Update Query

louiegiezer · Post by **louiegiezer** » Sun May 26, 2013 5:03 am

Hello Anyone...
I'm gonna make sure if this a good one for updating database...
even the function is work... I'm looking for a good idea...

[syntax=php]
if($_POST['submitEditForm'])
{
$update = mysql_query("UPDATE resume SET name='$_POST[name]', age='$_POST[age]', sex='$_POST[sex]', mobile='$_POST[mobile]' WHERE id='$_POST[idnumber]'");
echo "Record has been changed";
}

echo"<form method='post' action=''>
<tr>
<td class='viewTable1'><center>Name</center></td>
<td class='viewTable1'><center>Age</center></td>
<td class='viewTable1'><center>Sex</center></td>
<td class='viewTable1'><center>Mobile</center></td>
<td class='viewTable1'><center>Action</center></td>
</tr>
";
$sel = mysql_query("SELECT * FROM resume ORDER BY name ASC");
while($data=mysql_fetch_array($sel))
{
echo "<tr>
<td ><center>$data[name]</center></td>
<td><center>$data[age]</center></td>
<td><center>$data[sex]</center></td>
<td><center>$data[mobile]</center></td>
<td><center><input type='submit' value='Update' name='updateButt$data[id]'></center></td>
</tr>";
}

echo "</table></form>";
echo "<br><BR>";

for($x=0;$x<=100;$x++)
{
if($_POST[updateButt.$x])
{
$select = mysql_query("SELECT * FROM resume WHERE id=$x");
while($data=mysql_fetch_array($select))
{
echo "
<form name='myform' method='post' action='Edit.php'>
<table border=0 cellspacing=0 align='center' class='Addstyle'>
<tr><td align='right' class='viewTable5' colspan=2>
<div class='textfile'>Editing: <span class='underline'>$data[name]</span></div></td></tr>
<input size=20 type='hidden' value=$data[id] name='idnumber'>
<tr><td>Name: </td><td><input type='text' value='$data[name]' size=20 name='name'/></td></tr>
<tr><td>Age: </td><td><input type='text' value='$data[age]' size=20 name='age'/></td></tr>
<tr><td>Sex: </td><td><input type='text' value='$data[sex]' size=20 name='sex'/></td></tr>
<tr><td>Mobile: </td><td><input type='text' value='$data[mobile]' size=20 name='mobile'/></td></tr>
<tr><td colspan=2><input type='submit' value='Submit' name='submitEditForm'/></td></tr>
</table></form>
";
}
}
}
[/syntax]

ExtremeGaming · Post by **ExtremeGaming** » Sun May 26, 2013 2:50 pm

I'm not sure what the question is, but if you're using data straight from $_POST without filtering it, you're leaving yourself open to SQL injection. Also, just in case there ever is a SQL injection attack, you're going to want to output your data with htmlentities()

FrederickGeek8 · Post by **FrederickGeek8** » Thu Jun 06, 2013 10:16 pm

ExtremeGaming wrote:I'm not sure what the question is, but if you're using data straight from $_POST without filtering it, you're leaving yourself open to SQL injection. Also, just in case there ever is a SQL injection attack, you're going to want to output your data with htmlentities()

To alaborate on this:
when adding something into the database you want to do something like [syntax=php]$query = mysql_real_escape_string(htmlentities($query))[/syntax]
If you are inserting something that should be a int (number) instead of using mysql_real_escape_string and htmlentities you can just use [syntax=php]$number = (int)$number;[/syntax]

So:
[syntax=php]if($_POST['submitEditForm'])
{
$name = mysql_real_escape_string(htmlentities($_POST['name']));
$age = mysql_real_escape_string(htmlentities($_POST['age']));
$sex = mysql_real_escape_string(htmlentities($_POST['sex']));
$mobile = mysql_real_escape_string(htmlentities($_POST['mobile']));
$id = (int)$id;

$update = mysql_query("UPDATE resume SET name='{$name}', age='{$age}', sex='{$sex}', mobile='{$mobile}' WHERE id='{$id}'");
echo "Record has been changed";
}

echo"<form method='post' action=''>
<tr>
<td class='viewTable1'><center>Name</center></td>
<td class='viewTable1'><center>Age</center></td>
<td class='viewTable1'><center>Sex</center></td>
<td class='viewTable1'><center>Mobile</center></td>
<td class='viewTable1'><center>Action</center></td>
</tr>
";
$sel = mysql_query("SELECT * FROM resume ORDER BY name ASC");
while($data=mysql_fetch_array($sel))
{
echo "<tr>
<td ><center>$data[name]</center></td>
<td><center>$data[age]</center></td>
<td><center>$data[sex]</center></td>
<td><center>$data[mobile]</center></td>
<td><center><input type='submit' value='Update' name='updateButt$data[id]'></center></td>
</tr>";
}

