$_GET[] Problem with HTML form

Brede

Hi everyone new here which makes me feel good in the newbie section 🙂

I have a problem with a news-publishing-script for about 3 days now and I just can't figure out how to solve it, so now I tur to you. 🙂

The problem is when I hit the Edit-news link I'm supposed to load edit_news.php?newsid=the-news-id
But the form don't show up.

My first thought were that I might not use $POST and $GET in the same if function. But changing that didn't help at all so I honestly don't have a clue. I upload the part of the code i think is the problem + the code of the link in index.php

If you think the problem is on another location please tell me and I upload that code, just feels unnecessary having you guys go through tons of pages 😉

Here's the code:

elseif(isset($_GET['newsid']))

{



    $result = mysql_query("SELECT * FROM news WHERE newsid='$_GET[newsid]' ",$connect);

    while($myrow = mysql_fetch_assoc($result))

         {

            $title = $myrow["title"];

            $text1 = $myrow["text1"];

            $text2= $myrow["text2"];

?>
<html>
<body>
<br>

<h3>::Edit News</h3>



<form method="post" action="<?php echo $PHP_SELF ?>">

<input type="hidden" name="newsid" value="<? echo $myrow['newsid']?>">



Title: <input name="title" size="40" maxlength="255" value="<? echo $title; ?>" />

<br>

Text1: <textarea name="text1"  rows="7" cols="30"><? echo $text1; ?></textarea>

<br>

Text2: <textarea name="text2" rows="7" cols="30"><? echo $text2; ?></textarea>

<br>

<input type="submit" name="submit" value="Update News"/>

</form>
</body>
</html>
<?

          }//end of while loop



  }//end else

?>

And the link code:

<a href=\"edit_news.php?newsid=$myrow[newsid]\">Edit</a>

(Sorry for my bad english)
Thanks! / Brede

ultima_yoshi

First of all you need to echo out the mysql data, im presuming that this link wasn't part of an echo statement.

<a href="edit_news.php?newsid=<?php echo $myrow[newsid] ; ?>">Edit</a>

I'm not sure why you've got a forward slash in the url but i've removed it.

Secondly you should escape all data coming from insecure sources (that includes the querystring since any user can change that data), MySQL real escape string or Addslashes

If you have access to php.ini you may also want to consider turning off register globals and using the $_SERVER superglobal array for PHP_SELF, register globals has had some pretty well documented security faults.

Brede

Thanks for the answer ultima! But I don't think that's the problem, I tried remove the forward slash but that didn't change anything and the MYSQ_real_escape_string and Addslashes is more of a security thing than something that gets my code work? don't get me wrong it's great to get security tips but right now I focus on just getting it to work. about the echo statement this is how it looks.

 echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a>

            || <a href=edit_news.php?newsid=$myrow[newsid]>Edit</a>

             || <a href=\"delete_news.php?newsid=$myrow[newsid]\">Delete</a><br><hr>";

Because I really can't find the source to the problem I now load up the hole edit_news.php I'm sorry if it's too much.

<?php

include("config.php");

 if(isset($_POST['submit']))

  {



  // Set global variables to easier names

 // and prevent sql injection and apostrophe to break the db.

  $title = mysql_escape_string($_POST['title']);

  $text1 = mysql_escape_string($_POST['text1']);

  $text2 = mysql_escape_string($_POST['text2']);







     $result = mysql_query("UPDATE news SET title='$title', text1='$text1', text2='$text2' WHERE newsid='$newsid' ",$connect);



      echo "<b>Thank you! News UPDATED Successfully!<br>You'll be redirected to Home Page after (4) Seconds";

      echo "<meta http-equiv=Refresh content=4;url=index.php>";

}

elseif(isset($_GET['newsid']))

{



    $result = mysql_query("SELECT * FROM news WHERE newsid='$_GET[newsid]' ",$connect);

    while($myrow = mysql_fetch_assoc($result))

         {

            $title = $myrow["title"];

            $text1 = $myrow["text1"];

            $text2= $myrow["text2"];

?>
<html>
<body>
<br>

<h3>::Edit News</h3>



<form method="post" action="<?php echo $PHP_SELF ?>">

<input type="hidden" name="newsid" value="<? echo $myrow['newsid']?>">



Title: <input name="title" size="40" maxlength="255" value="<? echo $title; ?>" />

<br>

Text1: <textarea name="text1"  rows="7" cols="30"><? echo $text1; ?></textarea>

<br>

Text2: <textarea name="text2" rows="7" cols="30"><? echo $text2; ?></textarea>

<br>

<input type="submit" name="submit" value="Update News"/>

</form>
</body>
</html>
<?

          }//end of while loop



  }//end else

?>

I don't think the problem is in the link-code, because when i look in the statusbar before i push the link I get the right link. The problem is that the form in edit_news.php never shows up, so now I think the problem is in the code above.

Thanks!

bretticus

There's lots you can do to accomplish some simple debugging...

<?php

if ( 1==1 ) { //added if statement so forum PHP code highlighting works properly, not part of example code...

}
elseif(isset($_GET['newsid']))

{

	// is our elseif working...

	echo "Did If even get here?\n\n";

	// let's make the query a variable so we can print it out:

	$query = "SELECT * FROM news WHERE newsid='{$_GET[newsid]}'"; // notice I put brackets around array variable.

	// print query

	echo $query . "\n\n";

    $result = mysql_query($query,$connect);

    // did we throw an error?

    if ( !empty(mysql_error($connect)) )
    	echo "An error occurred: " . mysql_error($connect);


     // everything fine, let's see if query returned any results.
	if ( mysql_num_rows($result) ) {
		echo "No records were returned";
	}

    while($myrow = mysql_fetch_assoc($result))

         {

            $title = $myrow["title"];

            $text1 = $myrow["text1"];

            $text2= $myrow["text2"];

?>
<html>
<body>
<br>

<h3>::Edit News</h3>



<form method="post" action="<?php echo $PHP_SELF ?>">

<input type="hidden" name="newsid" value="<? echo $myrow['newsid']?>">



Title: <input name="title" size="40" maxlength="255" value="<? echo $title; ?>" />

<br>

Text1: <textarea name="text1"  rows="7" cols="30"><? echo $text1; ?></textarea>

<br>

Text2: <textarea name="text2" rows="7" cols="30"><? echo $text2; ?></textarea>

<br>

<input type="submit" name="submit" value="Update News"/>

</form>
</body>
</html>
<?

          }//end of while loop ?>

djjjozsi

before print, let's print the sql command, i think .

And: if you put a value into a form, in hidden : newsid

After a post method, your value will apper with post.

if(isset($_POST['submit']))

{

  // Set global variables to easier names

 // and prevent sql injection and apostrophe to break the db.

$POST= array_map("mysql_escape_string", $POST);

  $title = $_POST['title'];
  $text1 = $_POST['text1'];
  $text2 = $_POST['text2'];
 $newsid= $_POST['newsid'];

//before update, lets check if it is an exists ID...

$command="UPDATE news SET title='$title', text1='$text1', text2='$text2' WHERE newsid='$newsid' ";
print $command; // if for just a debug
$result = mysql_query($command,$connect);

..............

Hi!

jjozsi