Edit form with PDO

[phpnewbfreak]

I've created a form that allows users to edit data from a database. On a previous page, they select what they want to edit and it takes them to this page. This page isn't secure as it's not done with PDO. I've been able to update all the other pages to PDO, but not this. I'm stuck and the examples I've read on the internet haven't been much help. Any ideas on how I could adjust this code to make it more secure?

<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/

// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>

}
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Program:</strong> <input type="text" name="program" value="<?php echo $program; ?>"/><br/>
<strong>Date of Content: </strong> <input type="text" name="airdate" value="<?php echo $airdate; ?>"/><br/>
<strong>Description:</strong> <input type="text" name="description" value="<?php echo $description; ?>"/><br/>
<strong>On-Air:</strong> <input type="text" name="production" value="<?php echo $production; ?>"/><br/>
<strong>Promotion:</strong> <input type="text" name="promotion" value="<?php echo $promotion; ?>"/><br/>
<strong>Community:</strong> <input type="text" name="community" value="<?php echo $community; ?>"/><br/>
<strong>Web:</strong> <input type="text" name="web" value="<?php echo $web; ?>"/><br/>

<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}



// connect to the database
include('connect-db.php');

// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$program = mysql_real_escape_string(htmlspecialchars($_POST['program']));
$airdate = mysql_real_escape_string(htmlspecialchars($_POST['airdate']));
$description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
$production = mysql_real_escape_string(htmlspecialchars($_POST['production']));
$promotion = mysql_real_escape_string(htmlspecialchars($_POST['promotion']));
$community = mysql_real_escape_string(htmlspecialchars($_POST['community']));
$web = mysql_real_escape_string(htmlspecialchars($_POST['web']));


// check that firstname/lastname fields are both filled in
if ($production == '' || $airdate == '' )
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';

//error, display form
renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE calendar SET program='$program', airdate='$airdate', description='$description', production='$production', promotion='$promotion', community='$community', web='$web' WHERE id='$id'")
or die(mysql_error());

<?php
/* 
 EDIT.PHP
 Allows user to edit specific entry in database
*/

 // creates the edit record form
 // since this form is used multiple times in this file, I have made it a function that is easily reusable
 function renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error)
 {
 ?>
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
 <html>
 <head>
 <title>Edit Record</title>
 </head>
 <body>

 <?php 
 // if there are any errors, display them
 if ($error != '')
 {
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
 }
 ?> 

 }
 <form action="" method="post">
 <input type="hidden" name="id" value="<?php echo $id; ?>"/>
 <div>
 <p><strong>ID:</strong> <?php echo $id; ?></p>
 <strong>Program:</strong> <input type="text" name="program" value="<?php echo $program; ?>"/><br/>
 <strong>Date of Content: </strong> <input type="text" name="airdate" value="<?php echo $airdate; ?>"/><br/>
 <strong>Description:</strong> <input type="text" name="description" value="<?php echo $description; ?>"/><br/>
 <strong>On-Air:</strong> <input type="text" name="production" value="<?php echo $production; ?>"/><br/>
 <strong>Promotion:</strong> <input type="text" name="promotion" value="<?php echo $promotion; ?>"/><br/>
 <strong>Community:</strong> <input type="text" name="community" value="<?php echo $community; ?>"/><br/>
 <strong>Web:</strong> <input type="text" name="web" value="<?php echo $web; ?>"/><br/>

 <input type="submit" name="submit" value="Submit">
 </div>
 </form> 
 </body>
 </html> 
 <?php
 }



 // connect to the database
 include('connect-db.php');

 // check if the form has been submitted. If it has, process the form and save it to the database
 if (isset($_POST['submit']))
 { 
 // confirm that the 'id' value is a valid integer before getting the form data
 if (is_numeric($_POST['id']))
 {
 // get form data, making sure it is valid
 $id = $_POST['id'];
 $program = mysql_real_escape_string(htmlspecialchars($_POST['program']));
 $airdate = mysql_real_escape_string(htmlspecialchars($_POST['airdate']));
 $description = mysql_real_escape_string(htmlspecialchars($_POST['description']));
 $production = mysql_real_escape_string(htmlspecialchars($_POST['production']));
 $promotion = mysql_real_escape_string(htmlspecialchars($_POST['promotion']));
 $community = mysql_real_escape_string(htmlspecialchars($_POST['community']));
 $web = mysql_real_escape_string(htmlspecialchars($_POST['web']));


 // check that firstname/lastname fields are both filled in
 if ($production == '' || $airdate == '' )
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';

 //error, display form
 renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, $error);
 }
 else
 {
 // save the data to the database
 mysql_query("UPDATE calendar SET program='$program', airdate='$airdate', description='$description', production='$production', promotion='$promotion', community='$community', web='$web' WHERE id='$id'")
 or die(mysql_error()); 

 // once saved, redirect back to the view page
 header("Location: view.php"); 
 }
 }
 else
 {
 // if the 'id' isn't valid, display an error
 echo 'Error!';
 }
 }
 else
 // if the form hasn't been submitted, get the data from the db and display the form
 {

 // get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
 if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
 {
 // query db
 $id = $_GET['id'];
 $result = mysql_query("SELECT * FROM calendar WHERE id=$id")
 or die(mysql_error()); 
 $row = mysql_fetch_array($result);

 // check that the 'id' matches up with a row in the databse
 if($row)
 {

 // get data from db
 $program = $row['program'];
 $airdate = $row['airdate'];
 $description = $row['description'];
 $production = $row['production'];
 $community = $row['community'];
 $promotion = $row['promotion'];
 $web = $row['web'];


 // show form
 renderForm($id, $program, $airdate, $description, $production, $promotion, $community, $web, '');
 }
 else
 // if no match, display result
 {
 echo "No results!";
 }
 }
 else
 // if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
 {
 echo 'Error!';
 }
 }
?>

[mac_gyver]

what have you tried? just posting your existing code doesn't given us anything upon which to help you with. your code above also has about the first 1/3 of the code repeated.