echo "</table></form>";
echo "<br><BR>";

for($x=0;$x<=100;$x++)
{
if($_POST[updateButt.$x])
{
$select = mysql_query("SELECT * FROM resume WHERE id=$x");
while($data=mysql_fetch_array($select))
{
echo "
<form name='myform' method='post' action='Edit.php'>
<table border=0 cellspacing=0 align='center' class='Addstyle'>
<tr><td align='right' class='viewTable5' colspan=2>
<div class='textfile'>Editing: <span class='underline'>$data[name]</span></div></td></tr>
<input size=20 type='hidden' value=$data[id] name='idnumber'>
<tr><td>Name: </td><td><input type='text' value='$data[name]' size=20 name='name'/></td></tr>
<tr><td>Age: </td><td><input type='text' value='$data[age]' size=20 name='age'/></td></tr>
<tr><td>Sex: </td><td><input type='text' value='$data[sex]' size=20 name='sex'/></td></tr>
<tr><td>Mobile: </td><td><input type='text' value='$data[mobile]' size=20 name='mobile'/></td></tr>
<tr><td colspan=2><input type='submit' value='Submit' name='submitEditForm'/></td></tr>
</table></form>
";
}
}
} [/syntax]

killfrog47 · Post by **killfrog47** » Sun Jun 09, 2013 4:38 am

louiegiezer wrote:Hello Anyone...
I'm gonna make sure if this a good one for updating database...
even the function is work... I'm looking for a good idea...

[syntax=php]
if($_POST['submitEditForm'])
{
$update = mysql_query("UPDATE resume SET name='$_POST[name]', age='$_POST[age]', sex='$_POST[sex]', mobile='$_POST[mobile]' WHERE id='$_POST[idnumber]'");
echo "Record has been changed";
}

echo"<form method='post' action=''>
<tr>
<td class='viewTable1'><center>Name</center></td>
<td class='viewTable1'><center>Age</center></td>
<td class='viewTable1'><center>Sex</center></td>
<td class='viewTable1'><center>Mobile</center></td>
<td class='viewTable1'><center>Action</center></td>
</tr>
";
$sel = mysql_query("SELECT * FROM resume ORDER BY name ASC");
while($data=mysql_fetch_array($sel))
{
echo "<tr>
<td ><center>$data[name]</center></td>
<td><center>$data[age]</center></td>
<td><center>$data[sex]</center></td>
<td><center>$data[mobile]</center></td>
<td><center><input type='submit' value='Update' name='updateButt$data[id]'></center></td>
</tr>";
}

echo "</table></form>";
echo "<br><BR>";

for($x=0;$x<=100;$x++)
{
if($_POST[updateButt.$x])
{
$select = mysql_query("SELECT * FROM resume WHERE id=$x");
while($data=mysql_fetch_array($select))
{
echo "
<form name='myform' method='post' action='Edit.php'>
<table border=0 cellspacing=0 align='center' class='Addstyle'>
<tr><td align='right' class='viewTable5' colspan=2>
<div class='textfile'>Editing: <span class='underline'>$data[name]</span></div></td></tr>
<input size=20 type='hidden' value=$data[id] name='idnumber'>
<tr><td>Name: </td><td><input type='text' value='$data[name]' size=20 name='name'/></td></tr>
<tr><td>Age: </td><td><input type='text' value='$data[age]' size=20 name='age'/></td></tr>
<tr><td>Sex: </td><td><input type='text' value='$data[sex]' size=20 name='sex'/></td></tr>
<tr><td>Mobile: </td><td><input type='text' value='$data[mobile]' size=20 name='mobile'/></td></tr>
<tr><td colspan=2><input type='submit' value='Submit' name='submitEditForm'/></td></tr>
</table></form>
";
}
}
}
[/syntax]

Here is a nice little function i use to clean all my variables:
[syntax=php]function clean($value) {

// If magic quotes not turned on add slashes.
if(!get_magic_quotes_gpc())

// Adds the slashes.
{ $value = addslashes($value); }

// Strip any tags from the value.
$value = strip_tags($value);

// Return the value out of the function.
return $value;
}[/syntax]
Then from there you can just do
[syntax=php]
$FormEdit = $_POST['submitEditForm'];
$FormEdit = clean($FormEdit);[/syntax]

BetterPHP

Update Query

Update Query

Re: Update Query

Re: Update Query

Re: Update Query