Hey, I need help with a website.

Scooby_Doo

I don't know if this is the right place to post or not but here is my question.

I am building a website for my Mom so she can advertise her products. In the admin controls I need to have it set up where it displays all the products she has and two links that she can update info (title, price, description, ect.) and to delete that product from the list. I am new to php and I know this is asking alot but if you could help me write the script and tell me what it does (for in the future). I have looked at w3 schools and php-mysql-tutorial.com tizag.com but I haven't found anything that explained what I really need. I know html so I can make the form I really need help with php. Thanks so much in advance

sneakyimp

does your hosting provider offer php? what about mysql database?

Scooby_Doo

Yes, I am hosting with godaddy, I have built the form that inserts it into the database and made the Select from database and it works. I don't know what php version I'm using though. When I made the database I had the choice of 4 or 5 and I chose 4 but I have a lot of errors that you would get if you were using 5. I hope this makes since to you. Thanks for you reply.

sneakyimp

You can find out your php version by using [man]phpversion[/man]. The version probably doesn't really matter though.

So your form has an action attribute which specifies the name of the page to handle your form submission...maybe something like this:

<form action="my_form_handler.php" method="post">
  <input type="text" name="my_input">
</form>

You can then handle the submitted information in the file my_form_handler.php like this:

echo "you submitted.  my_input=" . $_POST['my_input'];

Generally speaking, when someone changes the form and submits it, you'll need to remove magic quotes on any text inputs and then properly escape the string before running an insert query.

'magic quotes' are a feature of php 4 and 5 that puts a backslash before certain characters submitted through GET, COOKIE, or POST. Why? I'm not really sure but I suspect the motivation was to offer a convenience to make it easy to insert the data directly into a query. Try submitting that form with a value of "George O'Malley". If magic quotes are on, you'll see \"George O\'Malley\". Unfortunately, magic quotes are not secure and can't really be trusted. Remove them first. I use this function:

// this fn recursively strips backslashes from an array
function strip_backslashes_recursive($arg) {
        if (is_array($arg)) {
                $result = Array();
                foreach($arg as $key => $value) {
                        $result[$key] = strip_backslashes_recursive($value);
                }
                return $result;
        } else {
                return stripslashes($arg);
        }
}

You can easily use it on GET, COOKIE, and POST like this:

if (get_magic_quotes_gpc()==1) {
  $_GET = strip_backslashes_recursive($_GET);
  $_POST = strip_backslashes_recursive($_POST);
  $_COOKIE = strip_backslashes_recursive($_COOKIE);
}

After removing magic quotes, you need to properly escape any strings before putting them in an INSERT query. If you're using MySQL, then use the function [man]mysql_real_escape_string[/man]. It might seem ridiculous to have the server automatically add quote marks and then remove them and then add them again but I've been told this function is a much more reliable way to add backslashes before quote marks and stuff because it takes into account the language settings in mysql and provides more safety against hacks.

$escaped_input = mysql_real_escape_string($_POST['my_input']);
$sql = "INSERT INTO my_table (my_field) VALUES ('" . $escaped_input . "')

Scooby_Doo

Thanks for helping me, I'm not sure if I'm correct or not but I can get it to insert

(code to the form)

<html>
<head>
<title>Add a puppy</title>

</head>
<body>
<center>
<form action="addpuppy2.php" method="POST">
<table width="600" border="3">
<tr>
<td>Puppy's Name</td> <td><input type="text" name="name"></td>
</tr>
<tr>
<td>Puppy's Price</td> <td>$<input type="text" name="price"></td>
</tr>
<tr>
<td>Breed</td> <td><select name="breed">
							<option>Shih-Tzu
							<option>Pomeranian
							<option>Yorkie
							<option>Maltese
							<option>Chihuahuas
							<option>Shorkies
							<option>ShihPoms
<tr>
<td>Description</td> <td><textarea type="text" cols="30" rows="6" name="description"></textarea></td>
</tr>
<tr>
<td>&nbsp;</td> <td><input type="submit" value="Add Puppy">
</table>
</form>
</center>
</body>
</html>

