Jump to content

Update Button


Icewolf

Recommended Posts

Hi

I am trying to create a button so the user can update points. I have a button so that it displays what is in the data base but I want another button to update the database.

 

Here is the script for the button

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'timeout.php';

echo '<h2>Review Member Rewards</h2>';
if($_SESSION['signed_in'] == false | $_SESSION['user_level'] != 1 )
{
    //the user is not an admin
    echo 'Sorry, you do not have sufficient rights to access this page.';
}
else
{
     $sql = "select member, cat_name from rewards, users
            where member = user_name";
     $result = mysql_query($sql);
 
     if(!$result)
    {
        //the query failed, uh-oh :-(
        echo 'Error while selecting from database. Please try again later.';
    }
    else
    {
 
        $dropdown = "<select name='mem'>";
        $catdropdown = "<select name='catdp'>";
        while($row = mysql_fetch_assoc($result))
        {
              $dropdown .= "\r\n<option value='{$row['member']}'>{$row['member']}</option>";
            $catdropdown .="\r\n<option value = '{$row['cat_name']} '>{$row['cat_name']}</option>";
        
        
        }
        $dropdown .= "\r\n</select>";
        $catdropdown .="\r\n</select>";

        echo '
        <form action="" method="post">' .
          $dropdown.'
          '. $catdropdown. '
        
          <input type="text" name="max_point_cont" value="" />
          <input type="text" name="points_earn_cont" value="" />
          <input type="submit" value="Get Results">;
          <input type="submit" name="update" value="Update Rewards" onclick="action='updaterew.php'">;
        </form>';
    }

    // only qeury the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {  
        $post_sql = "select member, cat_name, point_earn, max_point
        from rewards
        where member = '" . mysql_real_escape_string($_POST['mem']) . "'
        and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

        $result_post = mysql_query($post_sql);
    
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            echo '<table border="1">
                    <tr>
                      <th>Member</th>
                      <th>Category</th>
                      <th>Points Earned</th>
                      <th>Max Points</th>
                    </tr>';    
                
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>'. $row['point_earn']. '</td>';
                echo '<td>' . $row['max_point']. '</td>';
                
                 echo '</tr>';
            }

            echo '</table>';
        }
        
    }
}

?>

Then here is the update query.

<!DOCTYPE html>
<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'timeout.php';

if($_SERVER['REQUEST_METHOD'] != 'POST')
{
	//someone is calling the file directly, which we don't want
	echo 'This file cannot be called directly.';
}
else
{
	//check for sign in status
	if(!$_SESSION['signed_in'])
	{
		echo 'You must be signed in to post a reply.';
	}
	else
	{
		//a real user posted a real reply
		$sql = "UPDATE `rewards` SET `max_point`= `max_point`+ '" . $_POST['max_point_cont'] . "',`point_earn`= `point_earn` + '" . $_POST['points_earn_cont'] . "' WHERE member = '" . mysql_real_escape_string($_POST['mem']) . "'
		and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;
						
		$result = mysql_query($sql);
						
		if(!$result)
		{
			echo 'Your reply has not been saved, please try again later.';
		}
		else
		{
			echo 'Your rewards have been updated.'
	}
}

include 'footer.php';
?>
	
	
Link to comment
Share on other sites

You need two forms. One form for the drop downs and the other form for setting/updating the rewards.

 

So change

        echo '
        <form action="" method="post">' .
          $dropdown.'
          '. $catdropdown. '
        
          <input type="text" name="max_point_cont" value="" />
          <input type="text" name="points_earn_cont" value="" />
          <input type="submit" value="Get Results">;
          <input type="submit" name="update" value="Update Rewards" onclick="action='updaterew.php'">;
        </form>';
    }

    // only qeury the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {  
        $post_sql = "select member, cat_name, point_earn, max_point
        from rewards
        where member = '" . mysql_real_escape_string($_POST['mem']) . "'
        and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

        $result_post = mysql_query($post_sql);
    
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            echo '<table border="1">
                    <tr>
                      <th>Member</th>
                      <th>Category</th>
                      <th>Points Earned</th>
                      <th>Max Points</th>
                    </tr>';    
                
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>'. $row['point_earn']. '</td>';
                echo '<td>' . $row['max_point']. '</td>';
                
                 echo '</tr>';
            }

            echo '</table>';
        }
        
    }

to

        echo '
        <form action="" method="post">' .
          $dropdown.'
          '. $catdropdown. '
          <input type="submit" value="Get Results">
        </form>';
    }

    // only qeury the rewards table when the form above has been submitted
    if(isset($_POST['mem']))
    {  
        $post_sql = "select member, cat_name, point_earn, max_point
        from rewards
        where member = '" . mysql_real_escape_string($_POST['mem']) . "'
        and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

        $result_post = mysql_query($post_sql);
    
        if(!$result_post)
        {
            //the query failed, uh-oh :-(
            echo 'Error while selecting rewards from database. Please try again later.';
        }
        else
        {
            // display new form for changing points
            // mem and catdp are hidden form fields
            echo '<form action="updaterew.php" method="post">
          <input type="hidden" name="mem" value="'.$_POST['mem'].'" />
          <input type="hidden" name="catdp" value="'.$_POST['catdp'].'" />
          <input type="text" name="max_point_cont" value="" />
          <input type="text" name="points_earn_cont" value="" />
          <input type="submit" name="update" value="Update Rewards">;
        </form>';

            echo '<table border="1">
                    <tr>
                      <th>Member</th>
                      <th>Category</th>
                      <th>Points Earned</th>
                      <th>Max Points</th>
                    </tr>';    
                
            while($row = mysql_fetch_assoc($result_post))
            {
                echo '<tr>';
                echo '<td>' . $row['member'] . '</td>';
                echo '<td>' . $row['cat_name'] . '</td>';
                echo '<td>'. $row['point_earn']. '</td>';
                echo '<td>' . $row['max_point']. '</td>';
                
                 echo '</tr>';
            }

            echo '</table>';
        }
        
    }

you need to be sanitizing all post fields in your update query

		//a real user posted a real reply
		$sql = "UPDATE `rewards` SET `max_point`= `max_point`+ '" . $_POST['max_point_cont'] . "',`point_earn`= `point_earn` + '" . $_POST['points_earn_cont'] . "' WHERE member = '" . mysql_real_escape_string($_POST['mem']) . "'
		and cat_name = '". mysql_real_escape_string($_POST['catdp']) . "'" ;

Change the above to

        //a real user posted a real reply
        $sql = sprintf("UPDATE `rewards` 
                        SET `max_point`= `max_point`+ '%d',`point_earn`= `point_earn` + '%d' 
                        WHERE member = '%s' AND cat_name = '%s'",
                                                                    (int) $_POST['max_point_cont'],         /* make sure only number */
                                                                    (int) $_POST['points_earn_cont'],       /* make sure only number */
                                                                    mysql_real_escape_string($_POST['mem']),
                                                                    mysql_real_escape_string($_POST['catdp'])
        );
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.