Update Mysql Record, Please Help.

I want to update MySQL records with a basic form using OOP PHP.

I'm doing it in the following way, but I want to do it with a function, so that I don't. Please, anybody, help me: how can I do that?

Thanks everybody.

```php
<?php
if ($_POST[submit]) {
    $title = $_POST['title'];
    $body  = $_POST['body'];
    $result = mysql_query("UPDATE blog SET title='$title', body='$body' WHERE id='$postid' ") or die (mysql_error());
    echo "<b>Thank you! News UPDATED Successfully!</b><br>";
}
?>
<?php
$result = mysql_query("SELECT * FROM blog WHERE id='$postid' ") or die (mysql_error());
while ($myrow = mysql_fetch_assoc($result)) {
    $title = $myrow["title"];
    $body  = $myrow["body"];
?>
<br><h3>::Edit News</h3>
<form method="post">
Title: <input name="title" size="40" maxlength="255" value="<?php echo $title; ?>"><br>
Text1: <textarea name="body" rows="7" cols="30"><?php echo $body; ?></textarea><br>
<input type="submit" name="submit" value="Submit">
</form>
<?php } // closes the while loop, which the posted snippet cut off ?>
```

<input type="submit" name="submit" value="Submit">

This is known as the "redux" method to allow a form and its handling to be performed all on one page. The $_POST['submit'] is obtained only if the form has been submitted by pressing the Submit button on the form. The "hidden" input is added to the POST array and checked at the top of the page to see if the first section of code needs to be handled; otherwise, the form is presented for submission.
And if the form has been submitted, after handling the submission, the form is re-displayed.

As for handling this by way of a function, the use of a function may not be the best way to handle this event. Functions are best suited for reusable code. I don't see much advantage to using a function here. But I might be wrong.

Place single quotes around the value inside the square brackets, too.

Place single quotes around the value inside the square brackets, too.

Single quotes or double quotes. It shouldn't matter. You just want to let PHP know that the array indices that you are attempting to retrieve are in string format.

You might want to add anti-MySQL-injection in there, but only if this web page is viewable by the public. If it's just you, then you don't have to do that.

I whipped this up for you.

```php
<?php
function anti_injection($sql) {
    // removes words that contain sql syntax
    $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
    $sql = trim($sql);       // strip whitespace
    $sql = strip_tags($sql); // strip HTML and PHP tags
    $sql = addslashes($sql); // quote string with slashes
    return $sql;
}

if ($_POST[submit]) {
    $title = anti_injection($_POST['title']);
    $body  = anti_injection($_POST['body']);
    $result = mysql_query("UPDATE blog SET title='$title', body='$body' WHERE id='$postid' ") or die (mysql_error());
    echo "<b>Thank you! News UPDATED Successfully!</b><br>";
}
?>
<?php
$result = mysql_query("SELECT * FROM blog WHERE id='$postid' ") or die (mysql_error());
while ($myrow = mysql_fetch_assoc($result)) {
    $title = $myrow["title"];
    $body  = $myrow["body"];
?>
<br><h3>::Edit News</h3>
<form method="post">
Title: <input name="title" size="40" maxlength="255" value="<?php echo $title; ?>"><br>
Text1: <textarea name="body" rows="7" cols="30"><?php echo $body; ?></textarea><br>
<input type="submit" name="submit" value="Submit">
</form>
<?php } // closes the while loop, which the posted snippet cut off ?>
```

Edited by Antv912 (see edit history)
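As an added check, not code from the thread: the blacklist filter above re-implemented with preg_replace's `/i` flag (sql_regcase() no longer exists in PHP 7) and run over three constructed inputs. The point a reviewer would want to see is that a single-pass keyword removal both damages ordinary text and can be undone by nesting a keyword inside itself, so the quoting step at the end is doing all the real work.

```php
<?php
// Added example, not code from the thread. The blacklist filter posted above,
// rewritten with preg_replace's /i flag because sql_regcase() was removed in
// PHP 7, then probed with three constructed inputs.
function anti_injection_blacklist($sql)
{
    // Single pass: each keyword is removed once, left to right.
    $sql = preg_replace('/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i', '', $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    return addslashes($sql);
}

// Returns [input => filtered] so the effect can be inspected or asserted on.
function probe_filter()
{
    $inputs = [
        'A post about the SELECT statement',  // legitimate text loses the word SELECT
        'selselectect * frfromom users',      // removing the inner keyword leaves the outer one intact
        "' OR 1=1 -- ",                       // the comment marker is removed, the quote is backslashed
    ];
    $out = [];
    foreach ($inputs as $in) {
        $out[$in] = anti_injection_blacklist($in);
    }
    return $out;
}

foreach (probe_filter() as $in => $filtered) {
    printf("%-36s -> %s\n", $in, $filtered);
}
```

The second probe is the one to note: "selselectect" becomes "select" and "frfromom" becomes "from" after one removal pass, so the words the filter is meant to strip are reassembled by the filter itself. Only the addslashes() call at the end, which has the charset caveat raised in the next reply, stands between that input and the query.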

You might want to add anti-MySQL-injection in there, but only if this web page is viewable by the public. If it's just you, then you don't have to do that.
I whipped this up for you.

Using addslashes is usually not the best method. From what I've heard, it is possible to use certain multi-byte character sets that could cause the added backslash to go in the wrong place and not actually escape the quote. Also, removing common words that are SQL commands will affect posts that contain those words even if it isn't an injection attempt; for example, it would be quite difficult to write a post about SQL :P

The best method is to use mysql_real_escape_string($string). This does not have the vulnerabilities of addslashes.

Using $_POST[submit] shouldn't work, unless for some reason submit is defined by PHP to be the string 'submit', which it isn't. You would need to use $_POST['submit'] (or alternatively with double quotes, but single quotes are probably better).

Correct me if I'm wrong, but doesn't PHP 5 block SQL injection attacks automatically? As long as you put quotes around it in your query, I think PHP automatically adds slashes to posted input.

Edited by galexcd (see edit history)

Correct me if I'm wrong, but doesn't PHP 5 block SQL injection attacks automatically? As long as you put quotes around it in your query, I think PHP automatically adds slashes to posted input.

I think you're thinking about magic_quotes_gpc, which is removed from PHP 6 as stated on the linked page. This (as well as addslashes) has the vulnerabilities of SQL injection with certain multi-byte character sets; an example can be found here (this is from three years ago, but I couldn't find anything about it being fixed...). And so, it is always best to use mysql_real_escape_string, and you should stripslashes if magic_quotes_gpc is on (you can check by using get_magic_quotes_gpc()).
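As an added example that is not code from the thread: the edit page from the first post rewritten so that the load and update steps live in a small class (the function/OOP the original poster asked for), and so that the points raised in the replies are handled in one place. It uses mysqli prepared statements instead of building the SQL string, so no escaping function is needed for the values at all; the connection charset is set through the client library with set_charset(), which is the same call mysqli_real_escape_string() depends on if one stays with escaping, and is what closes the multi-byte gap discussed above; slashes are stripped when magic_quotes_gpc is on; and the values are passed through htmlspecialchars() on the way back into the form, since the original echoes them raw. Assumed, and not on the page: the connection parameters, that the post id arrives in the query string as `id`, and that `id` is an integer column.

```php
<?php
// Added example, not code from the thread. Assumed: a "blog" table with
// integer id and string title/body columns, and the connection details below.

class BlogPost
{
    private $db;

    public function __construct(mysqli $db)
    {
        // Set the charset through the client library, not with a "SET NAMES"
        // query, so the library's idea of the encoding matches the server's.
        // This is the multi-byte caveat from the replies above.
        if (!$db->set_charset('utf8mb4')) {
            throw new RuntimeException('set_charset failed: ' . $db->error);
        }
        $this->db = $db;
    }

    // Undo magic_quotes_gpc if it is on (removed in PHP 8, hence the guard),
    // so values are stored as typed and not double-escaped.
    public static function raw($value)
    {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            return stripslashes($value);
        }
        return $value;
    }

    // The reusable update the original poster asked for. Values are bound,
    // never concatenated into the SQL text; id is bound as an integer.
    public function update($id, $title, $body)
    {
        $stmt = $this->db->prepare('UPDATE blog SET title = ?, body = ? WHERE id = ?');
        if ($stmt === false) {
            throw new RuntimeException($this->db->error);
        }
        $stmt->bind_param('ssi', $title, $body, $id);
        if (!$stmt->execute()) {
            throw new RuntimeException($stmt->error);
        }
        $affected = $stmt->affected_rows;
        $stmt->close();
        return $affected;
    }

    public function load($id)
    {
        $stmt = $this->db->prepare('SELECT title, body FROM blog WHERE id = ?');
        if ($stmt === false) {
            throw new RuntimeException($this->db->error);
        }
        $stmt->bind_param('i', $id);
        if (!$stmt->execute()) {
            throw new RuntimeException($stmt->error);
        }
        $stmt->bind_result($title, $body);
        $row = $stmt->fetch() ? ['title' => $title, 'body' => $body] : null;
        $stmt->close();
        return $row;
    }
}

// Same-page form handling, as in the first post, with the work moved into the class.
$db = new mysqli('localhost', 'user', 'password', 'dbname');   // assumed credentials
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$post   = new BlogPost($db);
$postid = (int) ($_GET['id'] ?? 0);   // assumed: the post id comes from the query string

if (isset($_POST['submit'])) {
    $post->update($postid, BlogPost::raw($_POST['title']), BlogPost::raw($_POST['body']));
    echo '<b>Thank you! News UPDATED Successfully!</b><br>';
}

$row = $post->load($postid);
if ($row !== null) {
    // Escape on output as well: a stored title containing <script> would
    // otherwise run in the editor's browser, whatever the SQL side does.
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    $body  = htmlspecialchars($row['body'],  ENT_QUOTES, 'UTF-8');
    echo '<br><h3>::Edit News</h3>';
    echo '<form method="post">';
    echo 'Title: <input name="title" size="40" maxlength="255" value="' . $title . '"><br>';
    echo 'Text1: <textarea name="body" rows="7" cols="30">' . $body . '</textarea><br>';
    echo '<input type="submit" name="submit" value="Submit">';
    echo '</form>';
}
```

If the code must stay on the old mysql_* extension, the equivalent of the set_charset() call is mysql_set_charset() on the link before mysql_real_escape_string() is used; without it the escaping function does not know which bytes can start a multi-byte sequence, which is the gap described in the replies.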
