I've got a page showing the contents of my DB in form inputboxes like this:
<?php
while($row = mysql_fetch_array($result))
{
$namn = $row['namn'];
$mandag = $row['mandag'];
$tisdag = $row['tisdag'];
$onsdag = $row['onsdag'];
$torsdag = $row['torsdag'];
$fredag = $row['fredag'];
?>
<td width="100"></td>
<td><?=$namn?><input name="namn[]" type="hidden" value="<?=$namn?>"></td>
</tr>
<tr>
<td width="100">Mandag</td>
<td><input name="mandag[]" type="text" value="<?=$mandag?>"></td>
</tr>
<tr>
<td width="100">Tisdag</td>
<td><input name="tisdag[]" type="text" value="<?=$tisdag?>"></td>
</tr>
<tr>
<td width="100">Onsdag</td>
<td><input name="onsdag[]" type="text" value="<?=$onsdag?>"></td>
</tr>
<tr>
<td width="100">Torsdag</td>
<td><input name="torsdag[]" type="text" value="<?=$torsdag?>"></td>
</tr>
<tr>
<td width="100">Fredag</td>
<td><input name="fredag[]" type="text" value="<?=$fredag?>"></td>
</tr>
<?php } ?>
<tr>
<td width="100"> </td>
<td> </td>
</tr>
<tr>
<td width="100"> </td>
<td>
<input name="update" type="submit" id="update" value="Update">
</td>
</tr>
</table>
</form>
After this I've added code to able to update the different DB entries by changing the content of the inputboxes and pressing the submit button:
<?php
if(isset($_POST['update']))
{
$namnValue = $_POST['namn'];
$mandagValue = $_POST['mandag'];
$tisdagValue = $_POST['tisdag'];
$onsdagValue = $_POST['onsdag'];
$torsdagValue = $_POST['torsdag'];
$fredagValue = $_POST['fredag'];
print_r($mandagValue);
$sql = "UPDATE anstalld SET mandag = '$mandagValue', tisdag = '$tisdagValue', onsdag = '$onsdagValue', torsdag = '$torsdagValue', fredag = '$fredagValue' WHERE namn = '$namnValue'";
echo $sql;
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
die('Could not update data: ' . mysql_error());
}
echo "Updated data successfully\n";
}
mysql_close($conn);
?>
The DB is being updated, however, the problem is that all my
$namnValue = $_POST['namn'];
$mandagValue = $_POST['mandag'];
$tisdagValue = $_POST['tisdag'];
$onsdagValue = $_POST['onsdag'];
$torsdagValue = $_POST['torsdag'];
$fredagValue = $_POST['fredag'];
are returning the result "Array", an not the actual Values from the inputboxes.
Therefore my SQL UPDATE ends up being
"UPDATE anstalld SET mandag = 'Array', tisdag = 'Array', onsdag =
'Array', torsdag = 'Array', fredag = 'Array' WHERE namn = 'Array'"
I'll appreciate any help I can get on this, thanks.
You need to delete [] on our input names:
<td><input name="onsdag" type="text" value="<?=$onsdag?>"></td>
instead of
<td><input name="onsdag[]" type="text" value="<?=$onsdag?>"></td>
^^
Otherwise they are considered as arrays.
Because of the name of your input fields
<input name="onsdag[]" type="text" value="<?=$onsdag?>">
you are sending arrays and not single values.
Change the names as the previous answer suggests
<input name="onsdag" type="text" value="<?=$onsdag?>">
or access them as arrays
$namnValue = $_POST['namn'][0];
$mandagValue = $_POST['mandag'][0];
...
Related
I am currently making a system for a client database management. There are four tables in mySQL for this system, which are; admin, staff, client, and project. The project table has one foreign key from the client table, which is the clientid.
Now, I have made forms for all these tables so that the user can input the data into them. Weirdly, the only form that can be updated successfully is the staff one. Both the client and project forms cannot be updated at all. It returns as successful, but the data are not altered.
Below is the staff update code.
