hecrowell Posted March 12, 2014 Share Posted March 12, 2014 (edited) The following script for vacaroutes.php is supposed to allow Add, Update and Delete routes for my Virtual Airline. The add seems to work fine, but if I try to update or delete, EVERYTHING gets upated or deleted. Have looked and looked at the script and it sure looks identical to the master mydata5.php with only essential items renamed. The master that I used works perfectly and is called mydata5.php My coding is pretty poor as I am just in the process of trying to learn php, so any help will be very much appreciated (obviously I have omitted the user and PW for both scripts) mydata5.php <html> <head> </head> <body> <?php $con = mysql_connect("localhost","",""); if (!$con){ die("Can not connect: " . mysql_error()); } //snippets id\s the name for his database mysql_select_db("snippets",$con); if(isset($_POST['update'])){ //lectures is the name for his table $UpdateQuery = "UPDATE lectures SET Topic='$_POST[topic]', Name='$_POST[name]', Attendance='$_POST[attendance]' WHERE Topic='$_POST[hidden]'"; mysql_query($UpdateQuery, $con); }; if(isset($_POST['delete'])){ $DeleteQuery = "DELETE FROM lectures WHERE Topic='$_POST[hidden]'"; mysql_query($DeleteQuery, $con); }; if(isset($_POST['add'])){ $AddQuery = "INSERT INTO lectures (Topic, Name, Attendance) VALUES ('$_POST[utopic]','$_POST[uname]','$_POST[uattendance]')"; mysql_query($AddQuery, $con); }; $sql = "SELECT * FROM lectures"; $myData = mysql_query($sql,$con); echo "<table border=1> <tr> <th>Topic</th> <th>Name</th> <th>Attendance</th> </tr>"; while($record = mysql_fetch_array($myData)){ echo "<form action=mydata5.php method=post>"; echo "<tr>"; echo "<td>" . "<input type=text name=topic value=" . $record['Topic'] . " </td>"; echo "<td>" . "<input type=text name=name value=" . $record['Name'] . " </td>"; echo "<td>" . "<input type=text name=attendance value=" . $record['Attendance'] . " </td>"; echo "<td>" . "<input type=hidden name=hidden value=" . $record['Topic'] . " </td>"; echo "<td>" . "<input type=submit name=update value=update" . " </td>"; echo "<td>" . "<input type=submit name=delete value=delete" . " </td>"; echo "</tr>"; echo "</form>"; } echo "<form action=mydata5.php method=post>"; echo "<tr>"; echo "<td><input type=text name=utopic></td>"; echo "<td><input type=text name=uname></td>"; echo "<td><input type=text name=uattendance></td>"; echo "<td>" . "<input type=submit name=add value=add" . " </td>"; echo "</form>"; echo "</table>"; mysql_close($con); ?> </body> </html> vacaroutes.php <html> <head> </head> <body> <?php //the following connects to localhost and checks for errors $con = mysql_connect("localhost","",""); if (!$con){ die("Can not connect: " . mysql_error()); } //The following connects to the "routes" database mysql_select_db("routes",$con); //This is the Update Section if(isset($_POST['update'])){ $UpdateQuery = "UPDATE routing SET Depart='$_POST[depart]', Arrive1='$_POST[arrive1]', Name1='$_POST[name1]' WHERE Depart='$_POST[hidden]'"; mysql_query($UpdateQuery, $con); }; //This is the Delete Section if(isset($_POST['delete'])){ $DeleteQuery = "DELETE FROM routing WHERE Depart='$_POST[hidden]'"; mysql_query($DeleteQuery, $con); }; //this is the Add new route Section if(isset($_POST['add'])){ $AddQuery = "INSERT INTO routing (Depart, Arrive1, Name1) VALUES ('$_POST[udepart]','$_POST[uarrive1]','$_POST[uname1]')"; mysql_query($AddQuery, $con); }; //This creates the table data for viewing $sql = "SELECT * FROM routing"; $myData = mysql_query($sql,$con); echo "<table border=1> <tr> <th>Depart</th> <th>Arrive1</th> <th>Name1</th> </tr>"; //this fetches the data to insert into the table and provides the Update and Delete Buttons while($record = mysql_fetch_array($myData)){ echo "<form action=vacaroutes.php method=post>"; echo "<tr>"; echo "<td>" . "<input type=text name=depart value=" . $record['Depart'] . " </td>"; echo "<td>" . "<input type=text name=arrive1 value=" . $record['Arrive1'] . " </td>"; echo "<td>" . "<input type=text name=name1 value=" . $record['Name1'] . " </td>"; echo "<td>" . "<input type=hidden name=hidden value=" . $record['Depart'] . " </td>"; echo "<td>" . "<input type=submit name=update value=update" . " </td>"; echo "<td>" . "<input type=submit name=delete value=delete" . " </td>"; echo "</tr>"; echo "</form>"; }//This provides the Add button echo "<form action=vacaroutes.php method=post>"; echo "<tr>"; echo "<td><input type=text name=udepart></td>"; echo "<td><input type=text name=uarrive1></td>"; echo "<td><input type=text name=uname1></td>"; echo "<td>" . "<input type=submit name=add value=add" . " </td>"; echo "</form>"; echo "</table>"; mysql_close($con); ?> </body> </html> Edited March 12, 2014 by hecrowell Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted March 12, 2014 Share Posted March 12, 2014 There are few syntax errors in your HTML. The main ones being you have not wrapped the input field values within quotes, and you have left of the > for closing the input tag. The following code is your form html fixed echo '<form action="vacaroutes.php" method="post"> <tr> <td><input type="text" name="depart" value="' . $record['Depart'] . '"></td> <td><input type="text" name="arrive1" value="' . $record['Arrive1'] . '"</td> <td><input type="text" name="name1" value="' . $record['Name1'] . '"</td> <td><input type="hidden" name="hidden" value="' . $record['Depart'] . '"></td> <td><input type="submit" name="update" value="update"></td> <td><input type="submit" name="delete" value="delete"></td> </tr> </form>'; The next major problem is your are using raw $_POST data in an SQL query. This is very dangerous and can lead to SQL injection attacks, which could allow an attacker to compromise your database. To prevent these attacks you should at least validate the user input before doing anything with it and secondly sanitize it so it can be handled safely within an SQL query. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.