Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

[PHP] can't update DB thru form

  • 21-04-2006 1:52pm
    #1
    Registered Users, Registered Users 2 Posts: 3,514 ✭✭✭


    I'm using the code down below to update a database thru a form. The contents are pulled from the databse thru ID which is passed to this page from another using GET function. The form displays all the necessary content but when i attempt to edit it thru the form nothing happens. Just wondering if someone can spot the mistake?

    [PHP]<?php include("dbconnect.php")

    if(isset($_GET))
    {
    $query = "SELECT * FROM mynews WHERE id = '{$_GET}'";
    if (!isset($_POST["submit"])) //if submit has not yet been pressed, do this
    {

    $id = $_GET["id"]; //get the id of the news article being edited. This is provided in the link to edit it.
    $sql = "SELECT * FROM mynews WHERE id='$id'"; //select all columns from mynews with this id
    $result = mysql_query($sql);
    $myrow = mysql_fetch_array($result);

    if ($_POST)
    {

    $title = $_POST;
    $message = $_POST;
    $user = $_POST;


    $sql = "UPDATE mynews SET title='$title', message='$message', user='$user', link='$link', rss='$rss', keyword='$keyword' WHERE id='$id'";

    $result = mysql_query($sql); //run this query
    echo "Information updated. <a href=test2.php>Return</a>";
    }
    ?>

    <form action="editcontent.php" method="post">
    <table width="400" border="0">
    <tr>
    <td width="109">News Title </td>
    <td width="281"><INPUT TYPE="TEXT" NAME="title" VALUE="<?php echo $myrow["title"] ?>" SIZE=30></td>
    </tr>
    </table>
    </form>


    <?

    }
    }

    ?>

    [/PHP]

    The form has more than one field but i took them out because its just duplicating code.


Comments

  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    When you submit the form it's variables are only available through the $_POST and $_REQUEST arrays (assuming register_globals is off), are you depending on the original get?

    And I assume the three left curly braces and one right is due to the quick edit down for posting?

    I always echo sql statements before running them to catch these errors and avoid messing my test data by mistake. You'll see quick enough what's out of kilter. If the sql looks good try it in your mysql gui directly for a more detailed error message.


  • Closed Accounts Posts: 169 ✭✭akari no ryu


    democrates wrote:
    I always echo sql statements before running them to catch these errors and avoid messing my test data by mistake. You'll see quick enough what's out of kilter. If the sql looks good try it in your mysql gui directly for a more detailed error message.
    I'm not sure what you mean by this.
    I presume you mean "During test phase, I always echo sql statements" as opposed to the "I always echo sql statements and leave them there permanently".

    Regardless, either way is a security hazard. The first becuase you run the risk of forgetting to remove an echo statement, ending up with the second which leaves your database scheme up there making it easy to inject sql.

    Personally, I use the PEAR log classes. Any time an sql statement is successfully run, I log it as "info", any time it fails I log it as a criticil failure.


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    I'm not sure what you mean by this.
    I presume you mean "During test phase, I always echo sql statements" as opposed to the "I always echo sql statements and leave them there permanently".

    Regardless, either way is a security hazard. The first becuase you run the risk of forgetting to remove an echo statement, ending up with the second which leaves your database scheme up there making it easy to inject sql.

    Personally, I use the PEAR log classes. Any time an sql statement is successfully run, I log it as "info", any time it fails I log it as a criticil failure.
    That's a good point, you've prompted me to tighten up my debugging practices. From now on no debugging, non-user error messages etc shall go back to the client on my dev box, I'll log them on the server where only I can see them, just in case I ever forget to turn them off.
    Thanks for the tip.


  • Closed Accounts Posts: 169 ✭✭akari no ryu


    I really can't emphasise how handy the PEAR log class is. It means, if you're willing to change your debugging practices a tiny bit, that you have one set of procedures for both the development server and the live and if there's unexpected behaviour on the live, you have an (ideally) identical system to check it up against.


Advertisement