I've created a form that allows users to edit data from a database. On a previous page, they select what they want to edit and it takes them to this page. This page isn't secure as it's not done with PDO. I've been able to update all the other pages to PDO, but not this. I'm stuck and the examples I've read on the internet haven't been much help. Any ideas on how I could adjust this code to make it more secure?
<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
}
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Program:</strong> <input type="text" name="program" value="<?php echo $program; ?>"/><br/>
<strong>Date of Content: </strong> <input type="text" name="airdate" value="<?php echo $airdate; ?>"/><br/>
<strong>Description:</strong> <input type="text" name="description" value="<?php echo $description; ?>"/><br/>
<strong>On-Air:</strong> <input type="text" name="production" value="<?php echo $production; ?>"/><br/>
<strong>Promotion:</strong> <input type="text" name="promotion" value="<?php echo $promotion; ?>"/><br/>
<strong>Community:</strong> <input type="text" name="community" value="<?php echo $community; ?>"/><br/>
<strong>Web:</strong> <input type="text" name="web" value="<?php echo $web; ?>"/><br/>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('connect-db.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$program = mysql_real_escape_string(htmlspecialchars($_POST['program']));
$airdate = mysql_real_escape_string(htmlspecialchars($_POST['airdate']));
$description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
$production = mysql_real_escape_string(htmlspecialchars($_POST['production']));
$promotion = mysql_real_escape_string(htmlspecialchars($_POST['promotion']));
$community = mysql_real_escape_string(htmlspecialchars($_POST['community']));
$web = mysql_real_escape_string(htmlspecialchars($_POST['web']));
// check that firstname/lastname fields are both filled in
if ($production == '' || $airdate == '' )
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE calendar SET program='$program', airdate='$airdate', description='$description', production='$production', promotion='$promotion', community='$community', web='$web' WHERE id='$id'")
or die(mysql_error());
<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
}
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Program:</strong> <input type="text" name="program" value="<?php echo $program; ?>"/><br/>
<strong>Date of Content: </strong> <input type="text" name="airdate" value="<?php echo $airdate; ?>"/><br/>
<strong>Description:</strong> <input type="text" name="description" value="<?php echo $description; ?>"/><br/>
<strong>On-Air:</strong> <input type="text" name="production" value="<?php echo $production; ?>"/><br/>
<strong>Promotion:</strong> <input type="text" name="promotion" value="<?php echo $promotion; ?>"/><br/>
<strong>Community:</strong> <input type="text" name="community" value="<?php echo $community; ?>"/><br/>
<strong>Web:</strong> <input type="text" name="web" value="<?php echo $web; ?>"/><br/>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('connect-db.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$program = mysql_real_escape_string(htmlspecialchars($_POST['program']));
$airdate = mysql_real_escape_string(htmlspecialchars($_POST['airdate']));
$description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
$production = mysql_real_escape_string(htmlspecialchars($_POST['production']));
$promotion = mysql_real_escape_string(htmlspecialchars($_POST['promotion']));
$community = mysql_real_escape_string(htmlspecialchars($_POST['community']));
$web = mysql_real_escape_string(htmlspecialchars($_POST['web']));
// check that firstname/lastname fields are both filled in
if ($production == '' || $airdate == '' )
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE calendar SET program='$program', airdate='$airdate', description='$description', production='$production', promotion='$promotion', community='$community', web='$web' WHERE id='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
}
else
// if the form hasn't been submitted, get the data from the db and display the form
{
// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
{
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM calendar WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$program = $row['program'];
$airdate = $row['airdate'];
$description = $row['description'];
$production = $row['production'];
$community = $row['community'];
$promotion = $row['promotion'];
$web = $row['web'];
// show form
renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, '');
}
else
// if no match, display result
{
echo "No results!";
}
}
else
// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
{
echo 'Error!';
}
}
?>