www.webdeveloper.com

Thread: update problem

  1. #1 | Join Date: Mar 2006 | Location: Canada | Posts: 1,197

    update problem

    Below is the code for one of my pages. I'm having a hard time with the code that updates the status of an item.

    The code will update the last entry but will not update other entries.

    PHP Code:
    <?php
    /* Check User Script */
    session_start();  // Start Session
    include ("../Connections/db.php");
    $member_id = $_SESSION['user_id'];
    //check if user is already logged in
    if (!isset($_SESSION['user_id'])) {
        $msg = 'You tried to access a members only page. Login or become a registered member to access that page!';
        header("Location: ../index.php?msg=" . $msg);
        exit(); // stop here, or the rest of the page still runs for an anonymous visitor
    }
    //get members ads
    $get_ads = ("SELECT * FROM ads WHERE member_id = '$member_id'");
    $query = mysql_query($get_ads);

    //update status
    if (isset($_POST['updateStatus'])) {
        $ad_id = $_POST['ad_id'];
        $new_status = $_POST['updateStatus'];
        mysql_query("UPDATE ads SET status = '$new_status', status_date = now() WHERE ad_id = '$ad_id' ");
        header("Location: treasureList.php");
        exit();
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    <title></title>

    <link rel="stylesheet" type="text/css" href="../design/niftyCorners.css" />
    <link rel="stylesheet" type="text/css" href="../design/niftyPrint.css" media="print" />
    <script type="text/javascript" src="../design/nifty.js"></script>

    <link href="../design/default.css" rel="stylesheet" type="text/css" />
    </head>

    <body>
    <div id="outer">
    <?php include('../design/banner.php'); ?>

      <div id="twoColumnRight">
      <!-- $PHP_SELF only exists with register_globals; use $_SERVER and escape it for HTML -->
      <form name="updateStatus" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
        <table class="forms" style="width:99%;">

          <tr>
            <td colspan="7" class="header">Your Treasures For Sale / Wanted / Events </td>
          </tr>
          <tr>
            <td class="left" style="width:10%;">Image</td>
            <td class="center" style="width:30%;"><div align="center">View / Edit Item</div></td>
            <td class="center" style="width:20%;"><div align="center">Start Date </div></td>
            <td class="center" style="width:20%;"><div align="center">Days Left </div></td>
            <td class="right" style="width:10%;"><div align="center">Views</div></td>
            <td class="right" style="width:10%;"><div align="center">Status</div></td>
          </tr>

          <?php while ($r = mysql_fetch_assoc($query)) { ?>
          <tr>
            <td class="left"><div align="center"><img src="../adImages/<?php echo htmlspecialchars($r['image']); ?>" height="40" width="40" /></div></td>
            <td class="bottom"><a href="editTreasure.php?id=<?php echo (int)$r['ad_id']; ?>">
            <?php echo htmlspecialchars($r['title']); ?></a></td>

            <td class="bottom"><?php echo $r['ad_date']; ?></td>
            <td class="bottom" style="text-align:center">
            <?php
            $date_array = explode("-", $r['ad_date']);
            // listing runs 30 days from the start date
            $add_date = mktime(0, 0, 0, $date_array[1], $date_array[2] + 30, $date_array[0]);
            $end_date = date("y-m-d", $add_date);
            //end date
            $count_days = explode("-", $end_date);
            $month = $date_array[1];
            $day = $date_array[2];
            $year = $date_array[0];
            //days remaining
            $keyMonth = $count_days[1];
            $keyDay = $count_days[2];
            $keyYear = $count_days[0];
            $hours_left = (mktime(0, 0, 0, $keyMonth, $keyDay, $keyYear) - time()) / 3600;
            $daysLeft = ceil($hours_left / 24);
            $z = (string)$daysLeft;
            if ($z > 1) {
                print $z;
            } else {
                echo "<p>Listing has expired</p>";
            }
            ?>
            </td>
            <td class="bottom"><?php echo $r['views']; ?></td>
            <td class="right">
            <input name="ad_id" type="hidden" value="<?php echo $r['ad_id']; ?>" />

            <select name="updateStatus" size="1" onchange="this.form.submit()">
            <?php
            foreach (array("", "Open", "Sold") as $value) {
                echo "<option";
                if ($value == $r['status']) {
                    echo " selected='selected'";
                }
                echo ">$value</option>\n";
            }
            ?>
            </select>

            </td>
          </tr>
          <?php } ?>

        </table>
        </form>
      </div>
            <div id="twoColumnLeft">

                <?php include('../design/leftlinks.php'); ?>
            </div>
            <div id="footer">
            <?php include('../design/footer.php'); ?>
            </div>
    </div>

    </body>
    </html>
    Kevin
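    Added editor's example, not code from the thread: the behaviour described above (only the last entry updates) follows from the page's form layout. Every row adds a hidden field named ad_id inside one shared form, and PHP keeps only the last value it parses for a repeated field name, so whichever row's select fires this.form.submit(), $_POST['ad_id'] is always the last row's id. The snippet below renders one form per row instead, escapes every value that goes into the HTML, and computes days left with DateTime rather than the mktime()/date() round trip. It assumes the ads columns the posted page uses (ad_id, title, image, ad_date, views, status), a 30-day listing period as in the posted arithmetic, and runs on constructed sample rows rather than a database result.

```php
<?php
// Added editor's example, not code from the thread. Renders the status table
// with one <form> per row so each submit carries that row's own ad_id.
// Column names (ad_id, title, image, ad_date, views, status) are the ones the
// posted page uses; the rows at the bottom are constructed sample data.

const LISTING_DAYS = 30;   // assumption: a listing runs 30 days, as in the posted mktime() arithmetic
const STATUS_OPTIONS = array('', 'Open', 'Sold');   // the values the posted <select> offers

/* Days left before an ad expires: start date + LISTING_DAYS, measured in whole days from $today. */
function daysLeft(string $adDate, string $today): int
{
    $end = (new DateTime($adDate))->modify('+' . LISTING_DAYS . ' days');
    $now = new DateTime($today);
    $diff = $now->diff($end);                       // DateInterval; ->days is the absolute day count
    return $diff->invert ? -$diff->days : $diff->days;
}

/* Escape everything that goes into HTML, so a title or filename cannot inject markup. */
function h($s): string
{
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

/* One <tr> holding its own <form>, so $_POST['ad_id'] is unambiguous on submit. */
function renderRow(array $ad, string $today): string
{
    $left = daysLeft($ad['ad_date'], $today);
    $leftCell = $left > 0 ? (string)$left : '<p>Listing has expired</p>';

    $options = '';
    foreach (STATUS_OPTIONS as $value) {
        $sel = ($value === $ad['status']) ? " selected='selected'" : '';
        $options .= "        <option{$sel}>" . h($value) . "</option>\n";
    }

    return "<tr>\n"
        . "  <td class=\"left\"><img src=\"../adImages/" . h($ad['image']) . "\" height=\"40\" width=\"40\" /></td>\n"
        . "  <td class=\"bottom\"><a href=\"editTreasure.php?id=" . (int)$ad['ad_id'] . "\">" . h($ad['title']) . "</a></td>\n"
        . "  <td class=\"bottom\">" . h($ad['ad_date']) . "</td>\n"
        . "  <td class=\"bottom\" style=\"text-align:center\">{$leftCell}</td>\n"
        . "  <td class=\"bottom\">" . (int)$ad['views'] . "</td>\n"
        . "  <td class=\"right\">\n"
        . "    <form method=\"post\" action=\"treasureList.php\">\n"
        . "      <input name=\"ad_id\" type=\"hidden\" value=\"" . (int)$ad['ad_id'] . "\" />\n"
        . "      <select name=\"updateStatus\" size=\"1\" onchange=\"this.form.submit()\">\n"
        . $options
        . "      </select>\n"
        . "    </form>\n"
        . "  </td>\n"
        . "</tr>\n";
}

// Constructed sample rows standing in for mysql_fetch_assoc() results.
$sampleAds = array(
    array('ad_id' => 7, 'title' => 'Antique <b>lamp</b>', 'image' => 'lamp.jpg', 'ad_date' => '2024-03-01', 'views' => 12, 'status' => 'Open'),
    array('ad_id' => 9, 'title' => 'Garage sale',        'image' => 'sale.jpg', 'ad_date' => '2024-03-20', 'views' => 3,  'status' => 'Sold'),
);
$today = '2024-03-25';   // fixed "today" so the rendered output is reproducible

foreach ($sampleAds as $ad) {
    echo renderRow($ad, $today);
}
```

    The handler on the receiving side is unchanged by this: it still reads $_POST['ad_id'] and $_POST['updateStatus'], but now each of those comes from the row whose select was changed. Note that the first sample title contains markup; h() turns it into literal text in the rendered table.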

  2. #2 | Join Date: Dec 2006 | Location: Escazú (Costa Rica) and Mallorca (Spain) | Posts: 3,234
    Just to understand...

    (1) Why are you assigning $member_id the value of $_SESSION['user_id'] before you check if $_SESSION['user_id'] exists? You should first test for existence, redirect if not, and assign if it exists.

    (2) Why are you performing the $get_ads query before the UPDATE? It isn't being used before the next IF, which may lead to a redirect.

    (3) How many items is the UPDATE expected to update? More than one? If not, use LIMIT 1.

    (4) Why aren't you checking the status of the query before you redirect? There might be an error that you'll never see...

    Consider changing this part:
    PHP Code:
    <?php
    /* Check User Script */
    session_start();  // Start Session
    include ("../Connections/db.php");
    $member_id = $_SESSION['user_id'];
    //check if user is already logged in
    if (!isset($_SESSION['user_id'])) {
        $msg = 'You tried to access a members only page. Login or become a registered member to access that page!';
        header("Location: ../index.php?msg=" . $msg);
        exit();
    }
    //get members ads
    $get_ads = ("SELECT * FROM ads WHERE member_id = '$member_id'");
    $query = mysql_query($get_ads) or die("SQL Error: $get_ads<br>" . mysql_error());

    //update status
    if (isset($_POST['updateStatus'])) {
        $ad_id = $_POST['ad_id'];
        $new_status = $_POST['updateStatus'];
        mysql_query("UPDATE ads SET status = '$new_status', status_date = now() WHERE ad_id = '$ad_id' ");
        header("Location: treasureList.php");
        exit();
    }
    ?>
    to this:
    PHP Code:
    <?php
    /* Check User Script */
    session_start();  // Start Session
    //check if user is already logged in
    if (!isset($_SESSION['user_id'])) {
        $msg = 'You tried to access a members only page. Login or become a registered member to access that page!';
        header("Location: ../index.php?msg=" . $msg);
        exit();
    }

    include ("../Connections/db.php");

    //update status
    if (isset($_POST['updateStatus'])) {
        $ad_id = $_POST['ad_id'];
        $new_status = $_POST['updateStatus'];
        $sql = "UPDATE ads SET status = '$new_status', status_date = now() WHERE ad_id = '$ad_id' LIMIT 1";
        mysql_query($sql) or die("SQL Error: $sql<br>" . mysql_error());
        header("Location: treasureList.php");
        exit();
    }

    $member_id = $_SESSION['user_id'];
    //get members ads
    $get_ads = ("SELECT * FROM ads WHERE member_id = '$member_id'");
    $query = mysql_query($get_ads) or die("SQL Error: $get_ads<br>" . mysql_error());
    ?>

  3. #3 | Join Date: Dec 2006 | Location: Escazú (Costa Rica) and Mallorca (Spain) | Posts: 3,234
    I forgot to mention escaping your entries...

    These two:
    PHP Code:
    $ad_id = $_POST['ad_id'];
    $new_status = $_POST['updateStatus'];
    should be, at least:
    PHP Code:
    $ad_id = mysql_real_escape_string($_POST['ad_id']);
    $new_status = mysql_real_escape_string($_POST['updateStatus']);

  4. #4 | Join Date: Mar 2006 | Location: Canada | Posts: 1,197
    Thanks for the reply and the pointers.

    Should I be using mysql_real_escape_string() around all variables that send data to the database?

    Also, should I be using addslashes() when sending data to the database and stripslashes() when calling the information?
    Kevin

  5. #5 | Join Date: Dec 2006 | Location: Escazú (Costa Rica) and Mallorca (Spain) | Posts: 3,234
    If your PHP version supports it: yes, usually*.
    If not supported, try mysql_escape_string().
    If your version doesn't support that either, then addslashes().

    Whichever you use, use stripslashes() to get it back.

    * Usually means anything that doesn't come from the DB itself and that you're not 100% sure about. If you manually assign $id = 100; there's no need to escape that, obviously. But $id = $_POST['id']; absolutely should be. If you're not sure, escape it...

  6. #6 | Join Date: Mar 2006 | Location: Canada | Posts: 1,197
    Does mysql_real_escape_string do the same thing as addslashes and stripslashes? I'm kinda confused; this is new to me. My web hosting provider offers PHP 4 and 5 and uses MySQL 5.

    thank you
    Kevin

  7. #7 | Join Date: Dec 2006 | Location: Escazú (Costa Rica) and Mallorca (Spain) | Posts: 3,234
    If you have the option to go PHP5, it would've been better and we could have saved a lot of time on some of those subqueries we had to "fabricate"...

    addslashes(), mysql_escape_string() and mysql_real_escape_string() essentially do the same thing - with subtle differences.

    The first one works anywhere, anytime.

    The second one works anywhere, anytime, starting with PHP 4.0.3.

    The third one works anywhere, anytime, AFTER you have connected to a database and starting with PHP 4.3.0.

    The manual describes the difference between the last two:
    Quote Originally Posted by PHP Manual
    This (mysql_escape_string()) function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.
    The order of preference, therefore, should be option 3,2,1.

    stripslashes(), on the other hand, undoes whatever you did with either of these functions, so that you can deal with your data as it originally was before you stored it in the table.

    There's a catch somewhere, though. If your server is configured to automatically escape GPC (GET-POST-COOKIE) variables, before you can apply any of the three "slashing" functions, you may have to strip the slashes and then add slashes. It may not make sense, but the "magic" quoting that takes place is different from what you need for a database. So, there's no safe remedy other than strip and add slashes. Here's one way to do it:
    PHP Code:
    <?php
    if (get_magic_quotes_gpc()) {
        $updateStatus = stripslashes($_POST['updateStatus']);
    } else {
        $updateStatus = $_POST['updateStatus'];
    }
    $updateStatus = mysql_real_escape_string($updateStatus);
    ?>
    Most people end up writing a function to do that, for example:
    PHP Code:
    <?php
    function escapeSQL($pVARNAME) {
        $returnVAR = "";
        // undo magic quotes first, so the value is escaped exactly once
        if (get_magic_quotes_gpc()) {
            $returnVAR = stripslashes($_POST[$pVARNAME]);
        } else {
            $returnVAR = $_POST[$pVARNAME];
        }
        // prefer the connection-aware escape; fall back to the older functions
        if (function_exists('mysql_real_escape_string') AND mysql_ping()) {
            $returnVAR = mysql_real_escape_string($returnVAR);
        } elseif (function_exists('mysql_escape_string')) {
            $returnVAR = mysql_escape_string($returnVAR);
        } else {
            $returnVAR = addslashes($returnVAR);
        }
        return $returnVAR;
    }
    ?>
    The use of "mysql_ping()" is certainly overkill but I included it to underline the fact that a database is required for mysql_real_escape_string() to work.

    Reference list (in order of appearance):
    get_magic_quotes_gpc()
    stripslashes()
    function_exists()
    mysql_real_escape_string()
    mysql_escape_string()
    addslashes()
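    Added editor's example, not code from the thread, covering the escaping advice in #3 and the magic-quotes helper in #7 together. Escaping with mysql_real_escape_string() only protects a value that is then placed between quotes in the SQL text, and the whole mysql_* extension was removed in PHP 7.0 (get_magic_quotes_gpc() followed in PHP 8.0). The equivalent with a prepared statement keeps the values out of the SQL text entirely, so neither quoting nor the connection charset can change the query's shape. The snippet assumes that db.php now creates a mysqli object in $db (an assumption, not what the thread's db.php does), the ads columns used in the thread (ad_id, member_id, status, status_date), the LIMIT 1 from #2, and the three values the posted <select> offers as the only statuses accepted. It also checks ownership in the WHERE clause, since the posted UPDATE matched on ad_id alone.

```php
<?php
// Added editor's example, not code from the thread. Replaces the
// escape-then-interpolate pattern (mysql_real_escape_string / addslashes /
// magic quotes) with a mysqli prepared statement. Assumptions: db.php creates
// a mysqli object in $db; the ads table has the columns used in the thread
// (ad_id, member_id, status, status_date).

const ALLOWED_STATUS = array('', 'Open', 'Sold');   // the values the posted <select> offers

/**
 * Validate the two POST fields before they go anywhere near SQL.
 * Returns array('ad_id' => int, 'status' => string), or null when invalid.
 * Magic quotes, where a legacy host still adds them, are undone first; the
 * function no longer exists in PHP 8, hence the function_exists() guard.
 */
function validateStatusUpdate(array $post): ?array
{
    if (!isset($post['ad_id'], $post['updateStatus'])) {
        return null;
    }
    $adId = $post['ad_id'];
    $status = $post['updateStatus'];
    if (!is_string($adId) || !is_string($status)) {     // reject ad_id[]=... style input
        return null;
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $adId = stripslashes($adId);
        $status = stripslashes($status);
    }
    if ($adId === '' || !ctype_digit($adId)) {          // ad_id must be a plain non-negative integer
        return null;
    }
    if (!in_array($status, ALLOWED_STATUS, true)) {     // strict comparison: no type juggling
        return null;
    }
    return array('ad_id' => (int)$adId, 'status' => $status);
}

/**
 * Run the UPDATE as a prepared statement. Values travel separately from the
 * SQL text. The WHERE clause also pins member_id, so a member can only change
 * rows they own; affected_rows tells the caller whether anything matched.
 */
function updateAdStatus(mysqli $db, int $memberId, int $adId, string $status): int
{
    $sql = 'UPDATE ads SET status = ?, status_date = NOW() '
         . 'WHERE ad_id = ? AND member_id = ? LIMIT 1';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sii', $status, $adId, $memberId);
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs that exercise the validator without a database.
    var_dump(validateStatusUpdate(array('ad_id' => '42', 'updateStatus' => 'Sold')));    // well-formed
    var_dump(validateStatusUpdate(array('ad_id' => "42'", 'updateStatus' => 'Sold')));   // stray quote in id
    var_dump(validateStatusUpdate(array('ad_id' => '42', 'updateStatus' => 'Deleted'))); // value the form never offers
    exit();
}

// Page flow, in the order #2 settles on: session check first, then the database.
session_start();
if (!isset($_SESSION['user_id'])) {
    header('Location: ../index.php?msg=' . urlencode('Login or become a registered member to access that page!'));
    exit();
}
if (isset($_POST['updateStatus'])) {
    $input = validateStatusUpdate($_POST);
    if ($input === null) {
        http_response_code(400);
        exit('Invalid status update');
    }
    include '../Connections/db.php';   // assumed to define $db as a mysqli instance
    $changed = updateAdStatus($db, (int)$_SESSION['user_id'], $input['ad_id'], $input['status']);
    if ($changed === 0) {
        // no ad with that id belongs to this member, or the status was already set; record it instead of redirecting silently
        error_log('status update matched no owned row: ad_id=' . $input['ad_id']);
    }
    header('Location: treasureList.php');
    exit();
}
```

    Two points worth noting from the design. The status is checked against a fixed list rather than escaped, because the form only ever offers those three values, and anything else is a tampered request rather than data to be stored. And affected_rows of 0 is logged rather than ignored, which answers #2's point (4) about errors that would otherwise never be seen; MySQL reports 0 both when no row matched and when the row already held that status, so the log line is a signal to look at, not proof of tampering.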

  8. #8 | Join Date: Mar 2006 | Location: Canada | Posts: 1,197
    Thanks for the info. I'm switching to a web hosting provider that offers the newer versions of MySQL and PHP, for the reason you and the others gave me: it offers greater functionality than my current web hosting company.
    Kevin
