Matt Ridge Posted January 11, 2012 Share Posted January 11, 2012 Ok, as far as I know this code should update correctly, but for some reason it's not, and I can't seem to figure out why. Here is the page: http://kaboomlabs.com/testbed/edit.php?id=1 Mind you this is meant to be seen in IE only, so if it looks odd on your browser I haven't gotten to tweaking it yet.... thanks for the help. <?php require_once('../connectvars.php'); echo '<div id="postwrap">' ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>PDI NCMR - Edit</title> <link rel="stylesheet" type="text/css" href="../CSS/postie.css" /> </head> <body> <div id="logo"> <img src="../images/PDI_Logo_2.1.gif" alt="PDI Logo" /> </div> <?php if (isset($_POST['submit'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Enter data into the database $ab = mysqli_real_escape_string($dbc, trim($_POST['ab'])); $date = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime ($_POST['date'])))); $part = mysqli_real_escape_string($dbc, trim($_POST['part'])); $rev = mysqli_real_escape_string($dbc, trim($_POST['rev'])); $partdesc = mysqli_real_escape_string($dbc, trim($_POST['partdesc'])); $ncmrqty = mysqli_real_escape_string($dbc, trim($_POST['ncmrqty'])); $comp = mysqli_real_escape_string($dbc, trim($_POST['comp'])); $ncmrid = mysqli_real_escape_string($dbc, trim($_POST['ncmrid'])); $rma = mysqli_real_escape_string($dbc, trim($_POST['rma'])); $jno = mysqli_real_escape_string($dbc, trim($_POST['jno'])); $fdt = mysqli_real_escape_string($dbc, trim($_POST['fdt'])); $cof = mysqli_real_escape_string($dbc, trim($_POST['cof'])); $fab1= mysqli_real_escape_string($dbc, trim($_POST['fab1'])); $fab2= mysqli_real_escape_string($dbc, trim($_POST['fab2'])); $fab3= mysqli_real_escape_string($dbc, trim($_POST['fab3'])); $non= mysqli_real_escape_string($dbc, trim($_POST['non'])); $dis= mysqli_real_escape_string($dbc, trim($_POST['dis'])); $comm= mysqli_real_escape_string($dbc, trim($_POST['comm'])); $caad= mysqli_real_escape_string($dbc, trim($_POST['caad'])); $po= mysqli_real_escape_string($dbc, trim($_POST['po'])); $pod = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime($_POST['pod'])))); $dri = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime($_POST['dri'])))); $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '" . $_GET['id'] . "'"; mysqli_query($dbc, $query); // Clear the form data $ab = ""; $date = ""; $part = ""; $rev = ""; $partdesc = ""; $ncmrqty = ""; $comp = ""; $ncmrid = ""; $rma = ""; $jno = ""; $fdt = ""; $cof = ""; $fab1= ""; $fab2= ""; $fab3= ""; $non= ""; $dis= ""; $comm= ""; $caad= ""; $po= ""; $pod = ""; $dri = ""; // Confirm success with the user echo '<p>If you wish to edit more NCMRs, please <a href="list.php">go to the admin page!</a></p>'; mysqli_close($dbc); } else { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Grab the profile data from the database if (!isset($_GET['id'])) { $query = "SELECT * FROM ncmr WHERE id = '$id'"; } else { $query = "SELECT * FROM ncmr WHERE id = '" . $_GET['id'] . "'"; } $data = mysqli_query($dbc, $query); if (mysqli_num_rows($data) == 1) { // The user row was found so display the user data $row = mysqli_fetch_array($data); echo'<div id="title"><h3 id="NCMR2">Non-Conforming Materials Report (NCMR: ' . $row['rma'] . ')</h3></div>'; echo "<form action='".$_SERVER['PHP_SELF']."' method='post'>"; echo '<fieldset>'; echo '<div id="box1">'; if (empty($row['ab'])) $row['ab'] = "Empty"; if (empty($row['date'])) $row['date'] = "Empty"; if (empty($row['part'])) $row['part'] = "Empty"; if (empty($row['rev'])) $row['rev'] = "Empty"; if (empty($row['partdesc'])) $row['partdesc'] = "Empty"; if (empty($row['ncmrqty'])) $row['ncmrqty'] = "Empty"; echo '<div id="ab"><span class="b">Added By: </span><input type="text" name="ab" value="' . $row['ab'] . '" /></div>'; echo '<div id="date"><span class="b">Date Filed: </span><input type="text" name="date" value="' . $row['date'] . '" /></div>'; echo '<div id="part"><span class="b">Part Number: </span><input type="text" name="part" value="' . $row['part'] . '" /></div>'; echo '<div id="rev"><span class="b">Part Revision: </span><input