update problem

[kproc]

below is the code for a obe of my pages.. I ',m having a hard time with the code that updates the status of an item .

the code will update the last entry but will not update other entries.

PHP Code:

 


PHP Code:

<?php
/* Check User Script */
session_start();  // Start Session
include ("../Connections/db.php");
$member_id =  $_SESSION['user_id'];
//check if user is already logged in
if (!isset($_SESSION['user_id'])){

$msg = 'You tryed to access a members only page. Login or become a registered member to access that page!';

header("Location: ../index.php?msg=".$msg); 
}
//get members ads
$get_ads = ("SELECT * FROM ads WHERE member_id = '$member_id'");

$query = mysql_query($get_ads);

//update status
if(isset($_POST['updateStatus'])){
$ad_id = $_POST['ad_id'];
$new_status = $_POST['updateStatus'];
mysql_query("UPDATE ads SET status = '$new_status', status_date = now() WHERE ad_id ='$ad_id' ");

header("Location: treasureList.php");
exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title></title>

<link rel="stylesheet" type="text/css" href="../design/niftyCorners.css" />
<link rel="stylesheet" type="text/css" href="../design/niftyPrint.css" media="print" />
<script type="text/javascript" src="../design/nifty.js"></script> 

<link href="../design/default.css" rel="stylesheet" type="text/css" />



</head>

<body>
<div id="outer">
<?php include('../design/banner.php'); ?>
    
  <div id="twoColumnRight">
  <form name="updateStatus" method="post" action="<?php echo $PHP_SELF; ?>">
    <table class="forms" style="width:99%;">
    
      <tr>
        <td colspan="7" class="header">Your Tresures For Sale / Wanted / Events </td>
      </tr>
      <tr>
        <td class="left" style="width:10%;">Image</td>
        <td class="center" style="width:30%;"><div align="center">View / Edit Item</div></td>
        <td class="center" style="width:20%;"><div align="center">Start Date </div></td>
        <td class="center" style="width:20%;"><div align="center">Days Left </div></td>
        <td class="right" style="width:10%;"><div align="center">Views</div></td>
        <td class="right" style="width:10%;"><div align="center">Status</div></td>
      </tr>
      
      <?php while($r = mysql_fetch_assoc($query)){ ?>
      <tr>
        <td class="left"><div align="center"><img src="../adImages/<?php echo $r['image']; ?>" / height="40" width="40"></div></td>
        <td class="bottom"><a href="editTreasure.php?id=<?php echo $r['ad_id']; ?>">
        <?php echo $r['title']; ?></a></td>
        
        <td class="bottom"><?php echo $r['ad_date']; ?></td>
        <td class="bottom" style="text-align:center">
        <?php $date_array = explode("-",$r['ad_date']);
        $add_date = mktime(0, 0, 0, $date_array[1], $date_array[2]+30, $date_array[0]);
        $end_date = date("y-m-d", $add_date);
         
        //end date
        
        
        $count_days = explode("-",$end_date);
        $month = $date_array[1];
        $day = $date_array[2];
        $year = $date_array[0];
        //dates remailing
        $keyMonth = $count_days[1];
        $keyDay = $count_days[2];
        $keyYear = $count_days[0];
        $hours_left = (mktime(0,0,0,$keyMonth,$keyDay,$keyYear) - time())/3600;
        $daysLeft = ceil($hours_left/24);
        $z = (string)$daysLeft;
        if ($z > 1) {
        
        print  $z;
        
        }else
        echo "<p>Listing has expired</p>";
        ?>        </td>
        <td class="bottom"><?php echo $r['views']; ?></td>
<td class="right">
<input name="ad_id" type="hidden" value="<?php echo $r['ad_id']; ?>" />


<select name="updateStatus" size="1" onchange="this.form.submit()">
<?php
foreach(array("","Open", "Sold") as $value)
{
  echo "<option";
  if($value == $r['status'])
  {
    echo " selected='selected'";
  }
  echo ">$value</option>\n";
}
?>
</select>

</td>
      </tr>
      <?php } ?>
      
    </table>
    </form>
  </div>
        <div id="twoColumnLeft">
        
            <?php include('../design/leftlinks.php'); ?>
        </div>
        <div id="footer">
        <?php include('../design/footer.php'); ?>
        </div>
</div>

</body>
</html>

[NightShift58]

Just to understand...

(1) Why are you assigning $member_id the value of $_SEESION['user_id'] before you check if $_SESSION['user_id'] exists? You should first test for existence, redirect if not and assign if it exists.

(2) Why are you perform the $get_ads query before the UPDATE. It isn't being used before the next IF, which may lead to a redirect.

(3) How many items is the UPDATE expected to update? More than one? If not, use LIMIT 1.

(4) Why aren't you checking the status of the query before you redirect. There might be an error that you'll never see...

