Record not updating because ID isn't remaining set after form is submitted

ineedahelp

Hello,

I cannot figure out why my id isn't remaining 'set' after my form is submitted. Can anyone help? I also encourage any suggestions for better, more secure coding. Thank you much!

Leslie

here's my code...

<?php
require_once('../functions.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>AAG&mdash;Admin-Edit Investment Articles</title>
<link rel="stylesheet" href="/test/arm/css/arm.css" type="text/css">
<link rel="shortcut icon" href="/test/arm/images/favicon.ico" >
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1" >
</head> 
<body> 
<div id="container">
	<div id="hotTopic">
	<?php include ("adminLoginMenu.php") ?>
	</div> <!--end hotTopic-->
<div id="banner">
<a href="http://www.lassfc.com/test/arm/index.php" title="The Arm Group"><img src="/test/arm/images/aagLogo.png" alt="Arm logo" width="321" height="106px"/></a>
<?php include("adminMenu.php") ?>
</div> <!--end banner-->
<div id="content">
<h3 style="margin-bottom:30px">Admin-Edit Investment Articles</h3>
<?php
connect();
$id = (isset($_GET['id'])) ? intval($_GET['id']):0;
$id = mysql_real_escape_string($id);
echo $id;
if (!isset($_POST['submit'])){
	$sql = "SELECT * FROM articles WHERE id = '$id'";
	$return = "<p><a href='adminIndex.php'>Go Back</a></p>";
	$result = mysql_query($sql) or die(mysql_error());
	$row = mysql_fetch_assoc($result);
	$tempDate = strtotime($row['artDate']); //mysql datetime to php
	$tempDate = date("Y-m-d", $tempDate);
	?>
	<div class="investArt">
	<form action="<?php echo $_SERVER['PHP_SELF']; ?>"  method='POST'>
		<input type="hidden" name="id" value="<?=$row['id']?>"/>
		<label>Author:</label><input type="text" name="author" id="author" value="<?=$row['author']?>"><br>
		<label>Date:</label><input type="text" name="date" id="date" value="<?=$tempDate?>"><br>
		<label>Title:</label><input type="text" name="title" id="title" value="<?=stripslashes($row['title'])?>"><br>
		<label>Subtitle:</label><input type="text" name="subtitle" id="subtitle" value="<?=$row['subtitle']?>"><br>
		<label>Body:</label><textarea name="articleBody" id="articleBody" rows="8" cols="60"><?php echo $row['articleBody'];?></textarea><br>
		<input class="submit" type="submit" name="submit" value="Update"/>

</form>
</div>
<?php
} else {
	echo $id;
	$author = protect($_POST['author']);
	$title = protect($_POST['title']);
	$subtitle = protect($_POST['subtitle']);
	$date = protect($_POST['date']);
	$articleBody = protect($_POST['articleBody']);
	echo $subtitle;
	echo $id;
	if (!$author){
		echo "<p>All fields must have data.&nbsp;&nbsp;<a href = 'editInvesting.php?id=".$id."'><b>Try again</b></a></p><br><br>";
	} else {
		$sql2 = "UPDATE articles SET author='$author', title='$title', subtitle='$subtitle', artDate='$date', articleBody='$articleBody' WHERE id=".$id."";
		$result2 = mysql_query($sql2) or die(mysql_error());
		//echo "<script>alert('Record updated...'); history.back();</script>";
	}
	if ($result2) {
		echo "updated successfully";
	} else {
		echo "no update";
	}
}
?>
</div> <!--end content-->
<div class="clearBoth"></div>
</div> <!--end container-->
<div class="clearBoth"></div>
</body>
</html>

bradgrafelman

You define $id here:

$id = (isset($_GET['id'])) ? intval($_GET['id']):0;

and always assume that it's coming from $_GET. However, the form does not pass it along in the query string but rather in the body of the form contents itself (meaning the hidden id value is getting POST'ed instead).