Page 1 of 1

Problems reaching condition after second call to $PHP_SELF

Posted: Tue May 23, 2006 3:35 pm
by Ross
Hey All,

I've been screwing around with this code for a long while now and i've gotten no where. I figure my problem is that I am never able to execute the code inside if($edit). I've checked everything and it seems like it should be running fine. I use the same method of testing form variables for the first time through the page and everything works there.

My entire php file is below (including forms). Basically, you type in an 'id' number into a form, it retrieves that entry from the database and then asks you to alter the entry. However, the entry is never changed because once you hit the "edit" button, the code that should execute does not.

Any suggestions would be greatly appreciated. -ross

Code: Select all

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Tour Dates - Editing/Removal Center</title>
</head>

<body>
<div id="container">



<?php
	// Global Variables
	$SECURE_IMAGE_URL = "";
	$REDIRECT_URL = "";
	
	// Connect to database
	$db = mysql_connect("localhost", "...", "...");
	mysql_select_db("mydb", $db);
	$db_table = events;
	
	if($select){
	
	
	
		if($edit){
			
			/*$sql = "UPDATE  $db_table 
					SET  	DATE =  '$date',
							ESTABLISHMENT =  $establishment,
							CITY =  $city,
							TIME =  $time,
							MISC_INFO =  $misc_info'
					WHERE  	id = $idNumber					";*/
			
			// playing with db queries.
			$sql = "UPDATE $db_table SET DATE='0000-00-00' WHERE id = $idNumber"; 
					
			$result = mysql_query($sql, $db);
			
			// Redirect to pause and then reload form.
			printf("<div id =\"redirect_page\">
						<h1><span>Information Submitted!</span></h1> 
				
						<p><a href=\"%s\">Redirecting...</a></p>
					</div>", $REDIRECT_URL);
			printf("<meta HTTP-EQUIV=\"refresh\" content=5;url=\"%s\">", $REDIRECT_URL);
			
		
		}
		else if(!$edit){
			// Select the specified row
			$sql = "SELECT * FROM $db_table WHERE id = $idNumber";
			$result = mysql_query($sql, $db);
			$row = mysql_fetch_array($result);
			
			// Start a table for the fields of the database row
			printf("	<div id=\"selected_entry\">
							<table bgcolor=\"white\" border=\"0\" cellspacing=\"0\" cellpadding=\"3\">
								<h1>Current Values</h1>
								
								
							
					");
			
			// Print each field of the selected row
			$fieldName_array[] = "ID";
			$fieldName_array[] = "Date";
			$fieldName_array[] = "Est.";
			$fieldName_array[] = "City";
			$fieldName_array[] = "Time";
			$fieldName_array[] = "Misc";
			$num_of_fields = 6;
			$counter = 0;
			
			// Poor cohesion here, fix later.
			for($counter; $counter < $num_of_fields; ++$counter)
			{
				printf("			<tr>
										<td class=\"table_left\">%s</td>", $fieldName_array[$counter]);
				
				if($row[$counter] != $row["DATE"]){
					printf("			<td class=\"table_right\">%s</td>		
									</tr>", $row[$counter]);
				}
				else{
					printf("			<td class=\"table_right\">%s</td>		
									</tr>", date('M-d-y', strtotime($row["DATE"])));
				}
			}
			
			
			// Close up table
			printf("			
							</table>
						</div>				");
							
			
			//FORM ELEMENTS TO ADD NEW ENTRIES
			?>
			<div id="note">
				<p>Enter a new entry to replace the existing one. Do not omit any fields.</p>
			</div>
			
			<div id="loggedIn"><h2><span><img src="<?php echo $SECURE_IMAGE_URL; ?>" id="secure_pic"><br> Secure Area!</span></h2></div>
				<div id="editor_form">
					<form id="form_form" name="event" method="post" action="<?php $PHP_SELF ?>">
						<h1>Submit an Event into the Tour-Events Database</h1>
						<p><label for="date">Date of Event</label>			
						   <select name="month" id="month">
							<option selected>Month</option>
							<option value="01">Jan</option>
							<option value="02">Feb</option>
							<option value="03">Mar</option>
							<option value="04">Apr</option>
							<option value="05">May</option>
							<option value="06">Jun</option>
							<option value="07">Jul</option>
							<option value="08">Aug</option>
							<option value="09">Sept</option>
							<option value="10">Oct</option>
							<option value="11">Nov</option>
							<option value="12">Dec</option>
						  </select>
						  <select name="day" id="day">
							<option selected>Day</option>
							<option value="01">01</option>
							<option value="02">02</option>
							<option value="03">03</option>
							<option value="04">04</option>
							<option value="05">05</option>
							<option value="06">06</option>
							<option value="07">07</option>
							<option value="08">08</option>
							<option value="09">09</option>
							<option value="10">10</option>
							<option value="11">11</option>
							<option value="12">12</option>
							<option value="13">13</option>
							<option value="14">14</option>
							<option value="15">15</option>
							<option value="16">16</option>
							<option value="17">17</option>
							<option value="18">18</option>
							<option value="19">19</option>
							<option value="20">20</option>
							<option value="21">21</option>
							<option value="22">22</option>
							<option value="23">23</option>
							<option value="24">24</option>
							<option value="25">25</option>
							<option value="26">26</option>
							<option value="27">27</option>
							<option value="28">28</option>
							<option value="29">29</option>
							<option value="30">30</option>
							<option value="31">31</option>
						  </select>
						  <select name="year" id="year">
							<option value="2006" selected>2006</option>
							<option value="2007">2007</option>
							<option value="2008">2008</option>
							<option value="2009">2009</option>
							<option value="2010">2010</option>
							<option value="2011">2011</option>
							<option value="2012">2012</option>
							<option value="2013">2013</option>
							<option value="2014">2014</option>
							<option value="2015">2015</option>
						  </select></p>
						