type="text" name="rev" value="' . $row['rev'] . '" /></div>'; echo '<div id="partdesc"><span class="b">Part Description: </span><textarea rows="4" cols="22">' . $row['partdesc'] . '</textarea></div>'; echo '<div id="ncmrqty"><span class="b">NCMR Qty: </span><input type="text" name="ncmrqty" value="' . $row['ncmrqty'] . '" /></div>'; echo '</div>'; //Company, Customer NCMR, Internal RMA, and Job Number echo '<div id="box2">'; if (empty($row['comp'])) $row['comp'] = "Empty"; if (empty($row['ncmrid'])) $row['ncmrid'] = "Empty"; if (empty($row['rma'])) $row['rma'] = "Empty"; if (empty($row['jno'])) $row['jno'] = "Empty"; echo '<div id="comp"><span class="b">Company: </span><input type="text" name="comp" value="' . $row['comp'] . '" /></div>'; echo '<div id="ncmrid"><span class="b">Customer NCMR ID: </span><input type="text" name="ncmrid" value="' . $row['ncmrid'] . '" /></div>'; echo '<div id="rma"><span class="b">Internal RMA #: </span><input type="text" name="rma" value="' . $row['rma'] . '" /></div>'; echo '<div id="jno"><span class="b">Job #: </span><input type="text" name="jno" value="' . $row['jno'] . '" /></div>'; echo '</div>'; //Type of Failure and Class of Failure echo '<div id="box3">'; echo '<h2>Failure</h2>'; echo '<div id="cof"><span class="b">Class of Failure: </span><input type="text" name="cof" size="15" value="' . $row['cof'] . '" /></div>'; echo '<div id="fdt"><span class="b">Failure Due To: </span><input type="text" name="fdt" size="15" value="' . $row['fdt'] . '" /></div>'; echo '</div>'; //Fabricators echo '<div id="box4">'; echo '<h2>Fabricators</h2>'; if ($row['fab1']="--None--") { echo'<div id="fab1">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab1'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } else { echo'<div id="fab1">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab1'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } if ($row['fab2']="--None--") { echo'<div id="fab2">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab2'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } else { echo '<div id="fab2"><span class="b"></span><input type="text" name="fab1" size="20" value="' . $row['fab1'] . '" /></div>'; echo '</div>'; } if ($row['fab3']="--None--") { echo'<div id="fab3">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab3'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } else { echo '<div id="fab3"><span class="b"></span><input type="text" name="fab1" size="20" value="' . $row['fab1'] . '" /></div>'; echo '</div>'; } echo '</div>'; //Nonconformity, Disposition, Comments and Comments & Additional Details echo '<div id="box5">'; if (empty($row['non'])) $row['non'] = "Empty"; if (empty($row['dis'])) $row['dis'] = "Empty"; if (empty($row['comm'])) $row['comm'] = "Empty"; if (empty($row['caad'])) $row['caad'] = "Empty"; echo '<div id="non"><span class="b">Nonconformity: </span><textarea rows="4" cols="105">' . $row['non'] . '</textarea></div>'; echo '<div id="dis"><span class="b">Disposition: </span><textarea rows="4" cols="105">' . $row['dis'] . '</textarea></div>'; echo '<div id="comm"><span class="b">Comments: </span><textarea rows="4" cols="105">' . $row['comm'] . '</textarea></div>'; echo '<div id="caad"><span class="b">Comments and/or Additional Details: </span><textarea rows="4" cols="105">' . $row['caad'] . '</textarea></div>'; echo '<div id="podr">'; if (empty($row['po'])) $row['po'] ="Empty"; if (empty($row['pod'])) $row['pod'] ="Empty"; if (empty($row['dir'])) $row['dri'] ="Empty"; echo '<div id="po"><span class="b">PO: </span><input type="text" name="po" size="7" value="' . $row['po'] . '" /></div>'; echo '<div id="pod"><span class="b">PO Date: </span><input type="text" name="pod" size="7" value="' . $row['pod'] . '" /></div>'; echo '<div id="dri"><span class="b">Date Received: </span><input type="text" name="dri" size="7" value="' . $row['dri'] . '" /></div>'; echo '</div>'; echo '<div id="button2"><input type="submit" value="Submit Edits" name="submit" /></div>'; echo '</div>'; echo '</fieldset>'; echo '</form>'; } } echo '</div>'; ?> </body> </html> Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/ Share on other sites More sharing options...
