I have a problem with my PHP-Fusion infusion (plugin). I created a POST form, but when I try to call those POST variables they do not echo (I plan adding them to a database). My code:
$id_ucznia = $_GET["id"];
$result2 = dbquery("SELECT id,imiona,nazwiska,dom,punkty FROM ".DB_ZAPISY." WHERE (funkcja = 'Student') AND (id = '".$id_ucznia."')");
if (dbrows($result2)) {
while ($data2 = dbarray($result2)) {
echo '<form method="POST" action="">
<input type="hidden" name="uczen_id" value="'.$id_ucznia.'">
<table border="0" align="center">
<tr><td align="right">Imiona ucznia: </td> <td align="left"><input type="text" class="input" name="imiona" value="'.$data2["imiona"].'" disabled></td></tr>
<tr><td align="right">Nazwiska ucznia: </td> <td align="left"><input type="text" class="input" name="nazwiska" value="'.$data2["nazwiska"].'" disabled></td></tr>
<tr><td align="right">Dom ucznia: </td> <td align="left"><input type="text" class="input" name="dom" value="'.$data2["dom"].'" disabled></td></tr>
<tr><td align="right">Aktualne punkty: </td> <td align="left"><input type="text" class="input" name="punkty_start" value="'.$data2["punkty"].'" disabled></td></tr>
<tr><td align="right">Punkty do dodania: </td> <td align="left"><input type="text" class="input" name="ile"></td></tr>
<tr><td align="right">Uzasadnienie: </td> <td align="left"><input type="text" class="input" name="zaco" maxlength="500"></td></tr>
<tr><td colspan="2" align="center"><input type="submit" class="button" name="dodaj_punkty" value="Dodaj punkty"></td></tr>
</table>
</form>
';
}
}
if (isset($_POST['dodaj_punkty'])) {
$imiona = $_POST["imiona"];
$nazwiska = $_POST['nazwiska'];
$dom = $_POST['dom'];
$punkty_start = $_POST['punkty_start'];
$ile = $_POST['ile'];
$zaco = $_POST['zaco'];
$punkty_uczen_end = $punkty_start + $ile;
$kto_akcja = $userdata['user_name'];
$kto_id = $userdata['user_id'];
$komu = ''.$imiona.' '.$nazwiska.'';
$dzis = date("Y-m-d H:i:s");
$result3 = dbquery("SELECT id,nazwa,punkty FROM ".DB_DOMY." WHERE `nazwa` = '".$dom."'");
if (dbrows($result3)) {
while ($data3 = dbarray($result3)) {
$id_domu = $data3["id"];
$nazwa = $data3["nazwa"];
$punkty_dom_start = $data3["punkty"];
}
}
$punkty_dom_end = $punkty_dom_start + $ile;
echo 'Dla ucznia ('.$imiona.$nazwiska.') dodano: '.$punkty_uczen_end.' a dla domu ('.$id_domu.$nazwa.'): '.$punkty_domu_end.' ';
$resulta = dbquery("UPDATE ".DB_DOMY." SET punkty = '{$punkty_dom_end}' WHERE id = '{$id_domu}';");
$resultb = dbquery("INSERT INTO ".DB_RANKING_DOMOW." (ile, akcja, kto, komu, opis) VALUES ('{$ile}','+','{$kto_akcja}','{$komu}','{$zaco}');");
$resultc = dbquery("UPDATE ".DB_ZAPISY." SET punkty = '{$punkty_uczen_end}' WHERE id = '{$uczen_id}';");
$resultd = dbquery("INSERT INTO ".DB_RU." (kiedy, kto_dane, kto_id, komu, ile, zaco, co) VALUES ('{$dzis}','{$kto_akcja}','{$kto_id}','{$komu}','{$ile}', '{$zaco}', '+');");
redirect(FUSION_SELF.$aidlink."&wykonane");
}
HTML form input elements are set to disabled thus their values will not be submitted. Maybe a readonly or hidden -attribute was intended.
Provided code has some variables (redundantly) copied before use. Concerning content management system uses this practice to save a sanitized copy of form-posted data (to prevent SQL injection).
Related
I want to display all rows by a php query and update all by a submit button in sql. I this way below a can display all row and update particular row by its own submit button. But I want to update all by a single submit button.
So for do it, I thank, I want to loop for update. But I cannot understand how to do it in this case.
