Alright, so I've been working on this for two days now - my code is somewhat sloppy & jumbled but I've gone over hundreds of questions, websites, etc. etc. looking for an answer or simply an explanation I understood; unfortunately, I still have been unsuccessful in my attempts.
I am build a "Quiz" Game in PHP/HTML - the website references a database, specifically, a tabled labeled "answers" which holds the following information:
- ID: Auto-Increment
- Question: Varchar
- Answer: Varchar
- Comment: Varchar
Now, for a little information on the site - Once a user logs in, he/she can "play" the game; the game is simply an HTML form, which above it displays a random "answers table" question. The form has 4 user inputs but only requires two. Let me get into the code details and then I will ask my question:
My index.php page (which contains the game form) is currently:
<?php # index.php
session_start();
//check session first
if (!isset($_SESSION['email'])){
include ('../includes/header.php');
}else
{
session_start();
include ('../includes/header.php');
require_once ('../../mysql_connect.php');
$query = "SELECT * FROM answers ORDER BY RAND() LIMIT 1";
$result = #mysql_query ($query);
$num = mysql_num_rows($result);
if ($num > 0) { // If it ran OK, display all the records.
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
?>
<div class="newGame">
<h2>Are you a Question Master?<hr /></h2>
<h3 style="color:#000">Find Out Now!</h3>
</div>
<br />
<div class="newGameContain">
<form action="gameSubmit.php" method="post" autocomplete="off">
<h2><? echo $row["Question"]."<hr />"; ?></h2>
<h3>Enter Player Answers</h3>
<p><input type="text" placeholder="Player 1" name="player1" value="<? echo $_POST['player1']; ?>" /> <input type="text" placeholder="Player 2" name="player2" value="<? echo $_POST['player2']; ?>" /></p>
<p><input type="text" placeholder="Player 3" name="player3" value="<? echo $_POST['player3']; ?>" /> <input type="text" placeholder="Player 4" name="player4" value="<? echo $_POST['player4']; ?>" /></p>
<p><input type="submit" class="submitButton" /> <input type="reset" class="resetButton" value="Reset" /> </p>
<input type="hidden" name="ID" value="<?php echo $row["ID"]; ?>" />
<input type="hidden" name"Answer" value="<?php echo $row['Answer']; ?>" />
<input type="hidden" name="submitted" value="TRUE" />
</form>
<p></p>
</div>
<br />
<?php
} //end while statement
} //end if statement
mysql_close();
//include the footer
include ("../includes/footer.php");
}
?>
Then my gameSubmit.php page (form action) looks like this - I will only give a snapshot, not the whole thing:
<?php # index.php
session_start();
//check session first
if (!isset($_SESSION['email'])){
include ('../includes/header.php');
}else
{
session_start();
include ('../includes/header.php');
require_once ('../../mysql_connect.php');
$query = "SELECT * FROM answers ORDER BY RAND() LIMIT 1";
$result = #mysql_query ($query);
$num = mysql_num_rows($result);
if ($num > 0) { // If it ran OK, display all the records.
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
?>
<? if (isset($_POST['submitted'])){
$correct1Msg = "<div class='correct1Msg'><p style='color:#000;font-family:Arial, Helvetica, sans-serif;'>Player 1 entered the <span id='answerUnder'>correct answer</span>.</p></div><p></p>";
$correct2Msg = "<div class='correct2Msg'><p style='color:#000;font-family:Arial, Helvetica, sans-serif;'>Player 2 entered the <span id='answerUnder'>correct answer</span>.</p></div><p></p>";
$incorrect1Msg = "<div class='incorrect1Msg'><p style='color:#F00;font-family:Arial, Helvetica, sans-serif;'>Player 1 entered the <span id='answerUnder'>incorrect answer</span>.</p></div><p></p>";
$incorrect2Msg = "<div class='incorrect2Msg'><p style='color:#F00;font-family:Arial, Helvetica, sans-serif;'>Player 2 entered the <span id='answerUnder'>incorrect answer</span>.</p></div><p></p>";
$player1Answer = $_POST['player1'];
$player2Answer = $_POST['player2'];
$player3Answer = $_POST['player3'];
$player4Answer = $_POST['player4'];
$questionID = $row['ID'];
if ($questionID == "1" && $player1Answer != "Red"){
echo $incorrect1Msg;
}elseif ($questionID == "2" && $player1Answer != "4"){
echo $incorrect1Msg;
}else {
echo $correct1Msg;
}
if ($questionID == "1" && $player2Answer == "Red"){
echo $correct2Msg;
}elseif ($questionID == "2" && $player2Answer == "4"){
echo $correct2Msg;
}else{
echo $incorrect2Msg;
}
}
?>
<?php
} //end while statement
} //end if statement
mysql_close();
//include the footer
include ("../includes/footer.php");
}
?>
As a note, the gameSubmit.php page also has identical message and if...elseif... statements for player3Answer & player4Answer.