scootstah Posted January 11, 2012 Share Posted January 11, 2012 You have a syntax error in your query. fab2 = '$fab2' , fab3 = fab3' , non = '$non' Should be: fab2 = '$fab2' , fab3 = '$fab3' , non = '$non' Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306506 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 You have a syntax error in your query. fab2 = '$fab2' , fab3 = fab3' , non = '$non' Should be: fab2 = '$fab2' , fab3 = '$fab3' , non = '$non' Thanks for looking at it, after staring at the same code for so long your mind just goes blah... Ok I just tweaked the edit as you showed, still not posting... any more ideas? Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306517 Share on other sites More sharing options...
scootstah Posted January 11, 2012 Share Posted January 11, 2012 It helps massively to have a good IDE that has code highlighting... much easier to spot little syntax errors like that. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306519 Share on other sites More sharing options...
mikosiko Posted January 11, 2012 Share Posted January 11, 2012 echo your raw query and look for errors $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '" . $_GET['id'] . "'"; // echo your raw query and look for obvious errors echo "Query is : " . $query . "<br />"; // and at least use a basic mechanism to trap possibles errors mysqli_query($dbc, $query) or die('Query Error : ' . mysqli_error($dbc)); while in development you should at least enable error reporting and display either globally (in php.ini) or locally in each script using this 2 lines by the beginning of your scripts. error_reporting(E_ALL); ini_set("display_errors", 1); in an additional note, I see that you are connecting/querying/looping 3 times over the table users (once for each "fab?") why?... you can do that only one time, store the values and use them as you need. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306530 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 echo your raw query and look for errors $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '" . $_GET['id'] . "'"; // echo your raw query and look for obvious errors echo "Query is : " . $query . "<br />"; // and at least use a basic mechanism to trap possibles errors mysqli_query($dbc, $query) or die('Query Error : ' . mysqli_error($dbc)); while in development you should at least enable error reporting and display either globally (in php.ini) or locally in each script using this 2 lines by the beginning of your scripts. error_reporting(E_ALL); ini_set("display_errors", 1); in an additional note, I see that you are connecting/querying/looping 3 times over the table users (once for each "fab?") why?... you can do that only one time, store the values and use them as you need. The first part.. Query is : UPDATE ncmr SET ab = 'Matt Ridge', date = '2012-01-09', part = 'K17212191', rev = '01' , partdesc = '' , ncmrqty = '2' , comp = 'Nexx Systems Inc.' , ncmrid = '1243' , rma = 'Empty' , jno = 'Empty' , fdt = 'none' , cof = 'none' , fab1 = 'Andy Kahl' , fab2 = '--None--' , fab3 = '--None--' , non = '' , dis = '' , comm = '' , caad = '' , po = 'Empty' , pod = '1969-12-31' , dri = '1969-12-31' WHERE id = '' What I see as an issue here is that the Where id = the ID is missing, although it shows the data from it originally. Am I missing something or no? As for your second part, I'm learning as I go so I duplicate what I know, and I didn't know it was possible. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306532 Share on other sites More sharing options...
mikosiko Posted January 11, 2012 Share Posted January 11, 2012 Am I missing something or no? well... yes... you are missing your $_GET['id'] lets do a little cleaning here: // Grab the profile data from the database if (!isset($_GET['id'])) { // Where are you defining your $id variable?.. this line doesn't make sense considering how your code works // if $_GET['id'] is not set then this script has been called incorrectly... trigger an error. $query = "SELECT * FROM ncmr WHERE id = '$id'"; } else { $query = "SELECT * FROM ncmr WHERE id = '" . $_GET['id'] . "'"; // You are wide open to sql injections here... take the $_GET[] out of here, sanitize it (CASTing it if numeric) // and assign it to a variable using that variable in this query } now... for the UPDATE $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '" . $_GET['id'] . "'"; again using the $_GET[] directly you are calling for trouble... take that out of there IMMEDIATELY if you care for the data that you have. most likely what do you want here in replacement for the $_GET['id'] is a sanitized variable as you did with the rest of the ones that you are using... just add a hidden input field in your form using $row['id'] as the value before this line, and use that in your update. echo '<div id="button2"><input type="submit" value="Submit Edits" name="submit" /></div>'; work on that and ask if you have further problems. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306561 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 Am I missing something or no? well... yes... you are missing your $_GET['id'] lets do a little cleaning here: // Grab the profile data from the database if (!isset($_GET['id'])) { // Where are you defining your $id variable?.. this line doesn't make sense considering how your code works // if $_GET['id'] is not set then this script has been called incorrectly... trigger an error. $query = "SELECT * FROM ncmr WHERE id = '$id'"; } else { $query = "SELECT * FROM ncmr WHERE id = '" . $_GET['id'] . "'"; // You are wide open to sql injections here... take the $_GET[] out of here, sanitize it (CASTing it if numeric) // and assign it to a variable using that variable in this query } now... for the UPDATE $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '" . $_GET['id'] . "'"; again using the $_GET[] directly you are calling for trouble... take that out of there IMMEDIATELY if you care for the data that you have. most likely what do you want here in replacement for the $_GET['id'] is a sanitized variable as you did with the rest of the ones that you are using... just add a hidden input field in your form using $row['id'] as the value before this line, and use that in your update. echo '<div id="button2"><input type="submit" value="Submit Edits" name="submit" /></div>'; work on that and ask if you have further problems. Ok, I've been trying to do what you've said and every time I do the scrip gets an error. Can you help me out a little upon how this is meant to work? I have: $id = mysqli_real_escape_string($dbc, trim($_POST['id'])); In there now, but every time I attempt to fix the rest I get an error each spot the change has been made. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306604 Share on other sites More sharing options...