<?php
include 'database.php';
$staffid = $_GET['staffid'];
$sql = "SELECT * FROM staff WHERE staffid='$staffid'";
$result = mysqli_query($conn,$sql);
while ($row=mysqli_fetch_array($result)){
$staffname = $row['staffname'];
$staffemail = $row['staffemail'];
$staffphone = $row['staffphone'];
}
if(isset($_POST['submit'])){
$staffname = $_POST['staffname'];
$staffemail = $_POST['staffemail'];
$staffphone = $_POST['staffphone'];
$sql = "UPDATE staff SET
staffname='$staffname',staffemail='$staffemail',staffphone='$staffphone' WHERE staffid='$staffid'";
$result = mysqli_query($conn,$sql);
if($result){
echo "<table><td><tr><h4>Record has been updated successfully!<br></tr></td></h4></table>";
}
else {
echo "<h4>Record has <b>NOT</b> been updated successfully<br></h4>";
}
}
?>
<form action="" method="post">
<table class ="table1">
<tr>
<td>Staff Name:</td> <td><input type="text" name="staffname" size="50" value="<?php echo $staffname;?>"></td>
</tr>
<tr>
<td>Staff Email:</td> <td><input type="text" name="staffemail" size="50" value="<?php echo $staffemail;?>"></td>
</tr>
<tr>
<td>Staff Phone No:</td> <td><input type="text" name="staffphone" size="50" value="<?php echo $staffphone;?>"></td>
</tr>
<td><input type="submit" value="Update" name="submit"> <input type="button" value="View" name="view" onclick='location.href="viewstaff.php"'></td>
</table>
</form>
Okay now is the update code for the client table.
<?php
include 'database.php';
$clientid = $_GET['clientid'];
$sql = "SELECT * FROM client WHERE clientid='$clientid'";
$result = mysqli_query($conn,$sql) or die ("Error in query: $query. ".mysqli_error());
while ($row=mysqli_fetch_array($result)){
$clientid = $row['clientid'];
$clientname = $row['clientname'];
$clientno = $row['clientno'];
$clientemail = $row['clientemail'];
$clientadd = $row['clientadd'];
}
if(isset($_POST['submit'])){
$clientid = $row['clientid'];
$clientname = $row['clientname'];
$clientno = $row['clientno'];
$clientemail = $row['clientemail'];
$clientadd = $row['clientadd'];
$sql = "UPDATE client SET clientid='$clientid',clientname='$clientname',clientno='$clientno',clientemail='$clientemail',clientadd='$clientadd' WHERE clientid='$clientid'";
$result = mysqli_query($conn,$sql) or die ("Error in query: $query. ".mysqli_error());
if($result){
echo "<table><td><tr><h4>Record has been updated successfully!<br></tr></td></h4></table>";
}
else {
echo "<h4>Record has <b>NOT</b> been updated successfully<br></h4>";
}
}
?>
<form action="" method="post">
<table class ="table1">
<tr>
<td>Client ID:</td> <td><input type="text" name="clientid" size="50" value="<?php echo $clientid;?>"></td>
</tr>
<tr>
<td>Client Name:</td> <td><input type="text" name="clientname" size="50" value="<?php echo $clientname;?>"></td>
</tr>
<tr>
<td>Client Phone No.:</td> <td><input type="text" name="clientno" size="50" value="<?php echo $clientno;?>"></td>
</tr>
<tr>
<td>Client Email:</td> <td><input type="text" name="clientemail" size="50" value="<?php echo $clientemail;?>"></td>
</tr>
<tr>
<td>Client Address:</td> <td><input type="text" name="clientadd" size="50" value="<?php echo $clientadd;?>"></td>
</tr>
<td><input type="submit" value="Update" name="submit"> <input type="button" value="View" name="view" onclick='location.href="viewclient.php"'></td>
</table>
</form>
Maybe I'm stupid or what but I've been trying to figure out the problem for 3 hours and I'm this close to crying lol. Been reading all the threads here about updating form but still, no answer. Hope that anyone here could help me. Thank you.
The code you use for the client table update uses this code:
if(isset($_POST['submit'])){
$clientid = $row['clientid']; // $row should be $_POST
$clientname = $row['clientname']; // $row should be $_POST
$clientno = $row['clientno']; // $row should be $_POST
$clientemail = $row['clientemail']; // $row should be $_POST
$clientadd = $row['clientadd']; // $row should be $_POST
But those $rows should be $_POST, else the updated data will be the same as the previous data (since $row is the result from the query SELECT * FROM client WHERE clientid='$clientid'). You do it correctly in the staff table update code:
if(isset($_POST['submit'])){
$staffname = $_POST['staffname'];
$staffemail = $_POST['staffemail'];
$staffphone = $_POST['staffphone'];
Please note that your your script is at risk of SQL Injection Attack. Have a look at what happened to Little Bobby Tables. Even if you are escaping inputs, its not safe!. Use prepared parameterized statements instead.
