php update script failing to work - php

Below is the code for a PHP edit script. I am aware it is not protected, as it is an example; however, it doesn't seem to work. From what I can see it is syntactically OK, but I may be missing something.
The code:
<?php
$connect = mysql_connect("localhost","root","");
if (!$connect){
die("Connection failed:" . mysql_error());
}
mysql_select_db("test",$connect);
if (isset($_POST['update'])){
$UpdateQuery = "UPDATE tbl_venues SET venue_id='$_POST[id]', venue_name='$_POST[name]', venue_description ='$_POST[desc]', venue_address ='$_POST[address]', venue_type ='$_POST[type]' WHERE venue_id='$_POST[hidden]'";
mysql_query($UpdateQuery, $connect);
};
$sql = "SELECT * FROM tbl_venues ORDER BY venue_id";
$mydata = mysql_query($sql,$connect);
echo "<table border=1>
<tr>
<th>Venue ID</th>
<th>Venue Name</th>
<th>Venue Description</th>
<th>Venue Address</th>
<th>Venue Type</th>
</tr>";
while($record = mysql_fetch_array($mydata)){
echo"<form action=venuelist.php method=post>";
echo "<tr>";
echo "<td><input type='text' name='id' value='" . $record['venue_id'] . "'> </td>";
echo "<td><input type='text' name='name' value='" . $record['venue_name'] . "'> </td>";
echo "<td><input type='text' name='desc' value='" . $record['venue_description'] . "'> </td>";
echo "<td><input type='text' name='address' value='" . $record['venue_adress'] . "'> </td>";
echo "<td><input type='text' name='type' value='" . $record['venue_type'] . "'> </td>";
echo "<td><input type='hidden' name='hidden' value='" . $record['venue_id'] . "'> </td>";
echo "<td><input type='submit' name='update' value='update' " . "'> </td>";
echo "</form>";
}
echo "</table>";
mysql_close($connect);
?>
It displays the data, proving it's not a connection issue; however, the data stops showing when an apostrophe is present in the row. The main issue is it refuses to update the field.
Any suggestions? Thanks

If the value includes an apostrophe it will break the html.
e.g. Your rendered html will look something like this:
<input type='hidden' name='hidden' value='it's a problem'>
Most frameworks will automatically prevent issues like this by automatically escaping problematic characters so you don't need to do it manually. (e.g. CakePHP and many others)

Here's a method for escaping single quotes in your output. It uses the php function str_replace.
$myString = "testing 'this' is a problem";
$myString = str_replace('\'', '\\\'', $myString);
echo $myString;
As far as how to remove those single quotes on the way into the database, take a look at prepared statements. It's a reliable way to protect your database from SQL injection. In particular, take a look at this canonical question and answer on the topic. Your update statement is not working because single quotes break the SQL query. So you'll have to deal with those some way, and prepared statements are the best practice there.
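The apostrophe problem from this question, handled at both ends, as an added example that is not part of the original answers: the submitted values are bound to a prepared UPDATE, and stored values are encoded with htmlspecialchars before they go into a quoted attribute. SQLite in memory stands in for the MySQL database, and the $post array and the attr() and updateVenue() helpers are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL "test" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_venues (venue_id INTEGER PRIMARY KEY, venue_name TEXT,
            venue_description TEXT, venue_address TEXT, venue_type TEXT)');
$pdo->exec("INSERT INTO tbl_venues VALUES (1, 'Old Hall', 'n/a', '1 High St', 'hall')");

// Constructed stand-in for the $_POST array the form would submit.
$post = ['hidden' => '1', 'name' => "Joe's Bar", 'desc' => "It's a \"quiet\" pub",
         'address' => "5 King's Rd", 'type' => 'bar'];

// Encode a value for use inside a quoted HTML attribute (both quote styles).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Update one venue; values are bound as parameters, never concatenated into the SQL.
// The primary key is used only to select the row and is not rewritten.
function updateVenue(PDO $pdo, array $in): int
{
    $stmt = $pdo->prepare('UPDATE tbl_venues SET venue_name = :name,
        venue_description = :desc, venue_address = :address, venue_type = :type
        WHERE venue_id = :id');
    $stmt->execute([':name' => $in['name'], ':desc' => $in['desc'],
        ':address' => $in['address'], ':type' => $in['type'],
        ':id' => (int) $in['hidden']]);
    return $stmt->rowCount();
}

echo updateVenue($pdo, $post), " row(s) updated\n";

// Re-render the row: apostrophes and double quotes no longer end the attribute.
foreach ($pdo->query('SELECT * FROM tbl_venues ORDER BY venue_id', PDO::FETCH_ASSOC) as $row) {
    echo "<input type='text' name='name' value='" . attr($row['venue_name']) . "'>\n";
    echo "<input type='text' name='desc' value='" . attr($row['venue_description']) . "'>\n";
    echo "<input type='hidden' name='hidden' value='" . attr((string) $row['venue_id']) . "'>\n";
}
```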

Related

Being able to delete data from the click of a button on a page which also deletes the data from the database

I have multiple text boxes within a table on my web page which is populated from a form on my website users fill out. I have the feature of being able to delete each row as well as edit each row of data displayed on my website. The problem I'm having with it is only the last row of the table can be edited/deleted. For example, When I click the delete button on the first row of the table, it deletes the last row for some reason and not the first row. Also, it's the same with the update/edit button, only the last row can be modified and not anything above the last row of the table on my website.
More information:
form_id is the primary key within my database.
My code:
<?php
$con = @mysql_connect("localhost","root","");
if (!$con){
die("Can not connect: " . mysql_error());
}
mysql_select_db("formsystem", $con);
if(isset($_POST['update'])){
$UpdateQuery = "UPDATE form SET form_name='$_POST[name]', form_description='$_POST[description]' WHERE form_id='$_POST[hidden]'";
mysql_query($UpdateQuery, $con);
};
if(isset($_POST['delete'])){
$DeleteQuery = "DELETE FROM form WHERE form_id='$_POST[hidden]'";
mysql_query($DeleteQuery, $con);
};
$sql = "SELECT * FROM form";
$myData = mysql_query($sql,$con);
echo "<table>
<tr>
<th>Title</th>
<th>Description</th>
<th></th>
<th></th>
<th></th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action=findGroup.php method=post>";
echo "<tr>";
echo "<td>" ."<input type=text name=name value='" . $record['form_name'] . "'/> </td>";
echo "<td>" ."<input type=text name=description value='" . $record['form_description'] . "'/> </td>";
echo "<td>" ."<input type=hidden name=hidden value='" . $record['form_id'] . "'/></td>";
echo "<td>" ."<input type=submit name=update value='update" . "'/> </td>";
echo "<td>" ."<input type=submit name=delete value='delete" . "'/> </td>";
echo "</tr>";
}
echo "</table>";
?>
Update
Enclose the form element properly:
<?php
$con = @mysql_connect("localhost","root","");
if (!$con){
die("Can not connect: " . mysql_error());
}
mysql_select_db("formsystem", $con);
if(isset($_POST['update'])){
$UpdateQuery = "UPDATE form SET form_name='".$_POST['name']."', form_description='".$_POST['description']."' WHERE form_id='".$_POST['hidden']."';";
mysql_query($UpdateQuery, $con);
};
if(isset($_POST['delete'])){
$DeleteQuery = "DELETE FROM form WHERE form_id='".$_POST['hidden']."';";
mysql_query($DeleteQuery, $con);
};
$sql = "SELECT * FROM form";
$myData = mysql_query($sql,$con);
echo "<table>
<tr>
<th>Title</th>
<th>Description</th>
<th></th>
<th></th>
<th></th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action=findGroup.php method=post>";
echo "<tr>";
echo "<td>" ."<input type=text name=name value='" . $record['form_name'] . "'/> </td>";
echo "<td>" ."<input type=text name=description value='" . $record['form_description'] . "'/> </td>";
echo "<td>" ."<input type=hidden name=hidden value='" . $record['form_id'] . "'/></td>";
echo "<td>" ."<input type=submit name=update value='update" . "'/> </td>";
echo "<td>" ."<input type=submit name=delete value='delete" . "'/> </td>";
echo "</tr>";
echo "</form>";
}
echo "</table>";
?>
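And for the security issue, it's better to wrap the variable using mysqli_real_escape_string, for example:
// mysqli_real_escape_string takes the connection as its first argument; $con must be a mysqli link (mysqli_connect)
"DELETE FROM form WHERE form_id='".mysqli_real_escape_string($con, $_POST['hidden'])."';";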
But this is another question, here is the thread.
First off, check these potential issues:
You are connecting as root. Not recommended. You should connect as a MySQL user with M.A.D rights on that table (modify, add, delete).
Have you checked the MySQL & system/PHP logs to see if any errors are being reported? Then you can adjust your code based on those errors.
Have you attempted to run the delete statement manually to confirm that it deletes the desired row?
In your code, have you tried using the $sql = DELETE... syntax on your delete statement?

How to make radio button with mysql value?

I want to make a radio button with MySQL.
MY CODE
But it doesn't make sense (SERVER ERROR: 500)
Because of the HTML form tag!
So I want to ask you!
"How can I make a radio button with a MySQL value?"
I don't know what you are trying to achieve but I think I know what you mean. You want to create a radio button giving it a value from your database.
You don't create a form for each radio button. Instead, create the radio buttons within a single form tag.
Something like this:
echo "<form name='' action='index.php' method='post'>";
while($row=mysqli_fetch_array($res)){
echo "<input type='radio' name='" .$q . "' value='".$q ."'>" .$q . "<br />";
echo "<input type='radio' name='" .$a1 . "' value='".$a1 ."'>" .$a1 . "<br />";
echo "<input type='radio' name='" .$a2 . "' value='".$a2 ."'>" .$a2 . "<br />";
echo "<input type='radio' name='" .$a3 . "' value='".$a3 ."'>" .$a3 . "<br />";
}
echo "</form>";
In your echo statement change the parameter " to '.
Try this, it will definitely work.
Try like this,
while ($row = mysqli_fetch_array($res))
{
$q = $row['q'];
echo "<tr>
<td>
<form name='' action='index.php' method='post'>
<input type='radio' name='q' value='".$q."'>
</form>
</td>
</tr>";
}
Are you properly able to establish a connection to the server? Just var_dump or print_r to see what you are getting from the database.

PHP form update all mysql rows instead of 1

if (isset($_POST['update'])){
$UpdateQuery = "UPDATE eventcalendar SET Title='$_POST[title]', Detail='$_POST[detail]' WHERE ID='$_GET[ID]'";
mysql_query($UpdateQuery, $con);
}
$sql = "SELECT * FROM eventcalendar";
$myData = mysql_query($sql,$con);
echo "<table border=1'>
<tr>
<th>Id</th>
<th>Title</th>
<th>Detail</th>
<th>Event Date</th>
<th>Date Added</th>
</tr>";
while($row = mysql_fetch_array($myData)){
echo "<form action=details.php method=post>";
echo "<tr>";
echo "<td>" . $row['ID'] . "</td>";
echo "<td>" . "<input type=text name=title value=" . $row['Title'] . " </td>";
echo "<td>" . "<input type=text name=detail value=" . $row['Detail'] . " </td>";
echo "<td>" . $row['eventDate'] . "</td>";
echo "<td>" . $row['dateAdded'] . "</td>";
echo "<td>" . "<input type=submit name=update value=update" . " </td>";
echo "</tr>";
echo "</form>";
}
echo "</table>";
mysql_close($con);
This is my code, yet when I try to execute it, it executes all my rows in my table instead of only the 1 I edited. I've searched for like 2 hours but still can't find it. Do any of you know how I can fix this?
Looks like you need to include the ID in the form action.
echo '<form action="details.php?ID='.$row['ID'].'" method="post">';
This will allow the use of the $_GET['ID'] value in your update query.
Alternatively, add the ID as a hidden field in your form like
echo '<input type="hidden" name="ID" value="'.$row['ID'].'">';
And change the SQL query to use $_POST['ID'] instead of $_GET['ID'].
$UpdateQuery = "UPDATE eventcalendar SET Title='$_POST[title]', Detail='$_POST[detail]' WHERE ID='$_POST[ID]'";
Something you also need to look into is escaping the input that you're using with your SQL statement.
Aside from the SQL Injection issues, your problem is that:
You're using $_GET[ID] in your query, instead of $_POST[ID]
You aren't posting the ID back to the form at all. Try adding this:
echo "<input type='hidden' name='ID' value='{$row['ID']}'>";
Your $_POST[title], $_POST[detail] and $_GET[ID] are interpreted as plain strings, not as the evaluated value. To get the evaluated value, you have to make use of concatenation.
Update this part :
if (isset($_POST['update'])){
$UpdateQuery = "UPDATE eventcalendar SET Title='$_POST[title]', Detail='$_POST[detail]' WHERE ID='$_GET[ID]'";
mysql_query($UpdateQuery, $con);
}
to this:
if (isset($_POST['update']))
{
$UpdateQuery = "UPDATE eventcalendar SET Title='". $_POST['title']. "', Detail='". $_POST['detail']. "' WHERE ID='". $_POST['ID']. "'";
mysql_query($UpdateQuery, $con);
}

SQL Query only fetching the first word from a string column

<?php
include('common/connect.class.php');
include('common/admin.class.php');
session_start();
$user = $_SESSION['user'];
$con2 = new connection();
$con = $con2->connect();
$sql = "SELECT * FROM xam_category"; //Select Query
$myData = mysql_query($sql,$con) or die(mysql_error());;
echo "<table align='center'>
<tr>
<th>Category name</th>
<th>Category Description</th>
</tr>";
while($record = mysql_fetch_array($myData))
{
echo "<form action=user_book.php method=post>";
echo "<tr>";
echo "<td>" . "<input type=text size=10 readonly='true' name=usrname value=" . $record['category_name'] . " </td>";
echo "<td>" . "<input type=text size=15 readonly='true' name=usrmail value=" . $record['category_desc'] . " </td>";
echo "<td>" . "<input type=submit name=delete value=DELETE" . " </td>";
echo "<td>" . "<input type=submit name=update value=UPDATE" . " </td>";
echo "</tr>";
echo "</form>";
}
mysql_close($con);
echo "</table>";
?>
My SELECT query and data fetching are working fine. But when I echo the fetched data, it only shows the first word "Computer" where its actual value is "Computer Science".
The data stored in database viewed through PhpMyAdmin seems ok. But,
The data shown in the .php page is different and not ok.
I'm Stuck.
How to display the right string from MySQL database on the PHP page?
Note: I'm using HTML inside echo to loop and display all data. Sorry, I have to use mysql() functions, couldn't do mysqli(). I also viewed other questions of the same type on Stack Overflow, but couldn't find a solution.
If you have a value with a space in it, you must enclose that value within quotes in your HTML. Try with
echo "<td><input type=text size=10 readonly='true' name='usrname' value='".$record['category_name']."'></td>";
Try to use mysql_fetch_assoc instead of mysql_fetch_array if you would like to access to variable like $record['category_name'].
Please read this article: mysql_fetch_row() vs mysql_fetch_assoc() vs mysql_fetch_array()

PHP form update mysql database returns all database records after editing one record

So I have this code that other Stack members have helped me fine-tune and correct some errors in. The code all works as it should, but there is one small detail: after successfully editing one record and clicking the update button, ALL of the existing records that are in the database load into the page. Here is my code below:
<?php
$con = mysql_connect("localhost", "root", "M1q2w3e4r");
if (!$con) {
die("Can not connect: " . mysql_error());
}
mysql_select_db("inventory",$con);
if (isset($_POST['update'])){
$UpdateQuery = "UPDATE invoice SET `inv_number`='$_POST[inv_number]', `from_date`='$_POST[from_date]', `to_date`='$_POST[to_date]',`date_type`='$_POST[date_type]', `notes`='$_POST[notes]' WHERE id='$_POST[id]'";
mysql_query($UpdateQuery, $con);
};
$where = '';
if(!empty($_GET) && !empty($_GET['edit'])) {
$where = ' where id='.$_GET['edit'];
}
$sql = "SELECT * FROM invoice".$where;
$myData = mysql_query($sql,$con);
echo "<table border=1>
<tr>
<th>Inv #</th>
<th>From</th>
<th>To</th>
<th>Type</th>
<th>Notes</th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action='edit.php' method='post'>";
echo "<tr>";
echo "<td>" . "<input type='text' name='inv_number' value='" . $record['inv_number'] . "'> </td>";
echo "<td>" . "<input type='text' id='from' name='from_date' value='" . $record['from_date'] . "'> </td>";
echo "<td>" . "<input type='text' id='to' name='to_date' value='" . $record['to_date'] . "'> </td>";
echo "<td>" . "<input type='text' name='date_type' value='" . $record['date_type'] . "'> </td>";
echo "<td>" . "<input type='text' name='notes' value='" . $record['notes'] . "'> </td>";
echo "<td>" . "<input type='hidden' name='id' value='" . $record['id'] . "'> </td>";
echo "<td>" . "<input type='hidden' name='hidden' value='" . $record['id'] . "'> </td>";
echo "<td>" . "<input type='submit' name='update' value='update'>" . " </td>";
echo "</tr>";
echo "</form>";
}
echo "</table>";
mysql_close($con);
?>
I know it has to do with the form action="edit.php", as it refreshes the page the id number in the url is pulled out. So I tried this:
echo "<form action='edit.php?edit=<?php echo $_REQUEST["id"]; ?>' method='post'>";
but this only led to my edit.php to display as a blank page. If anyone can help me figure out how to prevent all the database records from being displayed in the page after clicking the update button it would really help.
I might do this, for example, if I just wanted to show the record that was just updated:
if (isset($_POST['update'])){
$UpdateQuery = "UPDATE invoice SET `inv_number`='$_POST[inv_number]', `from_date`='$_POST[from_date]', `to_date`='$_POST[to_date]',`date_type`='$_POST[date_type]', `notes`='$_POST[notes]' WHERE id='$_POST[id]'";
mysql_query($UpdateQuery, $con);
$where = ' where id='.$_POST['id'];
}
else {
$where = '';
if(!empty($_GET) && !empty($_GET['edit'])) {
$where = ' where id='.$_GET['edit'];
}
}
You could also use REQUEST instead of GET and make a hidden input field with the name "edit" in your form.
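Added example, not from the original answer: the id in this thread is concatenated into an unquoted numeric position of the WHERE clause, so here it is validated as an integer first and then bound as a parameter. SQLite in memory stands in for the MySQL database, the sample request values are constructed, and recordId() and fetchInvoices() are hypothetical helper names.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL "inventory" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoice (id INTEGER PRIMARY KEY, inv_number TEXT, notes TEXT)');
$pdo->exec("INSERT INTO invoice VALUES (1, 'A-100', 'first'), (2, 'A-101', 'second')");

// Return a positive integer id, or null when the input is missing,
// an array, or anything other than a plain integer string.
function recordId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one invoice when a valid id is given, otherwise the full list
// (the same fallback the page's code uses when no id is present).
function fetchInvoices(PDO $pdo, ?int $id): array
{
    if ($id === null) {
        return $pdo->query('SELECT * FROM invoice ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
    }
    $stmt = $pdo->prepare('SELECT * FROM invoice WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: after an update the id would come from
// $_POST['id'], otherwise from $_GET['edit'].
foreach (['2', '2abc', '', null, ['2']] as $raw) {
    $id = recordId($raw);
    printf("%-8s -> id=%s, rows=%d\n", json_encode($raw), var_export($id, true),
        count(fetchInvoices($pdo, $id)));
}
```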