Consider changing this part:

PHP Code:

<?php
/* Check User Script */
session_start();  // Start Session
include ("../Connections/db.php");
$member_id =  $_SESSION['user_id'];
//check if user is already logged in
if (!isset($_SESSION['user_id'])){
  $msg = 'You tryed to access a members only page. Login or become a registered member to access that page!';
  header("Location: ../index.php?msg=".$msg);
}
//get members ads
$get_ads = ("SELECT * FROM ads WHERE member_id = '$member_id'");
$query = mysql_query($get_ads) or die("SQL Error: $get_ads<br>" . mysql_error());

//update status
if(isset($_POST['updateStatus'])){
  $ad_id = $_POST['ad_id'];
  $new_status = $_POST['updateStatus'];
  mysql_query("UPDATE ads SET status = '$new_status', status_date = now() WHERE ad_id ='$ad_id' ");
  header("Location: treasureList.php");
  exit();
}

?>

to this:

PHP Code:

<?php
/* Check User Script */
session_start();  // Start Session
//check if user is already logged in
if (!isset($_SESSION['user_id'])){
  $msg = 'You tryed to access a members only page. Login or become a registered member to access that page!';
  header("Location: ../index.php?msg=".$msg);
}

include ("../Connections/db.php");

//update status
if(isset($_POST['updateStatus'])){
  $ad_id = $_POST['ad_id'];
  $new_status = $_POST['updateStatus'];
  $sql = "UPDATE ads SET status = '$new_status', status_date = now() WHERE ad_id ='$ad_id' LIMIT 1"
  mysql_query($sql)  or die("SQL Error: $sql<br>" . mysql_error());
  header("Location: treasureList.php");
  exit();
}

$member_id =  $_SESSION['user_id'];
//get members ads
$get_ads = ("SELECT * FROM ads WHERE member_id = '$member_id' LIMIT 1");
$query = mysql_query($get_ads) or die("SQL Error: $get_ads<br>" . mysql_error());
?>

[NightShift58]

I forgot to mention escaping your entries...

These two:

PHP Code:

$ad_id = $_POST['ad_id'];
$new_status = $_POST['updateStatus']; 


should be, at least:

PHP Code:

$ad_id = mysql_real_escape_string($_POST['ad_id']);
$new_status = mysql_real_escape_string($_POST['updateStatus']); 


[kproc]

thanks for the replay and the pointers

should I be using mysql_real_escape_string around all variables that send data to the data base.


also should I be using addslashes() when sending data to the data base and stripslashes() when calling the information

[NightShift58]

If your PHP version supports it: yes, usually*.
If not supported, try mysql_escape_string().
If your version doesn't support that either, then addslashes().

Whichever you use, use stripslashes() to get it back.

* Usually means anything that doesn't come from the DB itself and that you're not 100% sure about. If you manually assign: $id = 100; there's no need escaping that, obviously. But $id = $_POST['id']; absolutely should. If you're not sure, escape it...

[kproc]

does mysql_real_escape_string do the same thing as addslashes and strip slashes. I'm kinda confused this is new to mmy web hosting provider offers php 4 and 5 and uses mysql 5

thank you

[NightShift58]

If you have the option to go PHP5, it would've been better and we could have saved a lot of time on some of those subqueries we had to "fabricate"...

addslashes(), mysql_escape_string() and mysql_real_escape_string() essentially do the same thing - with subtle differences.

The first one works anywhere, anytime.

The second one works anywhere, anytime, starting with PHP 4.0.3.

The third one works anywhere, anywhere, AFTER you have connected to a database and starting with PHP 4.3.0.

The manual describes the difference between the last two:

This (mysql_escape_string()) function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

The order of preference, therefore, should be option 3,2,1.

stripslashes(), on the other hand, undoes whatever you did with either of these functions, so that you can deal with your data as it originally was before you stored it in the table.

There's a catch somewhere, though. If you server is configured to automatically escape GPC (GET-POST-COOKIE) variables, before you can apply any of the three "slashing" functions, you may have to strip the slashes and then add slashes. It may not make sense but "magic" quoting that takes places is different than what you need for a database. So, there's no safe remedy other than strip and add slashes. Here's one way to do it:

PHP Code:

<?php
if (get_magic_quotes_gpc()) {
   $updateStatus = stripslashes($_POST['updateStatus']);
} else {
   $updateStatus = $_POST['updateStatus'];
}
$updateStatus = mysql_real_escape_string($updateStatus);
?>

Most people end up writing a function to do that, for example:

PHP Code:

<?php
function escapeSQL($pVARNAME) {
  $returnVAR = "";
  if (get_magic_quotes_gpc()) {
     $returnVAR = stripslashes($_POST[$pVARNAME]);
  } else {
     $returnVAR = $_POST[$pVARNAME];
  }
  if (function_exists('mysql_real_escape_string') AND mysql_ping()) {
    $returnVAR = mysql_real_escape_string($returnVAR);
  } elseif (function_exists('mysql_escape_string')) {
    $returnVAR = mysql_escape_string($returnVAR);
  } else {
    $returnVAR = addslashes($returnVAR);
  }
  return $returnVAR:
}
?>

The use of "mysql_ping()" is certainly overkill but I included it to underline the fact that a database is required for mysql_real_escape_string() to work.

Reference list (in order of appearance):
get_magic_quotes_gpc()
stripslashes()
function_exists()
mysql_real_escape_string()
mysql_escape_string()
addslashes()

[kproc]

thanks for the info, I'm switching web hosting providers which offers the newer versions of mysql and php for the reason that you and the others give me uses functionality greater then my current web hosting company.