Here is my code:
<?php
include_once('../db.php');
global $db;
$result = mysqli_query($dbh,"SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}
while($row = mysqli_fetch_assoc($result)) {
$id=$row['id'];
$name=$row['name'];
$date=$row['date'];
$title=$row['title'];
$Detail=$row['Detail'];
echo '<form action="padSproccess.php" method="POST">
<table width="100%" border="1">
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
<tr>
<td width="10%"><input type="text" name="date" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="title" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="name" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="Detail" maxlength="100" value="'.$Detail.'"></td>
<input type="hidden" name="id" value="'.$id.'">
</tr>
</table>
<input type="submit" name="submit" id="submit" value="Submit">
</form>';}
?>
padSproccess.php
include("../db.php");
global $db;
if(isset($_POST['submit'])){
$date = mysqli_real_escape_string($dbh,$_POST['date']);
$title = mysqli_real_escape_string($dbh,$_POST['title']);
$name = mysqli_real_escape_string($dbh,$_POST['name']);
$Detail = mysqli_real_escape_string($dbh,$_POST['Detail']);
$id = mysqli_real_escape_string($dbh,$_POST['id']);
// update data in mysql database
$update = mysqli_query($dbh,"UPDATE ppad SET date='$date', month='$month', name='$name', Detail='$Detail' WHERE id = '$id'");
// if successfully updated.
}
For this you need to update your code into
<?php
include_once('../db.php');
global $db;
$result = mysqli_query($dbh,"SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}?>
<form action="padSproccess.php" method="POST">
<table width="100%" border="1">
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
<?php
while($row = mysqli_fetch_assoc($result)) {
$id=$row['id'];
$name=$row['name'];
$date=$row['date'];
$title=$row['title'];
$Detail=$row['Detail'];
echo '<tr>
<td width="10%"><input type="text" name="date[]" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="title[]" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="name[]" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="Detail[]" maxlength="100" value="'.$Detail.'"></td>
<input type="hidden" name="id[]" value="'.$id.'">
</tr>';
}?>
</table>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
Now within your padSproccess.php you'll receive an array of results within your variables which'll be updated using foreach loop
What you need to do first is have an overall form, not a form for each (unless you want to throw in javascript to fire off ajax calls). So what you'll need to do is make sure each row can be associated with a specific id:
<?php
include_once '../db.php';
$result = mysqli_query($dbh, "SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}
?>
<form action="padSproccess.php" method="POST">
<table width="100%" border="1">
<thead>
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
</thead>
<tbody>
<?php
while($row = mysqli_fetch_assoc($result)) {
$id = $row['id'];
$name = $row['name'];
$date = $row['date'];
$title = $row['title'];
$Detail = $row['Detail'];
echo '
<tr>
<td width="10%"><input type="text" name="date[' . $id . ']" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="title[' . $id . ']" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="name[' . $id . ']" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="Detail[' . $id . ']" maxlength="100" value="'.$Detail.'"></td>
</tr>
';
}
?>
</tbody>
</table>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
Then in padSproccess.php you'll receive an array of names, dates, titles and Details, each one keyed by the ID of the row. So that'll change to something like this:
<?php
include "../db.php";
if(isset($_POST['submit'])){
$ids = array_keys($_POST['name']);
foreach ($ids as $id) {
$date = mysqli_real_escape_string($dbh,$_POST['date'][$id]);
$title = mysqli_real_escape_string($dbh,$_POST['title'][$id]);
$name = mysqli_real_escape_string($dbh,$_POST['name'][$id]);
$Detail = mysqli_real_escape_string($dbh,$_POST['Detail'][$id]);
$id = mysqli_real_escape_string($id);
// update data in mysql database
$update = mysqli_query($dbh,"UPDATE ppad SET date='$date', month='$month', name='$name', Detail='$Detail' WHERE id = '$id'");
}
// if successfully updated.
}
Try this. Of course for the database I've not started and it is possible errors.
