Jump to content

Update Button


Icewolf
Go to solution Solved by Ch0cu3r,

Recommended Posts

Hi

I am trying to create a button so the user can update points. I have a button so that it displays what is in the data base but I want another button to update the database.

 

Here is the script for the button

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'timeout.php';

echo '<h2>Review Member Rewards</h2>';
if($_SESSION['signed_in'] == false | $_SESSION['user_level'] != 1 )
{
    //the user is not an admin
    echo 'Sorry, you do not have sufficient rights to access this page.';
}
else
{
     $sql = "select member, cat_name from rewards, users
            where member = user_name";
     $result = mysql_query($sql);
 
     if(!$result)
    {
        //the query failed, uh-oh :-(
        echo 'Error while selecting from database. Please try again later.';
    }
    else
    {
 
        $dropdown = "<select name='mem'>";
        $catdropdown = "<select name='catdp'>";
        while($row = mysql_fetch_assoc($result))
        {
              $dropdown .= "\r\n<option value='{$row['member']}'>{$row['member']}</option>";
            $catdropdown .="\r\n<option value = '{$row['cat_name']} '>{$row['cat_name']}</option>";
        
        
        }
        $dropdown .= "\r\n</select>";
        $catdropdown .="\r\n</select>";

        echo '
        <form action="" method="post">' .
          $dropdown.'
          '. $catdropdown. '
        
          <input type="text" name="max_point_cont" value="" />
          <input type="text" name="points_earn_cont" value="" />
          <input type="submit" value="Get Results">;
          <input type="submit" name="update" value="Update Rewards" onclick="action='updaterew.php'">;
        </form>';
    }

    // only qeury the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {  
        $post_sql = "select member, cat_name, point_earn, max_point
        from rewards
        where member = '" . mysql_real_escape_string($_POST['mem']) . "'
        and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

        $result_post = mysql_query($post_sql);
    
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            echo '<table border="1">
                    <tr>
                      <th>Member</th>
                      <th>Category</th>
                      <th>Points Earned</th>
                      <th>Max Points</th>
                    </tr>';    
                
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>'. $row['point_earn']. '</td>';
                echo '<td>' . $row['max_point']. '</td>';
                
                 echo '</tr>';
            }

            echo '</table>';
        }
        
    }
}

?>

Then here is the update query.

<!DOCTYPE html>
<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'timeout.php';

if($_SERVER['REQUEST_METHOD'] != 'POST')
{
	//someone is calling the file directly, which we don't want
	echo 'This file cannot be called directly.';
}
else
{
	//check for sign in status
	if(!$_SESSION['signed_in'])
	{
		echo 'You must be signed in to post a reply.';
	}
	else
	{
		//a real user posted a real reply
		$sql = "UPDATE `rewards` SET `max_point`= `max_point`+ '" . $_POST['max_point_cont'] . "',`point_earn`= `point_earn` + '" . $_POST['points_earn_cont'] . "' WHERE member = '" . mysql_real_escape_string($_POST['mem']) . "'
		and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;
						
		$result = mysql_query($sql);
						
		if(!$result)
		{
			echo 'Your reply has not been saved, please try again later.';
		}
		else
		{
			echo 'Your rewards have been updated.'
	}
}

include 'footer.php';
?>
	
	
Link to comment
Share on other sites

  • Solution

You need two forms. One form for the drop downs and the other form for setting/updating the rewards.

 

So change

        echo '
        <form action="" method="post">' .
          $dropdown.'
          '. $catdropdown. '
        
          <input type="text" name="max_point_cont" value="" />
          <input type="text" name="points_earn_cont" value="" />
          <input type="submit" value="Get Results">;
          <input type="submit" name="update" value="Update Rewards" onclick="action='updaterew.php'">;
        </form>';
    }

    // only qeury the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {  
        $post_sql = "select member, cat_name, point_earn, max_point
        from rewards
        where member = '" . mysql_real_escape_string($_POST['mem']) . "'
        and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

        $result_post = mysql_query($post_sql);
    
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            echo '<table border="1">
                    <tr>
                      <th>Member</th>
                      <th>Category</th>
                      <th>Points Earned</th>
                      <th>Max Points</th>
                    </tr>';    
                
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>'. $row['point_earn']. '</td>';
                echo '<td>' . $row['max_point']. '</td>';
                
                 echo '</tr>';
            }

            echo '</table>';
        }
        
    }

to

        echo '
        <form action="" method="post">' .
          $dropdown.'
          '. $catdropdown. '
          <input type="submit" value="Get Results">
        </form>';
    }

    // only qeury the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {  
        $post_sql = "select member, cat_name, point_earn, max_point
        from rewards
        where member = '" . mysql_real_escape_string($_POST['mem']) . "'
        and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

        $result_post = mysql_query($post_sql);
    
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            // display new form for changing points
            // mem and catdp are hidden form fields
            echo '<form action="updaterew.php" method="post">
          <input type="hidden" name="mem" value="'.$_POST['mem'].'" />
          <input type="hidden" name="catdp" value="'.$_POST['catdp'].'" />
          <input type="text" name="max_point_cont" value="" />
          <input type="text" name="points_earn_cont" value="" />
          <input type="submit" name="update" value="Update Rewards">;
        </form>';

            echo '<table border="1">
                    <tr>
                      <th>Member</th>
                      <th>Category</th>
                      <th>Points Earned</th>
                      <th>Max Points</th>
                    </tr>';    
                
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>'. $row['point_earn']. '</td>';
                echo '<td>' . $row['max_point']. '</td>';
                
                 echo '</tr>';
            }

            echo '</table>';
        }
        
    }

you need to be sanitizing all post fields in your update query

		//a real user posted a real reply
		$sql = "UPDATE `rewards` SET `max_point`= `max_point`+ '" . $_POST['max_point_cont'] . "',`point_earn`= `point_earn` + '" . $_POST['points_earn_cont'] . "' WHERE member = '" . mysql_real_escape_string($_POST['mem']) . "'
		and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

Change the above to

        //a real user posted a real reply
        $sql = sprintf("UPDATE `rewards` 
                        SET `max_point`= `max_point`+ '%d',`point_earn`= `point_earn` + '%d' 
                        WHERE member = '%s' AND cat_name = '%s'",
                                                                    (int) $_POST['max_point_cont'],         /* make sure only number */
                                                                    (int) $_POST['points_earn_cont'],       /* make sure only number */
                                                                    mysql_real_escape_string($_POST['mem']),
                                                                    mysql_real_escape_string($_POST['catdp'])
        );
Edited by Ch0cu3r
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.