php update

Status
Not open for further replies.

Keewee6

New Member
Very close to finishing my CMS. Got login to work; now trying to do the update script. I can get it to pull the data in, but not update.

Here is the code:

<?php
// Connect to the database
$cnx = mysql_connect("localhost", "*******", "*******")
    OR die("Unable to connect to database!");
mysql_select_db("squarebar_db1", $cnx);

if (isset($_POST['submit_form']) && $_POST['submit_form'] == 1) {
    // Save to the database
    $data = mysql_real_escape_string(trim($_POST['fcktext']));
    $res = mysql_query("UPDATE news SET data = '".$data."' WHERE id = $id");

    if (!$res)
        die("Error saving the record! Mysql said: ".mysql_error());

    // Redirect to self to get rid of the POST; stop here so the rest of the
    // page is not rendered after the redirect header
    header("Location: select.php");
    exit;
}

include_once "fckeditor/fckeditor.php";
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test FCKeditor</title>
</head>
<body>

<h1><font size="2" face="Arial, Helvetica, sans-serif"> FCK Editor</font></h1>

<form action="select.php" method="post">
<?php
// Get data from the database
$query = mysql_query("SELECT data FROM news WHERE id = $id");
$data = mysql_fetch_array($query);

// Configure and output editor
$oFCKeditor = new FCKeditor('fcktext');
$oFCKeditor->BasePath = "fckeditor/";
$oFCKeditor->Value = $data["data"];
$oFCKeditor->Width = 540;
$oFCKeditor->Height = 400;
echo $oFCKeditor->CreateHtml();
?>
<br />
<input type="hidden" name="submit_form" value="1" />
<input type="submit" value="Save Form" />
</form>

</body>
</html>

<?php
// Close the database connection
mysql_close($cnx);
?>
 

Keewee6

New Member
<?php
// Connect to the database
$cnx = mysql_connect("localhost", "*******", "*******")
    OR die("Unable to connect to database!");
mysql_select_db("squarebar_db1", $cnx);

if (isset($_POST['submit_form']) && $_POST['submit_form'] == 1) {
    // Save to the database
    $data = mysql_real_escape_string(trim($_POST['fcktext']));
    $res = mysql_query("UPDATE news SET data = '".$data."' WHERE id = $id");
    if (!$res)
        die("Error saving the record! Mysql said: ".mysql_error());
    // Redirect to self to get rid of the POST
    header("Location: select.php");
    exit;
}

include_once "fckeditor/fckeditor.php";
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test FCKeditor</title>
</head>
<body>
<h1><font size="2" face="Arial, Helvetica, sans-serif"> FCK Editor</font></h1>
<form action="select.php" method="post">
<input type="hidden" name="id" value="<?php echo $_session['id'];?>">
<?php
// Get data from the database
$query = mysql_query("SELECT data FROM news WHERE id = $id");
$data = mysql_fetch_array($query);

// Configure and output editor
$oFCKeditor = new FCKeditor('fcktext');
$oFCKeditor->BasePath = "fckeditor/";
$oFCKeditor->Value = $data["data"];
$oFCKeditor->Width = 540;
$oFCKeditor->Height = 400;
echo $oFCKeditor->CreateHtml();
?>
<br />
<input type="hidden" name="submit_form" value="1" />
<input type="submit" value="Save Form" />
</form>
</body>
</html>

<?php
// Close the database connection
mysql_close($cnx);
?>

Tried to add the hidden id value here (the hidden `id` input in the form).
 

php.allstar

New Member
Hi,

Based on the previous poster's comments, you need to assign a value to the $id variable...

<?php
// Connect to the database
$cnx = mysql_connect("localhost", "*******", "*******")
    OR die("Unable to connect to database!");
mysql_select_db("squarebar_db1", $cnx);

if (isset($_POST['submit_form']) && $_POST['submit_form'] == 1) {
    // Take the record id from the posted hidden field. Cast it to an integer:
    // escaping alone does not protect a value interpolated without quotes
    $id = (int) $_POST['id'];
    // Save to the database
    $data = mysql_real_escape_string(trim($_POST['fcktext']));
    $res = mysql_query("UPDATE news SET data = '".$data."' WHERE id = $id");
    if (!$res)
        die("Error saving the record! Mysql said: ".mysql_error());
    // Redirect to self to get rid of the POST
    header("Location: select.php");
    exit;
}

include_once "fckeditor/fckeditor.php";
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test FCKeditor</title>
</head>
<body>
<h1><font size="2" face="Arial, Helvetica, sans-serif"> FCK Editor</font></h1>
<form action="select.php" method="post">
<input type="hidden" name="id" value="<?php echo $_session['id'];?>">
<?php
// Get data from the database
$query = mysql_query("SELECT data FROM news WHERE id = $id");
$data = mysql_fetch_array($query);

// Configure and output editor
$oFCKeditor = new FCKeditor('fcktext');
$oFCKeditor->BasePath = "fckeditor/";
$oFCKeditor->Value = $data["data"];
$oFCKeditor->Width = 540;
$oFCKeditor->Height = 400;
echo $oFCKeditor->CreateHtml();
?>
<br />
<input type="hidden" name="submit_form" value="1" />
<input type="submit" value="Save Form" />
</form>
</body>
</html>

<?php
// Close the database connection
mysql_close($cnx);
?>

So now any mention of $id will be parsed as the value of $_POST['id']

By the way, if this form is not locked down to admin users and is open to the public, a hacker could easily edit the value of your hidden id input field to edit any news item on your site! Best not to use hidden input fields.

Also, please ensure that you change your MySQL username and password now, as you hid them in your first post but showed them in your last post! ;)
 

Keewee6

New Member
Changed it; nothing.

<?php
// Connect to the database
$cnx = mysql_connect("localhost", "*******", "******")
    OR die("Unable to connect to database!");
mysql_select_db("squarebar_db1", $cnx);

if (isset($_POST['submit_form']) && $_POST['submit_form'] == 1) {
    // Take the record id from the posted hidden field, cast to an integer
    $id = (int) $_POST['id'];
    // Save to the database
    $data = mysql_real_escape_string(trim($_POST['fcktext']));
    $res = mysql_query("UPDATE news SET data = '".$data."' WHERE id = $id");
    if (!$res)
        die("Error saving the record! Mysql said: ".mysql_error());
    // Redirect to self to get rid of the POST
    header("Location: select.php");
    exit;
}

include_once "fckeditor/fckeditor.php";
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Test FCKeditor</title>
</head>
<body>
<h1><font size="2" face="Arial, Helvetica, sans-serif"> FCK Editor</font></h1>
<form action="select.php" method="post">
<input type="hidden" name="id" value="<?php echo $_session['id'];?>">
<?php
// Get data from the database
$query = mysql_query("SELECT data FROM news WHERE id = $id");
$data = mysql_fetch_array($query);

// Configure and output editor
$oFCKeditor = new FCKeditor('fcktext');
$oFCKeditor->BasePath = "fckeditor/";
$oFCKeditor->Value = $data["data"];
$oFCKeditor->Width = 540;
$oFCKeditor->Height = 400;
echo $oFCKeditor->CreateHtml();
?>
<br />
<input type="hidden" name="submit_form" value="1" />
<input type="submit" value="Save Form" />
</form>
</body>
</html>
<?php
// Close the database connection
mysql_close($cnx);
?>
 

php.allstar

New Member
What value have you assigned to <?php echo $_session['id'];?>?

You'll also have to specify a value for $id in...

<?php
// Get data from the database
$query = mysql_query("SELECT data FROM news WHERE id = $id");
$data = mysql_fetch_array($query);
 

louie

New Member
You are trying to update a table that contains some data.
Each record in the table has a unique ID, so when you go to add, edit or remove a record, you need to pass the ID either in the URL or store it as a SESSION; otherwise you are going to do more damage to your DB than you could think of.
 

louie

New Member
Passing the id in the URL is simple:

page_update_details.php?id=12345

then you use GET to set the value:
$id = $_GET['id'];

Having this value set, you can now use the form action to post the data to the same page using the same URL (including the query string), or set it as a hidden field in the form itself.

This type of action should be made safe somehow (admin area, or based on a login form).

If you can't get the hang of something so simple, you should leave it to someone that knows what he's doing, for security reasons.
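Pulling louie's advice (pass the id in the URL, lock the page down to admins) and php.allstar's warning (a hidden id field can be edited by anyone who can reach the form) together, here is an added example of the update page rewritten the way a practitioner would do it today. It is not code from the thread. It assumes PHP 7 or later with PDO, the same `news` table (integer `id`, text `data`), and a login page that has already called session_start() and set $_SESSION['is_admin'] for administrators; that session key and the database credentials are assumptions. Two things none of the posts spot are worth knowing: PHP variable names are case-sensitive, so `$_session['id']` in the posted forms is an ordinary undefined variable rather than the session superglobal, and none of the posted scripts calls session_start(), so the hidden field would stay empty even with the right spelling. The example takes the id from the query string as louie suggests, validates it as a positive integer, binds it with a prepared statement, checks the admin session before any query, and ties the form to a CSRF token. Tampering with the id in the URL then only lets an already-authenticated admin edit a different row, which is the intended use.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, PDO, a `news` table with
// integer `id` and text `data` columns, and a login page that has already set
// $_SESSION['is_admin'] = true for administrators (assumed session key).
session_start();

// 1. Only a logged-in admin may read or write news items.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. PDO with exceptions on and emulated prepares off, so placeholders are
//    real server-side parameters. Credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=squarebar_db1;charset=utf8mb4',
    'db_user', 'db_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// 3. The record id comes from the URL (select.php?id=12345) and must be a
//    positive integer; anything else is rejected before any SQL runs.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// 4. Per-session CSRF token so another site cannot submit this form on behalf
//    of an admin who is logged in.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    $data = trim((string) ($_POST['fcktext'] ?? ''));

    // Both values are bound parameters, never concatenated into the SQL, so
    // the unquoted "WHERE id = $id" problem from the thread cannot occur.
    $stmt = $pdo->prepare('UPDATE news SET data = :data WHERE id = :id');
    $stmt->execute([':data' => $data, ':id' => $id]);
    if ($stmt->rowCount() === 0) {
        $_SESSION['flash'] = "No row updated for id $id (unknown id or unchanged content)";
    }
    // Redirect back to the same URL, id included, so a reload does not re-POST.
    header('Location: select.php?id=' . $id);
    exit;
}

$stmt = $pdo->prepare('SELECT data FROM news WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('No such news item');
}

include_once 'fckeditor/fckeditor.php';
$oFCKeditor = new FCKeditor('fcktext');
$oFCKeditor->BasePath = 'fckeditor/';
$oFCKeditor->Value = $row['data'];
$oFCKeditor->Width = 540;
$oFCKeditor->Height = 400;
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>Edit news item <?= $id ?></title></head>
<body>
<h1>FCK Editor</h1>
<?php if (!empty($_SESSION['flash'])): ?>
<p><?= htmlspecialchars($_SESSION['flash'], ENT_QUOTES, 'UTF-8') ?></p>
<?php unset($_SESSION['flash']); ?>
<?php endif; ?>
<!-- The id travels in the URL, not in a hidden field; the server re-validates
     it on every request, so editing it only changes which row the admin edits. -->
<form action="select.php?id=<?= $id ?>" method="post">
<?php echo $oFCKeditor->CreateHtml(); ?>
<br />
<input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>" />
<input type="submit" value="Save Form" />
</form>
</body>
</html>
```

Save it as select.php and open select.php?id=12345 while logged in as an admin. The page still stores whatever HTML the editor produces, which is acceptable only because access is restricted to admins; escape or sanitise that content wherever it is rendered to the public.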
 