wolfcry Posted January 11, 2012 Share Posted January 11, 2012 What Mikosiko is suggesting is you use a hidden field for the id in the form itself, which means you'll have to perform a query obtaining the id before the form is submitted and echo that out as the value of the hidden form field. Now, you will still need to sanitize that even if it's hidden because anyone can use certain browser add-ons that allow them to change that and add whatever information they want in it. ALWAYS sanitize data if the user has a way of getting to it. You can use $_GET, just don't use it directly in the query itself, sanitize the data before passing it to the query. The major differences of $_POST compared it $_GET are of course, not having data directly streamed in the URL field, making it "invisible" per se and a bit more secured. Have you tried echoing out your $_GET and $_POST data to see if it's even being populated after submission? For example: $id = $_GET['id']; $id = $_POST['id']; The above depends on your form method of course. If it's not being populated, then you can start debugging "why" and / or "where from" isn't it being populated. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306616 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 Yup, here is the link: http://kaboomlabs.com/testbed/edit.php?id=1 Now it also has a script in there to show what is outputted as well as any errors... you'll see what happens I'm not worried about the data being changed since it doesn't save. As for now though, I am using: $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = '$fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '" . $_GET['id'] . "'"; Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306617 Share on other sites More sharing options...
wolfcry Posted January 11, 2012 Share Posted January 11, 2012 I clicked the link and sent a test form but I didn't see anything after submitting which tells me you're now using $_POST. Since $_GET only extracts data streamed in the URL, you will want to use $_POST to extract that as well. Change this: '" . $_GET['id'] . "'" to this: '" . $_POST['id'] . "'" If your form method is POST. However, you really, really, REALLY need to get the user input out of the direct query and use a sanitize variable in it's place. If not, you're asking for a whole world of hurt. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306621 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 I clicked the link and sent a test form but I didn't see anything after submitting which tells me you're now using $_POST. Since $_GET only extracts data streamed in the URL, you will want to use $_POST to extract that as well. Change this: '" . $_GET['id'] . "'" to this: '" . $_POST['id'] . "'" If your form method is POST. However, you really, really, REALLY need to get the user input out of the direct query and use a sanitize variable in it's place. If not, you're asking for a whole world of hurt. Ok, I did what you said, and the page doesn't show up at all. As for your second point, how do I do that and still have it post to the right area? Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306624 Share on other sites More sharing options...
KevinM1 Posted January 11, 2012 Share Posted January 11, 2012 As for your second point, how do I do that and still have it post to the right area? You could always re-read this thread. I'm partial to reply #3. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306626 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 As for your second point, how do I do that and still have it post to the right area? You could always re-read this thread. I'm partial to reply #3. I already sanitized it as far as I know... hence why I am asking what else is there to do? hence the: $id = mysqli_real_escape_string($dbc, trim($_POST['id'])); I am asking for help because people keep repeating the same thing over, and over again, when as far as I know I've already done it, so I am asking, beyond this what else is there to do? Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306630 Share on other sites More sharing options...
wolfcry Posted January 11, 2012 Share Posted January 11, 2012 Ah, my bad, upon closer inspection, you're getting id and using that to display the form. To sanitize the value, you first $_GET the value, then place that value into a variable and sanitize the variable itself. Like so: $id = $_GET['id']; Sanitize_Variable_Using_Your_Method_Here($id); $query = "SELECT `id` WHERE `id` = $id"; Something like that. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306631 Share on other sites More sharing options...
