Creating an Edit page.

Discussion in 'Web Design and Development' started by Cabbit, Jul 7, 2007.

  1. Cabbit macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #1
    Hi, I have a database with stories in it and the user can upload, but I can't work out how to get the edit function to update the database.

    The form
    Code:
    <?php
    $host = "";
    $username = "";
    $password = "";
    $database = "";
    $server = mysql_connect($host, $username, $password);
    $db = mysql_select_db($database, $server);

    // $id comes straight from the query string and goes into the SQL
    // unescaped (see replies #4 and #5 below)
    $id = $_GET['id'];
    $sql = mysql_query("SELECT * FROM `storys` WHERE id = $id");
    $row = mysql_fetch_row($sql);
    ?>
    <form name="story" action="edit/story_edit_uploader.php?id=<?php print $id; ?>" method="post">
    <table width="100%" border="0" cellspacing="0" cellpadding="4">
      <tr>
        <td class="story_title">Edit your story</td><td class="story_title"></td>
      </tr>
      <tr>
        <td class="green">Poster</td>
        <td><div align="right">
          <!-- a disabled control is never submitted, so the uploader will not receive "poster" -->
          <input type="text" name="poster" value="<?php print htmlspecialchars($row[1]); ?>" disabled="disabled" />
        </div></td>
      </tr>
      <tr>
        <td class="green">Author</td>
        <td><div align="right">
          <!-- htmlspecialchars() stops a quote in the stored value from ending the attribute -->
          <input type="text" name="author" value="<?php print htmlspecialchars($row[2]); ?>" />
        </div></td>
      </tr>
      <tr>
        <td class="green">Title</td>
        <td><div align="right">
          <input type="text" name="title" value="<?php print htmlspecialchars($row[3]); ?>" />
        </div></td>
      </tr>
      <tr>
        <!-- a textarea has no value attribute: its initial text goes between the tags.
             nl2br() is left out here because it would write <br /> tags back into the body on save -->
        <td colspan="2"><textarea name="body" cols="80" rows="40"><?php print htmlspecialchars($row[4]); ?></textarea></td>
      </tr>
      <tr>
        <td><input name="bn_submit" type="submit" value="Submit Edit" /></td>
        <td> </td>
      </tr>
    </table>
    </form>

    The uploader

    Code:
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Upload</title>
    <meta http-equiv="Refresh" content="1;URL=../stories.php" />
    </head>
    <body>
    <?php
    //story upload
    $host = "mysql10.streamline.net";
    $username = "";
    $password = "";
    $database = "";
    $server = mysql_connect($host, $username, $password);
    $db = mysql_select_db($database, $server);

    //grab data from form: only id is in the query string, the rest is POSTed,
    //and the disabled "poster" field is not submitted at all, so $poster stays empty
    $id = $_GET['id'];
    $poster = isset($_GET['poster']) ? $_GET['poster'] : '';
    $author = $_POST['author'];
    $title = $_POST['title'];
    $body = $_POST['body'];

    //this INSERTs a new row instead of changing the existing one, which is why
    //the edit never shows up; the values are also concatenated in unescaped
    //(see replies #4 and #5 below)
    $sql_phrase = "INSERT INTO `storys` (`id`, `poster`, `author`, `title`, `body`) VALUES ('$id', '$poster', '$author', '$title', '$body')";
    $sql = mysql_query($sql_phrase);
    if (!$sql) {
        echo "There was an error, please try again.";
        print mysql_error();
    } else {
        echo "uploaded";
    }
    ?>
    </body>
    </html>
    
     
  2. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #2
    Still no go, sorry, I'm really on the basics with MySQL queries.
    Code:
    $id = $_GET['id'];
    $poster = $_POST['poster'];
    $author = $_POST['author'];
    $title = $_POST['title'];
    $body = $_POST['body'];

    $server = mysql_connect($host, $username, $password);
    $db = mysql_select_db($database, $server);
    //single quotes do not interpolate variables, so MySQL receives the literal
    //text "$body" and "$id"; the body value is not quoted as a string either
    $query = 'UPDATE storys SET body=$body WHERE id=$id;';
    $sql = mysql_query($query);
    if (!$sql) {
        echo "There was an error, please try again.";
        print mysql_error();
    } else {
        echo "uploaded";
    }
    ?>
     
  3. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #3
    OK, I have made it all work perfectly now.

    Code:
    //grab data from form
    $id = $_GET['id'];
    $author = $_POST['author'];
    $title = $_POST['title'];
    $body = $_POST['body'];

    $server = mysql_connect($host, $username, $password);
    $db = mysql_select_db($database, $server);
    //double quotes interpolate the values; they are still put into the SQL
    //unescaped (see replies #4 and #5 below)
    $query = "UPDATE `storys` SET body = '$body', title = '$title', author = '$author' WHERE id = '$id'";
    //test the query result, not the query string, which is always non-empty
    $sql = mysql_query($query);
    if (!$sql) {
        echo "There was an error, please try again.";
        print mysql_error();
    } else {
        echo "uploaded";
    }
    ?>
    
     
  4. ppc_michael Guest

    ppc_michael

    Joined:
    Apr 26, 2005
    Location:
    Los Angeles, CA
    #4
    Just a side note: you might want to use addslashes() on your $_POST stuff to escape any quotation marks the user types. Otherwise it could wreak havoc on your SQL queries.
     
  5. CoreWeb macrumors 6502

    Joined:
    Mar 2, 2007
    Location:
    Edge of reason
    #5
    Actually, you should use mysql_real_escape_string() on all strings which you are passing into MySQL queries, and either use intval() on any number or use another method of checking that it is indeed a number. Otherwise, security concerns galore...

    In addition, if ID is numeric (and the field in the database is numeric), it would be best to not put quotes around it. But again, you must use intval() on the number to make sure it actually is a number, otherwise a hacker could basically insert whatever SQL code they wanted instead of the actual number.
     
  6. Cabbit thread starter macrumors 68020

    Cabbit

    Joined:
    Jan 30, 2006
    Location:
    Scotland
    #6
    Is that all I need to do to secure PHP code? I need to work on how to implement that.
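
    Added example, not code from the thread or from any of its posters: the UPDATE from reply #3 rewritten with the checks CoreWeb describes in reply #5 (intval() on the id, mysql_real_escape_string() on every string, no quotes around the integer), next to a small helper that shows what the original interpolation hands to MySQL for a hostile title. It assumes a `storys` table with an integer `id` and string `author`, `title` and `body` columns, an already-open connection, and that the caller has checked the logged-in user is allowed to edit story `$id`; none of that is on the page. The PDO version at the end goes beyond the thread's advice: ext/mysql was removed in PHP 7, and a prepared statement sends SQL and values separately so there is no escaping step to forget.

```php
<?php
// Added example (not from the thread). Assumed: table `storys` with integer
// `id` and string `author`, `title`, `body`; connection already opened; the
// caller has already verified that this user may edit story $id.

// What reply #3's interpolation hands to MySQL for a hostile title. The
// value closes the string literal, adds its own SET and WHERE, and comments
// out the real WHERE, so a request with id=5 rewrites story 1 instead.
function vulnerable_query($id, $title)
{
    return "UPDATE `storys` SET title = '$title' WHERE id = '$id'";
}
// vulnerable_query('5', "x', body = 'pwned' WHERE id = '1' -- ") returns
// UPDATE `storys` SET title = 'x', body = 'pwned' WHERE id = '1' -- ' WHERE id = '5'

// PHP 5 / ext/mysql, as the thread uses it: intval() on the number, the
// connection-aware escaper on every string, and no quotes around the integer.
function legacy_update_story($link, array $get, array $post)
{
    // "5 OR 1=1" becomes 5, so a hostile id can no longer widen the WHERE
    $id = isset($get['id']) ? intval($get['id']) : 0;
    if ($id <= 0) {
        return false;          // not a usable story id, so no query at all
    }
    // mysql_real_escape_string() knows the connection's character set;
    // addslashes() does not, which is why reply #5 prefers it.
    $author = mysql_real_escape_string(isset($post['author']) ? $post['author'] : '', $link);
    $title  = mysql_real_escape_string(isset($post['title'])  ? $post['title']  : '', $link);
    $body   = mysql_real_escape_string(isset($post['body'])   ? $post['body']   : '', $link);

    $query = "UPDATE `storys` SET body = '$body', title = '$title', author = '$author' WHERE id = $id";
    return mysql_query($query, $link) !== false;
}

// PHP 7 and later: ext/mysql no longer exists. A prepared statement sends the
// SQL text and the values separately, so the server never parses user input
// as SQL and no escaping call can be forgotten.
function pdo_update_story(PDO $pdo, array $get, array $post)
{
    $id = filter_var(isset($get['id']) ? $get['id'] : null, FILTER_VALIDATE_INT);
    if ($id === false || $id <= 0) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE `storys` SET body = :body, title = :title, author = :author WHERE id = :id'
    );
    $stmt->bindValue(':body',   isset($post['body'])   ? $post['body']   : '', PDO::PARAM_STR);
    $stmt->bindValue(':title',  isset($post['title'])  ? $post['title']  : '', PDO::PARAM_STR);
    $stmt->bindValue(':author', isset($post['author']) ? $post['author'] : '', PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Usage from story_edit_uploader.php, PDO version (connection values are
// placeholders, as in the thread):
// $pdo = new PDO("mysql:host=$host;dbname=$database;charset=utf8mb4", $username, $password,
//                array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                      PDO::ATTR_EMULATE_PREPARES => false));
// echo pdo_update_story($pdo, $_GET, $_POST) ? "uploaded" : "There was an error, please try again.";
```

    With PDO::ATTR_EMULATE_PREPARES set to false the MySQL server itself parses the statement before it ever sees the bound values; leaving it on makes PDO quote the values client-side, which still works but depends on the connection charset being set in the DSN. Either way the id check stays, because a valid integer is a precondition of the query, not something binding can supply.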
     