(here is addpuppy2.php)

<?php
$con = mysql_connect("HOST","USERNAME","PASSWORD");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }mysql_select_db("tttbd", $con);$sql="INSERT INTO addpup (name, price, breed, description)
VALUES
	('$_POST[name]','$_POST[price]','$_POST[breed]','$_POST[description]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  echo "I'm sorry, your puppy was not added";
  }
echo "<html>";
echo "<head>";
echo "<title>Your Puppy has been added</title>";
echo "</head>";
echo "<body>";
echo "</body>";
echo "</html>";
mysql_close($con);
?> 
<html>
<body>
<a href="/addpuppy.php">Click here to add another puppy</a>
<br><br>
<a href="/momsadminpage.php">Click here to go back to your admin page</a>
<br><br>
<a href="/getdogs.php">Click here to see the dogs that you've added</a>
</body>
</html>

I can also get it to pull the data out of the database. but I don't know how to get it to let me update or delete the data. Thank you so much for your reply, and taking the time to help me. I'm going to try the "Get magic quotes"

sneakyimp

You could test your form by trying to insert any text containing quotes. If magic quotes are on, the query should still work. If not, the query will break. I'd also like to point out that you're not validating anything. It would be possible to create new records containing no data.

As for updating or deleting, you should probably list a summary of the records you have with an edit button and a delete button next to each. Such a link might look like this:

<a href="delete.php?id=<?=$record_id ?>">DEL</a>

where $record_id is the primary key of the record to delete. Then you set up delete.php to look in $GET['id'] for the primary key of the record and you can delete it like this:

<?
// validation is a good thing
if (!is_numeric($_GET['id'])) {
  die ('invalid id!');
}

$sql = "DELETE FROM addpup WHERE id=" . $_GET['id'];
?>

Scooby_Doo

Ok, I tried what you said here's what it looks like

while($row = mysql_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['name'] . "</td>";
  echo "<td>" . $row['breed'] . "</td>";
  echo "<td>" . $row['price'] . "</td>";
  echo "<td width=450>" . $row['description'] . "</td>";
  echo "<td><a href="deletedog.php?id=<?=$pid ?>">DELETE</a></td>";  <--40
  echo "</tr>";
  }
echo "</table>";

pid is what I named the id (puppy id)

but I get this error line 40 is the line that the link is on.

Parse error: parse error, unexpected T_STRING, expecting ',' or ';' in /home/content/d/o/m/domain/html/getdogs.php on line 40

am I putting this in the wrong place or am I putting it in wrong. I took out a lot of the coding to cut down size.

Also where do I need to add the magic quotes at. Thanks

sneakyimp

if you are using an echo statement, then you don't need to do the whole <? ?> thing around $pid. Also, in order to define a string that contains double quotes (") you have to either surround the string with single quotes (') or you have to escape the quotes with a backslash.

Like this:

echo "<td><a href=\"deletedog.php?id=\"" . $pid . "\">DELETE</a></td>";

When you are putting quotes in a string these are the ways

// if you start your string with single quotes, you can use double quotes
$string = 'This will "work" without any problem';
// you can use single quotes in a string surrounded by double quotes
$string = "This will 'also' work";
// if you start with double quotes, you have to escape double quotes
$string = "I started with double quotes, so i have to \"escape\" them in my string";
$string = 'Like wise in a single quoted string i have to \'escape\' single quotes';

Scooby_Doo

I tried the new code, and it worked except it won't get the id. I don't know why it won't I am trying to delete the last one. #15 but every time I click delete it says invalid id and if I add the # manually I get the same thing. ( I know that is the error msg) and in the url says

http://teenytinytails.com/deletedog.php?id=

here is an image of my php my admin that lets me know what the id is.

http://img233.imageshack.us/img233/7114/errorxu0.jpg

Thanks for taking the time to help me. it means alot

sneakyimp

It sounds like you have neglected to actually defined $pid in the page that makes the link....if it's not defined then none of your links will have a pid.