First and foremost, your script is vulnerable to SQL injection attacks. You should never place user-supplied data directly into a SQL query. Instead, you should first sanitize it with a function such as [man]mysql_real_escape_string/man.
You have a '<?php ?>' at the top of the script that contains no PHP code; what's the point of this?
In this code:
<?php //
// Connect to database
//
?>
<?php require("mysql_connect.php"); ?>
<?php
//
// Get posted form data
//
why are there so many PHP tags? Is there ever a reason to close the PHP tag throughout that entire snippet?
This section:
$StudentID=intval($_POST["StudentID"]);
$LastName=$_POST["LastName"];
$FirstName=$_POST["FirstName"];
$EmailAddress=$_POST["EmailAddress"];
//response.write EmailAddress
$AddNew="";
$AddNew=$_POST["AddNew"];
$ScheduleID=$_POST["ScheduleID"];
$TopicID1=$_POST["TopicID1"];
$TopicID2=$_POST["TopicID2"];
generates E_NOTICE errors when the POST fields are undefined.
Same problem here:
$DeleteSec=$_POST[$ButtonName];
if ($DeleteSec!="") {
break;
}
Try using [man]isset[/man]() or [man]empty[/man]() instead.
In this code (and others like it):
$sql="UPDATE Students SET LastName = '".$LastName."', FirstName ='".$FirstName."', EmailAddress = '".$EmailAddress."' WHERE CSUNID = ".$StudentID.";";
$AddName=$Conn->Execute;
($sql);
What is the purpose of that last line, B;[/B] ?
Ran out of time, but that should give you a start in cleaning it up at least.