<?php
include_once('../db.php');
global $db;
$result = mysqli_query($dbh,"SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}
?>
<form action="padSproccess.php" method="POST">
<?php
while($row = mysqli_fetch_assoc($result)) {
$id=$row['id'];
$name=$row['name'];
$date=$row['date'];
$title=$row['title'];
$Detail=$row['Detail'];
echo '
<table width="100%" border="1">
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
<tr>
<td width="10%"><input type="text" name="ar['.$id.'][date]" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="ar['.$id.'][title]" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="ar['.$id.'][name]" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="ar['.$id.'][Detail]" maxlength="100" value="'.$Detail.'"></td>
</tr>
</table>
';}
?>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
<?php
include("../db.php");
global $db;
if(isset($_POST['submit'])){
foreach($_POST['ar'] as $id=>$dat){
$date = mysqli_real_escape_string($dbh,$dat['date']);
$title = mysqli_real_escape_string($dbh,$dat['title']);
$name = mysqli_real_escape_string($dbh,$dat['name']);
$Detail = mysqli_real_escape_string($dbh,$dat['Detail']);
$id = mysqli_real_escape_string($dbh,$id]);
// update data in mysql database
$update = mysqli_query($dbh,"UPDATE ppad SET date='$date', month='$month', name='$name', Detail='$Detail' WHERE id = '$id'");
}
// if successfully updated.
}
?>
I've got a page showing the contents of my DB in form inputboxes like this:
<?php
while($row = mysql_fetch_array($result))
{
$namn = $row['namn'];
$mandag = $row['mandag'];
$tisdag = $row['tisdag'];
$onsdag = $row['onsdag'];
$torsdag = $row['torsdag'];
$fredag = $row['fredag'];
?>
<td width="100"></td>
<td><?=$namn?><input name="namn[]" type="hidden" value="<?=$namn?>"></td>
</tr>
<tr>
<td width="100">Mandag</td>
<td><input name="mandag[]" type="text" value="<?=$mandag?>"></td>
</tr>
<tr>
<td width="100">Tisdag</td>
<td><input name="tisdag[]" type="text" value="<?=$tisdag?>"></td>
</tr>
<tr>
<td width="100">Onsdag</td>
<td><input name="onsdag[]" type="text" value="<?=$onsdag?>"></td>
</tr>
<tr>
<td width="100">Torsdag</td>
<td><input name="torsdag[]" type="text" value="<?=$torsdag?>"></td>
</tr>
<tr>
<td width="100">Fredag</td>
<td><input name="fredag[]" type="text" value="<?=$fredag?>"></td>
</tr>
<?php } ?>
<tr>
<td width="100"> </td>
<td> </td>
</tr>
<tr>
<td width="100"> </td>
<td>
<input name="update" type="submit" id="update" value="Update">
</td>
</tr>
</table>
</form>
After this I've added code to able to update the different DB entries by changing the content of the inputboxes and pressing the submit button:
<?php
if(isset($_POST['update']))
{
$namnValue = $_POST['namn'];
$mandagValue = $_POST['mandag'];
$tisdagValue = $_POST['tisdag'];
$onsdagValue = $_POST['onsdag'];
$torsdagValue = $_POST['torsdag'];
$fredagValue = $_POST['fredag'];
print_r($mandagValue);
$sql = "UPDATE anstalld SET mandag = '$mandagValue', tisdag = '$tisdagValue', onsdag = '$onsdagValue', torsdag = '$torsdagValue', fredag = '$fredagValue' WHERE namn = '$namnValue'";
echo $sql;
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not update data: ' . mysql_error());
}
echo "Updated data successfully\n";
}
mysql_close($conn);
?>
The DB is being updated, however, the problem is that all my
$namnValue = $_POST['namn'];
$mandagValue = $_POST['mandag'];
$tisdagValue = $_POST['tisdag'];
$onsdagValue = $_POST['onsdag'];
$torsdagValue = $_POST['torsdag'];
$fredagValue = $_POST['fredag'];
are returning the result "Array", an not the actual Values from the inputboxes.
Therefore my SQL UPDATE ends up being
"UPDATE anstalld SET mandag = 'Array', tisdag = 'Array', onsdag =
'Array', torsdag = 'Array', fredag = 'Array' WHERE namn = 'Array'"
I'll appreciate any help I can get on this, thanks.
You need to delete [] on our input names:
<td><input name="onsdag" type="text" value="<?=$onsdag?>"></td>
instead of
<td><input name="onsdag[]" type="text" value="<?=$onsdag?>"></td>
^^
Otherwise they are considered as arrays.
Because of the name of your input fields
<input name="onsdag[]" type="text" value="<?=$onsdag?>">
you are sending arrays and not single values.
Change the names as the previous answer suggests
<input name="onsdag" type="text" value="<?=$onsdag?>">
or access them as arrays
$namnValue = $_POST['namn'][0];
$mandagValue = $_POST['mandag'][0];
...