So my question is...
If a user is logged in and opens the index.php page, he/she is prompted with the "echo $row ["Question"]" (which is a question pulled from the MySQL database using $query = "SELECT * FROM answers ORDER BY RAND() LIMIT 1"; - The user then proceeds to enter an answer in each player's respective text input. Once the user clicks the submit button, the form redirects to gameSubmit.php - once loaded, if(isset($_POST['submitted'])){ launches and cross checks each users answer and displays the respective message.
Currently, my form redirects to gameSubmit.php, however, it doesn't reference the previous question for the correct answer - thus its sheer luck the identical answer appears when "grading" the answers.
What do I need to do/what needs to be corrected in order to achieve input validation on the form action page?
Once again, I simply want to retrieve a question at random and on submit check the inputted answers with the correct answer - I would also like my code to be able to retrieve the correct answer rather than me having to type out each answer, so that way, if a record gets added, I dont have to update the code.
Thank for your time and the help, it is much appreciated! (It's finals week and I couldn't be more stressed)
Rockmandew
Just pass a POST element from index page to gameSubmit.php with the question id.
Add a hidden element in index page like..
<input type="hidden" name="questionId" value="<?php echo $row['id']; ?>">
So, You can get the question id in pageSubmit.php using $_POST['questionId']
Related
I am currently creating a survey where the answers are entered into a database.
I have 2 main tables:
questions, with 2 columns: questionID and questionBody
answers, with 3 columns: answerID, questionID (I want this to be tied to the column in table questions) and answerBody.
On the HTML page I am planning to create there will be multiple questions with multiple text boxes to fill in correlating to each quesiton. Is it possible that when the person submits the form, the answers are inserted into table answers with the questionID being based on what field was filled out?
So for example, If I have questionBody as "What is this Question asking?" and the questionID as 1 in table questions, when I submit the form I want table answers to also have questionID 1 in there.
At the moment this is my code:
//Check if error variables have any values assigned
if (empty($answerError))
{
//Prepare database insert
$sql = "INSERT INTO answers (questionID, answerBody) VALUES (?,?)";
//Check if the statement has the connect and sql variables
if ($statement = mysqli_prepare($connect, $sql))
{
//Add variables to the statement
mysqli_stmt_bind_param($statement, "ss", $paramQuestion, $paramAnswer);
//Set the parameter to the answer
$paramQuestion = getQuestionName($connect);
$paramAnswer = $answer;
//Execute statement with entered variable
if (mysqli_stmt_execute($statement))
{
//Redirect user to success page
header("location: thankyou.php");
}
else
{
echo "Something went wrong. Please try again later.";
}
//Close statement
mysqli_stmt_close($statement);
}
}
and for the function getQuestionName():
function getQuestionName($connect)
{
$query = "SELECT * FROM questions";
$result = mysqli_query($connect, $query);
if ($result)
{
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
{
$questionID = $row['questionID'];
return $questionID;
}
}
}
The code I am using to output the form into a HTML page is:
function getQuestions($connect)
{
$query = "SELECT * FROM questions";
$result = mysqli_query($connect, $query);
if ($result)
{
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
{
$body = $row['questionBody'];
echo '<div class="entry">
<div class="questionTitle"><h3>' . $body . '</h3>
<form action="survey.php" method="POST">
<input type="text" name="answer" size="50" />
<input type="submit" value="Submit" name="submit" />
</form>
</div>
</div>';
}
}
Any help on this would be greatly appreciated :)
Yes it's completely possible. Just put the question ID as a hidden field in the form, and it will be submitted along with the answer data when the form is submitted. Then you can retrieve it from the $_POST data just like the answer, and use it in your SQL query.