I want insert employee attendance. when I checked more then one checkbox it take two checkbox value 1 and other checkbox value 0 .so how can i solve this please help me. this is my form code
<form action="coll.php" method="post" name="create_grading" id="create_grading">
<table width="30%" border="0" cellpadding="2" cellspacing="3" class="mainTable">
<tr>
<th><input type="checkbox" id="selectall" /></th>
<th>name</th>
</tr>
<?php
$sql = "select * from employee";
$query = mysqli_query($con, $sql);
while ($row = mysqli_fetch_array($query)) {
?>
<tr>
<td><input type="hidden" name="eid[]" value="<?php echo $row['eid']; ?>"/>
<input name="status[]" class="case" type="checkbox" value="1" /><input name="status[]" class="case" type="hidden" value="0" /></td>
<td align="center"><?php echo $row['employee_name'] ?></td>
</tr>
<?php }; ?>
<tr>
<td></td>
<td><input type="submit" name="Submit" id="Submit" value="Submit" /></td>
</tr>
</table>
</form>
this is my insert code
$host = "localhost";
$user = "root";
$pass = "";
$db = "multiple_row_insert";
$con = mysqli_connect($host, $user, $pass, $db);
if (isset($_POST['Submit'])) {
$eid = $_POST['eid'];
$count = count($eid);
for ($i = 0; $i < $count; $i++) {
$status = $_POST['status'][$i];
$eid2 = $_POST['eid'][$i];
$query = "INSERT INTO time(eid,status) VALUES ('$eid2','$status')";
$query = mysqli_query($con, $query);
}
}
if(isset($_POST['checkbox']))
//then is checked...
else
//is not checked
So basically you only need 1 checkbox, you can change the name of your inputs. And then in your backend use something like:
$_POST['status_'.$i]
On each case and detect if its checked with the "isset" for this $_POST.
Edited:
Your code should look something like this (not tested, sorry if there is any syntax error, you can fix them anyways):
$host = "localhost";
$user = "root";
$pass = "";
$db = "multiple_row_insert";
$con = mysqli_connect($host, $user, $pass, $db);
if (isset($_POST['Submit'])) {
$eid = $_POST['eid'];
$count = count($eid);
for ($i = 0; $i < $count; $i++) {
$status = 0;
if(isset($_POST['status_'.$i])) //check if checkbox is setted (value 1 / checked)
$status = 1;
$eid2 = $_POST['eid'][$i];
$query = "INSERT INTO time(eid,status) VALUES ('$eid2','$status')";
$query = mysqli_query($con, $query);
}
}
And your frontend code:
<form action="coll.php" method="post" name="create_grading" id="create_grading">
<table width="30%" border="0" cellpadding="2" cellspacing="3" class="mainTable">
<tr>
<th><input type="checkbox" id="selectall" /></th>
<th>name</th>
</tr>
<?php
$sql = "select * from employee";
$query = mysqli_query($con, $sql);
$i = 0;
while ($row = mysqli_fetch_array($query)) {
?>
<tr>
<td><input type="hidden" name="eid[]" value="<?php echo $row['eid']; ?>"/>
<input name="status_<?php echo $i; ?>" class="case" type="checkbox" value="0" /></td>
<td align="center"><?php echo $row['employee_name']; ?></td>
</tr>
<?php $i++; } ?>
<tr>
<td></td>
<td><input type="submit" name="Submit" id="Submit" value="Submit" /></td>
</tr>
</table>
</form>
I have a problem with my PHP-Fusion infusion (plugin). I created a POST form, but when I try to call those POST variables they do not echo (I plan adding them to a database). My code:
$id_ucznia = $_GET["id"];
$result2 = dbquery("SELECT id,imiona,nazwiska,dom,punkty FROM ".DB_ZAPISY." WHERE (funkcja = 'Student') AND (id = '".$id_ucznia."')");
if (dbrows($result2)) {
while ($data2 = dbarray($result2)) {
echo '<form method="POST" action="">
<input type="hidden" name="uczen_id" value="'.$id_ucznia.'">
<table border="0" align="center">
<tr><td align="right">Imiona ucznia: </td> <td align="left"><input type="text" class="input" name="imiona" value="'.$data2["imiona"].'" disabled></td></tr>
<tr><td align="right">Nazwiska ucznia: </td> <td align="left"><input type="text" class="input" name="nazwiska" value="'.$data2["nazwiska"].'" disabled></td></tr>
<tr><td align="right">Dom ucznia: </td> <td align="left"><input type="text" class="input" name="dom" value="'.$data2["dom"].'" disabled></td></tr>
