I have a big problem: somebody is attacking me by adding multiple rows into my db. He's using the form I have on my website. I got about 2500 rows in my db and all rows were different. It's been generated by some script. Do you have any suggestions how I can fix it? This is the form I have on my website:
<?php
if(isset($_POST['type'])) {$type = mysql_real_escape_string($_POST['type']);}
if(isset($_POST['ip'])) {$ip = mysql_real_escape_string($_POST['ip']);}
if(isset($_POST['port'])) {$port = mysql_real_escape_string($_POST['port']);}
$add_date = time();
if(isset($_POST['email'])) {$email = mysql_real_escape_string($_POST['email']);}
if(isset($_POST['web'])) {$web = mysql_real_escape_string($_POST['web']);}
if(isset($_POST['mod'])) {$mod = mysql_real_escape_string($_POST['mod']);}
echo "
<form action='#' method='post'>
<legend>Formulár pre pridanie serveru</legend>
<table>
<tr>
<td>
Hra:
</td>
<td>
<select name='type'>
<option value='cs16'>Counter Strike 1.6</option>
<option value='source'>Counter Strike Source</option>
<option value='csgo'>Counter Strike Global Offensive</option>
</select>
(vyberte hru)
</td>
</tr>
<tr>
<td>
Typ:
</td>
<td>
<select name='mod'>";
$modes = mysql_query("SELECT * FROM `lgsl_modes`") or die(mysql_error());
while($modes_names = mysql_fetch_array($modes))
{
echo '<option value="'.$modes_names['mod'].'">'.$modes_names['name'].'</option>';
}
echo "</select>
(vyberte herný mód)
</td>
</tr>
<tr>
<td>
IP serveru:
</td>
<td>
<input type='text' name='ip' value='' required>
(iba číslice a bodky)
</td>
</tr>
<tr>
<td>
Port serveru:
</td>
<td>
<input type='text' name='port' value='' required>
(iba číslice)
</td>
</tr>
<tr>
<td>
Web serveru:
</td>
<td>
<input type='text' name='web' value='' required>
(uvádzajte bez začiatočného http://)
</td>
</tr>
<tr>
<td>
Váš email:
</td>
<td>
<input type='text' name='email' value='' required>
(kontaktný email)
</td>
</tr>
<tr>
<td>
<input type='submit' name='odoslat' value='Odoslať'>
</td>
</tr>
</table>
</form>
";
// Dots in the IP pattern are escaped so they match a literal "." only.
if($ip) if(!preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/",$ip)) $usermsgip="Ip adresa bola uvedená v zlom tvare.";
if($port) if(!preg_match("/^[0-9]{5}$/",$port)) $usermsgport="Port bol uvedený v zlom tvare.";
if($email) if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,})$/",$email)) $usermsgemail="Email bol uvedený v zlom tvare.";
if($web) if(!preg_match("%^((https?://)|(www\.))([a-z0-9-].?)+(:[0-9]+)?(/.*)?$%i" ,$web)) $usermsgweb="Web bol uvedený v zlom tvare.";
// Parentheses make the submit check apply to all four error flags.
if(isset($_POST['odoslat']) && ($usermsgip || $usermsgport || $usermsgemail || $usermsgweb)) {
if($usermsgip) echo $usermsgip."<br>";
if($usermsgport) echo $usermsgport."<br>";
if($usermsgemail) echo $usermsgemail."<br>";
if($usermsgweb) echo $usermsgweb."<br>";
}
if(isset($_POST['odoslat']) && !$usermsgip && !$usermsgport && !$usermsgemail && !$usermsgweb) {
$kontrola = mysql_query("SELECT * FROM `lgsl` WHERE `ip`='".$ip."' AND `c_port`=".$port);
if(mysql_num_rows($kontrola)) {echo "Server už bol pridaný do banlistu.";}
else {
mysql_query("INSERT INTO `lgsl` (`type`, `ip`, `c_port`, `q_port`, `disabled`, `add_date`, `email`, `web`, `mod`)
VALUES ('$type', '$ip', '$port', '$port', '1', '$add_date', '$email', '$web', '$mod')");
echo 'Server bol úspešne odoslaný na schválenie.';
}
}
?>
I think you should rewrite the whole script using PDO. With PDO you can avoid SQL injection in an easy way. Here's a link where you can find that, and the web is full of guides and examples.
Anyway, if you want to fix your script you can use a CAPTCHA to avoid automatic form submission and a library to sanitize input.
Here you find a simple captcha example and a good sanitize library.
You can watch here some good tips to solve problems.
Hope this helps.
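The server-side part of this advice, as an added example that is not code from the original posts: every field is validated on the server, each client is throttled, and all queries go through PDO prepared statements. The `lgsl` table and its columns come from the question; the `submissions_log` table, the limit of 3 per hour, the `mod` pattern and the in-memory SQLite database standing in for MySQL are assumptions. A CAPTCHA check would sit next to the throttle.

```php
<?php
// Added example, not code from the original posts. submissions_log, MAX_PER_HOUR
// and the SQLite stand-in are assumptions; lgsl and its columns are from the question.
const MAX_PER_HOUR = 3;
const GAME_TYPES   = ['cs16', 'source', 'csgo'];

// Server-side validation: the HTML "required" attributes do nothing against a script.
function validate_server(array $in): array {
    foreach (['type', 'mod', 'ip', 'port', 'email', 'web'] as $k) {
        if (!is_string($in[$k] ?? null)) return [$k];   // missing field or array input
    }
    $bad = [];
    if (!in_array($in['type'], GAME_TYPES, true)) $bad[] = 'type';
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $in['mod'])) $bad[] = 'mod';
    if (filter_var($in['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) $bad[] = 'ip';
    $range = ['options' => ['min_range' => 1, 'max_range' => 65535]];
    if (filter_var($in['port'], FILTER_VALIDATE_INT, $range) === false) $bad[] = 'port';
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) $bad[] = 'email';
    if (filter_var('http://' . $in['web'], FILTER_VALIDATE_URL) === false) $bad[] = 'web';
    return $bad;
}

function submit_server(PDO $db, array $in, string $client, int $now): string {
    // Throttle first, and count every attempt, valid or not.
    $seen = $db->prepare('SELECT COUNT(*) FROM submissions_log WHERE client_ip = ? AND ts > ?');
    $seen->execute([$client, $now - 3600]);
    if ((int) $seen->fetchColumn() >= MAX_PER_HOUR) return 'throttled';
    $db->prepare('INSERT INTO submissions_log (client_ip, ts) VALUES (?, ?)')
       ->execute([$client, $now]);

    if (validate_server($in)) return 'invalid';

    $port = (int) $in['port'];
    $dup = $db->prepare('SELECT 1 FROM lgsl WHERE ip = ? AND c_port = ?');
    $dup->execute([$in['ip'], $port]);
    if ($dup->fetchColumn() !== false) return 'duplicate';

    // Values are bound as parameters, never concatenated into the SQL text.
    $ins = $db->prepare('INSERT INTO lgsl
        (`type`, ip, c_port, q_port, disabled, add_date, email, web, `mod`)
        VALUES (?, ?, ?, ?, 1, ?, ?, ?, ?)');
    $ins->execute([$in['type'], $in['ip'], $port, $port, $now,
                   $in['email'], $in['web'], $in['mod']]);
    return 'queued';
}

// Constructed demo: five POSTs from one client address (sample data, not real traffic).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE lgsl (`type` TEXT, ip TEXT, c_port INT, q_port INT, disabled INT,
           add_date INT, email TEXT, web TEXT, `mod` TEXT, UNIQUE (ip, c_port))');
$db->exec('CREATE TABLE submissions_log (client_ip TEXT, ts INT)');

$post = ['type' => 'cs16', 'mod' => 'classic', 'ip' => '192.0.2.10', 'port' => '27015',
         'email' => 'admin@example.com', 'web' => 'www.example.com'];
$now = time();
foreach ([27015, 27015, 99999, 27016, 27017] as $i => $port) {
    // In a real handler: $_POST and $_SERVER['REMOTE_ADDR'] instead of the samples.
    $status = submit_server($db, ['port' => (string) $port] + $post, '203.0.113.7', $now + $i);
    echo 'attempt ' . ($i + 1) . " port $port: $status\n";
}
```

The `UNIQUE (ip, c_port)` key makes the database reject a duplicate even when two requests pass the `SELECT` check at the same moment.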
I set up an HTML with a form that would send the information over to a PHP page. Then the PHP would run through it and send it to my DB. I set the database up in cPanel. I have another part of the code that searches for the item and that works. I just don't get why the query statement in this isn't pulling the information.
The error that I get is "An error has occurred. The item was not added." which I have set up after the query line. I can't seem to figure out why.
Here is the code:
html:
<form action="insert_product.php" method="post">
<table border="0">
<tr>
<td>ShoeName</td>
<td><input type="text" name="ShoeName" maxlength="13" size="13"></td>
</tr>
<tr>
<td>Price</td>
<td> <input type="text" name="Price" maxlength="7" size="7"></td>
</tr>
<tr>
<td>ProductID</td>
<td> <input type="text" name="ProductID" maxlength="7" size="7"></td>
</tr>
<tr>
<td>Size</td>
<td><input type="text" name="Size" maxlength="7" size="7"></td>
</tr>
<tr>
<td>ShoeType</td>
<td><input type="text" name="ShoeType" maxlength="7" size="7"></td>
</tr>
<tr>
<td>Brand</td>
<td><input type="text" name="Brand" maxlength="7" size="7"></td>
</tr>
<tr>
<td>Color</td>
<td><input type="text" name="Color" maxlength="7" size="7"></td>
</tr>
<tr>
<td>Rating</td>
<td><input type="text" name="Rating" maxlength="7" size="7"></td>
</tr>
<tr>
<td>Description</td>
<td><input type="text" name="Description" maxlength="40" size="40"></td>
</tr>
<tr>
<td>ImageName</td>
<td><input type="text" name="ImageName" maxlength="7" size="7"></td>
</tr>
<tr>
<td>StockAmount</td>
<td><input type="text" name="StockAmount" maxlength="7" size="7"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Register"></td>
</tr>
</table>
</form>
php:
<?php
// create short variable names
$ShoeName=$_POST['ShoeName'];
$Price=$_POST['Price'];
$ProductID=$_POST['ProductID'];
$Size=$_POST['Size'];
$ShoeType=$_POST['ShoeType'];
$Brand=$_POST['Brand'];
$Color=$_POST['Color'];
$Rating=$_POST['Rating'];
$Description=$_POST['Description'];
$ImageName=$_POST['ImageName'];
$StockAmount=$_POST['StockAmount'];
if (!$ShoeName || !$Price || !$ProductID || !$Size || !$ShoeType || !$Brand || !$Color || !$Rating || !$Description || !$ImageName || !$StockAmount) {
echo "You have not entered all the required details.<br />"
."Please go back and try again.";
exit;
}
if (!get_magic_quotes_gpc()) {
$ShoeName = addslashes($ShoeName);
$Price = doubleval($Price);
$ProductID = addslashes($ProductID);
$Size = addslashes($Size);
$ShoeType = addslashes($ShoeType);
$Brand = addslashes($Brand);
$Color = addslashes($Color);
$Rating = doubleval($Rating);
$Description = addslashes($Description);
$ImageName = addslashes($ImageName);
$StockAmount = doubleval($StockAmount);
}
# $db = new mysqli('localhost', 'admin', '(pass)', 'KicksUnlimited');
if (mysqli_connect_errno()) {
echo "Error: Could not connect to database. Please try again later.";
exit;
}
$query = "INSERT INTO product".'(ShoeName, Price, ProductID, Size, ShoeType, Brand, Color, Rating, Description, ImageName, StockAmount)'."values
('".$ShoeName."', '".$Price."', '".$ProductID."', '".$Size."', '".$ShoeType."', '".$Brand."', '".$Color."', '".$Rating."', '".$Description."', '".$ImageName."', '".$StockAmount."')";
$result = $db->query($query);
if ($result) {
echo $db->affected_rows." shoe inserted into database.";
} else {
echo "An error has occurred. The item was not added.";
}
$db->close();
?>
Test:
Type the query in cPanel with values, not variables.
Use print $ShoeName=$_POST['ShoeName']; in front of every $_POST[] and at the end print exit; This is to check the values coming from the form.
Comment out everything between the $_POST[] variables and INSERT INTO .....
Check the quotes. It is a mess of quotes, double and single, that are not needed. And check whether quotes are needed around every value.
Sorry, I do not have time to do all that to find the error for sure.
Do it yourself because it is the best way of learning.
I've got two tables: Subjects and Careers:
"Subjects" includes (id, careers_id (is the foreign key to the column "id" of the table Careers) subject, description, hours)
"Careers" includes (id,name,description)
I put a button which allows me to add a new subject. So when I click on it another page opens. I need to add a slider/select which shows me the careers available in the table career. Take a look, I need something like this:
Here is my code to add a new subject (it works, but I don't know how to make the slider/select which fetches data from the table careers :/)
<?php include('connect.php');
$error="";
if(isset($_POST['btnsave']))
{
$carreras_id=$_POST['txtcarreras_id'];
$subject=$_POST['txtsubject'];
$descripcion=$_POST['txtdescripcion'];
$carga_horaria=$_POST['txtcarga_horaria'];
if($_POST['txtid']=="0")
{
$a_sql=mysql_query("INSERT INTO subjects VALUES('','$carreras_id','$subject','$descripcion','$carga_horaria')");
if($a_sql)
{
header("location:index.php");
}
}else{
echo "Actualizar";
}
}
?>
<h2 align="center">ADD NEW SUBJECT</h2>
<form method="Post">
<table align="center">
<tr>
<td>Career:</td>
<td>
<input type='text' name='txtcarreras_id' />
<input type="hidden" name="txtid" value="0" />
</td>
</tr>
<tr>
<td>Subject:</td>
<td>
<input type='text' name='txtsubject' />
</td>
</tr>
<tr>
<td>Description:</td>
<td>
<input type='text' name='txtdescripcion' />
</td>
</tr>
<tr>
<td>Hours:</td>
<td>
<input type='text' name='txtcarga_horaria' />
</td>
</tr>
<tr>
<td></td>
<td>
<input type='submit' value=save name='btnsave' />
</td>
</tr>
</table>
</form>
I don't know what to do?
Hope you can help me!
Thanks!
To build your <option>s you would do something like this ->
$sql = mysql_query("SELECT * FROM Careers");
$options = "";
while($result = mysql_fetch_array($sql)){
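// Escape database values before placing them in HTML attributes and text.
$options .= "<option value='".htmlspecialchars($result['id'], ENT_QUOTES)."'>".htmlspecialchars($result['name'], ENT_QUOTES)."</option>";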
}
(Note - you should update from mysql_ to MySQLi or PDO - MySQL: choosing an API )
Then you would change your <input> to a <select> with your $options ->
<tr>
<td>Career:</td>
<td><select name='txtcarreras_id'><?php echo $options; ?></select><input type="hidden" name="txtid" value="0" /></td>
</tr>
I have a form where I ask the user to enter some values. Then, using PHP, I'm trying to process the values the user entered.
The issue I'm facing is that, after the user submitted the form, all my values are set to 1 instead of the value the user entered.
Here is the form:
<form method="post" action="checkOutResult.php">
<p> Transaction #:
<input type="text" name="transactionNum" placeholder="Input #">
</p>
<table>
<tr>
<td>Student ID</td>
<td>Employee ID</td>
<td>Professor ID</td>
</tr>
<tr>
<td>
<input type="text" name="studentID" placeholder="7 Digit Student ID">
</td>
<td>
<input type="text" name="empID" placeholder="7 Digit Employee ID">
</td>
<td>
<input type="text" name="profID" placeholder="7 Digit Professor ID">
</td>
</tr>
</table>
<table>
<tr>
<td>Product ID</td>
</tr>
<tr>
<td>
<input type="text" name="productID" placeholder="Scan Barcode">
</td>
</tr>
</table>
<center>
<table>
<tr>
<iframe src="http://free.timeanddate.com/clock/i4nrjjak/n179/fn10/fs24/fcb40431/ftb/bas2/bat1/bacfff/pa8/tt0/tw1/td2/th2/tb4" frameborder="0" width="334" height="74"></iframe>
<td>CheckOut Date</td>
<td>CheckOut Time</td>
</tr>
<tr>
<td>
<input type="text" name="checkoutDate" placeholder="YYYY-MM-DD">
</td>
<td>
<input type="text" name="checkoutTime" placeholder="HH:MM:SS">
</td>
</tr>
</table>
</center>
<center>
<table>
<tr>
<td>Due Date</td>
<td>Due Time</td>
</tr>
<tr>
<td>
<input type="text" name="dueDate" placeholder="YYYY-MM-DD">
</td>
<td>
<input type="text" name="dueTime" placeholder="HH:MM:SS">
</td>
</tr>
</table>
</center>
<input type="submit" name="Submit" value="submit">
</form>
This is the PHP code that is executed upon form submission.
<?php
include ("thesis.php");
$transactionNum = isset($_POST['transactionNum']);
$studentID = isset($_POST['studentID']);
$empID = isset($_POST['empID']);
$profID = isset($_POST['profID']);
$productID = isset($_POST['productID']);
$checkoutDate = isset($_POST['checkoutDate']);
$checkoutTime = isset($_POST['checkoutTime']);
$dueDate = isset($_POST['dueDate']);
$dueTime = isset($_POST['dueTime']);
$query = "INSERT INTO Transactions(transactionNum, studentID, empID, profID, productID, checkoutDate, checkoutTime, dueDate, dueTime)
VALUES ('$transactionNum', '$studentID', '$empID', '$profID', '$productID', '$checkoutDate', '$checkoutTime', '$dueDate', '$dueTime')";
if($link->query($query) === TRUE){
echo "New Record Created Successfully. ";
echo"<br>";
}
else{
echo" Error: " .$query ."<br>" .$link->error;
}
echo"<br>";
echo "Transacton #: ".$transactionNum;
echo"<br>";
echo "Student ID: ".$profID;
echo"<br>";
echo "Employee ID: ".$empID;
echo"<br>";
echo "Professor ID: ".$profID;
echo"<br>";
echo "Product ID: ".$productID;
echo"<br>";
echo "Out Date: ".$checkoutDate;
echo"<br>";
echo "Out Time: ".$checkoutTime;
echo"<br>";
echo "Due Date: ".$dueDate;
echo"<br>";
echo "Due Time: ".$dueTime;
echo"<br>";
?>
Why do I keep getting 1s instead of the values I submit with the form?
The following command returns true (1 as a string) if the field empID is set in your $_POST data.
$empID =isset($_POST['empID']);
It should be
$empID = isset($_POST['empID']) ? $_POST['empID'] : "";
and so on.
Which means: catch the empID of $_POST if there is one, else catch an empty string. It is a short version of the following:
if(isset($_POST['empID'])) {
$empID = $_POST['empID'];
} else {
$empID = "";
}
You are getting boolean for isset here
$empID = isset($_POST['empID']);
Which is why it is giving you a value of 1 as that is the value for true in this case.
Resolve with if (isset($_POST['empID'])) {$empID = $_POST['empID'];}
I'm trying to create a form that displays current service information for a user on their profile and then allows them to select a check box for one or more services they provide and then hit a delete button to remove the service(s) related to the check box. Each service has a unique ID and so I'm assuming I need to use this so that the query knows what to delete.
Here is relevant code and the form I am using:
<?php
if (isset($_POST['OddJobName']) && isset($_POST['Description']) && isset($_POST['DaysAvailable']) && empty($errors) === true){//if (empty($_POST) === false && empty($errors) === true) { //if (isset(empty($_POST['OddJobName'])) && isset(empty($_POST['Description'])) && isset(empty($_POST['DaysAvailable'])) === false && empty($errors) === true)
$daysavailable='';
foreach ($_POST['DaysAvailable'] as $value)
{
$daysavailable .=$value." ";
}
$Delete_Oddjob = array (
'MemberID' => $MemberID,
'OddJobID' => $_POST['OddJobID'],
'OddJobName' => $_POST['OddJobName'],
'Description' => $_POST['Description'],
'DaysAvailable' => $daysavailable,
);
Delete_Oddjob ($Delete_Oddjob);
if(success){
header('Location: member.php?username='.$username);
exit ();
}
} else if (empty($errors) === false){
//otherwise output errors
echo output_errors($errors);
}
?>
<?php
$result = mysql_query("SELECT * FROM `oddjob` WHERE `MemberID` = $MemberID");
while($row = mysql_fetch_assoc($result))
{
echo"<table width='100%' border='1' cellspacing='0' cellpadding='5'>
<td width='50%'>
<table width='100%' cellspacing='17' cellpadding='0'>
<form action='' method ='post' enctype='multipart/form-data'>
<tr>
<td>
<input type='hidden' name='MemberID' id='MemberID' value= ". $MemberID .">
</td>
</tr>
<tr>
<td>
<input type='hidden' name='OddJobID' id='OddJobID' value= ". $row['OddJobID'] .">
</td>
</tr>
<tr>
<td width='35%'>
<p>Name of OddJob*:</p>
</td>
<td>
<input type='text' name='OddJobID' style='width:180px' value= ". $row['OddJobID'].">
</td>
</tr>
<tr>
<td width='35%'>
<p>Name of OddJob*:</p>
</td>
<td>
<input type='text' name='OddJobName' style='width:180px' value= ". $row['OddJobName'].">
</td>
</tr>
<tr>
<td>
<p>Description*:</p>
</td>
<td>
<div class='expandingArea'>
<pre><span></span><br></pre>
<textarea name='Description'>". $row['Description'] ."</textarea>
</div>
</td>
</tr>
<tr>
<td>
<p>Days Available(current week)*:</p>
<p>(hold Ctrl to select multiple)</p>
</td>
<td>
<select name='DaysAvailable[]' size='5' multiple='multiple' id='DaysAvailable[]'>
<option value='Monday'>Monday</option>
<option value='Tuesday'>Tuesday</option>
<option value='Wednesday'>Wednesday</option>
<option value='Thursday'>Thursday</option>
<option value='Friday'>Friday</option>
<option value='Saturday'>Saturday</option>
<option value='Sunday'>Sunday</option>
</select>
</td>
</td>
<tr>
<td>
<input type='checkbox' name='Delete' value= ". $row['OddJobID'] .">
</td>
</tr>
</table>
</table>
</table>
<input type='submit' name='Delete' value='Delete'>
</form> ";
}
?>
Function:
function Delete_Oddjob ($Delete_Oddjob){
//global $Add_Oddjob;
array_walk($Delete_Oddjob, 'array_sanitize');
mysql_query("DELETE FROM `oddjob` WHERE `OddJobID` = '".$_POST['OddJobID']."'") or die (mysql_error());
}
I don't understand how to make this work. At the moment when I select a check box and click the delete button the page seems to refresh but nothing else happens. Also, if I try to echo out the query nothing is displayed.
echo "DELETE FROM `oddjob` WHERE `OddJobID` = '".$_POST['OddJobID']."'";
Any help would be great. Thank you.
You pretty much have the solution there.
Rename your Delete checkboxes to name="delete[]" that allows multiple checkboxes to be posted under the one name, then on the PHP side of things you can access these by saying:
if (isset($_POST['delete'])) {
foreach($_POST['delete'] as $oddjob) {
if (Delete_Oddjob($oddjob)) {
// success
} else {
// failure
}
}
}
Whenever the form is submitted and the delete option has been selected this will loop through all the checked checkboxes on the form and delete them using their ID.
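One way to write the delete step for the `delete[]` checkboxes, as an added example that is not the poster's code: the posted IDs are reduced to positive integers and the `DELETE` is scoped to the logged-in member, so a submitted ID that belongs to someone else removes nothing. The `oddjob` table and its columns come from the question; the `delete_oddjobs()` function and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not the poster's code. delete_oddjobs() and the SQLite stand-in
// are assumptions; table and column names follow the question.

// Delete the checked odd jobs, but only rows that belong to $memberId.
function delete_oddjobs(PDO $db, int $memberId, $posted): int {
    if (!is_array($posted)) return 0;          // e.g. delete=5 instead of delete[]=5

    // Keep only positive integers; anything else in the array is dropped.
    $ids = [];
    foreach ($posted as $v) {
        $id = is_string($v)
            ? filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
            : false;
        if ($id !== false) $ids[$id] = $id;    // keyed by value to de-duplicate
    }
    if (!$ids) return 0;

    // One placeholder per ID; the member ID comes from the session, not from the form.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt  = $db->prepare("DELETE FROM oddjob WHERE MemberID = ? AND OddJobID IN ($marks)");
    $stmt->bindValue(1, $memberId, PDO::PARAM_INT);
    foreach (array_values($ids) as $i => $id) {
        $stmt->bindValue($i + 2, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data: member 10 owns jobs 1 and 2, member 20 owns job 3.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE oddjob (OddJobID INTEGER PRIMARY KEY, MemberID INT, OddJobName TEXT)');
$db->exec("INSERT INTO oddjob VALUES (1, 10, 'Mowing'), (2, 10, 'Painting'), (3, 20, 'Plumbing')");

// What $_POST['delete'] might contain: an owned ID, someone else's ID, and junk.
$posted  = ['1', '3', 'abc', ['x']];
$deleted = delete_oddjobs($db, 10, $posted);

$left = $db->query('SELECT OddJobID, MemberID FROM oddjob ORDER BY OddJobID')
           ->fetchAll(PDO::FETCH_NUM);
echo "deleted: $deleted\n";
echo 'remaining: ' . json_encode($left) . "\n";
```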
Please, I am having a problem when updating data in the database through a form. Whenever I press the Update button to submit any changes made to a record, all the data in the MySQL fields corresponding to drop list controls is erased. I do not know what is causing this problem. Here is the code:
<?php
//include database connection
include 'db_connect.php';
// get value of object id that was sent from address bar
$c_id = $_GET['c_id'];
//check any user action
$action = isset( $_POST['action'] ) ? $_POST['action'] : "";
if($action == "update"){ //if the user hit the submit button
//write our update query
//$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection
$query = "UPDATE collections
SET
ctitle = '".$mysqli->real_escape_string($_POST['ctitle'])."',
csubject = '".$mysqli->real_escape_string($_POST['csubject'])."',
creference = '".$mysqli->real_escape_string($_POST['creference'])."',
cyear = '".$mysqli->real_escape_string($_POST['cyear'])."',
cobjecttype = '".$mysqli->real_escape_string($_POST['cobjecttype'])."',
cmaterial = '".$mysqli->real_escape_string($_POST['cmaterial'])."',
ctechnic = '".$mysqli->real_escape_string($_POST['ctechnic'])."',
cwidth = '".$mysqli->real_escape_string($_POST['cwidth'])."',
cheight = '".$mysqli->real_escape_string($_POST['cheight'])."',
cperiod = '".$mysqli->real_escape_string($_POST['cperiod'])."',
cmarkings = '".$mysqli->real_escape_string($_POST['cmarkings'])."',
cdescription = '".$mysqli->real_escape_string($_POST['cdescription'])."',
csource = '".$mysqli->real_escape_string($_POST['csource'])."',
cartist = '".$mysqli->real_escape_string($_POST['cartist'])."'
where c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'";
//execute the query
if( $mysqli->query($query) ) {
//if updating the record was successful
echo "The record was updated.";
}else{
//if unable to update new record
echo "Database Error: Unable to update record.";
}
}
//select the specific database record to update
$query = "SELECT c_id, ctitle, csubject, creference, cyear, cobjecttype, cmaterial, ctechnic, cwidth, cheight, cperiod, cmarkings, cdescription, csource, cartist, cfilename
FROM collections
WHERE c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
$row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$c_id = $row['c_id'];
$ctitle = $row['ctitle'];
$csubject = $row['csubject'];
$creference = $row['creference'];
$cyear = $row['cyear'];
$cobjecttype = $row['cobjecttype'];
$cmaterial = $row['cmaterial'];
$ctechnic = $row['ctechnic'];
$cwidth = $row['cwidth'];
$cheight = $row['cheight'];
$cperiod = $row['cperiod'];
$cmarkings = $row['cmarkings'];
$cdescription = $row['cdescription'];
$csource = $row['csource'];
$cartist = $row['cartist'];
$cfilename = $row['cfilename'];
?>
<!--we have our html form here where new object information will be entered-->
<table align=left>
<tr>
<td> <?php echo '<img src="./images/'.$cfilename.'" width="300" height="400" />'; ?> </td>
</tr>
<table>
<form action='#' method='post' border='0'>
<table>
<tr>
<td>TITLE</td>
<td><input type='text' name='ctitle' value='<?php echo $ctitle; ?>' /></td>
</tr>
<tr>
<td>SUBJECT</td>
<td><input type='text' name='csubject' value='<?php echo $csubject; ?>' /></td>
</tr>
<tr>
<td>REFERENCE No.</td>
<td><input type='text' name='creference' value='<?php echo $creference; ?>' /></td>
</tr>
<tr>
<td>YEAR</td>
<td><input type='text' name='cyear' value='<?php echo $cyear; ?>' /></td>
<tr><td>OBJECT TYPE</td>
<td>
<select name="cobjecttype" id="cobjecttype" tabindex="">
<option value="">---Select object type---</option>
<option value="ceramic">Ceramic</option>
<option value="clock">Clock</option>
<option value="gold">Gold and silverware</option>
<option value="mask">Mask</option>
<option value="painting">Painting</option>
<option value="sculpture">Sculpture</option>
<option value="tapestry">Tapestry</option>
</select>
</td></tr>
<tr><td>MATERIAL USED</td>
<td>
<select name="cmaterial" id="cmaterial" tabindex="" >
<option value="">---Select Material---</option>
<option value="brass">Brass</option>
<option value="oil">Oil</option>
<option value="wood">Wood</option>
<option value="carved">Canvas/Cotton/Fabric/Linen/Wool</option>
</select>
</td></tr>
<tr><td>TECHNIC</td>
<td>
<select name="ctechnic" id="ctechnic" tabindex="7" >
<option value="">---Select Technic---</option>
<option value="cast">Cast</option>
<option value="carved">Carved</option>
<option value="etched">Etched</option>
</select>
</td></tr>
<tr>
<td>WIDTH</td>
<td width="100"><input name="cwidth" type="text" id="cwidth" value="<?php echo $cwidth; ?>" size="10"></td>
</tr>
<tr>
<td>HEIGHT</td>
<td width="100"><input name="cheight" type="text" id="cheight" value="<?php echo $cheight; ?>" size="10"></td>
</tr>
<tr>
<td>PERIOD</td>
<td width="100"><input name="cperiod" type="text" id="cperiod" value="<?php echo $cperiod; ?>" size="30"></td>
</tr>
<tr>
<td>MARKINGS</td>
<td width="100"><input name="cmarkings" type="text" id="cmarkings" value="<?php echo $cmarkings; ?>" size="30"></td>
</tr>
<tr>
<td>DESCRIPTION</td>
<td width="400"><textarea name="cdescription" rows="2" cols="50" id="cdescription" value="<?php echo $cdescription; ?>"></textarea></td></tr>
<tr>
<td>SOURCE</td>
<td width="100"><input name="csource" type="text" id="csource" value="<?php echo $csource; ?>" size="30"></td>
</tr>
<tr>
<td>ARTIST</td>
<td width="100"><input name="cartist" type="text" id="cartist" value="<?php echo $cartist; ?>" size="30"></td>
</tr>
<td></td>
<td>
<!-- so that we could identify what record is to be updated -->
<input type='hidden' name='c_id' value='<?php echo $c_id ?>' />
<!-- we will set the action to update -->
<input type='hidden' name='action' value='update' />
<input type='submit' value='Save' />
<a href='gallery.php'>Back to display page</a>
</td>
</tr>
</table>
</form>
Can someone help to identify what the problem is?
Such problems occur when you don't validate your POST data correctly. In your code, you are updating your records directly, by using mysql_real_escape_string($variable). But although this might fix some security issues, it will not validate whether every piece of data is present or not.
Validate that your variables are present and hold data before putting them into the update query.
You post a form with the method POST, but get the c_id with $_GET.
Change it to $_POST['c_id'] or $_REQUEST['c_id'] ...