Help with Editing MySQL with Form

Question

Squidge 101 Newbie Poster

14 Years Ago

Hello evryone. I am new to PHP and MySQL.

I have created an admin area for where selected people can add, delete, and edit data from a database.

I have managed to get the add, and delete to work, but I am stuck with the editing.

Can you help?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
	
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<title>Admin | RTB</title>	
	<link href="../stylesheets/styleadmin.css" rel="stylesheet" type="text/css" />
    <script type="text/javascript" src="../tiny_mce/tiny_mce.js"></script>
<script type="text/javascript">
tinyMCE.init({
	// General options
	mode : "textareas",
	save_onsavecallback : "Editor_Save",
	theme : "advanced",
	plugins : "safari,spellchecker,pagebreak,style,layer,table,save,advhr,advimage,advlink,emotions,iespell,inlinepopups,insertdatetime,preview,media,searchreplace,print,contextmenu,paste,directionality,fullscreen,noneditable,visualchars,nonbreaking,xhtmlxtras,template,imagemanager,filemanager",

	// Theme options
	theme_advanced_buttons1 : "save,newdocument,|,bold,italic,underline,strikethrough,|,justifyleft,justifycenter,justifyright,justifyfull,|,styleselect,formatselect,fontselect,fontsizeselect",
	theme_advanced_buttons2 : "cut,copy,paste,pastetext,pasteword,|,search,replace,|,bullist,numlist,|,outdent,indent,blockquote,|,undo,redo,|,link,unlink,anchor,image,cleanup,help,code,|,insertdate,inserttime,preview,|,forecolor,backcolor",
	theme_advanced_buttons3 : "tablecontrols,|,hr,removeformat,visualaid,|,sub,sup,|,charmap,emotions,iespell,media,advhr,|,print,|,ltr,rtl,|,fullscreen",
	theme_advanced_buttons4 : "insertlayer,moveforward,movebackward,absolute,|,styleprops,spellchecker,|,cite,abbr,acronym,del,ins,attribs,|,visualchars,nonbreaking,template,blockquote,pagebreak,|,insertfile,insertimage",
	theme_advanced_toolbar_location : "top",
	theme_advanced_toolbar_align : "left",
	theme_advanced_statusbar_location : "bottom",
	theme_advanced_resizing : true,

	// Example content CSS (should be your site CSS)
	content_css : "css/example.css",

	// Drop lists for link/image/media/template dialogs
	template_external_list_url : "js/template_list.js",
	external_link_list_url : "js/link_list.js",
	external_image_list_url : "js/image_list.js",
	media_external_list_url : "js/media_list.js",

	// Replace values for the template plugin
	template_replace_values : {
		username : "Some User",
		staffid : "991234"
	}
});
</script>
<script type="text/javascript">
     function Editor_Save() {
          document.updateform.action = "testimonials2.php?action=save";
          document.updateform.submit();
     };
</script>
	
</head>

<body class="Declarations">
<div id="content">
	<div id="intro">
<h1>Administration System</h1>
<p>RTB Admin System.</p>
</div>
	
<div id="antiintro"><div id="ai2">
<h2 id="c1">

<?
  if (isset($_GET['addtest'])): // If the user wants to add a joke
?>

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<p>Type your Testimonial here:<br />
<textarea name="testtext" rows="10" cols="40" wrap>
</textarea><br />
<input type="submit" name="submittest" value="SUBMIT" />
</p>
</form>

<?
  else: // Default page display

include("dbinfo.inc.php");
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

    // If a Testimonial has been submitted,
    // add it to the database.
    if (isset($_POST['submittest'])) {
      $testtext = $_POST['testtext'];
      $sql = "INSERT INTO Testimonials SET
              TestText='$testtext'
			  ";
      if (@mysql_query($sql)) {
        echo('<p>Your Testimonial has been added.</p>'); 
      } else {
        echo('<p>Error adding Testimonial: ' .
             mysql_error() . '</p>');
      }
    }
	
