Why will this not submit


l3rodey


Can anyone tell me why this will not submit? It's pretty simple code and the reason there is an if else for whether it does a select or update is unrelated. 

 

It does, however, submit name, stars and location. However, the testimonial will not update. If we update every field, everything will update except for the testimonial. The only difference I can see is that testimonial is a textarea rather than an input field? Please help, it's driving me crazy.

<?php
// $retreat (the mysql_connect() link) and $testimonialID (taken from the URL) are assumed to be set earlier in the page
if($_POST){
	$name = $_POST['name'];
	$stars = $_POST['stars'];
	$testimonial = $_POST['testimonial'];
	$location = $_POST['location'];

	mysql_query("UPDATE testimonials SET name='$name', stars='$stars', testimonial='$testimonial', location='$location' WHERE testimonialID='$testimonialID'", $retreat);

	echo '<a href="./">Back Home</a> | <a href="./testimonials">Testimonials</a><br><br>';
	echo 'Yay, Successful. PS: There is no error handling so this really just means you submitted it.';
} else {

	$getTestimonial = mysql_query("SELECT * FROM testimonials WHERE testimonialID='$testimonialID' LIMIT 1", $retreat);
	while($row = mysql_fetch_array($getTestimonial)){
		$testimonialID = $row['testimonialID'];
		$name = $row['name'];
		$stars = $row['stars'];
		$testimonial = $row['testimonial'];
		$location = $row['location'];
	}
?>

<a href="./">Back Home</a> | <a href="./testimonials">Testimonials</a><br><br>
<form action="testimonials?p=edit&id=<?php echo $testimonialID; ?>" method="POST">

	Name:<br>
	<input type="text" name="name" value="<?php echo $name; ?>"/><br><br>

	Stars:<br>
	<input type="text" name="stars" value="<?php echo $stars; ?>"/><br><br>

	Testimonial:<br>
	<textarea name="testimonial"><?php echo $testimonial; ?></textarea><br><br>

	Location:<br>
	<input type="text" name="location" value="<?php echo $location; ?>"/>

	<input type="submit" name="submit" value="submit" />

</form>
<?php } // end of the else branch that shows the form ?>

Why are you checking if $_POST exists? What is $_POST? If you don't have $_POST defined, but you're checking to see if $_POST exists, it won't submit your form.

 

I suggest using $_SERVER['REQUEST_METHOD']. This will allow the form to be submitted, but you must define the method with $_SERVER['REQUEST_METHOD'].

 

Also, how are you going to validate that each field is appropriately submitted? Let's say you accidentally pressed the "submit" button. Everything in your top code will be submitted with blank entries, causing your current data to be blank as well. This will be havoc when trying to see what the original data for that row was.

 

I would also suggest validating whether each field was correctly entered. If it returns an empty field, print or echo out an error or warning so that the user or person who is using this will check their submission again.

 

You can test it out yourself. Erase all data from the "name" field and submit it. I guarantee you'll have a record of ____ (underscore meaning blank - name), (whatever was inputted for stars), (whatever was inputted for testimonials), and (whatever was inputted in location).

Edited by LeJack

Hi LeJack

$_POST is being checked because it is working; except for the testimonial text area, everything else is working.

Also, look, it's an UPDATE, not an INSERT, so theoretically they shouldn't be blank.

 

This is also designed for an admin panel, and everyone knows that the fields need to be filled in, so no blank data or validation needs to be done.

 

The question is everything works except the testimonial name field. 

Updating and inserting do the same job. Insert inserts into the database if the row doesn't exist; update updates the data if it exists. So when you update the data, it will replace anything you specify in the "update" string. That being said, you are replacing every field in that string, meaning it will update with an empty field if it is not entered correctly.

 

Try this for size.

 

configuration.php

<?php
define("HOST", "");
define("USERNAME", "");
define("PASSWORD", "");
define("DATABASE", "");

// All of the fields are validated and this is a great thing
$db = new mysqli(HOST, USERNAME, PASSWORD, DATABASE);
if($db->connect_error) {
	// Do not display the actual error. Also, it is best to disable error logging onto your screen.
	// Best suggestion is to enable error logging to a file so that you can view it from a safer source
	// Only use this as a debug on a local machine
	// die('Connect Error: ' . $db->connect_error);
	error_log('Database connect error: ' . $db->connect_error); // Goes to the server's error log, not to the browser
	die('Database connection failed.'); // Generic message for the visitor
}

// Check to see if these two parameters are in the URL
if(!isset($_GET['p']) || !isset($_GET['id'])) {
	die('A parameter is missing!'); // Display an error
}

select_from_testimonials.php

<?php
if(isset($_GET['id'])) {

	// Always check to see if the $_GET parameter has the id in it or someone can abuse the fact that you are selecting from an invalid row

	$get_testimonial = (int) $_GET['id']; // Get the id from the URL; the id column is an integer, so anything else becomes 0
	$query = $db->prepare("SELECT testimonialID, name, stars, testimonial, location FROM testimonials WHERE testimonialID = ?");
	$query->bind_param("i", $get_testimonial); // Bind the placeholder (type "i" = integer) to avoid SQL Injection
	$query->execute(); // Execute the prepared statement
	$query->store_result();

	if($query->num_rows) {

		$query->bind_result($testimonialID, $name, $stars, $testimonial, $location); // Bind all the result columns to variables

		// testimonialID is the key, so there is exactly one row: a single fetch() fills the bound variables
		if($query->fetch()) {
			$new_testimonialID = $testimonialID;
			$new_name = $name;
			$new_stars = $stars;
			$new_testimonial = $testimonial;
			$new_location = $location;
		}

	} else {

		// No such data with the $_GET parameter defined

	}

	$query->close(); // Free the statement

}

testimonials_submit.php

<?php
if($_SERVER['REQUEST_METHOD'] == "POST") {

	// Check to see if the URL has the $_GET parameter "p"
	if(isset($_GET['p'])) {

		if($_GET['p'] == "edit") {

			// Validate these fields so that you don't update empty fields (trim() so that whitespace-only input counts as empty)
			if(!isset($_POST['name']) || trim($_POST['name']) == "") {
				echo "Please type something in for the name"; // The name field is empty
			} elseif(!isset($_POST['stars']) || trim($_POST['stars']) == "") {
				echo "Please select the appropriate stars"; // The stars field is empty
			} elseif(!isset($_POST['testimonial']) || trim($_POST['testimonial']) == "") {
				echo "Please type something into the testimonial field"; // The testimonial field is empty
			} elseif(!isset($_POST['location']) || trim($_POST['location']) == "") {
				echo "Please select a location"; // The location field is empty
			} else {

				// Check to see if the ID is passed into the URL
				if(isset($_GET['id'])) {

					$name = $_POST['name']; // From the post
					$stars = $_POST['stars']; // From the post
					$testimonial = $_POST['testimonial']; // From the post
					$location = $_POST['location']; // From the post
					$testimonialID = (int) $_GET['id']; // Get the id from the URL; this must be the same variable that is bound below

					// Use prepare instead of the deprecated MySQL_* function which is the worst thing to use
					$stmt = $db->prepare("UPDATE testimonials SET name = ?, stars = ?, testimonial = ?, location = ? WHERE testimonialID = ?");
					$stmt->bind_param("sdssi", $name, $stars, $testimonial, $location, $testimonialID); // Bind these placeholders to separate them from SQL code and PHP code. Best way to avoid SQL Injection
					$stmt->execute(); // Execute the query
					$stmt->close();

					// echo '<a href="./">Back Home</a> | <a href="./testimonials">Testimonials</a><br><br>';
					// echo 'Yay, Successful. PS: There is no error handling so this really just means you submitted it.';
					// We don't need the above if we are redirecting the user.

					// Redirect back to this same edit URL so that the page is reloaded with the new data (Post/Redirect/Get).
					// REQUEST_URI is the URL the form posted to, so there is no need to trust the browser-supplied Referer.
					header("Location: " . $_SERVER['REQUEST_URI']);
					exit; // Stop here, otherwise the rest of the page would still be rendered after the redirect header

				} else {
					echo "Please do not modify the URL, it must include the ID as well";
				}

			}

		} else {
			echo "Get parameter is defined, but it is not 'edit'";
		}

	}

}

testimonials.php

<?php
require('configuration.php'); // Requires this for your database connection
require('select_from_testimonials.php'); // Requires this to display the records
require('testimonials_submit.php'); // Requires this for the form to be submitted

// Escape every value before printing it into HTML, so that stored data cannot inject markup or script into the admin page
function h($value) {
	return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}
?>

<a href="./">Back Home</a> | <a href="./testimonials">Testimonials</a><br><br>
<form action="testimonials?p=edit&amp;id=<?php if(isset($new_testimonialID)) { echo (int) $new_testimonialID; } ?>" method="POST">

	Name:<br><input type="text" name="name" value="<?php if(isset($new_name)) { echo h($new_name); } ?>"/><br><br>

	Stars:<br><input type="text" name="stars" value="<?php if(isset($new_stars)) { echo h($new_stars); } ?>"/><br><br>

	Testimonial:<br><textarea name="testimonial"><?php if(isset($new_testimonial)) { echo h($new_testimonial); } ?></textarea><br><br>

	Location:<br><input type="text" name="location" value="<?php if(isset($new_location)) { echo h($new_location); } ?>"/>

	<input type="submit" name="submit" value="submit" />

</form>

Your original code seems to be very broken, and if you continue to use it, you won't get anywhere. You have

 

A. No way for the server to tell if the form was submitted (you do, but this is an odd approach).

B. No user validation. Not everyone on the internet is nice, and not everyone cares if your website is broken or not.

C. (You are) using the deprecated MySQL_* functions from the 1990s. Update the code, because this is 2014, going on 2015. Most web hosters are now updating their PHP features, and MySQL_* will most likely be removed, causing your code to throw "function ____ deprecated".

D. (You are) stuffing the actual variables inside the query string. This is not the safest approach. As I said in the code, when you prepare, you avoid SQL injection, because SQL injection comes from misinterpreted code. If someone does 1=1' or 'xx' to your code, they will most likely select every single row that exists in your table.

E. (You are) using the asterisk (*) in the query string, which is unsafe. Only select what you want or need. Do NOT use (*), because if you only wanted to display about 4 columns, when you get attacked, the attacker will be getting 20 rows instead of 4.

 

Please take my advice as a learning precaution. If you continue to use the above on a live server, don't come to me or anyone here and say that you got hacked or attacked.
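The field validation described in this reply, written out as an added example (not LeJack's code): one function that checks the four form fields and returns the errors, so the handler can refuse an accidental empty submit before the UPDATE runs. The 1 to 5 star range and the column lengths are assumptions.

```php
<?php
// Added example, not code from the thread: server-side validation for the four fields of the
// testimonial edit form. Returns an array of field => error message; an empty array means valid.
// The 1..5 star range and the column lengths are assumptions about this schema.
function validate_testimonial(array $post) {
	$errors = array();

	// 1. Every field is required; missing keys and whitespace-only values both count as empty
	foreach (array('name', 'stars', 'testimonial', 'location') as $field) {
		if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
			$errors[$field] = 'The ' . $field . ' field must not be empty';
		}
	}

	// 2. Stars must be a whole number from 1 to 5 ("abc", "4.5", "10" and "-1" are all rejected)
	if (!isset($errors['stars'])) {
		$range = array('options' => array('min_range' => 1, 'max_range' => 5));
		if (filter_var($post['stars'], FILTER_VALIDATE_INT, $range) === false) {
			$errors['stars'] = 'Stars must be a whole number from 1 to 5';
		}
	}

	// 3. Length limits matching the (assumed) column sizes, so MySQL never silently truncates
	$limits = array('name' => 100, 'location' => 100, 'testimonial' => 5000);
	foreach ($limits as $field => $max) {
		if (!isset($errors[$field]) && strlen($post[$field]) > $max) {
			$errors[$field] = 'The ' . $field . ' field is too long (max ' . $max . ' characters)';
		}
	}

	return $errors;
}

// Constructed sample submissions: a valid one, and the accidental empty submit described above
$good = array('name' => 'Alice', 'stars' => '5', 'testimonial' => 'Lovely retreat', 'location' => 'Bali');
$empty = array('name' => '', 'stars' => '', 'testimonial' => '   ', 'location' => '');
$errors = validate_testimonial($empty);
if (validate_testimonial($good) === array() && count($errors) === 4) {
	echo "Validation behaves as expected\n";
} else {
	print_r($errors);
}
```

In the submit handler, call it first and only prepare the UPDATE when the returned array is empty; otherwise print the messages and re-show the form with the old values.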


And please forget about this “an admin page doesn't need any protection” nonsense. This is exactly how Ubuntu Forums were “hacked” last year: The attacker gained access to a privileged moderator account and was then able to inject arbitrary JavaScript code into the site.

 

An admin page needs the exact same level of protection as any other page.

  • Just because you think that only admins have access to your page doesn't mean that this is actually the case. For example, you have no CSRF protection whatsoever, so anybody can “tunnel” arbitrary requests through one of the admin accounts simply by getting the person to visit a website.
  • Admins aren't necessarily smarter than the average user. They'll make the same mistakes, and sometimes they're plain stupid. For example, I recently encountered a forum admin who used his nickname as the password – and that same nickname was also on his public user profile.
  • There's a big difference between letting somebody manage your site content and giving them full access to your server. Right now, you more or less do both at the same time, because you allow admins to directly access your database system and continue from there.
Edited by Jacques1
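The CSRF protection this reply says is missing, as an added example (not code from the thread or from the original poster): a per-session token is written into the form as a hidden field and every POST is rejected unless it carries that token, so a request "tunnelled" through a logged-in admin from another site cannot reach the UPDATE. The function names and the hidden field name csrf_token are assumptions.

```php
<?php
// Added example, not code from the thread: CSRF protection for the admin edit form discussed above.
// A random token is stored in the session, emitted as a hidden field in the form, and every POST is
// rejected unless it carries the same token. Function names and the field name "csrf_token" are assumptions.
session_start();

// Create the session token on first use: 32 random bytes, shown as 64 hex characters
function csrf_token() {
	if (empty($_SESSION['csrf_token'])) {
		$_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
	}
	return $_SESSION['csrf_token'];
}

// Hidden input to place inside every form that changes data
function csrf_field() {
	return '<input type="hidden" name="csrf_token" value="'
		. htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only when the submitted token equals the session token. hash_equals() (PHP 5.6+) compares
// in constant time, so the token cannot be learned one character at a time through timing differences.
function csrf_check(array $post) {
	if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
		return false;
	}
	return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// In testimonials_submit.php: refuse the request before the UPDATE is even prepared. A page on
// another site can make the admin's browser send this POST, but it has no way to read the token.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST)) {
	header('HTTP/1.1 403 Forbidden');
	exit('Invalid or missing form token. Reload the edit page and submit again.');
}
?>
<!-- In testimonials.php: the hidden field travels with the rest of the form -->
<form action="testimonials?p=edit&amp;id=<?php echo (int) $new_testimonialID; ?>" method="POST">
	<?php echo csrf_field(); ?>
	<!-- name, stars, testimonial and location inputs as in the original form -->
	<input type="submit" name="submit" value="submit" />
</form>
```

The token is tied to the session, so it must be generated after the admin has logged in and regenerated together with the session id when they log out.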