kevinritt Posted August 24, 2009

I've been struggling with this one for a couple days. I have a text editor installed for my client to update his site. The problem is that when a change is made it doesn't save in the db. There's a connection because the content is being pulled from the db. Here's what I've got for code for the admin page:

```php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="./css/saugustv2.css" rel="stylesheet" type="text/css" />
<!-- CSS layout was created by Rayzur http://www.rayswoodworks.com/css-demos.html -->
<title>Saugus TV</title>
<script type="text/javascript" src="editor/jscripts/tiny_mce/tiny_mce.js"></script>
<script type="text/javascript">
tinyMCE.init({
    // General options
    mode : "textareas",
    theme : "advanced",
    height: "600",
    plugins : "safari,spellchecker,pagebreak,style,layer,table,save,advhr,advimage,advlink,emotions,iespell,inlinepopups,insertdatetime,preview,media,searchreplace,print,contextmenu,paste,directionality,fullscreen,noneditable,visualchars,nonbreaking,xhtmlxtras,template,imagemanager,filemanager",

    // Theme options
    theme_advanced_buttons1 : "save,newdocument,|,bold,italic,underline,strikethrough,|,justifyleft,justifycenter,justifyright,justifyfull,|,styleselect,formatselect,fontselect,fontsizeselect",
    theme_advanced_buttons2 : "cut,copy,paste,pastetext,pasteword,|,search,replace,|,bullist,numlist,|,outdent,indent,blockquote,|,undo,redo,|,link,unlink,anchor,image,cleanup,help,code,|,insertdate,inserttime,preview,|,forecolor,backcolor",
    theme_advanced_buttons3 : "tablecontrols,|,hr,removeformat,visualaid,|,sub,sup,|,charmap,emotions,iespell,media,advhr,|,print,|,ltr,rtl,|,fullscreen",
    theme_advanced_buttons4 : "insertlayer,moveforward,movebackward,absolute,|,styleprops,spellchecker,|,cite,abbr,acronym,del,ins,attribs,|,visualchars,nonbreaking,template,blockquote,pagebreak,|,insertfile,insertimage",
    theme_advanced_toolbar_location : "top",
    theme_advanced_toolbar_align : "left",
    theme_advanced_statusbar_location : "bottom",
    theme_advanced_resizing : true,

    // Example content CSS (should be your site CSS)
    content_css : "css/example.css",

    // Drop lists for link/image/media/template dialogs
    template_external_list_url : "js/template_list.js",
    external_link_list_url : "js/link_list.js",
    external_image_list_url : "js/image_list.js",
    media_external_list_url : "js/media_list.js",

    // Replace values for the template plugin
    template_replace_values : {
        username : "Some User",
        staffid : "991234"
    }
});
</script>
</head>
<body>
<div id="minHeight"></div><!--Opera and IE8 min-height fix-->
<div id="wrapper">
<div id="header">
<img class="logo" src="http://saugustv.org/images/logo2.jpg" width="779" height="155" />
</div>
<div id="container">
<div id="left-nav">
<div id="menu1">
<h3>Pages</h3>
<ul>
<?php
require("connections/dbconn.php");
$sql = "SELECT id, name FROM nav";
$result = $conn -> query($sql) or die(mysqli_error());
if($result) {
    while($row = $result->fetch_object()) {
        echo "<li><a href='admin.php?page={$row->id}'>{$row->name}</a></li>";
    }
}
?>
</ul>
</div></div>
<div id="content">
<?php
if(isset ($_GET['message'])){
    echo '<font color="red"><strong>You have successfully updated your page </strong></font>';
}
$page = (isset($_GET['page'])) ? $_GET['page'] : "1";
$sql = "SELECT * FROM pages WHERE id='$page'";
$result = $conn->query($sql) or die(mysqli_error());
if($result) {
    $row = $result->fetch_object();
    echo '<form method="post" action="update.php">';
    echo '<input type="hidden" name="id" value="'.$row->id.'" />';
    echo '<textarea name="content">';
    echo $row->content;
    echo '</textarea>';
    echo '<input type="submit" name="editContent" value="Update page" />';
    echo '</form>';
}
?>
</div>
</div><!--end container-->
</div><!--end wrapper-->
<div id="footer">
1 PEARCE MEMORIAL DRIVE • SAUGUS, MA 01906<br />PHONE - 781.231.2883 • FAX - 781.233.3433
</div>
</body>
</html>
```

and here's the update page:

```php
<?php
if (isset ($_POST['editContent'])) {
    require ("connections/dbconn.php");
    $content = mysqli_real_escape_string($_POST['content']);
    $id = mysqli_real_escape_string($_POST['id']);
    $sql = "UPDATE pages SET content='$content' WHERE id='$id'";
    $result = $conn->query($sql) or die (mysqli_error());
    if ($result){
        header("location:admin.php?message=1");
    }
}
?>
```

Any clues - I have no clue what I'm missing here.

Thanks
HoTDaWg Posted August 24, 2009

Put up connections/dbconn.php. The script itself looks fine as far as my understanding goes.
the182guy Posted August 24, 2009

mysqli_real_escape_string() might be having trouble with the content of the TinyMCE editor - e.g. lots of quotes in the HTML to deal with. I would echo out the UPDATE SQL and copy+paste it into phpMyAdmin to execute it and see if any error comes back.

You can use MySQLi Prepared Statements to avoid escaping strings yourself as this will do them for you. See here:

http://devzone.zend.com/article/686
http://www.usphp.com/function.mysqli-prepare.html

Also... you are putting an unescaped variable into your SQL, which means you're vulnerable to SQL Injection at this point:

```php
$page = (isset($_GET['page'])) ? $_GET['page'] : "1";
$sql = "SELECT * FROM pages WHERE id='$page'";
```

Change it to:

```php
$page = (isset($_GET['page'])) ? (int)$_GET['page'] : 1;
$sql = "SELECT * FROM pages WHERE id='$page'";
```

That will just cast the variable as an integer, so if it contains a string it will be cast as 0 and thus protect you from SQL Injection.
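The prepared-statement approach suggested in the post above, applied to this thread's SELECT and UPDATE, as an added example that is not part of any post or of the poster's code. It assumes `connections/dbconn.php` defines `$conn` as a `mysqli` object and that `pages` has `id` and `content` columns, as shown in the thread; the function names are hypothetical.

```php
<?php
// Added example. Table/column names and dbconn.php come from the thread;
// page_id(), load_page() and save_page() are hypothetical helper names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw instead of passing silently

// Accept only a positive integer id; anything else is rejected outright.
function page_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Invalid page id');
    }
    return $id;
}

// SELECT for admin.php: the id travels as a bound parameter, never as SQL text.
function load_page(mysqli $conn, int $id): ?string
{
    $stmt = $conn->prepare('SELECT content FROM pages WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($content);
    $found = $stmt->fetch();      // true on a row, null when nothing matches
    $stmt->close();
    return $found ? $content : null;
}

// UPDATE for update.php: TinyMCE HTML full of quotes needs no manual escaping.
function save_page(mysqli $conn, int $id, string $content): int
{
    $stmt = $conn->prepare('UPDATE pages SET content = ? WHERE id = ?');
    $stmt->bind_param('si', $content, $id);
    $stmt->execute();
    $rows = $stmt->affected_rows; // 0 = no matching row, or content unchanged
    $stmt->close();
    return $rows;
}

if (isset($_POST['editContent'], $_POST['id'], $_POST['content'])) {
    require 'connections/dbconn.php';
    save_page($conn, page_id($_POST['id']), $_POST['content']);
    header('Location: admin.php?message=1');
    exit;
}
```

Because the values are bound rather than interpolated, an escaping call that fails cannot quietly turn the statement into an UPDATE that matches no row, and the returned row count lets the caller tell a real save from a no-op.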
kevinritt Posted August 25, 2009 (Author)

> mysqli_real_escape_string() might be having trouble with the content of the TinyMCE editor - e.g. lots of quotes in the HTML to deal with.

It did not work correctly before I put the mysqli_real_escape_string() in there. Here's the dbconn.php:

```php
$conn = new MySQLi("localhost", "root", "", "suagustv") or die (mysqli_error());
```

There is no password on my localhost for my home pc. I can update content in PHPMyAdmin and it will show correctly. But if I try to edit using TinyMCE - it doesn't save it to the db. All the content is stored in the db.
Bricktop Posted August 25, 2009

Hi kevinritt,

Just out of interest, try changing:

```php
$sql = "UPDATE pages SET content='$content' WHERE id='$id'";
```

to:

```php
$sql = mysql_query("UPDATE pages SET content = '".$content."' WHERE id = '".$id."' LIMIT 1");
```
kevinritt Posted August 25, 2009 (Author)

I get this now:

```
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\saugustv_test\update.php on line 4
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\saugustv_test\update.php on line 5
Warning: mysql_query() [function.mysql-query]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\saugustv_test\update.php on line 6
Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in C:\wamp\www\saugustv_test\update.php on line 6
Warning: mysqli::query() [mysqli.query]: Empty query in C:\wamp\www\saugustv_test\update.php on line 7
Warning: mysqli_error() expects exactly 1 parameter, 0 given in C:\wamp\www\saugustv_test\update.php on line 7
```
Bricktop Posted August 25, 2009

mysqli_real_escape_string requires two parameters, one of them is the string and one of them is the database connection info. So, for example:

```php
$content = mysqli_real_escape_string($_POST['content']);
```

Needs to be:

```php
$content = mysqli_real_escape_string($conn,$_POST['content']);
```

Do the same for the $id. $conn is the database connection variable defined in dbconn.php. Change your update code back to what it was and give this a go.
kevinritt Posted August 25, 2009 (Author)

Three days later - it's fixed. Thank you very much. I don't recall having to add the connection variable in with the $_POST variables before. Why does that need to be included if the $conn variable was already defined?
Bricktop Posted August 25, 2009

Hi kevinritt,

It's because you're using mysqli_real_escape_string instead of mysql_real_escape_string. They have subtle differences. More info:

http://us2.php.net/manual/en/mysqli.real-escape-string.php
http://us2.php.net/manual/en/function.mysql-real-escape-string.php