wolfcry Posted January 11, 2012 Share Posted January 11, 2012 I already sanitized it as far as I know... hence why I am asking what else is there to do? I am asking for help because people keep repeating the same thing over, and over again, when as far as I know I've already done it, so I am asking, beyond this what else is there to do? Maybe you have, but you're replies keep showing the same thing such as id = "'. $_GET['id'] .'". To us, that doesn't look sanitized but a direct query request. That's why we keep saying the same thing regarding sanitizing your query data first. But one of your major issues is you're using both POST and GET which will conflict with each other because a POST form will submit data behind the page, meaning it won't stream the data in the URL and GET can ONLY extract data from the url itself. So if you first query the id to show the page, but do not pass it along somehow after submitting POST, you will lose it. What you should do, is like Miko said earlier, is use a hidden form field, then pass that value like you would do with any other value. Here's an example of how to populate a hidden form field. $id = $_GET['id']; <input type="hidden" name="Id" value="<?php echo $id?>"> what will happen is the value of the hidden field will become "1" (or whatever value queried) and this value will be sent via POST which you can then grab using something like the following: $id = $_POST['Id']; You will then want to sanitize the new $id information and use the variable $id in your query AFTER submitting your form. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306633 Share on other sites More sharing options...
KevinM1 Posted January 11, 2012 Share Posted January 11, 2012 You should check to see that $_POST['id'] is, in fact, an integer (assuming that's what you want). Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306636 Share on other sites More sharing options...
wolfcry Posted January 11, 2012 Share Posted January 11, 2012 You will then want to sanitize the new $id information and use the variable $id in your query AFTER submitting your form. I meant to say, EVEN after submitting your form. It should be sanitized before and after form submission. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306645 Share on other sites More sharing options...
Matt Ridge Posted January 11, 2012 Author Share Posted January 11, 2012 I already sanitized it as far as I know... hence why I am asking what else is there to do? I am asking for help because people keep repeating the same thing over, and over again, when as far as I know I've already done it, so I am asking, beyond this what else is there to do? Maybe you have, but you're replies keep showing the same thing such as id = "'. $_GET['id'] .'". To us, that doesn't look sanitized but a direct query request. That's why we keep saying the same thing regarding sanitizing your query data first. But one of your major issues is you're using both POST and GET which will conflict with each other because a POST form will submit data behind the page, meaning it won't stream the data in the URL and GET can ONLY extract data from the url itself. So if you first query the id to show the page, but do not pass it along somehow after submitting POST, you will lose it. What you should do, is like Miko said earlier, is use a hidden form field, then pass that value like you would do with any other value. Here's an example of how to populate a hidden form field. $id = $_GET['id']; <input type="hidden" name="Id" value="<?php echo $id?>"> what will happen is the value of the hidden field will become "1" (or whatever value queried) and this value will be sent via POST which you can then grab using something like the following: $id = $_POST['Id']; You will then want to sanitize the new $id information and use the variable $id in your query AFTER submitting your form. I've had two people tell me two different things, to use GET and to use POST... so what should I use? Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306681 Share on other sites More sharing options...
KevinM1 Posted January 12, 2012 Share Posted January 12, 2012 Use GET when retrieving data, POST when inserting or updating data. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306717 Share on other sites More sharing options...
Matt Ridge Posted January 12, 2012 Author Share Posted January 12, 2012 Use GET when retrieving data, POST when inserting or updating data. So in the case of my script, where am I doing it wrong? Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306741 Share on other sites More sharing options...
wolfcry Posted January 12, 2012 Share Posted January 12, 2012 You're not passing your id value as I stated above.. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306742 Share on other sites More sharing options...
Matt Ridge Posted January 12, 2012 Author Share Posted January 12, 2012 You're not passing your id value as I stated above.. Right, but get, or post, and where is my questions. Because honestly everyone seems to have different opinions about it. Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306792 Share on other sites More sharing options...
wolfcry Posted January 12, 2012 Share Posted January 12, 2012 Right, but get, or post, and where is my questions. I have already answered your question in my post above. You can use whatever method you want to pass the data along, that's up to you, but remember, there are limits to how much data can be stored in the URL if strictly using GET. The issue, from what I can tell when clicking submit on your form, is you're using POST to send the data correct? Like so: <form action="same.page.php" method="POST"> I'm assuming this because I no longer see the id variable passed in the URL. Then you need to use POST to extract the data after it's been sent. You cannot use GET to extract POST'd data because GET only extracts data that has been streamed in the URL or URI if you want to be extremely technical. Here's a great example of POST and GET methods, it seems you're confused about the two: http://www.tizag.com/phpT/postget.php Ok, so, IF you're using a query to obtain the id at the beginning and attaching that to your URL, which you are, and IF you have your form method set to POST you must pass that along so it can be stored into the global array POST as well because as soon as you click submit, that value is lost. Both GET and POST are simply arrays, if you stored data in array1, you wouldn't try to extract that data by calling array2 would you? Same thought process here. This is where the hidden form field comes into play. IF you were using GET as your method, you'd simply extract it using GET after submission because it'd remain in the URL but so would everything you just did and from how I see your form is set up, you'd most likely have too much data for the URL to hold all that data (again, there is a limit). Simply do as I suggested above about storing the id value into a hidden form field and extract or call, however you want to say it, the data after it's been submitted by using something like this: $id = $_POST['id']; then use that after the form as been set to update your database accordingly. With all that said, I'm going to throw another wrench at you, . You could send the id along a POST form in the URL by echoing the id in the form's action. Like so: <form action="p.php?id=<?php echo $id;?>" method="POST"> That way you can still use GET to extract that from the URL (after submission) and still be able to post via POST the rest of the stuff. The downside is, it will cache on their end in the browser's URL and you will have to refresh the form if you want varying id numbers for each post submitted even by the same person. Hopefully, I didn't confuse you too much lol. In short, do the following if you want to keep it as simple as possible: form method = GET / use $_GET['']; to extract data. form method = POST / use $_POST['']; to extract data. or use a combination of GET and POST if echoing data dynamically in form's action if method is set to POST Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306905 Share on other sites More sharing options...