I am running while loop and fetch 3 records from database. and then update it on same page. Every record have submit button. But after edit when i submit the form it catchs the values of last record only and update other rows with the last record values. Please if somebody help me out i'll be very thankful. Remember it catches the exact (id) but the other parameters are only of last row.
<form method="post" action="">
<table width="700" border="1">
<tr><th><?php echo $_SESSION['teamtwo']; ?></th></tr>
<tr>
<th>Player Name</th>
<th>Runs</th>
<th>Edit</th>
<th>Save</th>
</tr>
<?php
$team = new DBConnection();
$condition = "WHERE teamname = '".$_SESSION['teamtwo']."' and datecreated = CURDATE()";
$sel_player = $team->SelectRecord(array("*"),"`match`","$condition");
//$sel_player = mysql_query("SELECT * FROM `match` WHERE teamname = '$team1' and datecreated = CURDATE()") or die(mysql_error());
while($get_player = mysql_fetch_array($sel_player))
{
$totalruns = $get_player['runs_bat'];
$totalballs = $get_player['ball_bat'];
#$strike = $totalruns / $totalballs * 100;
?>
<tr>
<td><input type="text" name="player_name" value="<?php echo $get_player['player_name']; ?>" disabled="disabled" /></td>
<td><input type="text" name="runs" value="<?php echo $get_player['runs_bat']; ?>" size="1" /></td>
<td><button>Edit</button></td>
<td><input type="submit" value="Save" name="team" /></td>
</tr>
<?php
} ?>
</table>
</form>
<?php } ?>
</div>
</div>
</body>
</html>
<?php
if(isset($_POST['team'])){
$runs = $_POST['runs'];
$balls = $_POST['ball'];
$object = new DBConnection();
$arr_Field=array("runs_bat","ball_bat","player_status","how_out","opposite_bowl","opposite_player","sr","overs","bowl_ball","runs_ball","extra","madien");
$arr_Values=array("$runs","$balls","$status","$how_out","$opposite_bowler","$opposite_player","$sr","$over","$bowls","$score","$extra","$madien");
$condition = "WHERE id = '".$_REQUEST['player']."'";
//echo $_REQUEST['player'];
//echo $runs.$balls;
$object->UpdateRecord("`match`",$arr_Field,$arr_Values,"$condition") or die(mysql_error());
//header("Location:extra.php?update");
}
the problem is you are having one form and when you submit the form it will submit the last rows values because you are having same name for all 3 rows inside 1 form.
Solution:-
Create form element inside the while loop and close it inside the while loop itself . Like this you will have 3 forms each for 3 rows.
Code Example:-
while($get_player = mysql_fetch_array($sel_player))
{
$totalruns = $get_player['runs_bat'];
$totalballs = $get_player['ball_bat'];
#$strike = $totalruns / $totalballs * 100;
?>
<form>
<tr>
<td><input type="text" name="player_name" value="<?php echo $get_player['player_name']; ?>" disabled="disabled" /></td>
<td><input type="text" name="runs" value="<?php echo $get_player['runs_bat']; ?>" size="1" /></td>
<td><button>Edit</button></td>
<td><input type="submit" value="Save" name="team" /></td>
</tr>
</form>
<?php
} ?>
1.
you need to make input array in while because name attribute is overwriting in loop
<td><input type="text" name="player_name[<?php echo $get_player['id']?>]" value="<?php echo $get_player['player_name']; ?>" disabled="disabled" /></td>
<td><input type="text" name="runs[<?php echo $get_player['id']?>]" value="<?php echo $get_player['runs_bat']; ?>" size="1" /></td>
2.
you have all text boxes mean if press submit button of one row, then also you will get all textboxes as php side so make hidden variable in form to get which button clicked
//write javascript in your page
<script>
function setPlayerId(id) {
document.getElementById('playerid').value=id;
}
</script>
//take hidden field into form
<input type='hidden' name='playerid' value='0'>
//write down onlick button event
<input type="submit" value="Save" name="team" onClick="setPlayerId('<?php <?php echo $get_player['id']?>?>')"/>
3.
