my php script enters blank info into mysql db! - php

When I try to enter data from a form I have made, it adds a new entry, as I can see from phpMyAdmin, but does not transfer the other details across.
I am using a simple form that collects 9 fields and posts to update.php. Here is what I have in update.php
<?php
$realname = $_POST['realname'];
$age = $_POST['age'];
$country = $_POST['country'];
$gamename = $_POST['gamename'];
$gamelevel = $_POST['gamelevel'];
$itemlevel = $_POST['itemlevel'];
$class = $_POST['class'];
$played = $_POST['played'];
$support = $_POST['support'];
mysql_connect ("localhost", "mydb_userid", "MYPASSWORD") or die ('Error: ' . mysql_error());
mysql_select_db ("mydb_recruitment");
$query="INSERT INTO applicants (ID, realname, age, country, gamename, gamelevel, itemlevel, class, played, support)VALUES ('NULL','".$realname."','".$age."','".$country."','".$gamename."','".$gamelevel."','".$itemlevel."','".$class."','".$played."','".$support."')";
mysql_query($query) or die ('Error updating DB');
echo "You have sucessfully sent an application. Your details will be reviewed and someone will get back to you";
?>
Hope someone can help, searching the net seems to suggest something about global variables - but I don't know if I have control of that as it's a hosted site.
this is the signup form:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Candidate Registration</title>
</head>
<body>
<form medthod="post" action="update.php">
Real Name:<br />
<input type="text" name="realname" size="50" /><br />
Age:<br />
<input type="text" name="age" size="10" /><br />
Country:<br />
<input type="text" name="country" size="20" /><br />
In Game Name:<br />
<input type="text" name="gamename" size="30" /><br />
In Game Level:<br />
<input type="text" name="gamelevel" size="10" /><br />
In Game Item Level:<br />
<input type="text" name="itemlevel" size="10" /><br />
Class Played:<br />
<input type="text" name="class" size="30" /><br />
How long have you played wow?:<br />
<input type="text" name="played" size="10" /><br />
Please enter a brief statement of why you want to join:<br />
<input type="text" name="support" size="5000" /><br />
<br />
<input type="submit" value="Update DB" />
</form>
</body>
</html>
this is the update.php form
<?php
$realname = $_POST['realname'];
$age = $_POST['age'];
$country = $_POST['country'];
$gamename = $_POST['gamename'];
$gamelevel = $_POST['gamelevel'];
$itemlevel = $_POST['itemlevel'];
$class = $_POST['class'];
$played = $_POST['played'];
$support = $_POST['support'];
mysql_connect ("localhost", "mydb_daniel", "mypwd") or die ('Error: ' . mysql_error());
mysql_select_db ("mydb_recruitment");
$query="INSERT INTO applicants (ID, realname, age, country, gamename, gamelevel, itemlevel, class, played, support)VALUES ('NULL','".$realname."','".$age."','".$country."','".$gamename."','".$gamelevel."','".$itemlevel."','".$class."','".$played."','".$support."')";
mysql_query($query) or die ('Error updating DB');
echo "You have sucessfully sent an application. Your details will be reviewed and someone will get back to you";
?>
I understand people's concerns about security, but please understand this is only for me to mess around with and produce a basic signup form for my guild, I won't be requesting credit card details :)

Is your form method set to POST? - unless you have explicitly added this the variables will be within the $_GET superglobal so your variables would be like this:
$realname = $_GET['realname'];
If it is set to POST - please do a var_dump($_POST) at the top of your script and see if any variables are making it to your script.
Something else that I've seen before is caused when people are redirecting in a .htaccess from domain.com to www.domain.com and they post a script explicitly to domain.com/script.php and the script then redirects to www.domain.com/script.php and this empties the POST.
EDIT
You have spelt method wrong in your form tag - if you update this then it should work as your misspelling will be causing the variables to be sent as GET vars.
You can fix your security issues in a basic way like this:
$realname = mysql_real_escape_string($_POST['realname']);
$age = mysql_real_escape_string($_POST['age']);
$country = mysql_real_escape_string($_POST['country']);
$gamename = mysql_real_escape_string($_POST['gamename']);
$gamelevel = mysql_real_escape_string($_POST['gamelevel']);
$itemlevel = mysql_real_escape_string($_POST['itemlevel']);
$class = mysql_real_escape_string($_POST['class']);
$played = mysql_real_escape_string($_POST['played']);
$support = mysql_real_escape_string($_POST['support']);

Whoa, slow down. You've not even escaped this data!
$realname = mysql_real_escape_string($_POST['realname']);
Or to escape it all:
$_POST = array_map('mysql_real_escape_string', $_POST);
Note the second solution isn't entirely reliable. Can produce some strange results. It is generally better to run these inputs through a function/class for validation and cleansing.
On your ghost issue, try this and note response after form submit (put right at top):
var_dump($_POST);
exit;
You spelled method attribute wrong in your query, that is why it isn't working.
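An added example, not code from the question or from either answer: an update.php-style handler that refuses anything that is not a POST (the symptom of the misspelled method attribute), validates the nine fields, and inserts them through a prepared statement instead of escaping and concatenating. The table and field names come from the question; the numeric fields, the helper names and the in-memory SQLite DSN (used so the sketch runs offline) are assumptions.

```php
<?php
// Added example, not code from the thread. Table and field names come from the
// question; treating age, gamelevel and itemlevel as whole numbers is an assumption.
// The in-memory SQLite DSN only lets this run offline; the hosted site would
// use a mysql: DSN with its own credentials.

const APPLICANT_FIELDS = ['realname', 'age', 'country', 'gamename', 'gamelevel',
                          'itemlevel', 'class', 'played', 'support'];
const NUMERIC_FIELDS = ['age', 'gamelevel', 'itemlevel'];

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE applicants (ID INTEGER PRIMARY KEY, realname TEXT,
        age INTEGER, country TEXT, gamename TEXT, gamelevel INTEGER,
        itemlevel INTEGER, class TEXT, played TEXT, support TEXT)');
    return $db;
}

// Returns [list of error strings, cleaned field values].
function validateApplication(string $method, array $post): array
{
    // A misspelled method attribute makes the browser send a GET request, so
    // $_POST is empty; refuse early instead of inserting a blank row.
    if ($method !== 'POST') {
        return [['request method was ' . $method . ', expected POST'], []];
    }
    $errors = [];
    $clean = [];
    foreach (APPLICANT_FIELDS as $field) {
        $value = $post[$field] ?? null;
        // is_string() also rejects array-valued parameters such as realname[]=x
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "$field is missing";
            continue;
        }
        $clean[$field] = trim($value);
    }
    foreach (NUMERIC_FIELDS as $field) {
        if (isset($clean[$field]) && !ctype_digit($clean[$field])) {
            $errors[] = "$field must be a whole number";
        }
    }
    return [$errors, $clean];
}

// Inserts one application with bound parameters and returns the new row ID.
function insertApplication(PDO $db, array $clean): int
{
    $columns = implode(', ', APPLICANT_FIELDS);
    $placeholders = ':' . implode(', :', APPLICANT_FIELDS);
    $stmt = $db->prepare("INSERT INTO applicants ($columns) VALUES ($placeholders)");
    $stmt->execute($clean);
    return (int) $db->lastInsertId();
}

// Constructed sample requests; update.php would pass $_SERVER['REQUEST_METHOD'] and $_POST.
$good = ['realname' => "Dana O'Neil", 'age' => '27', 'country' => 'Ireland',
         'gamename' => 'Shadowmend', 'gamelevel' => '80', 'itemlevel' => '245',
         'class' => 'Priest', 'played' => '4 years', 'support' => 'Looking for a raiding guild.'];
$requests = [
    ['GET', []],                          // what the misspelled form produced
    ['POST', ['age' => 'abc'] + $good],   // non-numeric age
    ['POST', $good],                      // apostrophe in the name is stored verbatim
];

$db = openDb();
foreach ($requests as [$method, $post]) {
    [$errors, $clean] = validateApplication($method, $post);
    if ($errors) {
        echo 'rejected: ' . implode('; ', $errors) . "\n";
        continue;
    }
    echo 'stored as row ' . insertApplication($db, $clean) . "\n";
}
echo $db->query('SELECT realname FROM applicants')->fetchColumn() . "\n";
```

Because the values travel as bound parameters, the apostrophe in the sample name needs no escaping call and cannot change the shape of the INSERT statement.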

Related

Inserting HTML Form data into MySQL with PHP

I'm trying to make a simple message board MySQL database where you can write a review and submit it via an HTML form on one page and view all of the reviews on a separate page once you've submitted your review.
My problem is two of the fields from the HTML form are not being inserted into my MySQL database which results in my view all reviews page to be missing the Name and Title.
Link to what the "Read all Reviews" page looks like.
The code works without any issue when I tested it doing MySQL queries with just PHP but I need my HTML form to work.
HTML form:
<form action ="process.php" method = "post">
<fieldset>
<legend>Review Field</legend>
Reviewer Name: <br />
<input type="text" name "name" id = "name"><br />
Title of Review:<br />
<input type="text" name "title" id = "title"><br />
Enter your review below:
<!--Textbox start-->
<textarea name="body" id = "body" rows="10" cols="100">
</textarea>
<!--Textbox end-->
<br />
<input type="submit" name = "submit" id="submit">
<br />
</fieldset>
</form>
Code for process.php:
<?php // Create a database connection.
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "password";
$dbname = "ya_reviews";
$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
//Test if connection occurred.
if (mysqli_connect_errno()) {
die("Database connection failed: " .
mysqli_connect_error() .
" (" . mysqli_connect_errno() . ")"
);
}
//Perform database query
$name = $_POST['name'];
$title = $_POST['title'];
$body = $_POST['body'];
//This function will clean the data and add slashes.
// Since I'm using the newer MySQL v. 5.7.14 I have to addslashes
$name = mysqli_real_escape_string($connection, $name);
$title = mysqli_real_escape_string($connection, $title);
$body = mysqli_real_escape_string($connection, $body);
//This should retrive HTML form data and insert into database
$query = "INSERT INTO reviews (name, title, body)
VALUES ('".$_POST["name"]."','".$_POST["title"]."','".$_POST["body"]."')";
$result = mysqli_query($connection, $query);
//Test if there was a query error
if ($result) {
//SUCCESS
header('Location: activity.php');
} else {
//FAILURE
die("Database query failed. " . mysqli_error($connection));
//last bit is for me, delete when done
}
mysqli_close($connection);
?>
View all Reviews:
<?php
//This will fetch the data from the database
$query = "SELECT * FROM reviews";
$result = mysqli_query($connection, $query);
//Test if there was a query error
if (!$result) {
die("Database query failed.");
}
// This will let me display the data.
// The loop will be spilt so I can format with HTML
while ($row = mysqli_fetch_assoc($result)) {
//output data from each row
?>
Name: <?php echo $row["name"] . "<br />"; ?>
Title: <?php echo $row["title"] . "<br />"; ?>
Review: <?php echo $row["body"] . "<br />";
echo "<hr>"; ?>
<?php
} ?>
Note: I connected to the database with the same code seen in process.php before the above code, I excluded it to save space.
Your HTML attribute syntax is incorrect. It's missing the = sign between attribute and value.
Change name "name" to name="name" and name "title" to name="title"
<input type="text" name="name" id = "name"><br />
Title of Review:<br />
<input type="text" name="title" id = "title"><br />
Also during insert you aren't using escaped values.
Use $name instead of $_POST["name"] in insert query. Same goes for title and body values.
The problem is that the name attribute is not correct in HTML.
<input type="text" name="name" id = "name"><br />
<input type="text" name="title" id = "title"><br />
I think you messed up with syntax of HTML
<form action ="process.php" method = "post">
<fieldset>
<legend>Review Field</legend>
Reviewer Name: <br />
<input type="text" name="name" id = "name"><br />
Title of Review:<br />
<input type="text" name="title" id = "title"><br />
Enter your review below:
<!--Textbox start-->
<textarea name="body" id = "body" rows="10" cols="100">
</textarea>
<!--Textbox end-->
<br />
<input type="submit" name = "submit" id="submit">
<br />
</fieldset>
</form>
It will work surely!
Yo, you're just missing some syntax, therefore creating errors when it comes to gathering the data from those elements,
<input type="text" name "title" id = "title">
You're missing the "=" sign from the name parameter

Cannot connect to localhost error:500

I am currently using MAMP on my Mac. I have created a file named un.php which has a simple form validation. I want to insert the login/register information into my table in the local database.
I think there might be some error in the form action keyword. I tried un.php in the form action, I also tried adding the url of the localhost in it, but the same error 500 is showing up.
Thank You
You made many mistakes in your code.
The image describes where the errors were.
This image shows them.
errors.
1. The first if parenthesis was not closed.
2. When using mysqli_select_db($a, $b), $a is the 'connection name' and $b is the 'database name'.
3. On your $c, many errors were made. These remarks should correct them:
You should not use the minus (-) sign. This is about E-mail. The dash will be considered a minus sign and will return an error.
$_POST[name] is not correct. The correct way is $_POST["name"]. $_POST["name"] will also cause a problem because there were many ("). The best way is to define it in a variable and use it. Example: $name = $_POST["name"].
4. mysqli_query($a, $b) is written the same way as mysqli_select_db($a, $b).
In mysqli_query($a, $b), $a is the connection name and $b is the query.
5. if(isset($_POST["submit"])): for me it means nothing because 'submit' is a button, not a field. (I am not sure, but I tried and it does not work.)
I have written only the important part of the code.
I have rewritten the code for you. it works fine with me. it s
<html>
<head>
</head>
<body>
<h2> PHP Form validation Example</h2>
<p><span class="error">* required field.</span></p>
<form method="post" action = "<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" >
Name: <input type="text" name="name" />
<br/>
E-mail: <input type="text" name="Email"/>
<br/>
Website: <input type="text" name="website" />
<br/>
Comment: <textarea name="comment" rows ="5" cols="40"></textarea>
<br/>
<input type="submit" value="submit"/>
</form>
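<?php
// Run the insert only when the form has been submitted
if(isset($_POST["name"])){
    // Copy every field into a variable (website and comment were not assigned before)
    $name = $_POST["name"]; $Email = $_POST["Email"];
    $website = $_POST["website"]; $comment = $_POST["comment"];
    $servername = "localhost";
    $username = "root"; $password = "password";
    $dbase = "test";
    $db = mysqli_connect($servername, $username, $password);
    if(!$db) echo "Not connected";
    else {
        $p = mysqli_select_db($db,$dbase);
        if(!$p) echo "Problem";
        else {
            // Bind the values as parameters instead of pasting them into the SQL text
            $stmt = mysqli_prepare($db, "INSERT INTO Users(name, Email, website, comment) VALUES (?, ?, ?, ?)");
            mysqli_stmt_bind_param($stmt, "ssss", $name, $Email, $website, $comment);
            if(!mysqli_stmt_execute($stmt)) echo "Insert failed";
        }
        // Close only a connection that was actually opened
        mysqli_close($db);
    }
}
?>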
</body>
</html>

session variables are not inserting in database in php and mysql form

It is not inserting the session variables like name, id ,email, number like which is stored in $a,$b,$c,$d in pseller.php
This is my login page where I am checking username and password
login.php
<?php
error_reporting(E_ALL); // to see if there is error in code
include "connect_to_mysql.php";
if(isset($_POST['log']))
{
$user= $_POST['user'];
$pass= md5($_POST['pass']);
$sql=mysql_query( "select * from reg where username= '$user' AND password='$pass' AND category='product seller' LIMIT 1 ") or die( mysql_error());
$data=mysql_num_rows($sql);
if ($data == 1) {
$_SESSION['name']=$name;
$_SESSION['id']=$id;
$_SESSION['phone_no']=$number;
$_SESSION['email_id']=$email;
header("location:pseller.php");
}
else {
header("location:login.php?error");
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title> Log In </title>
<link rel="stylesheet" href="style.css" type="text/css" media="screen" />
</head>
<body>
<div id="mainWrapper">
<div id="pageContent"><br /><br /><br />
<div align="right" style="margin-right:24px; color:#FF0000">
<br /><br />
<form id="form" name="form" method="post" action="login.php">
<h2 style="padding-right:200px;">User Name:</h2>
<input name="user" type="text" id="user" size="40" style="height:30px;" required placeholder="Enter Email"/>
<br /><br />
<h2 style="padding-right:210px;">Password:</h2>
<input name="pass" type="password" id="pass" size="40" style="height:30px;" required/>
<br />
<br />
<br />
<img style="padding-right:190px;" src="generate.php"><br /><br />
<input type="text" name="secure" size="10" required placeholder="Enter The Value" style="padding-right:210px; height:30px;">
<br />
<br />
<br />
<input type="submit" name="log" id="log" value="Log In" style="padding-right:40px;" />
</form>
<p> </p>
</div>
<br />
<br />
<br />
</div>
</div>
</body>
</html>
This is pseller page where I am trying to store session values in variables then inserting in database. but session variables are not inserting data in database and showing the value of v_id v_number as 0.
pseller.php
<?php
// Parse the form data and add inventory item to the system
include_once('connect_to_mysql.php');
session_start();
if (isset($_POST['p_name'])) {
$target_dir = "pics/";
$target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
$imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file) ;
$img_name = $_FILES["fileToUpload"]["name"];
$a=$_SESSION['name'];
$b=$_SESSION['id'];
$c=$_SESSION['phone_no'];
$d=$_SESSION['email_id'];
$product_name = mysql_real_escape_string( $_POST['p_name']);
$price = mysql_real_escape_string($_POST['price']);
$category = mysql_real_escape_string($_POST['category']);
$subcategory = mysql_real_escape_string($_POST['subcategory']);
$category2 = mysql_real_escape_string($_POST['category2']);
$details = mysql_real_escape_string($_POST['details']);
// See if that product name is an identical match to another product in the system
// Add this product into the database now
$sql = mysql_query("INSERT INTO product (p_name, price, details, category, sub_category, category2, img_name, v_id, v_name, v_number, v_email, date) VALUES('$product_name','$price','$details','$category','$subcategory','$category2','$img_name','$b','$a','$c','$d',now())") or die (mysql_error());
}
?>
Please help me to come out from here.
Ok so judging from the question and discussion in the comments, you're lacking proper handling of the user data in login.php.
There are also a couple of other points that are a bit off in your code:
You should not use the mysql library as it's deprecated. You should either use mysqli, which is a rather easy switch if you're already used to mysql, or use PDO
Your code is vulnerable to SQL injection. You should use prepared statements when using user input in SQL queries. More info here for example
MD5 is not a very secure option for passwords. You can read more here
Below is a simple example of the PHP part for login.php I threw together based on what information I could gather from your question. It isn't complete for your specific database structure and needs, but should help you forward with your problem:
<?php
session_start(); // Required before $_SESSION values can be stored
// Define database connection using mysqli
$mysqli = new mysqli("localhost", "username", "password", "dbname");
if(isset($_POST['log']))
{
    $user= $_POST['user'];
    $pass= md5($_POST['pass']); // Should be replaced by secure alternatives
    // Define the SQL query string
    $sql = "SELECT id, name, phone_no, email FROM reg WHERE email = ? AND password = ? LIMIT 1";
    $stmt = $mysqli->prepare($sql); // Prepare the query string
    $stmt->bind_param("ss", $user, $pass); // Define prepared statement parameters
    // Execute the prepared statement
    if ($stmt->execute())
    {
        $result = $stmt->get_result(); // Get the result
        $data = $result->num_rows; // Get number of rows
        if ($data == 1)
        {
            $userdata = $result->fetch_array(MYSQLI_ASSOC); // Get an associative array from the result
            $_SESSION['name'] = $userdata['name'];
            $_SESSION['id'] = $userdata['id'];
            $_SESSION['phone_no'] = $userdata['phone_no'];
            $_SESSION['email_id'] = $userdata['email'];
            header("location:pseller.php");
            exit; // Stop here so the error redirect below is not sent as well
        }
    }
    // The query failed or no single matching row was found
    header("location:login.php?error");
    exit;
}
?>
$_SESSION['id']=$id;
$_SESSION['phone_no']=$number;
only get updated if select with username and password has rowcount 1
Those become variables $b and $c in pseller.php
So if $user and $pass do not get you a row on select from db, you get junk in SESSION.
mysql_num_rows returns number of rows. You are doing LIMIT 3. So if you are 0, 2, or 3, session is in trouble. Why, because your if statement says =1.
Also, you are using a deprecated mysql_* function library and acting directly upon user-supplied values that can render sql injection attacks. Use mysqli or pdo, and see this.
Include session_start(); in your login.php
$sql=mysql_query("select * from reg where username= '$user'
AND password='$pass' AND category='product seller'") or die( mysql_error());
Inside the above query, Please make the changes.
Avoid making column names with spaces category='product seller'
Now echo the values under the SELECT * FROM query and the $a, $b, $c, $d to know if you REALLY are taking the values through to the next page. I am pretty much sure that you were not and also @Drew suggested, shift to mysqli/PDO.
EDIT:
In your second page pseller.php try to echo and see what you're getting.
echo $_SESSION['name'];
echo $_SESSION['id'];
echo $_SESSION['phone_no'];
echo $_SESSION['email_id'];
No luck? Okay let's just try it this way and see what happens;
$sql=mysql_query("select * from reg where username= '$user' AND password='$pass'") or die( mysql_error());
if ($sql) {
while($row=mysql_fetch_array($sql))
{
echo $row['name'];
echo $row['id'];
echo $row['phone_no'];
echo $row['email_id'];
}
// header("location:pseller.php");
}
Now put the correct username and password (present in the database) and if you can see the echoed values, use sessions to store and use them later on also uncomment the header(); line and you are good to go.
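An added example, not code from the question or from any of the answers above: the login step with the password checked by password_verify() against a password_hash() value instead of an MD5 comparison in the WHERE clause, and the session filled from the fetched row rather than from undefined variables. Column names follow the thread; the password_hash column, the sample account, the helper names and the in-memory SQLite database are assumptions made so the sketch runs offline.

```php
<?php
// Added example, not code from the thread. Column names (id, name, phone_no,
// email_id, username, category) follow the question and answers; the
// password_hash column and the sample account are assumptions. SQLite in
// memory stands in for the MySQL database so the sketch runs offline.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reg (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
        password_hash TEXT, name TEXT, phone_no TEXT, email_id TEXT, category TEXT)');
    // Constructed account; password_hash() salts and stretches, unlike md5()
    $stmt = $db->prepare('INSERT INTO reg
        (username, password_hash, name, phone_no, email_id, category)
        VALUES (?, ?, ?, ?, ?, ?)');
    $stmt->execute(['seller1', password_hash('correct horse battery', PASSWORD_DEFAULT),
        'Sample Seller', '5550100', 'seller1@example.com', 'product seller']);
    return $db;
}

// Returns the user's row (without the hash) on success, null otherwise.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare('SELECT id, name, phone_no, email_id, password_hash
        FROM reg WHERE username = ? AND category = ? LIMIT 1');
    $stmt->execute([$user, 'product seller']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is compared in PHP, not in the WHERE clause
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Copies the fetched columns into the session that pseller.php reads later.
function storeInSession(array $row): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // new session ID after a successful login
    $_SESSION['id'] = $row['id'];
    $_SESSION['name'] = $row['name'];
    $_SESSION['phone_no'] = $row['phone_no'];
    $_SESSION['email_id'] = $row['email_id'];
}

$db = openDb();
$rejected = authenticate($db, 'seller1', 'wrong guess');
$accepted = authenticate($db, 'seller1', 'correct horse battery');
if ($accepted !== null) {
    storeInSession($accepted);   // login.php would redirect to pseller.php after this
}
var_dump($rejected === null, $_SESSION);
```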

Beginner trouble with PHP & MySQL

I am very new to PHP & MySQL. Just designing websites for friends as a hobby, so any help is greatly appreciated. When I have a simple contact form on my page I keep getting error messages when submitting the information. Here is the PHP:
<?php
$con = mysql_connect("localhost","user","password");
if (!$con)) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("database_name", $con);
$sql="INSERT INTO contact (first_name, last_name, email, phone, message)
VALUES
('$_POST[first_name]','$_POST[last_name]','$_POST[email]','$_POST[phone]','$_POST[message])";
if (!mysql_query($sql,$con)) {
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
I put in my username & password where necessary, but I keep "localhost" there. Is this correct? I have hosting through webhostingpad. I also insert my database name above. Here is my HTML:
<!--Start of order form-->
<form id="contactform" method="POST" action="http://www.talephotography.com/insert.php">
<p><label>First Name:<br />
<input type="text" name="first_name" class="textfield" value="" />
</label></p>
<p><label>Last Name:<br />
<input type="text" name="last_name" class="textfield" value="" />
</label></p>
<p><label>Email: <br />
<input type="text" name="email" class="textfield" value="" />
</label></p>
<p><label>Phone: <br />
<input type="text" name="phone" class="textfield" value="" />
</label></p>
<p><label>Message: <br />
<textarea name="message" class="textarea" cols="45" rows="5"></textarea>
</label></p>
<p><input type="submit" name="submit" class="button" value="Submit" /></p>
</form>
<!--End of order form-->
I can elaborate anywhere necessary.
Changed some of the code, it's only posting the email address to the database however.
mysql_select_db("databasename", $con);
$first = mysql_real_escape_string($_POST['first']);
$last = mysql_real_escape_string($_POST['last']);
$email = strip_tags(mysql_real_escape_string($_POST['email']));
$number = preg_replace('/[^0-9]/', '', $_POST['number']);
$number = (int) $number;
$sql="INSERT INTO contact (first, last, email, phone);
VALUES
('$first','$last','$email','$number')";
There's my code, however when I check my database the only info listed is the email address.
localhost is correct if the database server is on the same machine as the web server. When you set up the database it should have told you somewhere what you need to connect to.
That aside, escape your -----------ing inputs!!!!
Seriously, take those variables and wash them thoroughly with mysql_real_escape_string and then concatenate them into the query. You'll thank me later.
You have an extra ) in your if statement:
if (!$con)) {
should be
if (!$con) {
if (!$con)) is wrong: one extra ')' is present here. Remove the ')' and then execute
for example
if (!$con){
//do something
}
It's the query that is wrong, you have a ; that is in the middle of your query.
$sql="INSERT INTO contact (first, last, email, phone);
VALUES
('$first','$last','$email','$number')";
Notice it on the end of first line. Change this to:
$sql="INSERT INTO contact VALUES
('$first','$last','$email','$number')";
The problem is with your third line
$con = mysql_connect("localhost","user","password");
if (!$con)) {
die('Could not connect: ' . mysql_error());
}
there is an extra closing bracket ) in your third line. Remove it and then voilà!
hope this helps.

Am I proceeding with coding an edit and delete feature correctly in php/mysql, phpMyAdmin

I am working on adding an edit and delete feature to my basic blog app. I am struggling with having my edit.php code and delete.php code process correctly.
When a person clicks on the delete or edit button the code in the correlating php file does not process.
Main PHP file:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<div id="container">
<h1>Lay Down Your Thoughts</h1>
<div id="boxtop"></div>
<div id="content">
<!-- form to leave a message -->
<form action="<?php $self ?>" method="post">
<h2>Post your thought!</h2>
<div class="fname"><label for="name"><p>Name:</p></label><input name="name" type="text" cols="20" /></div>
<div class="femail"><label for="email"><p>Email:</p></label><input name="email" type="text" cols="20" /></div>
<label for="message"><p>Message:</p></label>
<textarea name="post" rows="5" cols="40"></textarea>
<input name="send" type="hidden" />
<p><input type="submit" value="send" /></p>
</form>
<?php
$self = $_SERVER['PHP_SELF']; //the $self variable equals this file
$ipaddress = ("$_SERVER[REMOTE_ADDR]"); //the $ipaddress var equals users IP
include ('db.php');
// checks the POST to see if something has been submitted
if(isset($_POST['send']))
if(empty($_POST['name']) || empty($_POST['email']) || empty($_POST['post'])) {
echo('<p class="error">You did not fill in a required field.</p>');
} else {
// if there are no empty fields, insert into the database:
//validate through htmlspecialchars()
// eliminates the user from submitting harmful html
// also runs through mysql_real_escape_string()
// stops users sending SQL code to infiltrate the db
$name = htmlspecialchars(mysql_real_escape_string($_POST['name']));
$email = htmlspecialchars(mysql_real_escape_string($_POST['email']));
$post = htmlspecialchars(mysql_real_escape_string($_POST['post']));
// this is our SQL string to insert shouts into db
$sql = "INSERT INTO messages SET name='$name', email='$email', post='$post', ipaddress='$ipaddress';";
// run the SQL string
// if it succeeds, display message
if (@mysql_query($sql)) {
echo('<p class="success">message has been posted</p>');
} else {
// if error, send message
echo('<p class="error">There was an unexpected error when posting your message.</p>');
}
}
// display 8 latest messages
$query = "SELECT * FROM messages ORDER BY `id` DESC LIMIT 8;";
// run query if it fails display fail
$result = @mysql_query("$query") or die('<p class="error">There was an unexpected error collecting messages.</p>');
?><ul><?
// display the rows from the post
while ($row = mysql_fetch_array($result)) {
$ename = stripslashes($row['name']);
$eemail = stripslashes($row['email']);
$epost = stripslashes($row['post']);
// gravatar image
$grav_url = "http://www.gravatar.com/avatar.php?gravatar_id=".md5(strtolower($eemail))."&size=70";
echo('<li><div class="meta"><img src="'.$grav_url.'" alt="Gravatar" /><p>'.$ename.'</p></div><div class="message"><p>'.$epost.'</p></div></li>');
echo ('<form action="messageME_final_delete.php" method="post"><input name="delete" type="hidden" /> <p><input type="submit" value="delete" /></p></form>');
echo('<form action="messageME_final_update.php" method="post"><input name="edit" type="hidden" /> <p><input type="submit" value="edit" /></p></form>');
}
?></ul><?
?>
</div><!--/content-->
<div id="boxbot"></div>
</div><!--/container-->
</body>
</html>
Here is the Edit php file:
<form action="messageME_final_update.php" method="post">
<h2>Edit this Thought!</h2>
<div class="fname"><label for="name"><p>Name:</p></label><input name="name" type="text" cols="20" /></div>
<div class="femail"><label for="email"><p>Email:</p></label><input name="email" type="text" cols="20" /></div>
<label for="message"><p>Message:</p></label>
<textarea name="post" rows="5" cols="40"></textarea>
<input name="send" type="hidden" />
<p><input type="submit" value="send" /></p>
</form>
<?
include ('db.php');
$query="UPDATE messages SET name='name', email='email', post='post' WHERE id='ID'";
mysql_query($query);
echo "Record Updated";
mysql_close();
?>
finally here is the delete php code:
<?php
include ('db.php');
$sql = "DELETE FROM `messages` WHERE `ID` =" ." mysql_real_escape_string ( $_GET['ID'] )";
mysql_select_db ( $database, $connect );
if ( @mysql_query ( $sql ) )
{
echo 'Article ID = ' . $_POST['ID'];
echo ' was deleted successfully';
}
else {
die ( mysql_error () );
}
?>
Your update page has no code related to identifying what post the user wants to edit at all. It just presents a new form and tries to update a row with an ID of the string 'ID'.
Your delete page tries to access both $_GET['ID'] and $_POST['ID'], which won't ever both be set since an HTTP request is always of a single method (GET, or POST, or HEAD, etc). You also fail to concatenate the string with a function correctly, instead sending the literal text "mysql_real_escape_string(..." as part of the query, which will not run.
$sql = "DELETE FROM messages WHERE ID = " . (int)$_POST['ID'];
...is closer to what you want, except that your form on the post list does not contain an element named ID. You should create one, and populate it with the ID of the post that row corresponds to.
<input type="hidden" name="ID" value="<?php echo $row['ID']; ?>" />
Do the same for the form pointing to the edit page, and use $_POST['ID'] to look up the post and populate the form fields for editing.
Suggested reading, which will walk you through building all aspects of a CMS in PHP/MySQL:
http://www.amazon.com/Build-Database-Driven-Using-MySQL/dp/0980576814/ref=dp_ob_title_bk
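An added example, not code from the question or the answer above: each listed message gets its own delete form carrying the row's ID in a hidden field, the handler accepts only a strict positive integer and deletes through a prepared statement, and stored text is HTML-escaped at output time rather than before it is saved. The messages table and the form target come from the question; the helper names, the sample rows and the in-memory SQLite database are assumptions made so the sketch runs offline.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for the
// MySQL database; the two rows below are constructed sample data.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (ID INTEGER PRIMARY KEY, name TEXT, email TEXT, post TEXT)');
    $insert = $db->prepare('INSERT INTO messages (name, email, post) VALUES (?, ?, ?)');
    $insert->execute(['Ann', 'ann@example.com', 'First thought']);
    $insert->execute(['Bob', 'bob@example.com', 'Markup like <b>this</b> is stored as typed']);
    return $db;
}

// Builds one list item; text is escaped here, at output, not when it is stored.
function renderMessage(array $row): string
{
    $id = (int) $row['ID'];
    $name = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
    $post = htmlspecialchars($row['post'], ENT_QUOTES, 'UTF-8');
    return "<li><p>$name</p><p>$post</p>"
        . '<form action="messageME_final_delete.php" method="post">'
        . '<input type="hidden" name="ID" value="' . $id . '" />'
        . '<input type="submit" value="delete" /></form></li>';
}

// Deletes the posted ID and returns the number of rows removed.
function deleteMessage(PDO $db, array $post): int
{
    // Strict check: "2abc" is rejected here, whereas an (int) cast would turn it into 2
    $id = filter_var($post['ID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;
    }
    $stmt = $db->prepare('DELETE FROM messages WHERE ID = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

$db = openDb();
foreach ($db->query('SELECT * FROM messages ORDER BY ID DESC', PDO::FETCH_ASSOC) as $row) {
    echo renderMessage($row) . "\n";
}
// Constructed form submissions: missing ID, trailing junk, array value, valid, repeat
foreach ([[], ['ID' => '2abc'], ['ID' => ['2']], ['ID' => '2'], ['ID' => '2']] as $post) {
    echo json_encode($post) . ' -> rows deleted: ' . deleteMessage($db, $post) . "\n";
}
```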
