Jump to content

Recommended Posts

The following script for vacaroutes.php is supposed to allow Add, Update and Delete routes for my Virtual Airline. The add seems to work fine, but if I try to update or delete, EVERYTHING gets upated or deleted. Have looked and looked at the script and it sure looks identical to the master mydata5.php with only essential items renamed. 

 

The master that I used works perfectly and is called mydata5.php

My coding is pretty poor as I am just in the process of trying to learn php, so any help will be very much appreciated

 

(obviously I have omitted the user and PW for both scripts)

 

 

 

mydata5.php

<html>
<head>
</head>
<body>
<?php
$con = mysql_connect("localhost","","");
if (!$con){
die("Can not connect: " . mysql_error());
}
//snippets id\s the name for his database
mysql_select_db("snippets",$con);
 
if(isset($_POST['update'])){
//lectures is the name for his table
$UpdateQuery = "UPDATE lectures SET Topic='$_POST[topic]', Name='$_POST[name]', Attendance='$_POST[attendance]' WHERE Topic='$_POST[hidden]'";               
mysql_query($UpdateQuery, $con);
};
 
if(isset($_POST['delete'])){
$DeleteQuery = "DELETE FROM lectures WHERE Topic='$_POST[hidden]'";          
mysql_query($DeleteQuery, $con);
};
 
if(isset($_POST['add'])){
$AddQuery = "INSERT INTO lectures (Topic, Name, Attendance) VALUES ('$_POST[utopic]','$_POST[uname]','$_POST[uattendance]')";         
mysql_query($AddQuery, $con);
};
 
 
 
$sql = "SELECT * FROM lectures";
$myData = mysql_query($sql,$con);
echo "<table border=1>
<tr>
<th>Topic</th>
<th>Name</th>
<th>Attendance</th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action=mydata5.php method=post>";
echo "<tr>";
echo "<td>" . "<input type=text name=topic value=" . $record['Topic'] . " </td>";
echo "<td>" . "<input type=text name=name value=" . $record['Name'] . " </td>";
echo "<td>" . "<input type=text name=attendance value=" . $record['Attendance'] . " </td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['Topic'] . " </td>";
echo "<td>" . "<input type=submit name=update value=update" . " </td>";
echo "<td>" . "<input type=submit name=delete value=delete" . " </td>";
echo "</tr>";
echo "</form>";
}
echo "<form action=mydata5.php method=post>";
echo "<tr>";
echo "<td><input type=text name=utopic></td>";
echo "<td><input type=text name=uname></td>";
echo "<td><input type=text name=uattendance></td>";
echo "<td>" . "<input type=submit name=add value=add" . " </td>";
echo "</form>";
echo "</table>";
mysql_close($con);
 
?>
 
</body>
</html>

vacaroutes.php

<html>
<head>
</head>
<body>
<?php
//the following connects to localhost and checks for errors
$con = mysql_connect("localhost","","");
if (!$con){
die("Can not connect: " . mysql_error());
}
//The following connects to the "routes" database
mysql_select_db("routes",$con);
 
//This is the Update Section
if(isset($_POST['update'])){
$UpdateQuery = "UPDATE routing SET Depart='$_POST[depart]', Arrive1='$_POST[arrive1]', Name1='$_POST[name1]' WHERE Depart='$_POST[hidden]'";               
mysql_query($UpdateQuery, $con);
};
//This is the Delete Section
if(isset($_POST['delete'])){
$DeleteQuery = "DELETE FROM routing WHERE Depart='$_POST[hidden]'";          
mysql_query($DeleteQuery, $con);
};
//this is the Add new route Section
if(isset($_POST['add'])){
$AddQuery = "INSERT INTO routing (Depart, Arrive1, Name1) VALUES ('$_POST[udepart]','$_POST[uarrive1]','$_POST[uname1]')";         
mysql_query($AddQuery, $con);
};
 
//This creates the table data for viewing 
$sql = "SELECT * FROM routing";
$myData = mysql_query($sql,$con);
echo "<table border=1>
<tr>
<th>Depart</th>
<th>Arrive1</th>
<th>Name1</th>
</tr>";
//this fetches the data to insert into the table and provides the Update and Delete Buttons
while($record = mysql_fetch_array($myData)){
echo "<form action=vacaroutes.php method=post>";
echo "<tr>";
echo "<td>" . "<input type=text name=depart value=" . $record['Depart'] . " </td>";
echo "<td>" . "<input type=text name=arrive1 value=" . $record['Arrive1'] . " </td>";
echo "<td>" . "<input type=text name=name1 value=" . $record['Name1'] . " </td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['Depart'] . " </td>";
echo "<td>" . "<input type=submit name=update value=update" . " </td>";
echo "<td>" . "<input type=submit name=delete value=delete" . " </td>";
echo "</tr>";
echo "</form>";
}//This provides the Add button
echo "<form action=vacaroutes.php method=post>";
echo "<tr>";
echo "<td><input type=text name=udepart></td>";
echo "<td><input type=text name=uarrive1></td>";
echo "<td><input type=text name=uname1></td>";
echo "<td>" . "<input type=submit name=add value=add" . " </td>";
echo "</form>";
echo "</table>";
mysql_close($con);
 
?>
 
</body>
</html>
Edited by hecrowell
Link to comment
https://forums.phpfreaks.com/topic/286924-update-and-delete-everything/
Share on other sites

There are few syntax errors in your HTML. The main ones being you have not wrapped the input field values within quotes, and you have left of the > for closing the input tag.

 

The following code is your form html fixed

echo '<form action="vacaroutes.php" method="post">
    <tr>
        <td><input type="text" name="depart" value="' . $record['Depart'] . '"></td>
        <td><input type="text" name="arrive1" value="' . $record['Arrive1'] . '"</td>
        <td><input type="text" name="name1" value="' . $record['Name1'] . '"</td>
        <td><input type="hidden" name="hidden" value="' . $record['Depart'] . '"></td>
        <td><input type="submit" name="update" value="update"></td>
        <td><input type="submit" name="delete" value="delete"></td>
    </tr>
</form>';

The next major problem is your are using raw $_POST data in an SQL query. This is very dangerous and can lead to SQL injection attacks, which could allow an attacker to compromise your database. To prevent these attacks you should at least validate the user input before doing anything with it and secondly sanitize it so it can be handled safely within an SQL query.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.