
new to php

Posted: Wed Sep 10, 2008 1:17 pm
by sanaini
Hi
I'm new to php.
I'm coding this page to add/update/delete some information.

<?php
include "../includes/openDBConnection.php";
$del = 'on';
?>
<html>
    <head>
        <title>Add -Edit - Remove Cost Centers </title>
        <script type="text/javascript">
            <!--
            function MM_jumpMenuGo(objId,targ,restore){ //v9.0
              var selObj = null;  with (document) {
              if (getElementById) selObj = getElementById(objId);
              if (selObj) eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
              if (restore) selObj.selectedIndex=0; }
            }
            //-->
        </script>
    </head>
    <body>
        <h3>Edit and Delete Cost Centers</h3>
        <hr color="#666699">
        <form action="costcenterchange.php" method="get" name="form" id="form">
            <table border="0">
                <tr>
                    <td>
                        <!-- note: MM_jumpMenu() is not defined on this page; only MM_jumpMenuGo() is -->
                        <select class="jumpMenu" name="jumpMenu" id="jumpMenu" onchange="MM_jumpMenu('parent',this,1)">
                            <option value="costcenterchange.php">Select a Cost Center</option>
                                <?php
                                    // one <option> per row; the option value is the edit URL for that uid
                                    $result = mysql_query("SELECT * FROM finAccounts");
                                    while($row = mysql_fetch_array($result))
                                    {
                                        echo '<option value=costcenterchange.php?uid=' . $row['uid'] . '>';
                                        echo $row['PSCostCenter'] . "   " . $row['PI'] . "   " . $row['projectName'];
                                        echo '</option>';
                                    }
                                ?>
                        </select>
                    </td>
                    <td>
                        <input type="button" name="editcc" id="editcc" value="Edit Cost Center" class="jumpButton" onclick="MM_jumpMenuGo('jumpMenu','parent',1)" />
                    </td>
                    <!--<td>
                        <input type="button" name="deletecc" id="deletecc" value="Delete Cost Center" />
                    </td>-->
                </tr>
            </table>
        </form>
    <?php
    // delete branch: runs whenever the request carries ?del=...,
    // and builds the statement by concatenating $_GET['uid'] into the SQL
    if(isset($_GET['del'])){
    $sqlstr2 = 'DELETE FROM finAccounts WHERE uid=' . $_GET['uid'] . ';';
    mysql_query($sqlstr2);
    }
    // update branch: reads $_POST, while the edit form further down submits with method="get";
    // the space before WHERE was missing in the original string and is added here
    if(!isset($_GET['del'])){
    $sqlstr3 = 'UPDATE finAccounts SET budgetNum=' . $_POST["budgetNum"] . ', PSSpeedType=' . $_POST["PSSpeedType"] . ', PSCostCenter=' . $_POST["PSCostCenter"] . ', PI=' . $_POST["pi"] . ', agency=' . $_POST["agency"] . ', projectName=' . $_POST["projectName"] . ', startDate=' . $_POST["startDate"] . ', endDate=' . $_POST["endDate"] . ', status=' . $_POST["status"] . ', fundCode=' . $_POST["fundCode"] . ', deptCode=' . $_POST["deptCode"] . ', programCode=' . $_POST["programCode"] . ', projectID=' . $_POST["projectID"] . ' WHERE uid=' . $_POST["uid"] . ';';
    echo $sqlstr3;
    //mysql_query($sqlstr3);
    }

    // edit form: loads the selected row and pre-fills the fields
    if(isset($_GET['uid'])){
    $sqlstr1 = 'SELECT * FROM finAccounts WHERE uid=' . $_GET['uid'];
    //echo $sqlstr1;
    //echo '<br />';
    $sqlrow1 = mysql_query($sqlstr1);
    $sqlresult1 = mysql_fetch_array($sqlrow1);
    ?>
        <form action="costcenterchange.php" method="get" name="form" id="form">
            <table border="0">
                <input type="hidden" name="uid" value="<?php echo $sqlresult1['uid'];?>" />
                <tr>
                    <td>Budget Number: </td>
                    <td><input type="text" name="budgetNum" value="<?php echo $sqlresult1['budgetNum'];?>" /></td>
                </tr>
                <tr>
                    <td>Speed Type: </td>
                    <td><input type="text" name="PSSpeedType" value="<?php echo $sqlresult1['PSSpeedType'];?>" /></td>
                </tr>
                <tr>
                    <td>Cost Center: </td>
                    <td><input type="text" name="PSCostCenter" value="<?php echo $sqlresult1['PSCostCenter'];?>" /></td>
                </tr>
                <tr>
                    <td>PI: </td>
                    <td><input type="text" name="pi" value="<?php echo $sqlresult1['PI'];?>" /></td>
                </tr>
                <tr>
                    <td>Agency: </td>
                    <td><input type="text" name="agency" value="<?php echo $sqlresult1['agency'];?>" /></td>
                </tr>
                <tr>
                    <td>Project Name: </td>
                    <td><input type="text" name="projectName" value="<?php echo $sqlresult1['projectName'];?>" /></td>
                </tr>
                <tr>
                    <td>Start Date: </td>
                    <td><input type="text" name="startDate" value="<?php echo $sqlresult1['startDate'];?>" /></td>
                </tr>
                <tr>
                    <td>End Date: </td>
                    <td><input type="text" name="endDate" value="<?php echo $sqlresult1['endDate'];?>" /></td>
                </tr>
                <tr>
                    <td>Status: </td>
                    <td><input type="text" name="status" value="<?php echo $sqlresult1['status'];?>" /></td>
                </tr>
                <tr>
                    <td>Funding Code: </td>
                    <td><input type="text" name="fundCode" value="<?php echo $sqlresult1['fundCode'];?>" /></td>
                </tr>
                <tr>
                    <td>Department Code: </td>
                    <td><input type="text" name="deptCode" value="<?php echo $sqlresult1['deptCode'];?>" /></td>
                </tr>
                <tr>
                    <td>Program Code: </td>
                    <td><input type="text" name="programCode" value="<?php echo $sqlresult1['programCode'];?>" /></td>
                </tr>
                <tr>
                    <td>Project ID: </td>
                    <td><input type="text" name="projectID" value="<?php echo $sqlresult1['projectID'];?>" /></td>
                </tr>
                <tr>
                    <td>Delete: </td>
                    <td><input type="checkbox" name="del" /></td>
                </tr>
            </table>
            <input type="submit" value="Update Cost Center" />
        </form>
    <?php }
    ?>
    </body>
</html>

 
The problem is that I can't get the update string to work. It gives an error on line 65 ($sqlstr3 = 'UPDATE finAccounts.........). It's because the values are not passing back.

Any suggestions?

Re: new to php

Posted: Fri Sep 12, 2008 7:29 pm
by ssssss
I've skimmed your code and noticed two forms that submit using the get method. Your update code looks for values in the $_POST array. You need to match those up. I'd use post.

Also, very, very importantly: you need to learn the mysql_real_escape_string() function. As it is now, you are vulnerable to SQL injection attacks that make it possible (easy even) for a hacker to completely destroy your database. Never assume that input (including the contents of $_GET, $_POST, and $_REQUEST) is safe.

http://us2.php.net/manual/en/function.m ... string.php
http://en.wikibooks.org/wiki/Programmin ... _Injection
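As an added example (not the original poster's code and not ssssss's), here is how the update/delete part of costcenterchange.php could be written so that both points in the reply hold: the edit form and the handler agree on POST, and no request value is ever concatenated into SQL. It assumes a PDO connection in $pdo (the included openDBConnection.php is not shown on the page) and the finAccounts column names the original form uses. The reply's mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; prepared statements are the current equivalent, and they also cover the unquoted numeric uid=... case, where escaping quotes alone would not help.

```php
<?php
// Added example, not the original poster's code. Assumes $pdo is a PDO
// connection created by the (unshown) openDBConnection.php include, and the
// finAccounts columns named in the original form.

// The only columns the form may update. Column names are identifiers and
// cannot be bound as parameters, so they come from this fixed list, never
// from the request; the values are bound by the prepared statement.
$editableColumns = [
    'budgetNum', 'PSSpeedType', 'PSCostCenter', 'PI', 'agency', 'projectName',
    'startDate', 'endDate', 'status', 'fundCode', 'deptCode', 'programCode', 'projectID',
];

function updateCostCenter(PDO $pdo, array $columns, array $post): int
{
    // The original form posts the PI field as "pi"; the column is "PI".
    if (isset($post['pi']) && !isset($post['PI'])) {
        $post['PI'] = $post['pi'];
    }
    $uid = filter_var($post['uid'] ?? null, FILTER_VALIDATE_INT);
    if ($uid === false) {
        throw new InvalidArgumentException('uid must be an integer');
    }
    $assignments = [];
    $params = [':uid' => $uid];
    foreach ($columns as $col) {
        if (array_key_exists($col, $post)) {
            $assignments[] = "`$col` = :$col";
            $params[":$col"] = $post[$col];
        }
    }
    if ($assignments === []) {
        return 0; // nothing to update
    }
    $sql = 'UPDATE finAccounts SET ' . implode(', ', $assignments) . ' WHERE uid = :uid';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

function deleteCostCenter(PDO $pdo, int $uid): int
{
    $stmt = $pdo->prepare('DELETE FROM finAccounts WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    return $stmt->rowCount();
}

function loadCostCenter(PDO $pdo, int $uid): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM finAccounts WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape database values before placing them in HTML attributes, e.g.
//   value="<?php echo h($row['budgetNum']); ?>"
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Request handling. The edit form must be <form method="post"> for these
// keys to exist; update and delete change state, so they are not done on GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uid = filter_var($_POST['uid'] ?? null, FILTER_VALIDATE_INT);
    if ($uid === false) {
        http_response_code(400);
        exit('invalid uid');
    }
    if (isset($_POST['del'])) {
        deleteCostCenter($pdo, $uid);
    } else {
        updateCostCenter($pdo, $editableColumns, $_POST);
    }
}

// Selecting a row to edit is read-only, so it can stay on GET as in the
// original page; the uid is still validated and bound, not concatenated.
$row = null;
if (isset($_GET['uid'])) {
    $uid = filter_var($_GET['uid'], FILTER_VALIDATE_INT);
    if ($uid !== false) {
        $row = loadCostCenter($pdo, $uid);
    }
}
```

With this shape the SQL text is fixed at coding time and only the bound values vary, which is what removes the injection the reply describes; the integer check on uid additionally rejects the non-numeric input that an unquoted `uid=...` would otherwise pass straight through to the database.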