<tr><td align="right">Aktualne punkty: </td> <td align="left"><input type="text" class="input" name="punkty_start" value="'.$data2["punkty"].'" disabled></td></tr>
<tr><td align="right">Punkty do dodania: </td> <td align="left"><input type="text" class="input" name="ile"></td></tr>
<tr><td align="right">Uzasadnienie: </td> <td align="left"><input type="text" class="input" name="zaco" maxlength="500"></td></tr>
<tr><td colspan="2" align="center"><input type="submit" class="button" name="dodaj_punkty" value="Dodaj punkty"></td></tr>
</table>
</form>
';
}
}
if (isset($_POST['dodaj_punkty'])) {
$imiona = $_POST["imiona"];
$nazwiska = $_POST['nazwiska'];
$dom = $_POST['dom'];
$punkty_start = $_POST['punkty_start'];
$ile = $_POST['ile'];
$zaco = $_POST['zaco'];
$punkty_uczen_end = $punkty_start + $ile;
$kto_akcja = $userdata['user_name'];
$kto_id = $userdata['user_id'];
$komu = ''.$imiona.' '.$nazwiska.'';
$dzis = date("Y-m-d H:i:s");
$result3 = dbquery("SELECT id,nazwa,punkty FROM ".DB_DOMY." WHERE `nazwa` = '".$dom."'");
if (dbrows($result3)) {
while ($data3 = dbarray($result3)) {
$id_domu = $data3["id"];
$nazwa = $data3["nazwa"];
$punkty_dom_start = $data3["punkty"];
}
}
$punkty_dom_end = $punkty_dom_start + $ile;
echo 'Dla ucznia ('.$imiona.$nazwiska.') dodano: '.$punkty_uczen_end.' a dla domu ('.$id_domu.$nazwa.'): '.$punkty_domu_end.' ';
$resulta = dbquery("UPDATE ".DB_DOMY." SET punkty = '{$punkty_dom_end}' WHERE id = '{$id_domu}';");
$resultb = dbquery("INSERT INTO ".DB_RANKING_DOMOW." (ile, akcja, kto, komu, opis) VALUES ('{$ile}','+','{$kto_akcja}','{$komu}','{$zaco}');");
$resultc = dbquery("UPDATE ".DB_ZAPISY." SET punkty = '{$punkty_uczen_end}' WHERE id = '{$uczen_id}';");
$resultd = dbquery("INSERT INTO ".DB_RU." (kiedy, kto_dane, kto_id, komu, ile, zaco, co) VALUES ('{$dzis}','{$kto_akcja}','{$kto_id}','{$komu}','{$ile}', '{$zaco}', '+');");
redirect(FUSION_SELF.$aidlink."&wykonane");
}
HTML form input elements are set to disabled thus their values will not be submitted. Maybe a readonly or hidden -attribute was intended.
Provided code has some variables (redundantly) copied before use. Concerning content management system uses this practice to save a sanitized copy of form-posted data (to prevent SQL injection).
I want to display all rows by a php query and update all by a submit button in sql. I this way below a can display all row and update particular row by its own submit button. But I want to update all by a single submit button.
So for do it, I thank, I want to loop for update. But I cannot understand how to do it in this case.
Here is my code:
<?php
include_once('../db.php');
global $db;
$result = mysqli_query($dbh,"SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}
while($row = mysqli_fetch_assoc($result)) {
$id=$row['id'];
$name=$row['name'];
$date=$row['date'];
$title=$row['title'];
$Detail=$row['Detail'];
echo '<form action="padSproccess.php" method="POST">
<table width="100%" border="1">
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
<tr>
<td width="10%"><input type="text" name="date" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="title" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="name" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="Detail" maxlength="100" value="'.$Detail.'"></td>
<input type="hidden" name="id" value="'.$id.'">
</tr>
</table>
<input type="submit" name="submit" id="submit" value="Submit">
</form>';}
?>
padSproccess.php
include("../db.php");
global $db;
if(isset($_POST['submit'])){
$date = mysqli_real_escape_string($dbh,$_POST['date']);
$title = mysqli_real_escape_string($dbh,$_POST['title']);
$name = mysqli_real_escape_string($dbh,$_POST['name']);
$Detail = mysqli_real_escape_string($dbh,$_POST['Detail']);
$id = mysqli_real_escape_string($dbh,$_POST['id']);
// update data in mysql database
$update = mysqli_query($dbh,"UPDATE ppad SET date='$date', month='$month', name='$name', Detail='$Detail' WHERE id = '$id'");
// if successfully updated.