    // If a Testimonial has been deleted,
    // remove it from the database.
    if (isset($_GET['deletetest'])) {
      $testid = $_GET['deletetest'];
      $sql = "DELETE FROM Testimonials
              WHERE ID=$testid";
      if (@mysql_query($sql)) {
        echo('<p>The Testimonial has been deleted.</p>');
      } else {
        echo('<p>Error deleting Testimonial: ' .
             mysql_error() . '</p>');
      }
    }
    // When clicked, this link will load this page
    // with the Testimonial submission form displayed.
    echo('<p><a href="' . $_SERVER['PHP_SELF'] .
	     '?addtest=1">Add a Testimonial</a></p>');
	
    echo('<p> Here are all the Testimonials in our database: </p>');



?>
</h2>

<?
    // Request the ID and text of all the Testimonials
    $result = @mysql_query('SELECT ID, TestText FROM Testimonials');
    if (!$result) {
      die('<p>Error performing query: ' .
          mysql_error() . '</p>');
    }

    // Display the text of each Testimonial in a paragraph
    // with a "Delete" link next to each.
    while ( $row = mysql_fetch_array($result) ) {
      $testid = $row['ID'];
      $testtext = $row['TestText'];
      echo('<p>' . $testtext .
           '<code><a href="' . $_SERVER['PHP_SELF'] .
           '?deletetest=' . $testid . '">' .
           'Delete</a></code></p>');
    }

  endif;
?>

</div>
</div>
</div>
<!--close content-->
<div id="nav">
<ul>
<li class="jelly">
<a href="index.php" >Menu</a>
<ul>
  <li></li>
<li><a href="home.php">Home Page</a></li>
<li><a href="testimonials.php">Testimonials</a></li>
<li><a href="where.php">Where I cover</a></li>
			<ul>
			  <li></li>
          </ul>

</li>
<li><a href="#">CSS Advanced</a></li>
      </ul>
</li>

<li class="jelly"></li>
</ul>
</div>
</body>
</html>

Please help a newbie

mysql php

3 Contributors
4 Replies
145 Views
1 Day Discussion Span
Latest Post 14 Years Ago Latest Post by diafol

diafol

14 Years Ago

BTW, as an additional precaution, deleting an item with just a value in the querystring is asking for trouble. If an user can see this when they press a button/link (a subset of records on the page) etc. They could start messing with records in the table that you don't want them to delete.
To avoid this, use a confirmation code that uses the 'id' integer hashed along with a 'salt'.

e.g.
In your record display loop

//$id is the record number (Primary Key)
//create a "salted hash" as a confirmation parameter:
$confirm = md5("mysaltysaltwhatever" . $id); 
$querystring = "id=$id&conf=$confirm"; 
$link = "<a href=\"db_change.php?$querystring\">DELETE</a>";
//just display the records with a DELETE link next to them

When the link is pressed, the db_change.php will receive the querystring parameters, thus:

$id = $_GET['id'];
$conf = $_GET['conf'];
if($_GET['conf'] == md5("mysaltysaltwhatever" . $id){
//confirm delete code OK - now do something like a javascript confirm popup to delete or cancel
}else{
//somebody's up to no good!
}

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Fa11en 0 Newbie Poster · Answer 1 · 2009-12-02T19:58:50+00:00

To modify use this SQL query:

$result=mysql_query("UPDATE Testimonials SET TestText='$some_var' WHERE id='$some_id'");

Fa11en 0 Newbie Poster · Answer 2 · 2009-12-02T20:05:48+00:00

And this is a vuln:

$testid = $_GET['deletetest'];
$sql = "DELETE FROM Testimonials WHERE ID=$testid";

Use mysql_real_escape_string($some_var);
eg:

$testid = mysql_real_escape_string($_GET['deletetest']);
$sql = "DELETE FROM Testimonials WHERE ID='$testid'";

or
use (int) function
eg:

$testid = (int)$_GET['deletetest'];
if($testid=='0'){
die("Bad ID");
}
else{
$sql = "DELETE FROM Testimonials WHERE ID='$testid'";
}

Squidge 101 Newbie Poster · Answer 3 · 2009-12-03T01:45:40+00:00

Squidge 101 Newbie Poster

14 Years Ago

Thank you. I will give it a go