Now in php you will get that as below
echo $_POST['player_name'][$_POST['playerid']];
// same way you can do your insert or update.
this code must work
<form method="post" action="">
<table width="700" border="1">
<tr><th><?php echo $_SESSION['teamtwo']; ?></th></tr>
<tr>
<th>Player Name</th>
<th>Runs</th>
<th>Edit</th>
<th>Save</th>
</tr>
<?php
$team = new DBConnection();
$condition = "WHERE teamname = '".$_SESSION['teamtwo']."' and datecreated = CURDATE()";
$sel_player = $team->SelectRecord(array("*"),"`match`","$condition");
//$sel_player = mysql_query("SELECT * FROM `match` WHERE teamname = '$team1' and datecreated = CURDATE()") or die(mysql_error());
while($get_player = mysql_fetch_array($sel_player))
{
$totalruns = $get_player['runs_bat'];
$totalballs = $get_player['ball_bat'];
#$strike = $totalruns / $totalballs * 100;
?>
<tr>
<td><input type="text" name="player_name" value="<?php echo $get_player['player_name']; ?>" disabled="disabled" /></td>
<td><input type="text" name="runs<?=$get_player['id']?>" value="<?php echo $get_player['runs_bat']; ?>" size="1" /></td>
// you didnt write this i added
<input type="text" name="ball<?=$get_player['id']?>" value="<?php echo $get_player['ball_bat']; ?>" size="1" />
<td><button>Edit</button></td>
<td><input type="submit" value="Save" name="team" /></td>
</tr>
<?php
} ?>
</table>
</form>
<?php } ?>
</div>
</div>
</body>
</html>
<?php
if(isset($_POST['team'])){
$runsname = 'runs'.$_GET['player'];
$ballsname = 'ball'.$_GET['player'];
$runs = $_POST[$runsname];
$balls = $_POST[$ballsname];
$object = new DBConnection();
$arr_Field=array("runs_bat","ball_bat","player_status","how_out","opposite_bowl","opposite_player","sr","overs","bowl_ball","runs_ball","extra","madien");
$arr_Values=array("$runs","$balls","$status","$how_out","$opposite_bowler","$opposite_player","$sr","$over","$bowls","$score","$extra","$madien");
$condition = "WHERE id = '".$_REQUEST['player']."'";
//echo $_REQUEST['player'];
//echo $runs.$balls;
$object->UpdateRecord("`match`",$arr_Field,$arr_Values,"$condition") or die(mysql_error());
//header("Location:extra.php?update");
}
I am trying to update a table in my DB for the past two days. But I am unable to get it to work. Somebody please help me.
I could connect to my database, see my table fields perfectly. Posted values from the form could be read perfectly from the destined PHP file.
MySQL query doesn't seen to return any error.
But I dont understand why the values are not getting updated into the table.
//form.html
<form name="account" action="test.php" method="post">
<td align="left" valign="top" class="labelstyle" width="25%">First Name</td>
<td align="left" valign="top" class="labeltextstyle" width="75%"><input type="text" name="fname" value="" /></td>
<td align="left" valign="top" class="labelstyle" width="25%">Last Name</td>
<td align="left" valign="top" class="labeltextstyle" width="75%"><input type="text" name="lname" value="" /></td>
<td align="left" valign="top" class="labelstyle" width="25%">Email</td>
<td align="left" valign="top" class="labeltextstyle" width="75%"><input type="text" name="email" value="" /></td>
<td align="left" valign="top" class="labeltextstyle"><input type="submit" name="submit" value="Save" /></td>
</form>
// test.php
<?php
$dbhost = "localhost";
$dbname = "test";
$dbuser = "";
$dbpass = "";
mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());
session_start();
if(isset($_REQUEST['submit'])){
// $query = "select * from form";
// $result = mysql_query($query);
// $numcolumn = mysql_num_fields($result);
// for ( $i = 0; $i < $numcolumn; $i++ ) {
// $columnnames = mysql_field_name($result, $i);
// echo $columnnames;
// }
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
echo $fname ;
echo $lname ;
echo $email ;
$query = "update test set
fname = $fname,
lname = $lname,
email = $email
where 1 ";
$result = mysql_query($query);
if ($query = 1) {
echo "IT WORKED";
} else {
echo "DIDNT WORK";
}
}else{
echo "NOT SUBMITTED";
}
?>
//form.html
<form name="account" action="test.php" method="post">
<td align="left" valign="top" class="labelstyle" width="25%">First Name</td>
<td align="left" valign="top" class="labeltextstyle" width="75%"><input type="text" name="fname" value="" /></td>
<td align="left" valign="top" class="labelstyle" width="25%">Last Name</td>
<td align="left" valign="top" class="labeltextstyle" width="75%"><input type="text" name="lname" value="" /></td>
<td align="left" valign="top" class="labelstyle" width="25%">Email</td>
<td align="left" valign="top" class="labeltextstyle" width="75%"><input type="text" name="email" value="" /></td>
<td align="left" valign="top" class="labeltextstyle"><input type="submit" name="submit" value="Save" /></td>
</form>
When i fill the form with values A, B and C and submit the form, I get the following output.
fnamelnameemailABCIT WORKED
please help me soon.