}
For this you need to update your code into
<?php
include_once('../db.php');
global $db;
$result = mysqli_query($dbh,"SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}?>
<form action="padSproccess.php" method="POST">
<table width="100%" border="1">
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
<?php
while($row = mysqli_fetch_assoc($result)) {
$id=$row['id'];
$name=$row['name'];
$date=$row['date'];
$title=$row['title'];
$Detail=$row['Detail'];
echo '<tr>
<td width="10%"><input type="text" name="date[]" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="title[]" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="name[]" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="Detail[]" maxlength="100" value="'.$Detail.'"></td>
<input type="hidden" name="id[]" value="'.$id.'">
</tr>';
}?>
</table>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
Now within your padSproccess.php you'll receive an array of results within your variables which'll be updated using foreach loop
What you need to do first is have an overall form, not a form for each (unless you want to throw in javascript to fire off ajax calls). So what you'll need to do is make sure each row can be associated with a specific id:
<?php
include_once '../db.php';
$result = mysqli_query($dbh, "SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}
?>
<form action="padSproccess.php" method="POST">
<table width="100%" border="1">
<thead>
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
</thead>
<tbody>
<?php
while($row = mysqli_fetch_assoc($result)) {
$id = $row['id'];
$name = $row['name'];
$date = $row['date'];
$title = $row['title'];
$Detail = $row['Detail'];
echo '
<tr>
<td width="10%"><input type="text" name="date[' . $id . ']" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="title[' . $id . ']" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="name[' . $id . ']" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="Detail[' . $id . ']" maxlength="100" value="'.$Detail.'"></td>
</tr>
';
}
?>
</tbody>
</table>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
Then in padSproccess.php you'll receive an array of names, dates, titles and Details, each one keyed by the ID of the row. So that'll change to something like this:
<?php
include "../db.php";
if(isset($_POST['submit'])){
$ids = array_keys($_POST['name']);
foreach ($ids as $id) {
$date = mysqli_real_escape_string($dbh,$_POST['date'][$id]);
$title = mysqli_real_escape_string($dbh,$_POST['title'][$id]);
$name = mysqli_real_escape_string($dbh,$_POST['name'][$id]);
$Detail = mysqli_real_escape_string($dbh,$_POST['Detail'][$id]);
$id = mysqli_real_escape_string($id);
// update data in mysql database
$update = mysqli_query($dbh,"UPDATE ppad SET date='$date', month='$month', name='$name', Detail='$Detail' WHERE id = '$id'");
}
// if successfully updated.
}
Try this. Of course for the database I've not started and it is possible errors.
<?php
include_once('../db.php');
global $db;
$result = mysqli_query($dbh,"SELECT * FROM ppad");
if(!$result) {
die("Database query failed: " . mysqli_error());
}
?>
<form action="padSproccess.php" method="POST">
<?php
while($row = mysqli_fetch_assoc($result)) {
$id=$row['id'];
$name=$row['name'];
$date=$row['date'];
$title=$row['title'];
$Detail=$row['Detail'];
echo '
<table width="100%" border="1">
<tr>
<td width="10%">Date</td>
<td width="14%">Time</td>
<td width="20%">Name(url)</td>
<td width="30%">Detail</td>
</tr>
<tr>
<td width="10%"><input type="text" name="ar['.$id.'][date]" maxlength="2" value="'.$date.'"></td>
<td width="14%"><input type="text" name="ar['.$id.'][title]" maxlength="50" value="'.$title.'"></td>
<td width="20%"><input type="text" name="ar['.$id.'][name]" maxlength="50" value="'.$name.'"></td>
<td width="30%"><input type="text" name="ar['.$id.'][Detail]" maxlength="100" value="'.$Detail.'"></td>
</tr>
</table>
';}
?>
<input type="submit" name="submit" id="submit" value="Submit">
</form>
<?php
include("../db.php");
global $db;
if(isset($_POST['submit'])){
foreach($_POST['ar'] as $id=>$dat){
$date = mysqli_real_escape_string($dbh,$dat['date']);
$title = mysqli_real_escape_string($dbh,$dat['title']);
$name = mysqli_real_escape_string($dbh,$dat['name']);
$Detail = mysqli_real_escape_string($dbh,$dat['Detail']);
$id = mysqli_real_escape_string($dbh,$id]);
// update data in mysql database
$update = mysqli_query($dbh,"UPDATE ppad SET date='$date', month='$month', name='$name', Detail='$Detail' WHERE id = '$id'");
}
// if successfully updated.