Matt Ridge Posted January 12, 2012 Author Share Posted January 12, 2012 Right, but get, or post, and where is my questions. I have already answered your question in my post above. You can use whatever method you want to pass the data along, that's up to you, but remember, there are limits to how much data can be stored in the URL if strictly using GET. The issue, from what I can tell when clicking submit on your form, is you're using POST to send the data correct? Like so: <form action="same.page.php" method="POST"> I'm assuming this because I no longer see the id variable passed in the URL. Then you need to use POST to extract the data after it's been sent. You cannot use GET to extract POST'd data because GET only extracts data that has been streamed in the URL or URI if you want to be extremely technical. Here's a great example of POST and GET methods, it seems you're confused about the two: http://www.tizag.com/phpT/postget.php Ok, so, IF you're using a query to obtain the id at the beginning and attaching that to your URL, which you are, and IF you have your form method set to POST you must pass that along so it can be stored into the global array POST as well because as soon as you click submit, that value is lost. Both GET and POST are simply arrays, if you stored data in array1, you wouldn't try to extract that data by calling array2 would you? Same thought process here. This is where the hidden form field comes into play. IF you were using GET as your method, you'd simply extract it using GET after submission because it'd remain in the URL but so would everything you just did and from how I see your form is set up, you'd most likely have too much data for the URL to hold all that data (again, there is a limit). Simply do as I suggested above about storing the id value into a hidden form field and extract or call, however you want to say it, the data after it's been submitted by using something like this: $id = $_POST['id']; then use that after the form as been set to update your database accordingly. With all that said, I'm going to throw another wrench at you, . You could send the id along a POST form in the URL by echoing the id in the form's action. Like so: <form action="p.php?id=<?php echo $id;?>" method="POST"> That way you can still use GET to extract that from the URL (after submission) and still be able to post via POST the rest of the stuff. The downside is, it will cache on their end in the browser's URL and you will have to refresh the form if you want varying id numbers for each post submitted even by the same person. Hopefully, I didn't confuse you too much lol. In short, do the following if you want to keep it as simple as possible: form method = GET / use $_GET['']; to extract data. form method = POST / use $_POST['']; to extract data. or use a combination of GET and POST if echoing data dynamically in form's action if method is set to POST Ok, then knowing how I have the form now, and what I need to change, the data itself is asking for the data from a database, so instead of using: echo "<form action='".$_SERVER['PHP_SELF']."' method='post'>"; I could use: <form action="edit.php?id=<?php echo $id;?>" method="POST"> Now my confusion comes down to this: I use this code to sanitize the id. $id = mysqli_real_escape_string($dbc, trim($_GET['id'])); The rest of the sanitation I have is $_POST, should it be? Now I have this code in the script: if (!isset($_GET['id'])) { $query = "SELECT * FROM ncmr WHERE id = '$id'"; } else { $query = "SELECT * FROM ncmr WHERE id = '" . $_GET['id'] . "'"; } Where am I not doing it correctly? The only place i am seeing an issue perhaps is here: $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '"$id"'"; Am I wrong? If not, then what do I need to solve this issue? Here is the code as it stands now: <?php require_once('../connectvars.php'); echo '<div id="postwrap">' ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>PDI NCMR - Edit</title> <link rel="stylesheet" type="text/css" href="../CSS/postie.css" /> </head> <body> <div id="logo"> <img src="../images/PDI_Logo_2.1.gif" alt="PDI Logo" /> </div> <?php if (isset($_POST['submit'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Enter data