For example:
HTML form:
<form action="survey.php" method="POST">
<input type="hidden" name="questionID" value="<?php echo $row["questionID"]; ?>" />
<input type="text" name="answer" size="50" />
<input type="submit" value="Submit" name="submit" />
</form>
survey.php:
$paramQuestion = $_POST["questionID"];
From your question, I will suggest you make use of input with a hidden attribute.
something like this
<input type='text' name='question-id' value="<?php echo $questionId ;?>" hidden>
The user doesn't see the input it get filled from whatever you are providing into it.
Editing your code, you should do something like this.
function getQuestions($connect)
{
$query = "SELECT * FROM questions";
$result = mysqli_query($connect, $query);
if ($result)
{
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
{
$body = $row['questionBody'];
$questionId = $row['questionId'];
echo '<div class="entry">
<div class="questionTitle"><h3>' . $body . '</h3>
<form action="survey.php" method="POST">
<input type="text" name="answer" size="50" />
<input type="number"name="question-id" value="'.$questionId.'" hidden>
<input type="submit" value="Submit" name="submit" />
</form>
</div>
</div>';
}
}
It's all going wrong. I need to output a form onto my website that will do 1 of 2 things:
If the user already has content in the database, provide a form that posts to self to update the existing content.
If the user does not have content in the database, provide a form to let the user add information to the database.
The forms should submit to themselves to keep coding tidy. I'm getting into a right mess. I'll show what I have so far, but I'm getting in a muddle.
//look in db to see if content exists, if it does set variable
$result = mysql_query(
"SELECT * from tbl_profiles
WHERE user_id = $who
");
while($row = mysql_fetch_array($result))
{
$profileText = $row['text'];
}
// Check if user has content in db
$result = mysql_query(
"SELECT * FROM tbl_profiles WHERE user_id='$who'");
if(mysql_fetch_array($result) !== false){
echo
'<form action="../edit/indexUpdate.php" method="post" name="edit">
Comments:<br />
<textarea name="updatedText" id="comments">' .
$profileText .'
</textarea><br />
<input type="submit" value="Submit" />
</form>'
;}
else{
$profileText = $row['text'];
echo
"<form action='../edit/index.php' method='post' name='add'>
Comments:<br />
<textarea name='comments' id='comments'>" .
$profileText
."</textarea><br />
<input type='submit' value='Submit' />
</form>"
;}?>
You've pretty much got the functionality there, just needs tidying up.
Try something like this:
<?php
//look in db to see if content exists, if it does set variable
$profileText="";
if($result = mysql_query("SELECT * from tbl_profiles WHERE user_id = $who")) {
while($row = mysql_fetch_array($result))
{
$profileText .= $row['text'];
}
?>
<form action="../edit/indexUpdate.php" method="post" name="edit">
Comments:<br />
<textarea name="updatedText" id="comments">
<?php echo $profileText; ?>
</textarea><br />
<input type="submit" value="Submit" />
</form>
<?php
} else {
?>
<form action='../edit/index.php' method='post' name='add'>
Comments:<br />
<textarea name='comments' id='comments'>
<?php echo $profileText; ?>
</textarea><br />
<input type='submit' value='Submit' />
</form>
<?php
}
?>
The basic idea is to add a record if new and update if not. What you can do is use an id to represent the record or -1 if it's a new entry
Something along the lines of:
//Defaults
$recordid=-1;
$name='';
$comments='';
//look in db to see if content exists, if it does set variable
$result = mysql_query(
"SELECT * from tbl_profiles
WHERE user_id = $who
");
// Check if user has content in db
$result = mysql_query(
"SELECT * FROM tbl_profiles WHERE user_id='$who'");
if(mysql_fetch_array($result) !== false){
//Yes. Get the id
$recordid = $result->id;
//Get the values
$name= $result->name;
$comments= $result->name;
}
<form action="../edit/index.php" method="post" name="formdata">
<input type="hidden" name="recordid" value="<? echo htmlspecialchars($recordid) ?>">
<input type="hidden" name="name" value="<? echo htmlspecialchars($name) ?>">
<textarea name="comments" id="comments"><? echo htmlspecialchars($comments) ?></textarea>
<input type="submit" value="submit"/>
</form>
This way a new form will have a -1 but an existing will have an id.
