Queuing up and then letting through data


yuckysocks

I have a form that posts data to a mysql database, which is then pulled out into a table. The form will never be publicly linked, so I didn't bother with logins or anything like that, but I'm wondering

1. What's the easiest way to have the data being posted held, then checked by an administrator for accuracy, and then allowed to be displayed on the public page?

2. Are there significant risks of running an unsecured form if it's never linked anywhere except from e-mails sent to select people?

Thanks a lot for the info,

Alex


It is publicly linked when you send the email to someone. Even basic security (require a password to be entered that you check against a variable in a separate file on the server).

To answer question #1, I would simply add a column to the database called 'approved' with a default value of 0, and the page, when getting the info to display on the page, queries SELECT * FROM table WHERE approved=1

Then you have another page for administrators to go to that shows the items that have NOT been approved (=0) and allows you to click a link that updates the database for the entry, updating it to 1.

I like that solution. Before I read it, the basic idea I had come up with was:

1. Post all data to a table called "pending"

2. Admin views a (private) page with all "pending" cases.

3. When a button is pressed, it copies the data from "pending" into the public "show" database.

Is this a reasonable way to accomplish this also? Is this "expensive" to do, as far as server load goes or anything like that? We are low traffic so it's moot anyhow, but I'd like to only use well-tuned options.

Thanks for any critique!

On low server load, I don't see a problem with doing it that way, just more complicated than my suggestion. I suppose the question is whether SELECT * FROM table

and

SELECT * FROM table WHERE approved=1

vary much in their execution time. Considering that that query is going to be run the most frequently for the site, you would want it to be the fastest.

Hi!

I'm unable to upload/test things right now, but I'm sure there are bugs here that people can work out for me:

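<?php

// Connecting, selecting database (mysqli, because the mysql_* functions were removed in PHP 7)
$link = mysqli_connect('localhost', 'neepor', 'energy', 'case_studies')
    or die('Could not connect: ' . mysqli_connect_error());

// Read the command from the query string; $cmd is not populated automatically
$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : '';

if ($cmd == '')
{
// Performing SQL query FOR UNAPPROVED CASES
$query = 'SELECT id, schoolname, schoolcity, state FROM casestudies WHERE approved = 0';
$result = mysqli_query($link, $query) or die('Query failed: ' . mysqli_error($link));

// Printing results in HTML; every value that came from the form is escaped before output
echo "<table class=\"sortable\">\n";
echo "\t<tr><th>School Name</th> <th>School City</th> <th>State</th> <th>Approval Link</th></tr>\n";
while ($line = mysqli_fetch_assoc($result)) {
    // Take id and school name from the current row, not from undefined variables
    $id = (int) $line['id'];
    $schoolname = htmlspecialchars($line['schoolname'], ENT_QUOTES);
    echo "\t<tr>\n";
    echo "\t\t<td><a href='casestudy.php?id=$id'>$schoolname- Check me for Accuracy</a></td>\n";
    echo "\t\t<td>".htmlspecialchars($line['schoolcity'], ENT_QUOTES)."</td>\n";
    echo "\t\t<td>".htmlspecialchars($line['state'], ENT_QUOTES)."</td>\n";
    echo "\t\t<td><a href='admin.php?cmd=approve&amp;id=$id'>Approve the $schoolname case study and make it public</a></td>\n";
    echo "\t</tr>\n";
}
echo "</table>\n";

// Free resultset
mysqli_free_result($result);
}

if ($cmd == 'approve' && isset($_GET['id']))
{
// Mark the case study as approved; the id is bound as an integer instead of being pasted into the SQL
$id = (int) $_GET['id'];
$stmt = mysqli_prepare($link, 'UPDATE casestudies SET approved = 1 WHERE id = ?')
    or die('Query failed: ' . mysqli_error($link));
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt) or die('Query failed: ' . mysqli_stmt_error($stmt));
mysqli_stmt_close($stmt);
}

// Closing connection
mysqli_close($link);
?>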

 

I think I'm on the right track, but need to be sure. Thanks!
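
The password check suggested in the first reply (a password compared against a value kept in a separate file on the server), applied to the admin.php page from the post above, as an added example that is not part of any post in this thread. The file name admin_secret.php, the ADMIN_PASSWORD_HASH variable, the session keys, the demo password and the database credentials are assumptions or placeholders; the example also goes one step further than the thread by accepting approvals only as a POST with a per-session token.

```php
<?php
// Added example, not code from the thread. Real use: generate the hash once with
// password_hash() and keep it in a separate file outside the web root (assumed
// name: admin_secret.php), loaded with require. It is computed inline here, from
// a constructed demo password, only so this file runs on its own.
$ADMIN_PASSWORD_HASH = password_hash('constructed-demo-password', PASSWORD_DEFAULT);

session_start();

function is_admin(): bool {
    return !empty($_SESSION['is_admin']);
}

function try_login(string $submitted, string $hash): bool {
    if (!password_verify($submitted, $hash)) {
        return false;
    }
    session_regenerate_id(true);                    // fresh session id after login
    $_SESSION['is_admin'] = true;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));  // token for the approval forms
    return true;
}

function approval_id(array $post): ?int {
    // Approvals change data, so accept them only as a POST carrying the session token.
    if (!is_admin() || !isset($post['csrf'], $post['id'])
        || !is_string($post['csrf']) || !hash_equals($_SESSION['csrf'], $post['csrf'])
        || !is_string($post['id']) || !ctype_digit($post['id'])) {
        return null;
    }
    return (int) $post['id'];
}

$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if ($isPost && isset($_POST['password']) && is_string($_POST['password'])) {
    try_login($_POST['password'], $ADMIN_PASSWORD_HASH);
}
if (!is_admin()) {
    echo '<form method="post">Password: <input type="password" name="password">',
         '<input type="submit" value="Log in"></form>';
    exit;
}
if ($isPost && ($id = approval_id($_POST)) !== null) {
    $db = mysqli_connect('localhost', 'db_user', 'db_password', 'case_studies'); // placeholders
    $stmt = mysqli_prepare($db, 'UPDATE casestudies SET approved = 1 WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
}
// The pending list follows here; each row gets a POST form with id and $_SESSION['csrf'].
```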

Archived

This topic is now archived and is closed to further replies.
