
PHP Localhost database different information each <td>


Realcookie


Hey guys,

 

I'm busy with a project and I'm stuck at a place, unfortunately. :/ I need to make a webpage with the 5 most recent articles, with an archive page with all articles, and an admin panel where the admin can see all the articles and can edit, delete and add them. So now I made the table in the admin panel with all articles. So now on each click on one of the articles in the table I need to get a page with the information of that current article.

 

So as an example: Article title = A, Article summary = B, Article content = C

 

So when you want to edit this article there should come a page with the form filled in: Article title: A etc., so they are filled in and you can edit them. My question is how can I do this! I'm a beginner in PHP so it could be I can't understand some terms. I hope you guys can help me out!

 

Cheers. :) 


First you need to make a link to that article, for example

<a href="article.php?id=<?php echo $article['id']; ?>">Article title</a>

That link will get you to the article.php page, where you will:

  • make a page article.php where you will grab the data for the id from the URL
  • grab the id from the URL
  • grab the data from the articles table where the id in the database equals the id from the URL
  • put the data from the query into the input fields

Let's say you have a page articles.php in the admin panel where you have listed all articles from the database.

 

This is only a basic example and it's not escaped against SQL injection, so "DON'T USE THIS ON A LIVE SERVER". This is only so that you get a perception of how things work; maybe it's not the best way, but it's good to learn.

 

articles.php

<?php

error_reporting(1);

// mysqli connection
$conn = mysqli_connect('host', 'user', 'password', 'database name');

// check for connection
if (mysqli_connect_errno())
{
    die("Connection failed : " . mysqli_connect_error());
}

// action to EDIT article
if (isset($_GET['action']) && $_GET['action'] == 'edit' && isset($_GET['id']))
{
    $id = (int)$_GET['id'];
    // here is the data for a single article, fetched by id
    $query = mysqli_query($conn, "SELECT * FROM articles WHERE id = '$id'");

    // check if query runs
    if ($query)
    {
        $data = mysqli_fetch_assoc($query);

        // run the UPDATE when the form is processed to update the data in the database
        // (only if the submit button was pressed)
        if (isset($_POST['submit']))
        {
            // get data from form
            $title = $_POST['title'];
            $text = $_POST['text'];

            // update query
            $update = mysqli_query($conn, "UPDATE articles SET title = '$title', text = '$text' WHERE id = '".$data['id']."'");

            // check if update was successful
            if ($update)
            {
                // if updated, redirect to articles.php
                header("Location: articles.php");
                exit();
            }
            else
            {
                echo "Mysqli error : " . mysqli_error($conn);
            }
        }

        // form pre-filled with the current values of the article
        echo '<form action="" method="post">
              <label for="title">Title</label>
              <input type="text" id="title" name="title" value="'.$data['title'].'"><br />
              <label for="text">Text</label>
              <textarea id="text" name="text">'.$data['text'].'</textarea><br />
              <input type="submit" name="submit" value="Submit">
              </form>';
    }
    else
    {
        echo "Mysqli error : " . mysqli_error($conn);
    }
}

// action to DELETE article
else if (isset($_GET['action']) && $_GET['action'] == 'delete' && isset($_GET['id']))
{
    // delete the article whose id in the database matches the id from the URL
    $id = (int)$_GET['id'];

    $query = mysqli_query($conn, "DELETE FROM articles WHERE id = '$id'");

    // check if query runs
    if ($query)
    {
        // if the query was successful, go back to the articles list
        header("Location: articles.php");
        exit();
    }
    else
    {
        die("Mysqli error : " . mysqli_error($conn));
    }
}

// if no action, display all articles
else
{
    // query to get all articles
    $query = mysqli_query($conn, "SELECT * FROM articles");

    // check if query runs
    if ($query)
    {
        echo '<table>
                <tr>
                    <th>ID</th>
                    <th>Title</th>
                    <th>Posted date</th>
                    <th>Actions</th>
                </tr>';
        // loop through the articles, fetching one row per iteration
        while ($article = mysqli_fetch_assoc($query))
        {
            echo '<tr>
                    <td>'.$article['id'].'</td>
                    <td>'.$article['title'].'</td>
                    <td>'.$article['date'].'</td>
                    <td><a href="articles.php?id='.$article['id'].'&action=edit">Edit</a> | <a href="articles.php?id='.$article['id'].'&action=delete">Delete</a></td>
                  </tr>';
        }
        echo '</table>';
    }
    else
    {
        echo "Mysqli error : " . mysqli_error($conn);
    }
}

?>

mlukac89: The code you've posted is fundamentally wrong, and it's certainly not a good example to learn from. If you don't have the knowledge or motivation to write correct code, then don't publish code at all.

 

Those please-don't-use-my-scripts-in-production disclaimers are rather silly. What is a newbie supposed to do with this information? Fix your code? If they knew how to do that, they wouldn't need it in the first place. So a more realistic assumption is that the code will be used in production, possibly by many other people. As you certainly know, the PHP community is infamous for its love of copy-and-paste.

 

There are many ways to answer a question. Choose the one that fits your abilities.


Jacques1, I will keep that in mind. I know many people copy/paste code, but why is this approach not good if you want to keep all the PHP logic in 1 script? And can you explain to me what needs to be fixed in the code?


Almost every line needs to be fixed:

  • You have an entire zoo of security vulnerabilities: SQL injection, cross-site scripting, cross-site request forgery. This will also affect legitimate users; for example, try entering text which contains an apostrophe, and the whole thing blows up.
  • The error handling is fundamentally broken. For some reason, you think that internal error messages should be displayed on the website, but this only irritates legitimate users while helping attackers gain important information. Error messages are meant for you, the programmer. They're none of the user's business.
  • You don't understand how mysqli works. You use it like the old mysql_* functions, completely ignoring all modern features like prepared statements and exceptions.
  • Using GET requests to change data violates the HTTP protocol and can cause a lot of problems, because browsers assume that GET does in fact mean “get the resource”, not “change the resource”.
  • Don't mess with the error reporting at runtime. What do you even mean by the value “1”? The function expects a bit field created from the error constants (e.g. E_ALL & ~E_NOTICE) or -1 for everything.
  • The HTML markup is invalid.

Learn the basics before jumping to complex applications. Make sure you understand how HTTP, HTML, web security and database interaction work. It will save you a lot of trouble.

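As an added example (not code from the thread or from any of its posters), here is the same articles.php rewritten to address each point in the list above, and to implement the link-then-fetch-by-id procedure from the first reply: a prepared statement for every query that carries user data, output escaping through one helper, a per-session CSRF token checked on every state-changing request, POST (not GET) for delete, mysqli exceptions that are logged rather than printed to the visitor, and no runtime error_reporting() tweak. It assumes the table layout used in the thread (an articles table with id, title, text and date columns), placeholder connection credentials, and that mysqlnd is available for get_result().

```php
<?php
// Hardened articles.php: added example, not the thread's code.
// Assumes articles(id INT PRIMARY KEY, title, text, date) and placeholder credentials.
declare(strict_types=1);
session_start();

// HTML-escape everything that goes into the page, whatever its source.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One CSRF token per session; every POST must echo it back.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
function csrf_field(): string {
    return '<input type="hidden" name="csrf" value="' . e($_SESSION['csrf']) . '">';
}
function csrf_check(): void {
    if (!isset($_POST['csrf']) || !hash_equals($_SESSION['csrf'], (string)$_POST['csrf'])) {
        http_response_code(403);
        exit('Invalid request token.');
    }
}

// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $conn = new mysqli('host', 'user', 'password', 'database name'); // placeholders
    $conn->set_charset('utf8mb4');

    $action = $_GET['action'] ?? $_POST['action'] ?? 'list';
    // Validate the id as an integer; false when missing or not an int.
    $id = filter_var($_GET['id'] ?? $_POST['id'] ?? null, FILTER_VALIDATE_INT);

    if ($action === 'edit' && $id !== false) {
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            csrf_check();
            $title = (string)($_POST['title'] ?? '');
            $text  = (string)($_POST['text'] ?? '');
            // Data is bound, never concatenated into the SQL text.
            $stmt = $conn->prepare('UPDATE articles SET title = ?, text = ? WHERE id = ?');
            $stmt->bind_param('ssi', $title, $text, $id);
            $stmt->execute();
            header('Location: articles.php');
            exit;
        }
        $stmt = $conn->prepare('SELECT id, title, text FROM articles WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $article = $stmt->get_result()->fetch_assoc();
        if ($article === null) {
            http_response_code(404);
            exit('No such article.');
        }
        // Pre-filled edit form; values are escaped so titles like <b>x</b> stay text.
        echo '<form method="post" action="articles.php?action=edit&amp;id=' . (int)$article['id'] . '">'
           . csrf_field()
           . '<label for="title">Title</label> <input type="text" id="title" name="title" value="'
           . e((string)$article['title']) . '"><br>'
           . '<label for="text">Text</label> <textarea id="text" name="text">'
           . e((string)$article['text']) . '</textarea><br>'
           . '<button type="submit">Save</button></form>';
    } elseif ($action === 'delete' && $id !== false && $_SERVER['REQUEST_METHOD'] === 'POST') {
        csrf_check();
        $stmt = $conn->prepare('DELETE FROM articles WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        header('Location: articles.php');
        exit;
    } else {
        // Listing: no user input in this query, but output is still escaped.
        $rows = $conn->query('SELECT id, title, date FROM articles ORDER BY date DESC');
        echo '<table><tr><th>ID</th><th>Title</th><th>Posted date</th><th>Actions</th></tr>';
        while ($a = $rows->fetch_assoc()) {
            $aid = (int)$a['id'];
            echo '<tr><td>' . $aid . '</td><td>' . e((string)$a['title']) . '</td><td>'
               . e((string)$a['date']) . '</td><td>'
               . '<a href="articles.php?action=edit&amp;id=' . $aid . '">Edit</a> '
               // Delete changes state, so it is a POST form, not a GET link.
               . '<form method="post" action="articles.php" style="display:inline">' . csrf_field()
               . '<input type="hidden" name="action" value="delete">'
               . '<input type="hidden" name="id" value="' . $aid . '">'
               . '<button type="submit">Delete</button></form></td></tr>';
        }
        echo '</table>';
    }
} catch (mysqli_sql_exception $ex) {
    // Details go to the server log for the developer; the visitor gets a generic message.
    error_log('articles.php: ' . $ex->getMessage());
    http_response_code(500);
    exit('Something went wrong. Please try again later.');
}
```

The two things that most often get dropped when people "add security later" are both structural here: every query that touches user data is a prepared statement with bound parameters (so an apostrophe in a title is just data), and the only way to reach UPDATE or DELETE is a POST carrying the session's CSRF token, so a crafted link or image tag on another site cannot delete an article on the admin's behalf.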

mlukac89,

 

@Jacques1 beat me to it in post #7 but it bears repeating. Do not EVER post code you know is bad. If it "works" noobs will forever copy/paste the code thus perpetuating security problems.

 

Yeah, I know now. This code works, but as Jacques1 said, if it's posted it's better to make it secure. Btw, I read this page about security https://martinfowler.com/articles/web-security-basics.html and I know that I need to validate all inputs and outputs, same as the URL, but I made this only so that guy sees how he can get, delete and edit stuff. But I won't post code anymore, because it's better to leave people to learn to code by themselves. ;)


I find it odd when people distinguish between “working code” and “secure code”.

 

You cannot have working code with security vulnerabilities, because every vulnerability is also a defect. Even if everybody on the Internet behaved nicely, it would still be a defect. As I already said, your code crashes as soon as a user tries to enter text with an apostrophe (like “O'Reilly”). This has nothing to do with bad intentions, it's not even an exotic scenario. It can happen at any time with standard data.

 

Proper escaping isn't some kind of bonus feature. It's a necessity. It's the only way to make sure that the application can handle all possible input.

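To make the apostrophe point concrete, here is an added example (not from the thread) that runs the two approaches side by side against an in-memory SQLite database through PDO, so it needs no MySQL server; the table and the sample title are constructed for the demonstration. The string-built UPDATE fails with a syntax error on "O'Reilly" and leaves the row unchanged, while the parameterised one stores the value as-is. The same mechanism that causes the crash on ordinary data is what an attacker abuses for SQL injection, which is why the fix for one is the fix for the other.

```php
<?php
// Added example: an apostrophe in ordinary data breaks string-built SQL,
// a bound parameter does not. Runs anywhere php-cli has pdo_sqlite.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed table and seed row for the demonstration.
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO articles (id, title) VALUES (1, 'placeholder')");

// The thread's pattern: the value is pasted straight into the SQL text.
function updateInterpolated(PDO $db, int $id, string $title): bool {
    try {
        $db->exec("UPDATE articles SET title = '$title' WHERE id = $id");
        return true;
    } catch (PDOException $e) {
        // The quote in the data ends the string literal early and the rest is parsed as SQL.
        echo "interpolated update failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// The fix: the SQL text is fixed; the data travels separately as a parameter.
function updatePrepared(PDO $db, int $id, string $title): bool {
    $stmt = $db->prepare('UPDATE articles SET title = :title WHERE id = :id');
    return $stmt->execute([':title' => $title, ':id' => $id]);
}

function currentTitle(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string)$title;
}

$title = "O'Reilly"; // ordinary data, nothing malicious about it

updateInterpolated($db, 1, $title);
echo "after interpolated update: " . currentTitle($db, 1) . "\n";

updatePrepared($db, 1, $title);
echo "after prepared update: " . currentTitle($db, 1) . "\n";
```

Run it with php-cli: the first update reports a syntax error from SQLite and the title is still the seed value; the second succeeds and the stored title is exactly "O'Reilly", apostrophe included, with no escaping code written by hand.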
