Dime Posted February 25, 2020

Hello, I work on my school project where we have to create a website with front and back end. So I decided to create a lyrics website. I created a DB with a table called "lyrics". This is the structure:

CREATE TABLE lyrics (
    lyricsId int(8) PRIMARY KEY AUTO_INCREMENT,
    artist varchar(100),
    song varchar(100),
    cover varchar(100),
    lyrics varchar(9999),
    chartId int(8),
    commentId int(8),
    FOREIGN KEY (chartId) REFERENCES charts(chartId)
);

So right now I don't know how I can create an Editlyrics.php button where I can edit the lyrics by the ID page. For example, I have 2 songs with lyrics, and when I press on a song I go to the lyrics of that song, and on that page I want to have a button where I can edit the lyrics.

This is what I did: I created an editlyrics.php file and added this code, but it's not working and I know for a fact that nothing is right here, there are so many errors, but I don't know what the errors are or how I can fix this...

<?php
session_start();
include("connectdb.php");

$id = $_SESSION['id'];
$lyricsId = $_POST['lyricsId'];
$col = "UNDEFINED";

if(isset($_POST['lyricsId'])){
    $col = "lyrics";
    $val = $_POST['lyrics'];
}

$query = "UPDATE lyrics SET $col='$val' WHERE lyricsId=$id;";

if(mysqli_query($dbc_form,$query)){
    header("Location: index.php");
}else{
    $_SESSION['error_msg'] = "Same Lyrics!";
    header("Location: index.php");
}
?>

Any help? Thanks
maxxd Posted February 25, 2020

You've gotten some things confused, I think. Take a step back and think about what you're trying to do, what you're doing currently, and what needs to be done to do what you actually want to do. For instance, you know you're going to update lyrics, right? Does the name of the column containing lyrics change? I'm going to bet not, so why then not just use the column name directly - there's no need for a variable.

Also, you set $id to whatever the value of $_SESSION['id'] is, assign $_POST['lyricsId'] to a variable before you check whether or not it exists, and then completely ignore $lyricsId in favor of $id (which I think is probably not the same thing) to let the database know which record to update.

And while you're at it, get into the habit of using prepared queries. Right now your query is wide open to SQL injection attacks - learning to avoid this from the outset is a lot easier than trying to relearn how to do things later on. Just ask Little Bobby Tables's school administrators...
gizmola Posted February 26, 2020

Quote
> I created an editlyrics.php file and added this code, but it's not working and I know for a fact that nothing is right here, there are so many errors, but I don't know what the errors are or how I can fix this...

When looking for help for a problem, it is important to include the diagnostics you already have. You stated you have errors that you know of, but you didn't provide them in your post.

Let's start with something a little more standard for an edit script:

<?php
session_start();

$id = $_SESSION['id'] ?? null;
if (!$id) {
    die('Invalid Session');
}

include("connectdb.php");

// Cast the id to an integer and clean up the posted lyrics before using either
$lyricsId = (int)($_POST['lyricsId'] ?? 0);
$lyrics = trim(strip_tags($_POST['lyrics'] ?? ''));

if ($lyricsId && !empty($lyrics)) {
    // Placeholders: the values are bound separately and never become part of the SQL text
    $query = "UPDATE lyrics SET lyrics = ? WHERE lyricsId = ?";
    $stmt = mysqli_prepare($dbc_form, $query);
    mysqli_stmt_bind_param($stmt, 'si', $lyrics, $lyricsId);
    mysqli_stmt_execute($stmt);

    # Should go back to your lyrics display page, to show the updated lyrics for that $lyricsId
    header("Location: index.php");
    exit;
} else {
    $_SESSION['error_msg'] = "No Lyrics provided";
    header("Location: index.php");
    exit;
}

Some things to note:

- Check that there is a session id.
- Cast lyricsId to an integer to keep people from screwing around with id parameters.
- Trim and strip HTML tags from the posted lyrics.
- Properly use bound parameters. Do not interpolate strings, as it opens you up to SQL injection. User input should Never be trusted, and that includes all GET and POST parameters. Binding parameters helps so that you do not need to escape input when used in SQL statements, AND prevents SQL injection.
- When the edit works OR fails, you should go back to the lyrics detail page, not back to index.php.
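As an added example (not code from either poster), here is the same edit handler with the update isolated in a function that reports how many rows changed, validation done with filter_input, and the redirect sent back to the song's detail page. It assumes connectdb.php still provides $dbc_form and that the detail page is called lyrics.php and takes an id query parameter (both assumed names).

```php
<?php
// Added example, not the thread's own code. Assumes connectdb.php defines $dbc_form
// (a mysqli connection) and that the detail page is lyrics.php?id=N (assumed name).
declare(strict_types=1);
session_start();

if (empty($_SESSION['id'])) {
    http_response_code(403);
    exit('Invalid session');
}
require 'connectdb.php';

// Validate the input before it goes anywhere near SQL: the id must be a positive
// integer, and the lyrics are trimmed with any HTML tags removed.
$lyricsId = filter_input(INPUT_POST, 'lyricsId', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$lyrics   = trim(strip_tags((string)($_POST['lyrics'] ?? '')));

function updateLyrics(mysqli $db, int $lyricsId, string $lyrics): int
{
    // The "?" placeholders keep SQL and data separate: the driver never parses $lyrics as SQL.
    $stmt = $db->prepare('UPDATE lyrics SET lyrics = ? WHERE lyricsId = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $lyrics, $lyricsId);   // 's' = string, 'i' = integer
    $stmt->execute();
    $affected = $stmt->affected_rows;              // 0 means no such id, or text unchanged
    $stmt->close();
    return $affected;
}

if ($lyricsId === false || $lyricsId === null || $lyrics === '') {
    $_SESSION['error_msg'] = 'No lyrics provided';
    header('Location: index.php');
    exit;
}

try {
    if (updateLyrics($dbc_form, $lyricsId, $lyrics) === 0) {
        $_SESSION['error_msg'] = 'Nothing updated (unknown id or unchanged lyrics)';
    }
} catch (RuntimeException $e) {               // mysqli_sql_exception extends RuntimeException
    $_SESSION['error_msg'] = 'Update failed';
}

// Return to the detail page for this song rather than index.php.
header('Location: lyrics.php?id=' . $lyricsId);
exit;
```

Note that affected_rows is 0 when the submitted text is identical to what is stored, so "Same Lyrics!" and "unknown id" are indistinguishable unless you SELECT the row first.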