into the database $id = mysqli_real_escape_string($dbc, trim($_GET['id'])); $ab = mysqli_real_escape_string($dbc, trim($_POST['ab'])); $date = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime ($_POST['date'])))); $part = mysqli_real_escape_string($dbc, trim($_POST['part'])); $rev = mysqli_real_escape_string($dbc, trim($_POST['rev'])); $partdesc = mysqli_real_escape_string($dbc, trim($_POST['partdesc'])); $ncmrqty = mysqli_real_escape_string($dbc, trim($_POST['ncmrqty'])); $comp = mysqli_real_escape_string($dbc, trim($_POST['comp'])); $ncmrid = mysqli_real_escape_string($dbc, trim($_POST['ncmrid'])); $rma = mysqli_real_escape_string($dbc, trim($_POST['rma'])); $jno = mysqli_real_escape_string($dbc, trim($_POST['jno'])); $fdt = mysqli_real_escape_string($dbc, trim($_POST['fdt'])); $cof = mysqli_real_escape_string($dbc, trim($_POST['cof'])); $fab1= mysqli_real_escape_string($dbc, trim($_POST['fab1'])); $fab2= mysqli_real_escape_string($dbc, trim($_POST['fab2'])); $fab3= mysqli_real_escape_string($dbc, trim($_POST['fab3'])); $non= mysqli_real_escape_string($dbc, trim($_POST['non'])); $dis= mysqli_real_escape_string($dbc, trim($_POST['dis'])); $comm= mysqli_real_escape_string($dbc, trim($_POST['comm'])); $caad= mysqli_real_escape_string($dbc, trim($_POST['caad'])); $po= mysqli_real_escape_string($dbc, trim($_POST['po'])); $pod = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime($_POST['pod'])))); $dri = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime($_POST['dri'])))); $query = "UPDATE ncmr SET ab = '$ab', date = '$date', part = '$part', rev = '$rev' , partdesc = '$partdesc' , ncmrqty = '$ncmrqty' , comp = '$comp' , ncmrid = '$ncmrid' , rma = '$rma' , jno = '$jno' , fdt = '$fdt' , cof = '$cof' , fab1 = '$fab1' , fab2 = '$fab2' , fab3 = fab3' , non = '$non' , dis = '$dis' , comm = '$comm' , caad = '$caad' , po = '$po' , pod = '$pod' , dri = '$dri' WHERE id = '"$id"'"; // echo your raw query and look for obvious errors echo "Query is : " . $query . "<br />"; // and at least use a basic mechanism to trap possibles errors mysqli_query($dbc, $query) or die('Query Error : ' . mysqli_error($dbc)); // Clear the form data $id = ""; $ab = ""; $date = ""; $part = ""; $rev = ""; $partdesc = ""; $ncmrqty = ""; $comp = ""; $ncmrid = ""; $rma = ""; $jno = ""; $fdt = ""; $cof = ""; $fab1= ""; $fab2= ""; $fab3= ""; $non= ""; $dis= ""; $comm= ""; $caad= ""; $po= ""; $pod = ""; $dri = ""; // Confirm success with the user echo '<p>If you wish to edit more NCMRs, please <a href="list.php">go to the admin page!</a></p>'; mysqli_close($dbc); } else { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Grab the profile data from the database if (!isset($_GET['id'])) { $query = "SELECT * FROM ncmr WHERE id = '$id'"; } else { $query = "SELECT * FROM ncmr WHERE id = '" . $_GET['id'] . "'"; } $data = mysqli_query($dbc, $query); if (mysqli_num_rows($data) == 1) { // The user row was found so display the user data $row = mysqli_fetch_array($data); echo'<div id="title"><h3 id="NCMR2">Non-Conforming Materials Report (NCMR: ' . $row['rma'] . ')</h3></div>'; echo '<form action="p.php?id=<?php echo $id;?>" method="POST">' echo '<fieldset>'; echo '<div id="box1">'; if (empty($row['ab'])) $row['ab'] = "Empty"; if (empty($row['date'])) $row['date'] = "Empty"; if (empty($row['part'])) $row['part'] = "Empty"; if (empty($row['rev'])) $row['rev'] = "Empty"; if (empty($row['partdesc'])) $row['partdesc'] = "Empty"; if (empty($row['ncmrqty'])) $row['ncmrqty'] = "Empty"; echo '<div id="ab"><span class="b">Added By: </span><input type="text" name="ab" value="' . $row['ab'] . '" /></div>'; echo '<div id="date"><span class="b">Date Filed: </span><input type="text" name="date" value="' . $row['date'] . '" /></div>'; echo '<div id="part"><span class="b">Part Number: </span><input type="text" name="part" value="' . $row['part'] . '" /></div>'; echo '<div id="rev"><span class="b">Part Revision: </span><input type="text" name="rev" value="' . $row['rev'] . '" /></div>'; echo '<div id="partdesc"><span class="b">Part Description: </span><textarea rows="4" cols="22">' . $row['partdesc'] . '</textarea></div>'; echo '<div id="ncmrqty"><span class="b">NCMR Qty: </span><input