Turn an number negative

I am sure this is fairly simple but I am not getting it. I need disQty to be negative. The user using the preceding, simple, html from must input a positive number. Any help please.

Multiply the value by -1. You can't perform multiplication inside {} in a string, you need to use normal concatenation instead; ie "string" . (expression) . "string"

FYI Your code contains SQL injection vulnerabilities.

... and several other bad practices like this "or die()" stuff and reconnecting to the database for every single row (why do you even do that?).

Check the link in my signature and throw away whatever tutorial or book you got those code patterns from.

Okay, I have tried this and it is still positive.

INSERT INTO exchInv (exchInvItemID,exchQty) VALUES ('{$pulledItem[$i]}','$disQty[$i] * -1')

Okay thank you for the feedback. Ill make some changes but in the case of reconnecting to the database what has happened before is a never ending loop inserting the first row until the database with my isp shuts down.

Have you read what E-Oreo said about string concatenation and that you can't do multiplication inside a string?





Well, then you should fix that rather than use strange workarounds. Going through the whole start-up procedure again and again is a performance killer and also stresses your server, so it's really not something you should have in your code.

What you could try is build the query up and then insert all values at once.

Oh okay, I will do that. I did read what E-Oreo said and I got it but just didn't get it. I did however figure it out by your re-explanation. Code listed below. Also, is trigger_error is more acceptable rather than or die?

Yes! Because that actually generates an error, which can be turned off later, redirected to a log file etc.

A die() just dumps its output on the page, not matter if it's you testing the code on your local server or your users visiting your live site. Query errors expose a lot of the internal database code, so they can be used to launch attacks specifically on weak parts of the code.

In conjunction with the injection vulnerabilities (which are still there), I fear your website wouldn't last very long. There are automated tools for this, so it doesn't even have to be a genius "hacker".

Why not just convert it when you read in the positive number? Like so:

$disQty = -(abs($_POST['disQty']));

Jim

I will address the vulnerabilities. 90% of the database is set to INT and this is not a public site.

That makes no difference. The point is that your queries can be manipulated by whoever happens to visit the site. If you check testing tools like sqlmap, you'll realize those vulnerabilities can compromise your whole server. So even if you don't give a damn about your data, I'm pretty sure you do care about your server.





I know, there are a thousand justifications for unsecure code (it's a private site, it's just for testing, we'll rewrite everything later and so on).

But, seriously: Aren't those just excuses? Security isn't "only" about protecting yourself against evil hackers, it's also about correct code. Using unescaped variables is technically wrong, because the whole thing will blow up as soon as the input happens to contain characters like quotes, slashes, hyphens etc. So you don't even need an actual attacker, who does this on purpose.

To put it bluntly: security holes are bugs, even if nobody has noticed them yet.

I understand that you might have to deal with a lot of legacy code you cannot possibly rewrite. But at least for new features, it might be a good idea to be conscious of those issues and do it properly.