There is no id in the where clause to indicate which row must be updated. This will update all the rows in the table. It should look like this:
$query = "update test set
fname = $fname,
lname = $lname,
email = $email
where id = 1";
I assume that a row is created beforehand so that you know which row to update. If not then rather use an INSERT statement should be used.
$query = "insert into test (fname,lname,email) VALUES ($fname,$lname,$email);
fname, lname and email are strings, which have to be escaped in the SQL query:
$query = "update test set
fname = '$fname',
lname = '$lname',
email = '$email'
where 1";
You probably can leave the where 1 as well.
i looking some help and nice attention here..
i bought some php script many years ago and now no suport anymore... i just want to add md5 to password field..
here my form:
<?php
$SQL = "SELECT * from USERS WHERE USERNAME = '$_SESSION[username]'"; $result = #mysql_query( $SQL ); $row = #mysql_fetch_array( $result );
include 'menu.php';
?>
<FORM METHOD="post" ACTION="?page=query_client">
<INPUT TYPE="hidden" NAME="controller" VALUE="USERS~update~account_details&up=1~<?php echo $row[ID]; ?>">
<TABLE CLASS="basictable">
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Username</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<b><?php echo $row[USERNAME]; ?></b>
</TD>
</TR>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Password *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="PASSWORD" NAME="PASSWORD" SIZE="40" VALUE="<?php echo $row[PASSWORD]; ?>">
</TD>
</TR>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Email Address *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="text" NAME="EMAIL" SIZE="40" VALUE="<?php echo $row[EMAIL]; ?>">
</TD>
</TR>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Full Name *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="text" NAME="FULLNAME" SIZE="40" VALUE="<?php echo $row[FULLNAME]; ?>">
</TD>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Address *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="text" NAME="ADDRESS1" SIZE="40" VALUE="<?php echo $row[ADDRESS1]; ?>">
</TD>
</TR>
<BR>
<TABLE CLASS="basictable">
<TR>
<TD CLASS="tdhead2" >
<DIV ALIGN="CENTER"><B>
<INPUT TYPE="submit" NAME="Submit" VALUE="Submit">
</B></DIV>
</TD>
</TR>
</TABLE>
</FORM>
and the
it self as query_client.php inside look like:
<?PHP
#session_start();
$controller = $_POST['controller'];
$pieces = explode("~", $controller);
$table = $pieces[0];
$qt = $pieces[1];
$return = $pieces[2];
$id = $pieces[3];
$hack = $pieces[4];
if ($qt == insert) $qt = 'INSERT INTO';
if ($qt == update) { $qt = 'UPDATE'; $end = "WHERE ID = '$id'"; }
$pre = array_keys( $_POST );
mysql_query ("CREATE TABLE IF NOT EXISTS `$table` (`ID` INT NOT NULL AUTO_INCREMENT , PRIMARY KEY ( `id` ) )");
$count = count($pre); $count = $count - 2;
$sql = "$qt $table SET";
for ($i=0; $i < $count; $i++)
{
$x=$i+1;
$y = $_POST[$pre[$x]];
$d = $y;
mysql_query ("ALTER TABLE `$table` ADD `$pre[$x]` TEXT NOT NULL");
$sql .= " `$pre[$x]` = '$d',";
}
$sql .= " ID = '$id' $end";
$query = mysql_query($sql) or die("$sql_error" . mysql_error());
if (empty($hack)) { } else {
$pieces = explode("/", $hack);
$h0 = $pieces[0];
$h1 = $pieces[1];
$h2 = $pieces[2];
$h3 = $pieces[3];
$h4 = $pieces[4];
$h5 = $pieces[5];
mysql_query ("ALTER TABLE `$table` $h0 $h1 $h2 $h3 $h4 $h5");
$query = mysql_query($sql) or die("$sql_error" . mysql_error());
}
if (isset($_GET[inc])) include "$_GET[inc].php";
?>
so please help me how to add md5 in PASSWORD field?
thanks in advance..
Best to use a salt also - hashing and verification should be done at server - see secure hash and salt for PHP
Some links on writing secure code:
OWASP Top 10 for 2010
PHP Security: Fortifying Your Website
Writing Secure PHP