}
?>
i looking some help and nice attention here..
i bought some php script many years ago and now no suport anymore... i just want to add md5 to password field..
here my form:
<?php
$SQL = "SELECT * from USERS WHERE USERNAME = '$_SESSION[username]'"; $result = #mysql_query( $SQL ); $row = #mysql_fetch_array( $result );
include 'menu.php';
?>
<FORM METHOD="post" ACTION="?page=query_client">
<INPUT TYPE="hidden" NAME="controller" VALUE="USERS~update~account_details&up=1~<?php echo $row[ID]; ?>">
<TABLE CLASS="basictable">
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Username</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<b><?php echo $row[USERNAME]; ?></b>
</TD>
</TR>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Password *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="PASSWORD" NAME="PASSWORD" SIZE="40" VALUE="<?php echo $row[PASSWORD]; ?>">
</TD>
</TR>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Email Address *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="text" NAME="EMAIL" SIZE="40" VALUE="<?php echo $row[EMAIL]; ?>">
</TD>
</TR>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Full Name *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="text" NAME="FULLNAME" SIZE="40" VALUE="<?php echo $row[FULLNAME]; ?>">
</TD>
<TR>
<TD CLASS="tdmenu" WIDTH="40%">Address *</TD>
<TD CLASS="tdmenu" WIDTH="60%">
<INPUT TYPE="text" NAME="ADDRESS1" SIZE="40" VALUE="<?php echo $row[ADDRESS1]; ?>">
</TD>
</TR>
<BR>
<TABLE CLASS="basictable">
<TR>
<TD CLASS="tdhead2" >
<DIV ALIGN="CENTER"><B>
<INPUT TYPE="submit" NAME="Submit" VALUE="Submit">
</B></DIV>
</TD>
</TR>
</TABLE>
</FORM>
and the
it self as query_client.php inside look like:
<?PHP
#session_start();
$controller = $_POST['controller'];
$pieces = explode("~", $controller);
$table = $pieces[0];
$qt = $pieces[1];
$return = $pieces[2];
$id = $pieces[3];
$hack = $pieces[4];
if ($qt == insert) $qt = 'INSERT INTO';
if ($qt == update) { $qt = 'UPDATE'; $end = "WHERE ID = '$id'"; }
$pre = array_keys( $_POST );
mysql_query ("CREATE TABLE IF NOT EXISTS `$table` (`ID` INT NOT NULL AUTO_INCREMENT , PRIMARY KEY ( `id` ) )");
$count = count($pre); $count = $count - 2;
$sql = "$qt $table SET";
for ($i=0; $i < $count; $i++)
{
$x=$i+1;
$y = $_POST[$pre[$x]];
$d = $y;
mysql_query ("ALTER TABLE `$table` ADD `$pre[$x]` TEXT NOT NULL");
$sql .= " `$pre[$x]` = '$d',";
}
$sql .= " ID = '$id' $end";
$query = mysql_query($sql) or die("$sql_error" . mysql_error());
if (empty($hack)) { } else {
$pieces = explode("/", $hack);
$h0 = $pieces[0];
$h1 = $pieces[1];
$h2 = $pieces[2];
$h3 = $pieces[3];
$h4 = $pieces[4];
$h5 = $pieces[5];
mysql_query ("ALTER TABLE `$table` $h0 $h1 $h2 $h3 $h4 $h5");
$query = mysql_query($sql) or die("$sql_error" . mysql_error());
}
if (isset($_GET[inc])) include "$_GET[inc].php";
?>
so please help me how to add md5 in PASSWORD field?
thanks in advance..
Best to use a salt also - hashing and verification should be done at server - see secure hash and salt for PHP
Some links on writing secure code:
OWASP Top 10 for 2010
PHP Security: Fortifying Your Website
Writing Secure PHP