the HTML to the form, the input fields will sometimes revert. For instance:

// Reverts all form inputs to default: the browser re-serialises the form's
// markup (which only knows value="1") and re-parses it, so typed values are lost.
myForm.innerHTML += "<input name='new_input'/>";

// Keeps current input values: existing nodes are untouched, one node is added.
var newNode = document.createElement('input');
newNode.name = 'new_input';
myForm.appendChild(newNode);

May I suggest that, instead of appending a string of HTML, you create the HTML with JavaScript, getting the product name/id through an AJAX request.

I don't quite understand how your script is working though. As far as my limited knowledge goes, the PHP isn't displaying onto the current page, but echoing to the AJAX's response text. Is there something more, or is it just me?

Azmisov
+1  A: 

Re: Where is the SQL injection?

This answer is in response to the OP's comment asking about the SQL injection error.

Note the line:

$sql="SELECT * FROM productinfo WHERE ProductID=".$_GET['id']." AND Status=1";

The error is that the incoming HTML value for "id" is not properly escaped. You're expecting that it will contain an integer or nothing. But if a hacker sent something like

1;truncate users;select * from users where id=1

as the value of id, you'd end up with the SQL statement:

$sql="SELECT * FROM productinfo WHERE ProductID=1;truncate users;select * from users where id=1 AND Status=1";

The right way is to ALWAYS ALWAYS ALWAYS properly escape or untaint any data coming in to the program. For PHP MySQL DBMS queries (manual):

// ProductID is numeric, so untaint the value by coercing it to an integer:
// %d can only ever emit digits. %s with mysql_real_escape_string() is not
// enough for an unquoted numeric field, because a value without quote
// characters passes through the escaping unchanged. (The mysql_* functions
// are removed in PHP 7; use mysqli or PDO prepared statements there.)
$sql = sprintf("SELECT * FROM productinfo WHERE ProductID=%d AND Status=1",
      (int) $_GET['id']);

Notes:

  • For databases other than MySQL, there are other PHP techniques. See the docs.
Larry K
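The two answers above point at two separate fixes: bind the id as a number so it cannot alter the query (Larry K), and hand the client data rather than markup so it can add the row with createElement/appendChild instead of innerHTML += (Azmisov). The script below is an added example, not the original poster's code or either answerer's: a rewritten ajax_preconfig_products.php that validates the id as a positive integer, runs the query through a PDO prepared statement, and returns JSON. Table and column names are the ones from the question; the DSN and credentials are placeholders, and the unused cid parameter is dropped.

```php
<?php
// Added example (not the original script): hardened ajax_preconfig_products.php.
// (a) The id is validated as an integer and bound as a parameter, so no value of
//     $_GET['id'] can change the structure of the SQL statement.
// (b) The response is JSON, so the page can build the new <p> with DOM methods
//     and keep the quantities the user already typed into the other rows.

header('Content-Type: application/json; charset=utf-8');

// 1. Validate: only a positive integer is accepted; anything else is rejected
//    before the database is touched.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    echo json_encode(['error' => 'id must be a positive integer']);
    exit;
}

// 2. Query with a bound parameter; the SQL text itself never contains user input.
//    DSN and credentials are placeholders for this example.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);
$stmt = $pdo->prepare(
    'SELECT ProductID, ProductName FROM productinfo WHERE ProductID = :id AND Status = 1'
);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    echo json_encode(['error' => 'no active product with that id']);
    exit;
}

// 3. Return data, not markup. json_encode() escapes the product name, and the
//    client should assign it with textContent, so a name containing "<" or
//    quotes cannot be interpreted as HTML.
echo json_encode([
    'id'   => (int) $row['ProductID'],
    'name' => $row['ProductName'],
]);
```

On the client, the response handler parses the JSON, creates the `<p>`, `<input name="qty[]">` and `<label>` with document.createElement, sets the label's textContent to the returned name, and appends the `<p>` to the #finalproductsid container with appendChild. That is the path Azmisov describes: the existing input nodes are left alone, so their current values survive, whereas `container.innerHTML += ...` re-parses the container's markup and resets every input to its value="1" attribute.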