
Form updating database


SiKing

Hopefully, this is the last of my problems as the site is more-or-less done. However, I am completely clueless as to what is happening.

The scenario: I have a form which the user fills out and the input then overwrites the previous data in the database using the MySQL statement 'UPDATE'. (it's a profile website) This all works fine and the database is updated but there are a few problems:

1: The row in the database table has a tendency to delete all of the data inside it.
2: I am unsure how to let the user know that the update was successful.
3: The link to the page ends with editprofile.php?id=1, so if the user is clever enough, they can change the id to another number and edit somebody else's profile.

The code: http://www.darkfx.co.uk/studios/editprofile.php.txt




There are a few more problems but I will have to figure out the solutions.
 
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
Answer to #2:

$result = mysql_query($sql); // $sql holds your UPDATE statement

if (!$result) {
    echo("Error with update.");
    exit;
}

Answer to #3: Send the ID through a POST variable. If that's not possible, then compare their login to whose profile they are editing, probably via a cookie variable.
 
•••
1) Make sure the values are coming through properly. What I usually do if SQL is not doing what I expect it to, is to just echo it to the screen:

echo "sql: $sql";

If you are trying to "UPDATE", and the fields are "deleted", chances are the values you are using to update are blank.

2) I check for errors this way:

$sql = "sql here";
mysql_query($sql) or die ("Error updating database" . mysql_error());

3) You need to make a login section and store the login as either a cookie or a session variable. If you do it your way, your entire database is open to 'hacking'. I don't advocate CompuXP's method because it can still be 'hacked' by making a form on another site, while still posting to YOUR site.

Happy coding.

-Bob
 
•••
Have the id in the session for that user (and don't use cookies for it). And have the script retrieve the id in the session and put it in the SQL statement.

Remember: NEVER trust any input from a user. ALWAYS double-check it is safe.
 
•••
moondog said:
1) Make sure the values are coming through properly. What I usually do if SQL is not doing what I expect it to, is to just echo it to the screen:

echo "sql: $sql";

If you are trying to "UPDATE", and the fields are "deleted", chances are the values you are using to update are blank.

2) I check for errors this way:

$sql = "sql here";
mysql_query($sql) or die ("Error updating database" . mysql_error());

Thanks for all the replies so far. When I tried these methods, I received

"sql: UPDATE users SET firstname='Simon', lastname='King', dob='29/09/1988', status='Long term relationship', occupation='', details='', picture='', band='', otherbands='' WHERE id='9'Error with update."


I also think problems #1 and #2 are connected. Because the form is submitted to the same file, when the user submits it, it displays the form as it was before the submission but the database is updated. It sounds confusing but it's hard to explain. Basically, after I have submitted the form and then go to the page via a link (not refreshing the page because that will submit the empty fields), it works fine. So I think the only cure is to go to a different page once the form is submitted, but I am unsure how.

I remain clueless :|
 
•••
When you post a form to itself (which is fine), you should ALWAYS have something at the top of the code that looks like this:

PHP:
if (isset($_POST['submit'])) {
    // . . . do your database update here . . .
    // . . . After you update the database, either 1) display a thank you or 2) redirect to another page with the thank-you . . .
}
else {
    // . . . Fetch the data from the database . . .
    // . . . Populate and display the form . . .
}

That way when the user submits the info, one block or the other executes.

If this is their 'first' visit to the form, then the 'else' block will execute. In the else block, you should do your database query, pre-populate, and display the form.

If the user was already on the form and has updated the information, then the if($_POST[submit]) portion would execute (note that the [submit] portion needs to be whatever you set as the name of the submit button). This block ONLY updates the information and then displays a thank you message. You can either just display the thank you information right there, OR you can use the header("Location: . . . ") format.

The way you have it now, it sounds like that no matter what, you are displaying the form with the information being pre-populated. You can run into caching problems with browsers under some circumstances if you do this (also, if you have the code in the wrong order it would create problems). There are ways around the caching problem, and if you would like more info on that, I can give it.

If you are still having issues, I would suggest posting the snippet of code here so I / we can have a look at it (or send it to me in a PM).

Happy coding,

-Bob
 
•••
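The advice in the replies above (take the profile id from the login session, reject forms posted from another site, and run the update branch separately from the display branch) combined in one added example; it is not code from the thread. The function name `handle_profile_post`, the `csrf` field, the `saved=1` redirect target and the in-memory SQLite table standing in for the MySQL `users` table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Returns ['redirect' => url] after a successful update, or ['error' => msg].
function handle_profile_post(PDO $db, array $session, array $post): array
{
    // The row to edit comes from the login session, never from ?id= or a form field.
    if (!isset($session['user_id'])) {
        return ['error' => 'not logged in'];
    }
    // A form hosted on another site cannot know this per-session token.
    if (!isset($post['csrf'], $session['csrf']) || !is_string($post['csrf'])
        || !hash_equals($session['csrf'], $post['csrf'])) {
        return ['error' => 'bad form token'];
    }
    // Refuse blank required fields instead of overwriting the row with ''.
    $first = trim((string)($post['firstname'] ?? ''));
    $last  = trim((string)($post['lastname'] ?? ''));
    if ($first === '' || $last === '') {
        return ['error' => 'firstname and lastname are required'];
    }
    // Placeholders keep user-supplied values out of the SQL text.
    $stmt = $db->prepare('UPDATE users SET firstname = ?, lastname = ? WHERE id = ?');
    $stmt->execute([$first, $last, $session['user_id']]);
    // Redirect after the write so a refresh does not resubmit the form.
    return ['redirect' => 'editprofile.php?saved=1'];
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)");
$db->exec("INSERT INTO users VALUES (9, 'Simon', 'King'), (1, 'Other', 'User')");

$session = ['user_id' => 9, 'csrf' => bin2hex(random_bytes(16))];

// The posted id=1 is ignored: only row 9 (the session's user) can change.
$post = ['id' => '1', 'firstname' => 'Si', 'lastname' => 'King', 'csrf' => $session['csrf']];
print_r(handle_profile_post($db, $session, $post));

// Same fields without the token, as a form on another site would send them.
print_r(handle_profile_post($db, $session, ['firstname' => 'x', 'lastname' => 'y']));

print_r($db->query('SELECT * FROM users ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
```

In the page itself, pass `$_SESSION` and `$_POST`, and on a `redirect` result call `header('Location: ...')` followed by `exit` before any output is sent.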
Thanks very much Bob, that problem has been solved :bingo:
 
•••
miseria said:
Thanks very much Bob, that problem has been solved :bingo:


Welcome. Hope I helped :)

-Bob
 