type="text" name="ncmrqty" value="' . $row['ncmrqty'] . '" /></div>'; echo '</div>'; //Company, Customer NCMR, Internal RMA, and Job Number echo '<div id="box2">'; if (empty($row['comp'])) $row['comp'] = "Empty"; if (empty($row['ncmrid'])) $row['ncmrid'] = "Empty"; if (empty($row['rma'])) $row['rma'] = "Empty"; if (empty($row['jno'])) $row['jno'] = "Empty"; echo '<div id="comp"><span class="b">Company: </span><input type="text" name="comp" value="' . $row['comp'] . '" /></div>'; echo '<div id="ncmrid"><span class="b">Customer NCMR ID: </span><input type="text" name="ncmrid" value="' . $row['ncmrid'] . '" /></div>'; echo '<div id="rma"><span class="b">Internal RMA #: </span><input type="text" name="rma" value="' . $row['rma'] . '" /></div>'; echo '<div id="jno"><span class="b">Job #: </span><input type="text" name="jno" value="' . $row['jno'] . '" /></div>'; echo '</div>'; //Type of Failure and Class of Failure echo '<div id="box3">'; echo '<h2>Failure</h2>'; echo '<div id="cof"><span class="b">Class of Failure: </span><input type="text" name="cof" size="15" value="' . $row['cof'] . '" /></div>'; echo '<div id="fdt"><span class="b">Failure Due To: </span><input type="text" name="fdt" size="15" value="' . $row['fdt'] . '" /></div>'; echo '</div>'; //Fabricators echo '<div id="box4">'; echo '<h2>Fabricators</h2>'; if ($row['fab1']="--None--") { echo'<div id="fab1">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab1'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } else { echo'<div id="fab1">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab1'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } if ($row['fab2']="--None--") { echo'<div id="fab2">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab2'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } else { echo '<div id="fab2"><span class="b"></span><input type="text" name="fab1" size="20" value="' . $row['fab1'] . '" /></div>'; echo '</div>'; } if ($row['fab3']="--None--") { echo'<div id="fab3">'; $mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $mysqli->select_db('user'); $result = $mysqli->query("SELECT * FROM user"); echo "<SELECT name='fab3'>\n"; while($row = $result->fetch_assoc()) { echo "<option value='{$row['user']}'>{$row['user']}</option>\n"; } echo "</select>\n"; echo '</div>'; } else { echo '<div id="fab3"><span class="b"></span><input type="text" name="fab1" size="20" value="' . $row['fab1'] . '" /></div>'; echo '</div>'; } echo '</div>'; //Nonconformity, Disposition, Comments and Comments & Additional Details echo '<div id="box5">'; if (empty($row['non'])) $row['non'] = "Empty"; if (empty($row['dis'])) $row['dis'] = "Empty"; if (empty($row['comm'])) $row['comm'] = "Empty"; if (empty($row['caad'])) $row['caad'] = "Empty"; echo '<div id="non"><span class="b">Nonconformity: </span><textarea rows="4" cols="105">' . $row['non'] . '</textarea></div>'; echo '<div id="dis"><span class="b">Disposition: </span><textarea rows="4" cols="105">' . $row['dis'] . '</textarea></div>'; echo '<div id="comm"><span class="b">Comments: </span><textarea rows="4" cols="105">' . $row['comm'] . '</textarea></div>'; echo '<div id="caad"><span class="b">Comments and/or Additional Details: </span><textarea rows="4" cols="105">' . $row['caad'] . '</textarea></div>'; echo '<div id="podr">'; if (empty($row['po'])) $row['po'] ="Empty"; if (empty($row['pod'])) $row['pod'] ="Empty"; if (empty($row['dir'])) $row['dri'] ="Empty"; echo '<div id="po"><span class="b">PO: </span><input type="text" name="po" size="7" value="' . $row['po'] . '" /></div>'; echo '<div id="pod"><span class="b">PO Date: </span><input type="text" name="pod" size="7" value="' . $row['pod'] . '" /></div>'; echo '<div id="dri"><span class="b">Date Received: </span><input type="text" name="dri" size="7" value="' . $row['dri'] . '" /></div>'; echo '</div>'; echo '<div id="button2"><input type="submit" value="Submit Edits" name="submit" /></div>'; echo '</div>'; echo '</fieldset>'; echo '</form>'; } } echo '</div>'; ?> </body> </html> Quote Link to comment https://forums.phpfreaks.com/topic/254806-code-posts-correctly-but-when-updating-it-doesnt-can-someone-help-solve-this/#findComment-1306988 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.