Darkwoods Posted October 23, 2010

Hey, there is no error with this code, it works just fine, but I would love to know if there is unnecessary coding in it. For example, do I have to do the global variables? Is there a better way to do a MySQL editing page? Thanks

```php
<?php
include "../configdb.php";

$id = $_GET['id'];

if (isset($_POST['submit'])) {
    // global variables
    $name   = $_POST['name'];
    $footer = $_POST['footer'];

    // run the query which adds the data gathered from the form into the database
    $result = mysql_query("UPDATE pages SET name='$name', footer='$footer' WHERE id='$id' ", $connect);
    echo "<b>Your Page have been edited successfully</b>";
} elseif ($id) {
    // load the existing row so the form can be pre-filled
    $result = mysql_query("SELECT * FROM pages WHERE id='$id' ", $connect);
    while ($row = mysql_fetch_assoc($result)) {
        $name   = $row['name'];
        $footer = $row['footer'];
?>
<h3>::Edit Page</h3>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>?id=<?php echo $row['id']?>">
    <input type="hidden" name="id" value="<?php echo $row['id']?>">
    <input name="name" size="40" maxlength="255" value="<?php echo $name; ?>">
    <input name="footer" size="40" maxlength="255" value="<?php echo $footer; ?>">
    <input type="submit" name="submit" value="Submit">
</form>
<?php
    }
}
```
Pikachu2000 Posted October 23, 2010

You don't necessarily need to assign the values from the $_POST array to variables, but you should sanitize any form data before using it in a query string, by running it through mysql_real_escape_string(), type casting, etc. You should also not use $_SERVER['PHP_SELF'] as a form's action= attribute, as it's a known XSS vulnerability.
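The same edit page with the two points from the reply applied, as an added example that is not the original poster's code: the id is type cast, the query values are bound through a prepared statement instead of being concatenated into the SQL, stored values are escaped with htmlspecialchars() before being echoed into the form, and the form action is a fixed path. It assumes ../configdb.php provides a mysqli connection in `$db` and that the script is saved as edit.php (both assumptions; the original used the mysql_ extension and `$connect`).

```php
<?php
// Added example, not the poster's code. Assumes ../configdb.php creates a
// mysqli connection in $db (assumption) and that this file is edit.php (assumption).
include "../configdb.php";

// Type cast the id: anything non-numeric becomes 0 and can never alter the query.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

if (isset($_POST['submit']) && $id > 0) {
    $name   = isset($_POST['name'])   ? $_POST['name']   : '';
    $footer = isset($_POST['footer']) ? $_POST['footer'] : '';

    // Prepared statement: form values are bound as parameters, never spliced into
    // the SQL string, so quotes inside $name or $footer cannot change the query.
    $stmt = $db->prepare("UPDATE pages SET name = ?, footer = ? WHERE id = ?");
    $stmt->bind_param("ssi", $name, $footer, $id);
    $stmt->execute();
    $stmt->close();
    echo "<b>Your page has been edited successfully</b>";
} elseif ($id > 0) {
    $stmt = $db->prepare("SELECT id, name, footer FROM pages WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $stmt->bind_result($rowId, $rowName, $rowFooter);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found) {
        // Escape stored values so they cannot inject markup into the form.
        $name   = htmlspecialchars($rowName,   ENT_QUOTES, 'UTF-8');
        $footer = htmlspecialchars($rowFooter, ENT_QUOTES, 'UTF-8');
        // Fixed action path instead of $_SERVER['PHP_SELF'], which echoes the request URI.
        $action = 'edit.php?id=' . (int) $rowId;
?>
<h3>::Edit Page</h3>
<form method="post" action="<?php echo $action; ?>">
    <input name="name" size="40" maxlength="255" value="<?php echo $name; ?>">
    <input name="footer" size="40" maxlength="255" value="<?php echo $footer; ?>">
    <input type="submit" name="submit" value="Submit">
</form>
<?php
    }
}
```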