
Cabbit

macrumors 68020
Original poster
Jan 30, 2006
2,128
1
Scotland
Hi, I have a database with stories in it and the user can upload, but I can't work out how to get the edit function to update the database.

The form
Code:
<?php
$host = "";
$username = "";
$password = "";
$database = "";
$server = mysql_connect($host, $username, $password);
$connection = mysql_select_db($database, $server);
$db = mysql_select_db($database, $server);

$id = $_GET['id'];
$sql = mysql_query("SELECT * FROM `storys` WHERE id = $id");
$row = mysql_fetch_row($sql);
?>
<form name="story" action="edit/story_edit_uploader.php?id=<?php print $id?>" method="post">
<table width="100%" border="0" cellspacing="0" cellpadding="4">
  <tr>
    <td class="story_title">Edit your story</td><td class="story_title"></td>
	</tr>
	<tr>
    <td class="green">Poster</td>
    <td><div align="right">
      <input type="text" name="poster" value="<? print "$row[1]"; ?>" disabled="disabled" />
    </div></td>
  </tr>
  <tr>
    <td class="green">Author</td>
    <td><div align="right">
      <input type="text" name="author" value="<? print "$row[2]"; ?>" />
    </div></td>
  </tr>
  <tr>
    <td class="green">Title</td>
    <td><div align="right">
      <input type="text" name="title" value="<? print "$row[3]"; ?>" />
    </div></td>
  </tr>
  <tr>
    <td colspan="2"><textarea name="body" cols="80" rows="40" value="<?php
print nl2br($row[4]);?>" ></textarea></td>
  <tr>
    <td><input name="bn_submit" type="submit" value="Submit Edit" /></td>
    <td> </td>
  </tr>
</table>
</form>


The uploader

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Upload</title>
<meta http-equiv="Refresh" content="1;URL=../stories.php" />
</head>
<body>
<?php
//story upload
$host = "mysql10.streamline.net";
$username = "";
$password = "";
$database = "";
$server = mysql_connect($host, $username, $password);
$connection = mysql_select_db($database, $server);

//grab data from form
$id = $_GET['id'];
$poster = $_GET['poster'];
$author = $_POST['author'];
$title = $_POST['title'];
$body = $_POST['body'];

$server = mysql_connect($host, $username, $password);
$db = mysql_select_db($database, $server); 
$sql_phrase = 'INSERT INTO `storys` (`id`, `poster`, `author`, `title`, `body`) VALUES (\''.$id.'\, \''.$poster.'\', \''.$author.'\', \''.$title.'\', \''.$body.	'\');';
$sql = mysql_query($sql_phrase);
if(!$sql) {
echo "There was an error, please try again.";
print mysql_error();
} 
else 
echo "uploaded";
?> 
</body>
</html>
 
Still no go, sorry, I'm really on the basics with MySQL queries.
Code:
$id = $_GET['id'];
$poster = $_POST['poster'];
$author = $_POST['author'];
$title = $_POST['title'];
$body = $_POST['body'];

$server = mysql_connect($host, $username, $password);
$db = mysql_select_db($database, $server); 
$query = 'UPDATE storys SET body=$body WHERE id=$id;'
mysql_query($query) or die('Error, query failed');
if(!$sql) {
echo "There was an error, please try again.";
print mysql_error();
} 
else 
echo "uploaded";
?>
 
OK, I have made it all work perfectly now.

Code:
//grab data from form
$id = $_GET['id'];
$author = $_POST['author'];
$title = $_POST['title'];
$body = $_POST['body'];

$server = mysql_connect($host, $username, $password);
$db = mysql_select_db($database, $server); 
$query = "UPDATE `storys` SET body = '$body', title = '$title', author = '$author' WHERE id = '$id'";
mysql_query($query) or die('Error, query failed');
if(!$query) {
echo "There was an error, please try again.";
print mysql_error();
} 
else 
echo "uploaded";
?>
 
Just a side note: you might want to use addslashes() on your $_POST stuff to escape any quotation marks the user types. Otherwise it could wreak havoc on your SQL queries.
 
Actually, you should use mysql_real_escape_string() on all strings which you are passing into MySQL queries, and either use intval() on any number or use another method of checking that it is indeed a number. Otherwise, security concerns galore...

In addition, if ID is numeric (and the field in the database is numeric), it would be best to not put quotes around it. But again, you must use intval() on the number to make sure it actually is a number, otherwise a hacker could basically insert whatever SQL code they wanted instead of the actual number.
 
Is that all I need to do to secure PHP code? I need to work on how to implement that.
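
One way to implement the advice in the replies above, as an added example that is not code from the thread or from any poster: the edit handler's UPDATE with the id validated as an integer and every value bound through a prepared statement. It uses PDO placeholders in place of the mysql_real_escape_string() the reply names, because the mysql_* extension was removed in PHP 7. Assumptions: update_story() is a hypothetical helper name, and an in-memory SQLite table with constructed rows stands in for the MySQL `storys` table so the script runs offline.

```php
<?php
// Added example, not code from the thread. update_story() is a hypothetical
// helper; the SQLite table below is a constructed stand-in for `storys`.
function update_story(PDO $pdo, $rawId, string $author, string $title, string $body): bool
{
    // Accept only a positive integer id. intval() would quietly turn
    // "7 OR 1=1" into 7; validating refuses the tampered request instead.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // Placeholders keep user input out of the SQL text, so quotation marks
    // in the story body need no manual escaping.
    $stmt = $pdo->prepare(
        'UPDATE storys SET body = :body, title = :title, author = :author WHERE id = :id'
    );
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // On MySQL, an update that changes no column values also reports 0 rows.
    return $stmt->rowCount() === 1;
}

// Constructed sample data so the example is self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE storys (id INTEGER PRIMARY KEY, poster TEXT, author TEXT, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO storys VALUES (7, 'cabbit', 'A. Writer', 'Draft', 'old text'), (8, 'other', 'B. Writer', 'Untouched', 'keep me')");

// Constructed inputs standing in for $_GET['id'] and the $_POST fields:
// a body containing both quote characters, then a tampered id.
var_dump(update_story($pdo, '7', "O'Brien", 'Final', "It's \"done\""));
var_dump(update_story($pdo, '7 OR 1=1', 'x', 'x', 'x'));
// Show both rows so the effect on row 7 and the untouched row 8 is visible.
var_dump($pdo->query('SELECT id, author, body FROM storys ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
```

Against MySQL, pass a `mysql:` DSN to `new PDO` and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server performs the parameter binding.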
 