As an additional point it is very important to sanitize your inputs for SQL and what you output in HTML to stop SQL Injections. For your reference on this:
SQL
Little Bobby Tables
Cross Site Scripting
I am trying to do a php search into mySQL database. the following code works funny, it detect very well when I only entered 3 letter..eg i have a product name 'deepbluehealth omega' if i type 'ome' it picked up, if i type 'ega' it picked up, if i type 'omega' no result shown, also if i type 'deepbluehealth' it pick up no problem.
<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
$search_output = "";
if(isset($_POST['searchquery']) && $_POST['searchquery'] != ""){
$searchquery = $_POST['searchquery'];
if($_POST['filter1'] == "Whole Site"){
$sqlCommand = "(SELECT id, product_name FROM products WHERE product_name LIKE '%$searchquery%' OR details LIKE '%$searchquery%') ";
}
require_once("storescripts/connect_to_mysqli.php");
$query = mysqli_query($myConnection,$sqlCommand) or die(mysqli_error($myConnection));
$count = mysqli_num_rows($query);
if($count > 1){
$search_output .= "<hr />$count results for <strong>$searchquery</strong><hr />$sqlCommand<hr />";
while($row = mysqli_fetch_array($query)){
$id=$row["id"];
$product_name = $row["product_name"];
$details= $row["details"];
$category=$row["category"];
$subcategory=$row["subcategory"];
$search_output .= "ID: $id <br/> Name: $product_name -<br/>$details<br />$category<br/>$subcategory<br/>
<a href='product.php?id=$id'>link</a><br/>
";
} // close while
} else {
$search_output = "<hr />0 results for <strong>$searchquery</strong><hr />$sqlCommand";
}
}
?>
<html>
<head>
</head>
<body>
<h2>Search the Exercise Tables</h2>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
Search For:
<input name="searchquery" type="text" size="44" maxlength="88">
Within:
<select name="filter1">
<option value="Whole Site">Whole Site</option>
</select>
<input name="myBtn" type="submit">
<br />
</form>
<div>
<?php echo $search_output; ?>
</div>
</body>
</html>
Here's your problem:
if($count > 1){
This needs to be:
if($count > 0){
To account for the case where there is exactly one result. Probably this is the only product that matched "omega" but in every other case, another product happened to match.
Nice random feature which I can not explain on the basis of the code only, could you give us the table structure / with indexes and some example data?
Extra tips
Don't use $_SERVER['PHP_SELF'] if you want to post to the same page because off the cross side scripting attacks that could happen now, or should use
<form action="" method="post">
Yes you should leave the action empty
And
Run $search_output when you echo through the function htmlentities to countermeasue against to most cross side scripting attacks.
thanks now I have a error code HY093 Invalid parameter number after using the renameit SUBMIT button. Any idea why? thanks
Any help would be appreciated. Thanks a lot.
<?php
// init
include("db_con1.php");
require("menu.php");
// modify distribution list name
if(is_numeric($_GET['gid'])) {
$g_id=$_GET['gid'];
$one = $pdo->prepare('SELECT * FROM contactgroups WHERE id=:gid');
$one->bindParam(':gid', $g_id, PDO::PARAM_INT);
if( $one->execute(array(':gid' => $_GET['gid'])) ) {
$result = $one->fetch();
}
}
// distribution list query
$queryl = $pdo->prepare('SELECT id, gr_name FROM contactgroups WHERE status=1 ORDER BY gr_name ASC');
$queryl->execute();
// Members list query
if (isset($_GET['gid'])) {
$g_id=$_GET['gid'];
$querym = $pdo->prepare('SELECT STRAIGHT_JOIN gm.linktype, if( gm.linktype = "group", cg.gr_name, cm.contact_sur ) mname FROM groupmembers gm LEFT JOIN contactgroups cg ON gm.link_id = cg.id LEFT JOIN contactmain cm ON gm.link_id = cm.id WHERE gm.group_id =:gid ORDER BY mname ASC');
$querym->bindParam(':gid', $g_id, PDO::PARAM_INT);
$querym->execute();
}
// distribution list query
$queryr = $pdo->prepare('SELECT * FROM contactmain WHERE status=1 ORDER BY contact_sur ASC');
$queryr->execute();
This is what should but does not work...
if (isset($_POST['renameit'])) {
$ren = htmlspecialchars($_POST['rename']);
$g_id = $_GET['gid'];
if ($g_id !== '' && is_numeric($g_id)) { // Change that first to == if gid != 0 as well
$sqlren = "UPDATE contactgroups SET gr_name = :rename WHERE id = :gid";
$sqlren = $pdo->prepare($sqlren);
$sqlren->bindValue(':rname', $ren); // <<< Is this supposed to be :ren?
