I can't update

Posted: Sat Mar 03, 2012 12:09 pm
by ipharaoh
Hello everybody,
all I want to do in this project is, when you decide to edit a post by clicking on edit post,
I wanted to show a web form for the user with his old post displayed in the form, and all he has got to do is replace the old post with the new post....

I have the following errors:

Notice: undfined variable: gid in C:\xxxxxx.editnews.php on line 11
Notice: undfined variable: author in C:\xxxxxx.editnews.php on line 25
Notice: undfined variable: titke in C:\xxxxxx.editnews.php on line 25
Notice: undfined variable: content in C:\xxxxxx.editnews.php on line 25

Line 25 is where I actually update = mysql_query( .................)

Any suggestions please? I have been working on this simple project for over 10 hours now and I don't know what to do anymore.
<?php 
#1. Connecting to database #
require("SQL_connect.php");
#-------------------------#

if(isset($_GET['id'])){
	$gid = $_GET['id'];
	}
$data = mysql_query("SELECT * FROM addnews WHERE id='$gid'") or die("CANNOT EXCUTE SELECTION");

while($row = mysql_fetch_assoc($data)){
	$author = $row['author'];
	$title = $row['title'];
	$content = $row['content'];
	
	
}

#-------FORM HERE-----------#
if(isset($_POST['author'],$_POST['title'],$_POST['content']))
{
	$update = mysql_query("UPDATE news_system SET author='$author', title='$title', content='$content' WHERE id='$gid'")
	or die("Something went wrong: Please Try again later..");
}


echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>
	 Author:<br/>
        <input type='text' name='author' value='".$author."' size='35px'/><br/>
        
        Title:<br/>
        <input type='text' name='title' value='".$title."' size='35px' /><br/>
        
        Content:<br/>
        <textarea name='content' rows='5' cols='50' >".$content."</textarea><br/>
	<input type='submit' value='update' />
</form>";
?>

Re: I can't update

Posted: Sat Mar 03, 2012 7:03 pm
by Temor
The problem is that you never give $author, $title, $gid and $content a value. Easiest thing would be to set those at the top of the page or use the $_POST or $_GET variables directly. Creating a new variable in this case serves no real purpose.

Re: I can't update

Posted: Sat Mar 03, 2012 11:23 pm
by jacek
Some general points.
if(isset($_GET['id'])){
        $gid = $_GET['id'];
        }
$data = mysql_query("SELECT * FROM addnews WHERE id='$gid'") or die("CANNOT EXCUTE SELECTION");
Here you check to see if the $_GET variable is defined. But then you try to use a variable that would not be defined below it anyway.
$data = mysql_query("SELECT * FROM addnews WHERE id='$gid'") or die("CANNOT EXCUTE SELECTION");
 
while($row = mysql_fetch_assoc($data)){
        $author = $row['author'];
        $title = $row['title'];
        $content = $row['content'];
}
There is no need to use a loop if you only have one row in your result.
if(isset($_POST['author'],$_POST['title'],$_POST['content']))
{
        $update = mysql_query("UPDATE news_system SET author='$author', title='$title', content='$content' WHERE id='$gid'")
        or die("Something went wrong: Please Try again later..");
}
Okay, but you should consider SQL injection.
echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>
         Author:<br/>
       <input type='text' name='author' value='".$author."' size='35px'/><br/>
       
       Title:<br/>
       <input type='text' name='title' value='".$title."' size='35px' /><br/>
       
       Content:<br/>
       <textarea name='content' rows='5' cols='50' >".$content."</textarea><br/>
        <input type='submit' value='update' />
</form>";
Echoing huge chunks of HTML like this is very untidy.

Re: I can't update

Posted: Sun Mar 04, 2012 6:10 am
by ipharaoh
Thanks man. I will give it a try and I will let you know.... I really appreciate your response......

Re: I can't update

Posted: Sun Mar 04, 2012 2:54 pm
by ipharaoh
Thank you guys for helping me.. finally I fixed this problem -- I just wanted to say I am a new PHP beginner, I don't have this much experience with the language but I am doing my best to be a good PHP developer..
Anyway, one more time thank you guys, here is the code that finally worked correctly without any errors :) :)
<?php 
//including connection
include("SQL_connect.php");
include("functions.php");
$gid = 0;
if(isset($_GET['id']) && is_numeric($_GET['id']))
{
    $gid = intval($_GET['id']);
}

$ERRORS = array();
if(isset($_POST['author'],$_POST['title'],$_POST['content']))
{
    $author  = protect($_POST['author']);
    $title   = protect($_POST['title']);
    $content = protect($_POST['content']);

    //checking if no errors
    if(empty($author)){
        $ERRORS[] = "ERROR: You cannot leave <span style=\"color:red\">Author</span> empty...!";
    }
    if(empty($title)){
        $ERRORS[] = "ERROR: You cannot leave <span style=\"color:red\">Title</span> empty...!";
    }
    if(empty($content)){
        $ERRORS[] = "ERROR: You cannot leave <span style=\"color:red\">Content</span> empty...!";
    }

    //if there is no errors then add values to the addnews table
    if(empty($ERRORS)){
        //No ERRORS - UPDATE   addnews SET
        $update = ("UPDATE tbl_news SET author='$author', title='$title', content='$content' WHERE id='$gid'") or die("Something went wrong: Please Try again later..");

        //redirecting the user for nonspaming
        if(mysql_query($update)){
            header("Location: selecting_data.php");
            die();
        }
    }
    else {
        foreach($ERRORS as $ERROR){
            echo $ERROR."<br/>";
        }
    }
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Editing the Posts News</title>
<style type="text/css">

</style>
</head>
<body>
<?php

$select = mysql_query("SELECT * FROM tbl_news WHERE id='".$gid."'");
$row = mysql_fetch_assoc($select);

?>
<br/>
<strong>Edit your post news</strong>
<br/>
<form method="post" action="<?php protect($_SERVER['PHP_SELF']); ?>">

Author:<br/>
<input type="text" name="author" value="<?php echo protect($row['author']); ?>" size="40" /><br/>

Title:<br/>
<input type="text" name="title" value="<?php echo protect($row['title']); ?>" size="40" /><br/>

Content:<br/>
<textarea name="content" rows="7" cols="50" ><?php echo protect($row['content']); ?></textarea><br/>

<br/>
<input type="submit" value="Send.!" />

</form>
<?php mysql_close($connect); ?>
</body>
</html>

Re: I can't update

Posted: Sun Mar 04, 2012 2:59 pm
by ipharaoh
Here is the security function I made to prevent SQL injection:
If there is something more I should include to prevent SQL injection, please guys inform me so I can add it to the function.
function protect($securing){
    $securing = mysql_real_escape_string($securing);
    $securing = strip_tags($securing);
    $securing = htmlentities($securing);
    return $securing;
    }

Re: I can't update

Posted: Mon Mar 05, 2012 10:54 pm
by jacek
Well it would work, but there are cases where you would want to insert html into the database or something that looks like a html tag at least. Then you would need a different function.

Instead of creating a function that is so generic it will never really be used, why not just make one that handles escaping and then use htmlentities where you need to?
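
Added example, not part of the thread or any poster's code: the separation described in the last reply, with bound parameters swapped in for an escaping function and HTML encoding applied only on output. It assumes PDO with an in-memory SQLite database so it runs offline; `update_news()` and `h()` are hypothetical helpers, the `tbl_news` columns follow the thread, and the sample request is constructed.

```php
<?php
// Added example. Assumption: PDO + in-memory SQLite stands in for the thread's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_news (id INTEGER PRIMARY KEY, author TEXT, title TEXT, content TEXT)');
$pdo->exec("INSERT INTO tbl_news VALUES (1, 'old author', 'old title', 'old content')");

// Storage layer (hypothetical helper): values travel as bound parameters, never as SQL text,
// and are stored exactly as typed. No HTML encoding happens here.
function update_news(PDO $pdo, int $id, string $author, string $title, string $content): int
{
    $stmt = $pdo->prepare(
        'UPDATE tbl_news SET author = :author, title = :title, content = :content WHERE id = :id'
    );
    $stmt->execute([':author' => $author, ':title' => $title, ':content' => $content, ':id' => $id]);
    return $stmt->rowCount();
}

// Output layer (hypothetical helper): encode at the moment a value is written into HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request standing in for $_GET and $_POST.
$get  = ['id' => '1'];
$post = [
    'author'  => "O'Brien",                      // the apostrophe would end a hand-built '...' literal
    'title'   => "Today's news",
    'content' => 'Use <b>bold</b> & "quotes"',
];

$id = filter_var($get['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    exit("Invalid id\n");
}
$changed = update_news($pdo, $id, $post['author'], $post['title'], $post['content']);

$select = $pdo->prepare('SELECT author, title, content FROM tbl_news WHERE id = :id');
$select->execute([':id' => $id]);
$row = $select->fetch(PDO::FETCH_ASSOC);

echo "rows changed: {$changed}\n";
echo "stored:       {$row['content']}\n";
echo "for HTML:     " . h($row['content']) . "\n";
// Encoding on save and again on display, the way protect() is called in the thread, double-encodes.
echo "double:       " . h(h($row['content'])) . "\n";
```

The `mysql_*` functions used throughout the thread were removed in PHP 7, so on current PHP the same pattern applies through PDO or mysqli prepared statements.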