Ask about a PHP problem here.
louiegiezer
Posts: 57 Joined: Fri Oct 21, 2011 11:31 am
by louiegiezer » Sun May 26, 2013 5:03 am
Hello Anyone...
I want to make sure this is a good way of updating the database...
Even though the function works... I'm looking for a good idea...
if($_POST['submitEditForm'])
{
$update = mysql_query("UPDATE resume SET name='$_POST[name]', age='$_POST[age]', sex='$_POST[sex]', mobile='$_POST[mobile]' WHERE id='$_POST[idnumber]'");
echo "Record has been changed";
}
echo"<form method='post' action=''>
<tr>
<td class='viewTable1'><center>Name</center></td>
<td class='viewTable1'><center>Age</center></td>
<td class='viewTable1'><center>Sex</center></td>
<td class='viewTable1'><center>Mobile</center></td>
<td class='viewTable1'><center>Action</center></td>
</tr>
";
$sel = mysql_query("SELECT * FROM resume ORDER BY name ASC");
while($data=mysql_fetch_array($sel))
{
echo "<tr>
<td ><center>$data[name]</center></td>
<td><center>$data[age]</center></td>
<td><center>$data[sex]</center></td>
<td><center>$data[mobile]</center></td>
<td><center><input type='submit' value='Update' name='updateButt$data[id]'></center></td>
</tr>";
}
echo "</table></form>";
echo "<br><BR>";
for($x=0;$x<=100;$x++)
{
if($_POST['updateButt'.$x])
{
$select = mysql_query("SELECT * FROM resume WHERE id=$x");
while($data=mysql_fetch_array($select))
{
echo "
<form name='myform' method='post' action='Edit.php'>
<table border=0 cellspacing=0 align='center' class='Addstyle'>
<tr><td align='right' class='viewTable5' colspan=2>
<div class='textfile'>Editing: <span class='underline'>$data[name]</span></div></td></tr>
<input size=20 type='hidden' value=$data[id] name='idnumber'>
<tr><td>Name: </td><td><input type='text' value='$data[name]' size=20 name='name'/></td></tr>
<tr><td>Age: </td><td><input type='text' value='$data[age]' size=20 name='age'/></td></tr>
<tr><td>Sex: </td><td><input type='text' value='$data[sex]' size=20 name='sex'/></td></tr>
<tr><td>Mobile: </td><td><input type='text' value='$data[mobile]' size=20 name='mobile'/></td></tr>
<tr><td colspan=2><input type='submit' value='Submit' name='submitEditForm'/></td></tr>
</table></form>
";
}
}
}
ExtremeGaming
Posts: 205 Joined: Mon Jul 09, 2012 11:13 pm
by ExtremeGaming » Sun May 26, 2013 2:50 pm
I'm not sure what the question is, but if you're using data straight from $_POST without filtering it, you're leaving yourself open to SQL injection. Also, just in case there ever is a SQL injection attack, you're going to want to output your data with htmlentities()
<?php while(!$succeed = try()); ?>
FrederickGeek8
Posts: 148 Joined: Wed Nov 30, 2011 10:31 pm
by FrederickGeek8 » Thu Jun 06, 2013 10:16 pm
ExtremeGaming wrote: I'm not sure what the question is, but if you're using data straight from $_POST without filtering it, you're leaving yourself open to SQL injection. Also, just in case there ever is a SQL injection attack, you're going to want to output your data with htmlentities()
To elaborate on this:
When adding something into the database you want to do something like
$query = mysql_real_escape_string(htmlentities($query));
If you are inserting something that should be an int (number), instead of using mysql_real_escape_string and htmlentities you can just use
$number = (int)$number;
So:
if($_POST['submitEditForm'])
{
$name = mysql_real_escape_string(htmlentities($_POST['name']));
$age = mysql_real_escape_string(htmlentities($_POST['age']));
$sex = mysql_real_escape_string(htmlentities($_POST['sex']));
$mobile = mysql_real_escape_string(htmlentities($_POST['mobile']));
$id = (int)$_POST['idnumber']; // the edit form posts the row id as 'idnumber'
$update = mysql_query("UPDATE resume SET name='{$name}', age='{$age}', sex='{$sex}', mobile='{$mobile}' WHERE id='{$id}'");
echo "Record has been changed";
}
echo"<form method='post' action=''>
<tr>
<td class='viewTable1'><center>Name</center></td>
<td class='viewTable1'><center>Age</center></td>
<td class='viewTable1'><center>Sex</center></td>
<td class='viewTable1'><center>Mobile</center></td>
<td class='viewTable1'><center>Action</center></td>
</tr>
";
$sel = mysql_query("SELECT * FROM resume ORDER BY name ASC");
while($data=mysql_fetch_array($sel))
{
echo "<tr>
<td ><center>$data[name]</center></td>
<td><center>$data[age]</center></td>
<td><center>$data[sex]</center></td>
<td><center>$data[mobile]</center></td>
<td><center><input type='submit' value='Update' name='updateButt$data[id]'></center></td>
</tr>";
}
echo "</table></form>";
echo "<br><BR>";
for($x=0;$x<=100;$x++)
{
if($_POST['updateButt'.$x])
{
$select = mysql_query("SELECT * FROM resume WHERE id=$x");
while($data=mysql_fetch_array($select))
{
echo "
<form name='myform' method='post' action='Edit.php'>
<table border=0 cellspacing=0 align='center' class='Addstyle'>
<tr><td align='right' class='viewTable5' colspan=2>
<div class='textfile'>Editing: <span class='underline'>$data[name]</span></div></td></tr>
<input size=20 type='hidden' value=$data[id] name='idnumber'>
<tr><td>Name: </td><td><input type='text' value='$data[name]' size=20 name='name'/></td></tr>
<tr><td>Age: </td><td><input type='text' value='$data[age]' size=20 name='age'/></td></tr>
<tr><td>Sex: </td><td><input type='text' value='$data[sex]' size=20 name='sex'/></td></tr>
<tr><td>Mobile: </td><td><input type='text' value='$data[mobile]' size=20 name='mobile'/></td></tr>
<tr><td colspan=2><input type='submit' value='Submit' name='submitEditForm'/></td></tr>
</table></form>
";
}
}
}
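The same UPDATE written as a parameterized statement, as an added example that is not part of any post in this thread: the values are bound separately from the SQL text, and the numeric fields are validated rather than cast. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL server (the mysql_* functions used above were removed in PHP 7.0), and updateResume() is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the MySQL server so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE resume (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, sex TEXT, mobile TEXT)');
$pdo->exec("INSERT INTO resume VALUES (1, 'Ann', 30, 'F', '555-0100'), (2, 'Bob', 41, 'M', '555-0101')");

// Hypothetical helper: applies one submitted edit form, returns rows changed.
function updateResume(PDO $pdo, array $post): int
{
    // Validate rather than cast: (int)'1abc' silently becomes 1, filter_var() returns false.
    $id  = filter_var($post['idnumber'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($id === false || $age === false) {
        throw new InvalidArgumentException('idnumber and age must be integers');
    }
    // Values travel separately from the SQL text, so a quote in them stays data.
    $stmt = $pdo->prepare('UPDATE resume SET name = :name, age = :age, sex = :sex, mobile = :mobile WHERE id = :id');
    $stmt->bindValue(':name', (string) ($post['name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':sex', (string) ($post['sex'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':mobile', (string) ($post['mobile'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed form submissions: one valid (name contains a quote), one with a non-integer id.
$ok  = ['idnumber' => '2', 'name' => "O'Brien", 'age' => '42', 'sex' => 'M', 'mobile' => '555-0199'];
$bad = ['idnumber' => '1abc', 'name' => 'x', 'age' => '20', 'sex' => 'F', 'mobile' => '555-0000'];

echo updateResume($pdo, $ok), " row updated\n";
try {
    updateResume($pdo, $bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
foreach ($pdo->query('SELECT id, name, age FROM resume ORDER BY id') as $r) {
    echo $r['id'], ' | ', $r['name'], ' | ', $r['age'], "\n";
}
```

The name is stored exactly as typed, with no HTML encoding at write time; encoding for HTML belongs where the value is printed.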
killfrog47
Posts: 106 Joined: Tue Mar 12, 2013 2:52 am
Location: Tempe, AZ
by killfrog47 » Sun Jun 09, 2013 4:38 am
louiegiezer wrote: Hello Anyone...
I want to make sure this is a good way of updating the database...
Even though the function works... I'm looking for a good idea...
if($_POST['submitEditForm'])
{
$update = mysql_query("UPDATE resume SET name='$_POST[name]', age='$_POST[age]', sex='$_POST[sex]', mobile='$_POST[mobile]' WHERE id='$_POST[idnumber]'");
echo "Record has been changed";
}
echo"<form method='post' action=''>
<tr>
<td class='viewTable1'><center>Name</center></td>
<td class='viewTable1'><center>Age</center></td>
<td class='viewTable1'><center>Sex</center></td>
<td class='viewTable1'><center>Mobile</center></td>
<td class='viewTable1'><center>Action</center></td>
</tr>
";
$sel = mysql_query("SELECT * FROM resume ORDER BY name ASC");
while($data=mysql_fetch_array($sel))
{
echo "<tr>
<td ><center>$data[name]</center></td>
<td><center>$data[age]</center></td>
<td><center>$data[sex]</center></td>
<td><center>$data[mobile]</center></td>
<td><center><input type='submit' value='Update' name='updateButt$data[id]'></center></td>
</tr>";
}
echo "</table></form>";
echo "<br><BR>";
for($x=0;$x<=100;$x++)
{
if($_POST['updateButt'.$x])
{
$select = mysql_query("SELECT * FROM resume WHERE id=$x");
while($data=mysql_fetch_array($select))
{
echo "
<form name='myform' method='post' action='Edit.php'>
<table border=0 cellspacing=0 align='center' class='Addstyle'>
<tr><td align='right' class='viewTable5' colspan=2>
<div class='textfile'>Editing: <span class='underline'>$data[name]</span></div></td></tr>
<input size=20 type='hidden' value=$data[id] name='idnumber'>
<tr><td>Name: </td><td><input type='text' value='$data[name]' size=20 name='name'/></td></tr>
<tr><td>Age: </td><td><input type='text' value='$data[age]' size=20 name='age'/></td></tr>
<tr><td>Sex: </td><td><input type='text' value='$data[sex]' size=20 name='sex'/></td></tr>
<tr><td>Mobile: </td><td><input type='text' value='$data[mobile]' size=20 name='mobile'/></td></tr>
<tr><td colspan=2><input type='submit' value='Submit' name='submitEditForm'/></td></tr>
</table></form>
";
}
}
}
Here is a nice little function I use to clean all my variables:
function clean($value) {
// If magic quotes not turned on add slashes.
if(!get_magic_quotes_gpc())
// Adds the slashes.
{ $value = addslashes($value); }
// Strip any tags from the value.
$value = strip_tags($value);
// Return the value out of the function.
return $value;
}
Then from there you can just do
$FormEdit = $_POST['submitEditForm'];
$FormEdit = clean($FormEdit);
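An added example, not part of any post in this thread: the edit form from the first post rebuilt so that every database value is HTML-encoded at the point of output. The form puts values inside single-quoted attributes (value='...'), and htmlentities() with its default flags before PHP 8.1 leaves single quotes unencoded, so ENT_QUOTES is passed explicitly. The helper names h() and renderEditForm() and the sample row are assumptions made for the example.

```php
<?php
// Added example, not code from the thread.
// Encode for HTML when printing; ENT_QUOTES also encodes ' which the
// thread's single-quoted attributes (value='...') depend on.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: builds the edit form for one row of the resume table.
function renderEditForm(array $row): string
{
    $fields = '';
    foreach (['name', 'age', 'sex', 'mobile'] as $col) {
        $fields .= sprintf(
            "<tr><td>%s: </td><td><input type='text' value='%s' size='20' name='%s'/></td></tr>\n",
            h(ucfirst($col)),
            h($row[$col]),
            h($col)
        );
    }
    // The hidden id is quoted and forced to an integer before printing.
    return "<form name='myform' method='post' action='Edit.php'>\n"
         . "<input type='hidden' value='" . h((int) $row['id']) . "' name='idnumber'>\n"
         . "<table>\n" . $fields
         . "<tr><td colspan='2'><input type='submit' value='Submit' name='submitEditForm'/></td></tr>\n"
         . "</table></form>\n";
}

// Constructed sample row: stored as typed, containing a quote and markup characters.
$row = ['id' => 7, 'name' => "O'Brien <b>", 'age' => 30, 'sex' => 'M', 'mobile' => '555-0100'];
echo renderEditForm($row);
```

Encoding at output keeps the stored value unmodified, so it can still be used correctly in non-HTML contexts and is not encoded twice when the form is redisplayed.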