<?php
$PostID = mysql_escape_string($_GET['postid']);
?>
<?php
If ($_GET['CODE'] == '0') {
    $GetPostData = "SELECT * FROM ".FORUM_POSTS." WHERE post_id='{$PostID}'";
    $GetPostRes = mysql_query($GetPostData, $db);
    $PostText = mysql_result($GetPostRes, 0, 'post_text');
    $AuthorID = mysql_result($GetPostRes, 0, 'user_id');
    
    If ($memid == $AuthorID || $MemLevel >= 1000) {
?>  
<div class="maintitle" align="left"><img src="./images/nav_m.gif" width="8" height="8"> Editing Post</div>
<form action="index.php?act=edit&postid=<?php echo $PostID; ?>&CODE=1" method="POST">
<table width="100%" cellspacing="1" cellpadding="4">
    <tr>
        <td class="titlemedium" colspan="2">Make changes below.</td>
    </tr>
    <tr>
        <td class="row2" align="right" width="15%" valign="top">Post Text:</td>
        <td class="row2" align="left" width="85%">
            <textarea cols="80" rows="20" name="posttext"><?php echo $PostText; ?></textarea>
        </td>
    </tr>
    <tr><td class="row2" colspan="2" align="center"><input type="submit" value="Post" /></td></tr>
</table>
</form>
<?php
}
Else {
?>
<div class="maintitle" align="left"><img src="./images/nav_m.gif" width="8" height="8"> Error</div>
<table width="100%" cellspacing="1" cellpadding="4">
    <tr><td class="row2">You do not have the permission to edit this post.<br>If you believe this is an error please contact an administrator.</td></tr>
</table>
<?php
}
}
If ($_GET['CODE'] == '1') {
    //Gather Information
    $PostText = mysql_escape_string($_POST['posttext']);
    $PostText = htmlentities($PostText);
    $PostID = mysql_escape_string($_GET['postid']);
    
    //Update Database
    $EditQry = "UPDATE ".FORUM_POSTS." SET post_text='{$PostText}' WHERE post_id='{$PostID}'";
    $EditRes = mysql_query($EditQry, $db);
    //Check Data went in
    If (!$EditRes) {
?>
<div class="maintitle" align="left"><img src="./images/nav_m.gif" width="8" height="8"> Error</div>
<table width="100%" cellspacing="1" cellpadding="4">
    <tr><td class="row2">Could not modify database. Please contact administrator.</td></tr>
</table>
<?php
    }
    Else {
?>
<div class="maintitle" align="left"><img src="./images/nav_m.gif" width="8" height="8"> Success</div>
<table width="100%" cellspacing="1" cellpadding="4">
    <tr><td class="row2">Post modified. Please go back to the thread to see it.</td></tr>
</table>
<?php
    }
}
?>
</div>

 

This is my page for editing a post.

 

However, whenever this form actually goes through, the query for some reason makes post_text in the database blank with no text in it whatsoever.

 

I have tried echoing the query to see what it says and it has a perfectly fine query and I can copy/paste it manually to put it into the mysql but I don't get why this isn't adding it.


FYI - You should be using mysql_real_escape_string not mysql_escape_string

 

Just a guess, but if your browser is requesting the page twice (I seem to recall a previous thread of yours concerning an INSERT query running twice, once with data and once without), the first time with $_POST data and the second time without $_POST data, the second time would UPDATE an empty value into the post_text column that would replace the actual text that was just UPDATEd.

 

And I know that I asked this in one of your previous threads, but why are you not validating that a form was submitted and that $_POST['posttext'] is not empty?

freelance84: Yes, fields are fine. As I said, I can echo the query and copy it manually perfectly fine.

 

Nightslyr: Get is only for CODE and postid because page is accessed as index.php?act=edit&postid=X&CODE=Y

 

X = id of post

Y = 0 or 1 (1 sends form through)

 

I've not had problems on any other pages using that format (works fine for index.php?act=reply&threadid=X)

 

 

 

PFMaBiSmAd: Thanks again. Validating the input stopped it. Completely forgot to check that blank value isn't going through.

Nightslyr: Get is only for CODE and postid because page is accessed as index.php?act=edit&postid=X&CODE=Y

 

X = id of post

Y = 0 or 1 (1 sends form through)

 

I've not had problems on any other pages using that format (works fine for index.php?act=reply&threadid=X)

 

That's still a sloppy way to do it.  GET and POST, despite working similarly, have different meanings.  GET is for retrieving data, and since parameters can be passed in via address bar, the results of the request can be bookmarked.  POST is for inserting/updating data.  Keeping them separate like this will greatly simplify what you need to do.

 

For example, you could have an edit.php file which accepts the id and code as hidden inputs.  Similarly, you could have a reply.php file that accepts the threadid as a hidden input as well.

 

There's also the matter of PRG (POST/REDIRECT/GET) issues: http://en.wikipedia.org/wiki/Post/Redirect/Get    http://stackoverflow.com/questions/2146431/back-button-re-submit-form-data-post
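
Added example, not part of the thread or any poster's code: one way to apply the advice in the replies above (confirm that a form was actually submitted, refuse an empty posttext, use bound parameters instead of mysql_escape_string, and redirect after a successful POST). It also repeats the author/level check when writing. The function name update_post, the table name forum_posts, reading postid from a hidden POST field, and the in-memory SQLite data are assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Added example. update_post(), the forum_posts table name and the sample row
// are assumptions for illustration; PDO replaces the thread's mysql_* calls.
function update_post(PDO $db, string $method, array $post, int $memId, int $memLevel): string
{
    // Only a submitted form may write: a repeated GET request changes nothing.
    if ($method !== 'POST') {
        return 'not-submitted';
    }
    $postId = filter_var($post['postid'] ?? null, FILTER_VALIDATE_INT);
    $text = is_string($post['posttext'] ?? null) ? trim($post['posttext']) : '';
    if ($postId === false || $text === '') {
        return 'invalid'; // never UPDATE an empty value over the stored text
    }
    // Repeat the ownership check when writing, not only when showing the form.
    $own = $db->prepare('SELECT user_id FROM forum_posts WHERE post_id = ?');
    $own->execute([$postId]);
    $authorId = $own->fetchColumn();
    if ($authorId === false) {
        return 'missing';
    }
    if ((int) $authorId !== $memId && $memLevel < 1000) {
        return 'forbidden';
    }
    // Bound parameters do the quoting; store the raw text and HTML-encode it
    // with htmlspecialchars() at output time instead of before the UPDATE.
    $upd = $db->prepare('UPDATE forum_posts SET post_text = ? WHERE post_id = ?');
    $upd->execute([$text, $postId]);
    return 'ok';
}

// Constructed demo data in an in-memory SQLite database, so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE forum_posts (post_id INTEGER PRIMARY KEY, user_id INTEGER, post_text TEXT)');
$db->exec("INSERT INTO forum_posts VALUES (1, 7, 'original text')");

$cases = [
    'second request without form data' => ['GET', [], 7, 0],
    'author submits an empty body' => ['POST', ['postid' => '1', 'posttext' => ' '], 7, 0],
    'another member submits' => ['POST', ['postid' => '1', 'posttext' => 'x'], 8, 0],
    'author submits new text' => ['POST', ['postid' => '1', 'posttext' => 'edited'], 7, 0],
];
foreach ($cases as $label => [$method, $post, $memId, $memLevel]) {
    echo $label, ': ', update_post($db, $method, $post, $memId, $memLevel), "\n";
}
echo 'stored: ', $db->query('SELECT post_text FROM forum_posts WHERE post_id = 1')->fetchColumn(), "\n";
// On 'ok' the page would send header('Location: ...', true, 303) and exit (PRG).
```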
