I have searched the forums here and while there are similar problems going around, mine is different from what I've seen.
First, I will say that I have yet to do sessions OR injection protection. This is a project for school so those things will come last; the most important thing is that the code works and things work right.
I'm doing a CMS sort of deal with a client listing. The admin can INSERT, DELETE, and UPDATE rows in the database. I'm not sure where I'm going wrong, but this is what I have.
Also I will mention that my teacher is coding things differently than I've seen anywhere else (even different than the book we're using in class is telling us to -- so it's very confusing for me).
Here is the FORM.php code:
<?php
/*session_start();
if ($_POST && !empty($_POST['username'])) {
    $_SESSION['username'] = $_POST['username'];
}*/
// Connecting to the database...
include("dbconn.inc.php");
$conn = dbConnect();
$cid = ""; // place holder for product id information
if (isset($_GET['cid'])) { // note that the spelling 'pid' is based on the query string variable name
    // product id available, validate the information, then compose a query accordingly to retrieve information.
    $cid = $_GET['cid'];
    // validate the product id -- check to see if it is a number
    if (is_numeric($cid)){
        //compose a select query
        $sql = "SELECT * FROM tcClient WHERE CID = '$cid'"; // note that the spelling "PID" is based on the field name in my product table.
        $rs = mysql_query($sql) or die ("select query failed");
        // proceed only if a match is found
        if (mysql_num_rows($rs) == 1){
            $row = mysql_fetch_array($rs, MYSQL_ASSOC); //since there is only one row being returned, no while loop is necessary
            //set up the values to be insert into the form fields
            $Last = $row['LName'];
            $First = $row['FName'];
            $Company = $row['CoName'];
            $Address = $row['Address'];
            $City = $row['City'];
            $State = $row['State'];
            $Zip = $row['Zip'];
            $Email = $row['Email'];
            $Phone = $row['Phone'];
        } else {
            $errMsg = "<p><b>!</b> Information on the record you requested is not available. If it is an error, please contact the webmaster. Thank you.</p>";
            $cid = ""; // reset $pid
        }
    } else {
        // reset $pid
        $cid = "";
        // compose an error message
        $errMsg = "<p><b>!</b> If you are expecting to edit an exiting item, an error has occured in the process. Please contact the webmaster. Thank you.</p>";
    }
}
?>
<?php include('../header.php'); ?>
<div id="content">
    <? include('include/menu.php'); ?>
    <div id="text">
        <h1>Client List</h1>
        <?= $errMsg ?>
        <p>
        <div align="center" border="1">
            <form action="clients-edit.php" method="POST">
                <input type="hidden" name="cid" value=<?=$cid?>>
                <table>
                    <tr><td><strong>Last Name:</strong></td><td><input type="text" name="lname" size="25" value="<?= $Last ?>" /></td></tr>
                    <tr><td><strong>First Name:</strong></td><td><input type="text" name="fname" size="25" value="<?= $First ?>" /></td></tr>
                    <tr><td><strong>Company Name:</strong></td><td><input type="text" name="company" size="25" value="<?= $Company ?>" /></td></tr>
                    <tr><td><strong>Address:</strong></td><td><input type="text" name="address" size="25" value="<?= $Address ?>" /></td></tr>
                    <tr><td><strong>City:</strong></td><td><input type="text" name="city" size="25" value="<?= $City ?>" /></td></tr>
                    <tr><td><strong>State:</strong></td><td><input type="text" name="state" size="2" value="<?= $State ?>" /></td></tr>
                    <tr><td><strong>Zip Code:</strong></td><td><input type="text" name="zip" size="5" value="<?= $Zip ?>" /></td></tr>
                    <tr><td><strong>Email:</strong></td><td><input type="text" name="email" size="25" value="<?= $Email ?>" /></td></tr>
                    <tr><td><strong>Phone Number:</strong></td><td><input type="text" name="phone" size="13" value="<?= $Phone ?>" /></td></tr>
                    <tr><td colspan="2" align="center"><input type="submit" name="submit" value="Submit"></td></tr>
                </table>
            </form>
        </div>
        </p>
    </div>
    <div class="clear"></div>
</div>
<?php include('../footer.php'); ?>
Here is the EDIT.php code:
<?php
// Connecting to the database...
include("dbconn.inc.php");
$conn = dbConnect();
$output = "";
if (isset($_POST['submit'])) {
    $required = array("lname", "fname", "company", "address", "city", "state", "zip", "phone");
    $expected = array("lname", "fname", "company", "address", "city", "state", "zip", "email", "phone");
    $missing = array();
    foreach ($expected as $field) {
        if (in_array($field, $required) && (!isset($_POST[$field]) || empty($_POST[$field]))) {
            array_push ($missing, $field);
        } else {
            if (!isset($_POST[$field])) {
                ${$field} = "";
            } else {
                ${$field} = $_POST[$field];
            }
        }
    }
    if (empty($missing)){
        if (isset($_POST['cid']) && $_POST['cid'] != "") {
            $sql = "UPDATE tcClient SET LName = '$lname', FName = '$fname', CoName = '$company', Address = '$address', City = '$city', State = '$state', Zip = '$zip', Email = '$email', Phone = '$phone' WHERE CID = '$cid'";
        } else {
            $sql = "INSERT tcClient (FName, LName, CoName, Address, City, State, Zip, Email, Phone) VALUES ('$fname', '$lname', '$company', '$address', '$city', '$state', '$zip', '$email', '$phone')";
        }
        $rs = mysql_query($sql) or die ("insert/update query failed");
        if ($rs) {
            $output = "<p>The following information has been saved in the database:<br><br>";
            foreach($_POST as $key=>$value){
                $output .= "<b>$key</b>: $value <br>";
            }
            $output .= "<p>Back to the <a href='clients.php'>client list</a></p>";
        } else {
            $output = "<p>Database operation failed. Please contact the webmaster.";
        }
    } else {
        $output = "<p>The following required fields are missing in your form submission. Please check your form again and fill them out. <br>Thank you.<br>\n<ul>";
        foreach($missing as $m){
            $output .= "<li>$m";
        }
        $output .= "</ul>";
    }
}
?>
<?php include('../header.php'); ?>
<div id="content">
    <? include('include/menu.php'); ?>
    <div id="text">
        <h1>Edit Client</h1>
        <p><?= $output ?></p>
    </div>
    <div class="clear"></div>
</div>
<?php include('../footer.php'); ?>
What Works:
The INSERT string works fine. And when you edit a client's information, it says it works, but nothing actually changes in the information when it loads. I don't get any SQL errors or anything. So I'm completely confused about this.
I don't think it has anything to do with the SQL query I'm using.
Oh, I should mention we had an assignment earlier this semester doing the same thing, but everything on that worked fine. So this code is copied from that assignment, so some of the comments say 'product' instead of client, but it's the same thing.
Thanks in advance for any help! :)
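
An added example, not part of the original post: EDIT.php as posted copies only the names in $expected into variables, so unless something else sets it, $cid is empty when the UPDATE string is built, and an UPDATE that matches no row still returns success. The sketch below reads cid from the request explicitly, passes every value as a bound parameter through PDO, and checks the affected-row count before reporting a save. The saveClient helper, the reduced column set and the in-memory SQLite table are assumptions for illustration.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite table (assumption)
// stands in for the MySQL tcClient table so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tcClient (CID INTEGER PRIMARY KEY, LName TEXT, FName TEXT, Email TEXT)");
$pdo->exec("INSERT INTO tcClient (LName, FName, Email) VALUES ('Doe', 'Jane', 'jane@example.test')");

// Hypothetical helper: saves one client from a $_POST-shaped array.
function saveClient(PDO $pdo, array $post): string
{
    $columns = ['lname' => 'LName', 'fname' => 'FName', 'email' => 'Email'];
    $params = [];
    foreach ($columns as $field => $column) {
        // Values travel as bound parameters, never as part of the SQL text.
        $params[":$column"] = trim((string)($post[$field] ?? ''));
    }
    $cid = (string)($post['cid'] ?? '');
    if ($cid === '') {
        $stmt = $pdo->prepare(
            "INSERT INTO tcClient (LName, FName, Email) VALUES (:LName, :FName, :Email)");
        $stmt->execute($params);
        return 'inserted CID ' . $pdo->lastInsertId();
    }
    // cid is taken from the request explicitly and must be all digits.
    if (!ctype_digit($cid)) {
        return 'rejected: cid is not a number';
    }
    $stmt = $pdo->prepare(
        "UPDATE tcClient SET LName = :LName, FName = :FName, Email = :Email WHERE CID = :cid");
    $stmt->execute($params + [':cid' => (int)$cid]);
    // A successful UPDATE can still touch zero rows, so check the count.
    // On MySQL, rowCount() counts changed rows unless PDO::MYSQL_ATTR_FOUND_ROWS is set.
    return $stmt->rowCount() === 1 ? "updated CID $cid" : "no row changed for CID $cid";
}

// Constructed requests: a normal edit (apostrophe in the name), an unknown id,
// a non-numeric id, and a new client with no cid.
$requests = [
    ['cid' => '1',   'lname' => "O'Brien", 'fname' => 'Jane', 'email' => 'jane@example.test'],
    ['cid' => '99',  'lname' => 'Nobody',  'fname' => 'Nan',  'email' => ''],
    ['cid' => 'abc', 'lname' => 'Bad',     'fname' => 'Id',   'email' => ''],
    ['lname' => 'Smith', 'fname' => 'Sam', 'email' => 'sam@example.test'],
];
foreach ($requests as $request) {
    echo saveClient($pdo, $request), "\n";
}
```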