$sqlren->bindValue(':gid', $g_id);
if ($sqlren->execute()) {
echo "<meta http-equiv=\"refresh\" content=\"0;URL=groups.php\">";
} else {
//Query failed.
$errorcode = $sqlren->errorCode();
echo $errorcode;
}
} else {
echo 'gid not provided'; // Or something
}
}
?>
and this is the HTML bit:
<form id="group-in" method="post" action="groups.php">
Add new Distribution group: <input type="text" name="newgroup" placeholder="name..."> <input type="submit" name="createit" value="Create new">
Rename groupname: <input type="text" name="rename" value="<?php echo $result['gr_name']; ?>"> <input type="submit" name="renameit" value="Rename">
</form>
<!-- Distribution list -->
<div id="left"><label class="header">Distribution list</label>
<ul>
<?php foreach ($queryl as $i => $rowl) { ?>
<li >
<?php if ($i)?>
<input name="checkbox1_add[]" id="dist_<?php echo $i ?>" type="checkbox" value="<? echo $rowl['id']; ?>" />
<label for="groups_<?php echo $i ?>">
<a href="groups.php?gid=<?php echo $rowl['id']; ?>" <?php $g_id=$_GET['gid']; if ($g_id==$rowl['id']) echo 'class="bold"'; ?> >
<?php echo $rowl['gr_name']; ?>
</a></label>
</li>
<?php } ?>
</ul>
</div>
sorry for the long code but I think I loose this $_GET somehow after selecting the distribution item.
Shouldn't you be doing something like this?
if (isset($_POST['renameit'])) {
$ren = htmlspecialchars($_POST['rename']);
$g_id = $_GET['gid'];
if ($g_id !== '' && is_numeric($g_id)) { // Change that first to == if gid != 0 as well
$sqlren = "UPDATE contactgroups SET gr_name = :ren WHERE id = :gid";
$sqlren = $pdo->prepare($sqlren);
$sqlren->bindValue(':rname', $ren); // <<< Is this supposed to be :ren?
$sqlren->bindValue(':gid', $g_id);
if ($sqlren->execute()) {
echo "<meta http-equiv=\"refresh\" content=\"0;URL=groups.php\">";
} else {
//Query failed.
$errorcode = $sqlren->errorCode();
echo $errorcode;
}
} else {
echo 'gid not provided'; // Or something
}
}
Also, if it's always going to be an integer, you could use:
$g_id = (int)$_GET['gid'];
But you would need to be careful with things that evaluate to 0 and check for it in your if statement:
if ($g_id > 0) {
Assuming 0 is not a valid gid value.
EDIT
Looking at your markup and form, this all seems confused.
For instance, your PHP code is using GET, but your code here is not including the gid in the ACTION attribute. (Also, you really should use two different forms for this, IMO.)
<form id="group-in" method="post" action="groups.php?gid=<?php echo $g_id;?>">
Add new Distribution group:
<input type="text" name="newgroup" placeholder="name...">
<input type="submit" name="createit" value="Create new">
</form>
<form id="group-in" method="post" action="groups.php?gid=<?php echo $g_id;?>">
Rename groupname:
<input type="text" name="rename" value="<?php echo $result['gr_name']; ?>">
<input type="submit" name="renameit" value="Rename">
</form>
However, your comment seems to suggest that multiple checkboxes can be checked to rename a group? But then you don't have a FORM tag around it:
<!-- Distribution list -->
<div id="left"><label class="header">Distribution list</label>
<form id="group-in" method="post" action="groups.php">
<ul>
<?php foreach ($queryl as $i => $rowl) { ?>
<li >
<?php if ($i)?>
<input name="checkbox1_add[]" id="dist_<?php echo $i ?>" type="checkbox" value="<? echo $rowl['id']; ?>" />
<label for="groups_<?php echo $i ?>">
<a href="groups.php?gid=<?php echo $rowl['id']; ?>" <?php $g_id=$_GET['gid']; if ($g_id==$rowl['id']) echo 'class="bold"'; ?> >
<?php echo $rowl['gr_name']; ?>
</a></label>
</li>
<?php } ?>
</ul>
</form>
</div>
The challenge that you're going to have here is that you need to loop through that $_POST['gid'] array, whereas the first single group rename you key off of the gid in the GET. I would suggest organizing your code into a Group/Groups object(s) and use a Model/View/Controller (MVC) pattern to organize your code.