						
						<p><label for="establishment">Place of Event (Establishment Name):</label>	
							<input name="establishment" type="text" id="establishment" size="20" maxlength="50"></input></p>
							
						<p><label for="city">City/State of Event:</label>					
							<input name="city" type="text" id="city" size="20" maxlength="50"></input></p>
							
						<p><label for="time">Time Interval of Event (HH:MM am/pm - HH:MM am/pm):</label>					
							<input name="time" type="text" id="time" size="20" maxlength="50"></input></p>
										
						<p><label for="misc_info">Misc. Details (Include directions, cost, etc):</label>		
							<textarea name="misc_info" cols="40" rows="10" id="misc_info"></textarea></p>
						
						<div id="form_buttons">
							<p>	<input name="edit" 		id="edit" 	type="submit" 	value="Edit" 	/>
								<input name="reset"		id="reset"	type="reset"	value="Reset" 	/></p>
						</div>
					</form>
	<?php
		}	
	}
	else{
			//print out all db rows
			$sql = "SELECT * FROM $db_table";
			$result = mysql_query($sql, $db);
			
			//If there are entries in the database
			if($row = mysql_fetch_array($result))
			{
				//We use this variable to specify the class of the table row
				$rowClass = "odd";
				$eventDate = date('Y-m-d', strtotime($row["DATE"]));
//				$curDate = date('Y-m-d', mktime(getdate()));	//This was giving me two hours off time
				$curDate = date('Y-m-d', gmmktime() + (-6 * 60 * 60)); 
				
				//Start HTML Table
				printf("		<table id=\"table\" border=\"0\" cellspacing=\"0\" padding=\"2\">
									<tr class=\"top_row\">
										<td>ID</td>
										<td>Date</td>
										<td>Establishment</td>
										<td>City</td>
										<td>Time</td>
										<td>Misc_Info</td>
									</tr>
									<tr>
						
				");
				
				
				
				//DO WHILE loop becacuse we've already called the first row of the db_table
				do{
					if($rowClass == "odd")
						$rowClass = "even";
					else if($rowClass == "even")
						$rowClass = "odd";
						
					
					
					if(strtotime($row["DATE"]) >= strtotime($curDate))
					{
					printf("
							<tr class = \"%s\">
								<td width=\"30\"> %s </td>
								<td width=\"65\"> %s </td>
								<td width=\"170\"> %s </td>
								<td width=\"100\"> %s </td>
								<td width=\"140\"> %s </td>
								<td> %s </td>
							</tr>",
							$rowClass,
							$row["id"],
							date('M-d-y', strtotime($row["DATE"])),
							$row["ESTABLISHMENT"],
							$row["CITY"],
							$row["TIME"],
							$row["MISC_INFO"]);
					}
				}while($row = mysql_fetch_array($result));
				
				//end table
				printf("</table>");
?>
			<form id="input_id_form" name="select_row_form" method="post" action="<?php $PHP_SELF ?>">
				<label for="idNumber">ID Number of the Event to Edit</label>
				<input name="idNumber" type="text" size="4" maxlength="4">
				<input name="select" type="submit" value="Select">
			</form>			
<?php			
			}
			else
				printf("Sorry, no database entries at this time.");
		}
		
?>



	
</div>


</body>
</html>

Posted: Tue May 23, 2006 3:45 pm
by RobertGonzalez
Where are $select and $edit being set? I can't see where they get their values.

Another thing,

Code: Select all

<?php $db_table = events; ?>
Should be

Code: Select all

<?php $db_table = 'events'; ?>
... andso on throughout the script.

Posted: Tue May 23, 2006 4:14 pm
by Ross
$edit and $submit get their values from when their corresponding form buttons are pressed. Or atleast thats what I thought happened. I could be horribly wrong.

Posted: Tue May 23, 2006 4:17 pm
by RobertGonzalez
That would assume that your register_blobals directive is set to on, which is a big security risk. I would recommend coding as though it were off and setting your vars to their respective $_GET, $_POST, $_COOKIE, $_SESSION array var values before using them in anything that you are doing.

Moving on, if register_globals is off, $edit will never be set so that if() will never trigger.

Posted: Tue May 23, 2006 4:28 pm
by Ross
But if registered_globals is off and $edit cannot be set, why is if($submit) passing?

Posted: Tue May 23, 2006 4:34 pm
by RobertGonzalez
$select is part of one form, $edit is part of another. That being said, $edit will never fire because $edit will never be sent with the form data that comes from the $select submit. Putting $edit inside of the if($select) conditional will virtually guarantee that it will never evaluate to true.

Posted: Tue May 23, 2006 4:46 pm
by Ross
Oh Sweet!

Everah, you have helped me learn a valueable lesson today about forms. Thank you very much. I've got to play around with the sql now but i'm reaching the redirect page so i know i'm close.

As for the registered_globals, i'll have to read some about them and try to use it. This is the first time i've heard of using them (I guess since the server my stuff is on runs PHP3). I might be back around with some more questions on that but as for now, i'm cool. Thanks again for the help.

-ross

Posted: Tue May 23, 2006 4:49 pm
by timvw
There is a security issue with using $_SERVER['PHP_SELF']. If you use '#' as action you can also redirect the users to the same page where they posted the form (but without the security issue).

http://blog.phpdoc.info/index.php?url=a ... D=threaded

Posted: Tue May 23, 2006 5:54 pm
by RobertGonzalez
Ross wrote:(I guess since the server my stuff is on runs PHP3)
PHP3! Whoa, your host needs to update, stat! Seriously, I would look at upgrading to at least PHP 4.4, if not to 5.