Icewolf, posted October 21, 2013
Link to comment: https://forums.phpfreaks.com/topic/283137-update-button/

Hi, I am trying to create a button so the user can update points. I have a button so that it displays what is in the database, but I want another button to update the database. Here is the script for the button:

```php
<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'timeout.php';

echo '<h2>Review Member Rewards</h2>';

if($_SESSION['signed_in'] == false | $_SESSION['user_level'] != 1 )
{
    //the user is not an admin
    echo 'Sorry, you do not have sufficient rights to access this page.';
}
else
{
    $sql = "select member, cat_name from rewards, users where member = user_name";
    $result = mysql_query($sql);
    if(!$result)
    {
        //the query failed, uh-oh :-(
        echo 'Error while selecting from database. Please try again later.';
    }
    else
    {
        $dropdown = "<select name='mem'>";
        $catdropdown = "<select name='catdp'>";
        while($row = mysql_fetch_assoc($result))
        {
            $dropdown .= "\r\n<option value='{$row['member']}'>{$row['member']}</option>";
            $catdropdown .= "\r\n<option value = '{$row['cat_name']} '>{$row['cat_name']}</option>";
        }
        $dropdown .= "\r\n</select>";
        $catdropdown .= "\r\n</select>";
        echo '
        <form action="" method="post">' . $dropdown . ' ' . $catdropdown . '
            <input type="text" name="max_point_cont" value="" />
            <input type="text" name="points_earn_cont" value="" />
            <input type="submit" value="Get Results">;
            <input type="submit" name="update" value="Update Rewards" onclick="action='updaterew.php'">;
        </form>';
    }

    // only query the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {
        $post_sql = "select member, cat_name, point_earn, max_point from rewards where member = '" . mysql_real_escape_string($_POST['mem']) . "' and cat_name = '" . mysql_real_escape_string($_POST['catdp']) . "'";
        $result_post = mysql_query($post_sql);
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            echo '<table border="1">
                <tr>
                    <th>Member</th>
                    <th>Category</th>
                    <th>Points Earned</th>
                    <th>Max Points</th>
                </tr>';
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>' . $row['point_earn'] . '</td>';
                echo '<td>' . $row['max_point'] . '</td>';
                echo '</tr>';
            }
            echo '</table>';
        }
    }
}
?>
```

Then here is the update query:

```php
<!DOCTYPE html>
<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'timeout.php';

if($_SERVER['REQUEST_METHOD'] != 'POST')
{
    //someone is calling the file directly, which we don't want
    echo 'This file cannot be called directly.';
}
else
{
    //check for sign in status
    if(!$_SESSION['signed_in'])
    {
        echo 'You must be signed in to post a reply.';
    }
    else
    {
        //a real user posted a real reply
        $sql = "UPDATE `rewards` SET `max_point`= `max_point`+ '" . $_POST['max_point_cont'] . "',`point_earn`= `point_earn` + '" . $_POST['points_earn_cont'] . "' WHERE member = '" . mysql_real_escape_string($_POST['mem']) . "' and cat_name = '" . mysql_real_escape_string($_POST['catdp']) . "'";
        $result = mysql_query($sql);
        if(!$result)
        {
            echo 'Your reply has not been saved, please try again later.';
        }
        else
        {
            echo 'Your rewards have been updated.';
        }
    }
}
include 'footer.php';
?>
```
Solution: Ch0cu3r, posted October 21, 2013 (edited)

You need two forms. One form for the drop downs and the other form for setting/updating the rewards. So change

```php
        echo '
        <form action="" method="post">' . $dropdown . ' ' . $catdropdown . '
            <input type="text" name="max_point_cont" value="" />
            <input type="text" name="points_earn_cont" value="" />
            <input type="submit" value="Get Results">;
            <input type="submit" name="update" value="Update Rewards" onclick="action='updaterew.php'">;
        </form>';
    }

    // only query the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {
        $post_sql = "select member, cat_name, point_earn, max_point from rewards where member = '" . mysql_real_escape_string($_POST['mem']) . "' and cat_name = '" . mysql_real_escape_string($_POST['catdp']) . "'";
        $result_post = mysql_query($post_sql);
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            echo '<table border="1">
                <tr>
                    <th>Member</th>
                    <th>Category</th>
                    <th>Points Earned</th>
                    <th>Max Points</th>
                </tr>';
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>' . $row['point_earn'] . '</td>';
                echo '<td>' . $row['max_point'] . '</td>';
                echo '</tr>';
            }
            echo '</table>';
        }
    }
```

to

```php
        echo '
        <form action="" method="post">' . $dropdown . ' ' . $catdropdown . '
            <input type="submit" value="Get Results">
        </form>';
    }

    // only query the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {
        $post_sql = "select member, cat_name, point_earn, max_point from rewards where member = '" . mysql_real_escape_string($_POST['mem']) . "' and cat_name = '" . mysql_real_escape_string($_POST['catdp']) . "'";
        $result_post = mysql_query($post_sql);
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            // display new form for changing points
            // mem and catdp are hidden form fields
            echo '<form action="updaterew.php" method="post">
                <input type="hidden" name="mem" value="' . $_POST['mem'] . '" />
                <input type="hidden" name="catdp" value="' . $_POST['catdp'] . '" />
                <input type="text" name="max_point_cont" value="" />
                <input type="text" name="points_earn_cont" value="" />
                <input type="submit" name="update" value="Update Rewards">
            </form>';

            echo '<table border="1">
                <tr>
                    <th>Member</th>
                    <th>Category</th>
                    <th>Points Earned</th>
                    <th>Max Points</th>
                </tr>';
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>' . $row['point_earn'] . '</td>';
                echo '<td>' . $row['max_point'] . '</td>';
                echo '</tr>';
            }
            echo '</table>';
        }
    }
```

You need to be sanitizing all post fields in your update query:

```php
        //a real user posted a real reply
        $sql = "UPDATE `rewards` SET `max_point`= `max_point`+ '" . $_POST['max_point_cont'] . "',`point_earn`= `point_earn` + '" . $_POST['points_earn_cont'] . "' WHERE member = '" . mysql_real_escape_string($_POST['mem']) . "' and cat_name = '" . mysql_real_escape_string($_POST['catdp']) . "'";
```

Change the above to

```php
        //a real user posted a real reply
        $sql = sprintf("UPDATE `rewards` SET `max_point`= `max_point`+ '%d',`point_earn`= `point_earn` + '%d' WHERE member = '%s' AND cat_name = '%s'",
            (int) $_POST['max_point_cont'],   /* make sure only number */
            (int) $_POST['points_earn_cont'], /* make sure only number */
            mysql_real_escape_string($_POST['mem']),
            mysql_real_escape_string($_POST['catdp'])
        );
```

Edited October 21, 2013 by Ch0cu3r
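The following is an added example, not code from either poster. It shows concretely why the unescaped `max_point_cont` and `points_earn_cont` concatenation in the original `updaterew.php` matters: a constructed hostile value closes the quoted literal and rewrites the statement so that the `WHERE` clause no longer limits the update to one member. It then rewrites the same update with a PDO prepared statement, which is the modern replacement for the `mysql_*` functions used in the thread (they were deprecated in PHP 5.5 and removed in PHP 7). The table layout and rows are constructed for the demo; only the column names (`member`, `cat_name`, `point_earn`, `max_point`) come from the thread. `parse_delta` and `update_rewards` are names chosen here, not part of the original scripts.

```php
<?php
declare(strict_types=1);

// --- 1. What the thread's original string concatenation produces ------------
// Mirrors the original updaterew.php query: only member/cat_name are escaped,
// the two point deltas are pasted into the SQL text as-is.
function unsafe_update_sql(string $maxDelta, string $earnDelta, string $member, string $cat): string
{
    return "UPDATE `rewards` SET `max_point` = `max_point` + '" . $maxDelta . "',"
         . " `point_earn` = `point_earn` + '" . $earnDelta . "'"
         . " WHERE member = '" . addslashes($member) . "'"
         . " AND cat_name = '" . addslashes($cat) . "'";
}

// Constructed hostile value for max_point_cont. The quote closes the literal,
// the middle overwrites point_earn for every row, and "-- " comments out the
// rest of the statement, including the WHERE clause.
$hostile = "0', point_earn = 9999 WHERE 1=1 -- ";
echo unsafe_update_sql($hostile, '5', 'alice', 'reading'), PHP_EOL;
// Resulting statement, before the comment marker:
//   UPDATE `rewards` SET `max_point` = `max_point` + '0', point_earn = 9999 WHERE 1=1

// --- 2. Hardened version: validate the numbers, bind every value -------------
// Reject anything that is not a plain integer instead of silently casting;
// (int) "0', point_earn = 9999 ..." would become 0, which hides the attempt.
function parse_delta(mixed $raw): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    if ($v === false) {
        throw new InvalidArgumentException('point delta must be an integer');
    }
    return $v;
}

// Bound parameters are sent as data, never parsed as SQL, so no escaping of
// member/cat_name is needed either. Returns the number of rows changed.
function update_rewards(PDO $db, string $member, string $cat, int $maxDelta, int $earnDelta): int
{
    $stmt = $db->prepare(
        'UPDATE rewards SET max_point = max_point + :max_d, point_earn = point_earn + :earn_d'
        . ' WHERE member = :member AND cat_name = :cat'
    );
    $stmt->bindValue(':max_d', $maxDelta, PDO::PARAM_INT);
    $stmt->bindValue(':earn_d', $earnDelta, PDO::PARAM_INT);
    $stmt->bindValue(':member', $member, PDO::PARAM_STR);
    $stmt->bindValue(':cat', $cat, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demo against an in-memory SQLite table (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rewards (member TEXT, cat_name TEXT, point_earn INTEGER, max_point INTEGER)');
$db->exec("INSERT INTO rewards VALUES ('alice', 'reading', 10, 100), ('bob', 'reading', 20, 100)");

$changed = update_rewards($db, 'alice', 'reading', parse_delta('5'), parse_delta('3'));
echo "rows changed: $changed", PHP_EOL;   // rows changed: 1

// The same hostile string is now rejected before any SQL is built.
try {
    parse_delta($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// alice: point_earn 13, max_point 105; bob is untouched.
$rows = $db->query('SELECT member, point_earn, max_point FROM rewards ORDER BY member')
           ->fetchAll(PDO::FETCH_ASSOC);
print_r($rows);
```

Two further checks visible in the thread's own code are worth carrying over: the review page refuses anyone whose `user_level` is not 1, but `updaterew.php` only checks `signed_in`, so the update handler should repeat the admin check rather than trust that the form was reached through the review page; and the hidden `mem` and `catdp` fields in the accepted answer echo `$_POST` values straight back into HTML, so wrap them in `htmlspecialchars()` when printing the form.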
Icewolf (author), posted October 26, 2013

Thanks a lot, that worked.