Are you saying that you can't get $_GET['gid'] after you submit the group-in form?
Because if that's the case, what you have to do is create a hidden input with your gid value so it can be available in $_POST.
Without putting much thought to what you're trying to do, I can tell you that you simply can't have code using $_GET and $_POST simultaneously.
Update: I don't think you understood what I meant. But Jared is already doing a better job explaining what is wrong with your code, so I guess I won't repeat it.
UPDATE: I narrowed it down, when I got rid of this tag in the header.php file it all works, can someone please explain this.
<script src="#" type="text/javascript"></script>
Hi I'm having quite an annoying issue with my php code. I am trying to update a php database, from a form, when I do this however the fields in the data base become empty after submitting. Please Help! You can view it in action here http://andcreate.com/shoelace/admin/edit1.php click on the lists on the right to edit them and see what happens.
<?php
include("header.php");
echo "<h2>Edit Posts</h2>";
echo "<div id='editNav'>";
echo "<p>Choose Post to Edit</p>";
//////////GET ALL RECORDS AND BUILD A NAV SYSTEM FROM THEM////////
$results = mysql_query("SELECT * FROM shoeData ");
while($row = mysql_fetch_array($results)){
$id = $row['id'];
$name = $row['name'];
$about = $row['about'];
echo "$date " . substr($name, 0, 40) . " <br/> ";
}
$thisID = $_GET['id'];
if(!isset($thisID)){
$thisID = 22;
}
//////////FINISH ALL RECORDS AND BUILD A NAV SYSTEM FROM THEM////////
echo "</div>";
///////IF USER SUBMITS CHANGES UPDATE THE DATABASE//////////
//has user pressed the button
$update = $_GET['update'];
if($update == "yes") {
$name = $_POST['name'];
$about = $_POST['about'];
$company = $_POST['company'];
$buy = $_POST['buy'];
//update data for this record
$sql = "UPDATE shoeData SET
name = \"$name\",
about = \"$about\",
company = \"$company\",
buy = \"$buy\"
WHERE id= $thisID";
$thisUpdate = mysql_query($sql) or die(mysql_error());
}
///////END IF USER SUBMITS CHANGES UPDATE THE DATABASE//////////
/////////// HERE WE GET THE INFO FOR ONE RECORD ONLY////////
$results = mysql_query("SELECT * FROM shoeData WHERE id=$thisID");
while($row = mysql_fetch_array($results)){
$name = $row['name'];
$about = $row['about'];
$company = $row['company'];
$buy = $row['buy'];
}
//////////////FINISH GETTING INFO FOR ONE RECORD ONLY/////////////
?>
<form name="formS" method="post" action="<?php echo $_SERVER['PHP_SELF']."?id=$thisID&update=yes";?>">
Name
<p>
<input type="text" name="name" id="name" value="<?php echo $name;?>" />
</p>
About
<p>
<input type="text" name="about" id="about" value="<?php echo $about;?>" />
</p>
Company
<p>
<input type="text" name="company" id="company" value="<?php echo $company;?>" />
</p>
Name
<p>
<input type="text" name="buy" id="buy" value="<?php echo $buy;?>" />
</p>
<p>
<input type="submit" name="submit" id="submit" />
</p>
</form>
<p><a class="delete" href="delete.php?id=<?php echo $thisID;?>">Delete this post</a></p>
<?php
include("footer.php");
?>
You have $update = $_GET['update'];, but then right after that, you're using $_POST. A given request is either GET or POST, not both - thus whenever $_GET['update'] is set to "yes", there aren't going to be any POST vars set, and thus the update will be done with all of the values it's setting blank.
Chances are you actually meant to use either $_GET or $_POST in both places - since your updates are going through, but are blank, it sounds like you want to use $_GET (though for form submission/updates, you should probably really be using POST instead).
This may seem silly, but are you confusing $_GET and $_POST variables? You use one to check whether to enter the loop, and another to populate the string.
Also, as a minor aside, your SELECT statement towards the end of the snippet can be optimized by adding LIMIT 1 to the end of it, as presumably you're only going to be recalling one entry per id, no?