
phpnewbfreak

New Members
  • Posts: 3
  • Joined
  • Last visited

phpnewbfreak's Achievements

Newbie (1/5)

0 Reputation

  1. I've created a form that allows users to edit data from a database. On a previous page, they select what they want to edit and it takes them to this page. This page isn't secure as it's not done with PDO. I've been able to update all the other pages to PDO, but not this. I'm stuck and the examples I've read on the internet haven't been much help. Any ideas on how I could adjust this code to make it more secure?

```php
<?php
/* EDIT.PHP
   Allows user to edit specific entry in database */

// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '') {
    echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Program:</strong> <input type="text" name="program" value="<?php echo $program; ?>"/><br/>
<strong>Date of Content: </strong> <input type="text" name="airdate" value="<?php echo $airdate; ?>"/><br/>
<strong>Description:</strong> <input type="text" name="description" value="<?php echo $description; ?>"/><br/>
<strong>On-Air:</strong> <input type="text" name="production" value="<?php echo $production; ?>"/><br/>
<strong>Promotion:</strong> <input type="text" name="promotion" value="<?php echo $promotion; ?>"/><br/>
<strong>Community:</strong> <input type="text" name="community" value="<?php echo $community; ?>"/><br/>
<strong>Web:</strong> <input type="text" name="web" value="<?php echo $web; ?>"/><br/>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}

// connect to the database
include('connect-db.php');

// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit'])) {
    // confirm that the 'id' value is a valid integer before getting the form data
    if (is_numeric($_POST['id'])) {
        // get form data, making sure it is valid
        $id          = $_POST['id'];
        $program     = mysql_real_escape_string(htmlspecialchars($_POST['program']));
        $airdate     = mysql_real_escape_string(htmlspecialchars($_POST['airdate']));
        $description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
        $production  = mysql_real_escape_string(htmlspecialchars($_POST['production']));
        $promotion   = mysql_real_escape_string(htmlspecialchars($_POST['promotion']));
        $community   = mysql_real_escape_string(htmlspecialchars($_POST['community']));
        $web         = mysql_real_escape_string(htmlspecialchars($_POST['web']));

        // check that the required fields (production and airdate) are both filled in
        if ($production == '' || $airdate == '') {
            // generate error message
            $error = 'ERROR: Please fill in all required fields!';
            // error, display form
            renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error);
        } else {
            // save the data to the database
            mysql_query("UPDATE calendar SET program='$program', airdate='$airdate', description='$description', production='$production', promotion='$promotion', community='$community', web='$web' WHERE id='$id'")
                or die(mysql_error());
            // once saved, redirect back to the view page
            header("Location: view.php");
        }
    } else {
        // if the 'id' isn't valid, display an error
        echo 'Error!';
    }
} else {
    // if the form hasn't been submitted, get the data from the db and display the form
    // get the 'id' value from the URL (if it exists), making sure that it is valid (checking that it is numeric/larger than 0)
    if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0) {
        // query db
        $id     = $_GET['id'];
        $result = mysql_query("SELECT * FROM calendar WHERE id=$id") or die(mysql_error());
        $row    = mysql_fetch_array($result);

        // check that the 'id' matches up with a row in the database
        if ($row) {
            // get data from db
            $program     = $row['program'];
            $airdate     = $row['airdate'];
            $description = $row['description'];
            $production  = $row['production'];
            $community   = $row['community'];
            $promotion   = $row['promotion'];
            $web         = $row['web'];
            // show form
            renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, '');
        } else {
            // if no match, display result
            echo "No results!";
        }
    } else {
        // if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
        echo 'Error!';
    }
}
?>
```
  2. Hey all, I'm trying to edit database data and I keep getting this error: `Fatal error: Call to a member function prepare() on a non-object on line 4`, which is `$result = $db->prepare("SELECT * FROM calendar WHERE id= :userid");`. Any ideas?

```php
<?php
include('connect-db.php');

$id = $_GET['id'];
$result = $db->prepare("SELECT * FROM calendar WHERE id= :userid");
$result->bindParam(':userid', $id);
$result->execute();

for ($i = 0; $row = $result->fetch(); $i++) {
?>
<form action="edit.php" method="POST">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Program:</strong> <input type="text" name="program" value="<?php echo $program; ?>"/><br/>
<strong>Date of Content: </strong> <input type="text" name="airdate" value="<?php echo $airdate; ?>"/><br/>
<strong>Description:</strong> <input type="text" name="description" value="<?php echo $description; ?>"/><br/>
<strong>On-Air:</strong> <input type="text" name="production" value="<?php echo $production; ?>"/><br/>
<strong>Promotion:</strong> <input type="text" name="promotion" value="<?php echo $promotion; ?>"/><br/>
<strong>Community:</strong> <input type="text" name="community" value="<?php echo $community; ?>"/><br/>
<strong>Web:</strong> <input type="text" name="web" value="<?php echo $web; ?>"/><br/>
<input type="submit" name="submit" value="Submit">
</div>
</form>
<?php
}
?>
```
  3. So I have some data in a database that I want to write out with PHP. The problem is it spits it out as Year-Month-Day and I want it Month-Day-Year. So I wrote some code, but now it spits everything out as May 1, 1970. ??? It spits it out in the right order, but it's the wrong date (and the same date) for each entry.

```php
$result = mysql_query("SELECT * FROM `friend` ORDER BY bday") or die($myQuery."<br/><br/>".mysql_error());

$given   = ['bday'];
$parseit = date("m-d-Y", strtotime($given));

while ($row = mysql_fetch_array($result)) {
    $program = $row['ID'];
    echo "<h2>" . $row['firstname'] . "</h2>";
    echo "<h3>" . $parseit . "</h3>";
}

require_once("db_connx_close.php");
?>
```
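The first post asks how to move EDIT.PHP to PDO, and the second hits `Call to a member function prepare() on a non-object`, which is what PHP raises when `$db` is not an object at all (for example when connect-db.php only opens a `mysql_connect()` link). The script below is an added example, not the poster's code, that serves both posts: it creates `$db` as a real PDO instance and rebuilds the edit page on prepared statements. The DSN, credentials and the contents of connect-db.php are assumptions; `calendar` and its column names are taken from the posts above.

```php
<?php
/* edit-pdo.php: added example (not the poster's code) of EDIT.PHP rebuilt on PDO.
   Host, database name and credentials are placeholders; in the posts above this
   connection would live in connect-db.php and be included from there. */
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares, typed parameters
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Columns a user may edit. Column names are never taken from the request: they come
// from this fixed list only, while every value goes through a bound placeholder.
const EDITABLE = ['program', 'airdate', 'description', 'production', 'promotion', 'community', 'web'];

// Escape for HTML at output time; the database keeps the raw value.
function h($s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function renderForm(array $row, string $error = ''): void
{
    echo "<!DOCTYPE html><html><head><title>Edit Record</title></head><body>\n";
    if ($error !== '') {
        echo '<div style="padding:4px; border:1px solid red; color:red;">' . h($error) . "</div>\n";
    }
    echo '<form action="" method="post">';
    echo '<input type="hidden" name="id" value="' . h($row['id']) . '"/>';
    echo '<p><strong>ID:</strong> ' . h($row['id']) . '</p>';
    foreach (EDITABLE as $col) {
        echo '<strong>' . h(ucfirst($col)) . ':</strong> '
           . '<input type="text" name="' . $col . '" value="' . h($row[$col] ?? '') . '"/><br/>';
    }
    echo '<input type="submit" name="submit" value="Submit"></form></body></html>';
}

// The id must be a positive integer, whether it arrives by POST (form submit)
// or by GET (link from the view page). filter_input returns null when absent
// and false when present but not a valid integer in range.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Error!');
}

if (isset($_POST['submit'])) {
    $data = [];
    foreach (EDITABLE as $col) {
        $data[$col] = trim((string) ($_POST[$col] ?? ''));
    }
    if ($data['production'] === '' || $data['airdate'] === '') {
        renderForm($data + ['id' => $id], 'ERROR: Please fill in all required fields!');
        exit;
    }
    // Builds "program = :program, airdate = :airdate, ..." from the whitelist;
    // the submitted values are passed to execute() and bound by name.
    $set  = implode(', ', array_map(function ($col) { return "$col = :$col"; }, EDITABLE));
    $stmt = $db->prepare("UPDATE calendar SET $set WHERE id = :id");
    $stmt->execute($data + ['id' => $id]);
    header('Location: view.php');
    exit;
}

// No submission: load the row for the requested id and show the form.
$stmt = $db->prepare('SELECT id, ' . implode(', ', EDITABLE) . ' FROM calendar WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch();
if ($row === false) {
    http_response_code(404);
    exit('No results!');
}
renderForm($row);
```

Two design choices differ from the original script. The original runs `htmlspecialchars()` on the input before storing it, so the database ends up holding `&lt;` and `&amp;` sequences; here the raw value is stored and `h()` escapes it at the moment it is written into HTML, which is the only place HTML escaping is meaningful. And with parameters bound there is nothing left for `mysql_real_escape_string()` to do, so it is gone. Binding parameters closes the SQL injection; it says nothing about whether the caller is allowed to edit row `:id` or about cross-site request forgery, which this script, like the original, does not check.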
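For the third post: when `strtotime()` cannot parse its argument it returns `false`, and `date()` then treats `false` as timestamp 0, so every row shows the same epoch-era date regardless of its `bday` value. The function below is an added example, not the poster's code, that parses each row's own `bday` inside the loop and rejects values MySQL `DATE` columns can hold but no calendar does (`0000-00-00`, or a day that `DateTime` would silently roll over). The `$rows` array is constructed sample data standing in for `mysql_fetch_array()` results so the snippet runs without a database.

```php
<?php
/* Added example: reformat a Y-m-d date from the database as m-d-Y, per row,
   returning null instead of a bogus date when the stored value is not a real date. */
function formatBday(?string $ymd): ?string
{
    if ($ymd === null || $ymd === '' || $ymd === '0000-00-00') {
        return null; // MySQL's "zero date" and empty values are not dates
    }
    // '!' resets unspecified fields so only the date part is compared below
    $d = DateTime::createFromFormat('!Y-m-d', $ymd);
    // createFromFormat is lenient: 2013-02-30 becomes 2013-03-02. Round-tripping the
    // parsed value through the same format catches anything it had to adjust.
    if ($d === false || $d->format('Y-m-d') !== $ymd) {
        return null;
    }
    return $d->format('m-d-Y');
}

// Constructed sample rows (not from a database) in the shape mysql_fetch_array() returns
$rows = [
    ['ID' => 1, 'firstname' => 'Alice', 'bday' => '1990-05-01'],
    ['ID' => 2, 'firstname' => 'Bob',   'bday' => '0000-00-00'],
    ['ID' => 3, 'firstname' => 'Eve',   'bday' => '2013-02-30'],
];

foreach ($rows as $row) {
    $parsed = formatBday($row['bday']); // '05-01-1990', null, null
    echo '<h2>' . htmlspecialchars($row['firstname'], ENT_QUOTES, 'UTF-8') . "</h2>\n";
    echo '<h3>' . ($parsed ?? 'unknown') . "</h3>\n";
}
```

With a live query the only change is replacing `$rows` with the `while ($row = mysql_fetch_array($result))` loop from the post and calling `formatBday($row['bday'])` inside it; the parse has to happen per row, since `$parseit` computed once before the loop can only ever hold one value.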