Ban & Unban application with html form & php

polarexpress

I've a form on my website through which visitor can post message including email address. The form inputs are stored in MySql database.

To prevent the visitor from posting the message over and over using same e-mail address, I want to create a ban & unban application with html form and php where a single e-mail address or a list of e-mail addresses can be banned with that form.

I'm trying to implement the following codes for this purpose but the code can't update the value (0 & 1) of column banned to the database.

The form is as following:

<title>Ban / Remove Bans</title><form name="form1" method="post" action="">
  <h3>Ban/Unban Users</h3>
  <p>To ban/unban multiple users type <strong>EMAILS</strong> separated by <strong>spaces. 
    </strong>Banned users will not be able to login.<strong> <br>
    </strong>To ban/unban a single user, just enter one email. </p>
  <p><strong>*Note:</strong> Once the user is banner, he/she will never be able 
    to register new account with same email address.</p>
  <p> 
    <textarea name="id" cols="40" id="id"></textarea>
  </p>
  <p> 
    <input type="submit" name="Submit" value="Ban">
    <input name="Submit" type="submit" id="Submit" value="Unban">
  </p>
</form>

and the php syntax is as following:

<?php

if (($_POST['Submit'] == 'Ban') )
{
$did = explode(' ',$_POST['id']);

foreach ($did as $del)
{
if (!empty($del))
{
 mysql_query("update users set banned='1'
			  WHERE `user_email`='$del'
 			   ",$link) or die("Failed:" . mysql_error());
	}		   
 }
 echo "done..";
 }
if (($_POST['Submit'] == 'Unban') )
{
$did = explode(' ',$_POST['id']);

foreach ($did as $del)
{
if (!empty($del))
{
 mysql_query("update users set banned='0'
			  WHERE `user_email`='$del'
 			   ",$link) or die("Failed:" . mysql_error());
	}		   
 }
 echo "<h3>done..</h3>";
 }
?>

and MySql syntax is as following:

$colname_test = "-1";
if (isset($_GET['id'])) {
  $colname_test = $_GET['id'];
}
mysql_select_db($database_x, $x);
$query_test = sprintf("SELECT id, name, user_email,  comment,  banned FROM users WHERE id = %s ORDER BY id DESC", GetSQLValueString($colname_test, "int"));
$test = mysql_query($query_test, $x) or die(mysql_error());
$row_test = mysql_fetch_assoc($test);
$totalRows_test = mysql_num_rows($test);

Would an advanced level programmer like to guide me to point out the problem and solve it?

Thanks,

Bonesnap

A few things:

1) Stay consistent with your indentation; it makes it much easier to read and debug (for both us and you).

2) In your SQL statements, you don't really need to use the backticks unless you're using a reserved word (such as table) or using spaces in your column names. In your situation, for simplicity I would remove them.

3) You should be setting banned to 1, not '1'. The first is an integer, the second is a string (since it's enclosed in quotes).

4) I noticed in your code there's no actual connection statement to your database. Did you omit that on purpose? If not that could be your culprit.

5) What is happening? You haven't told us what the script is doing (besides not what you desire). Are there any error messages being printed to the screen?

polarexpress

Bonesnap;11003247 wrote:
A few things:

1) Stay consistent with your indentation; it makes it much easier to read and debug (for both us and you).

2) In your SQL statements, you don't really need to use the backticks unless you're using a reserved word (such as table) or using spaces in your column names. In your situation, for simplicity I would remove them.

3) You should be setting banned to 1, not '1'. The first is an integer, the second is a string (since it's enclosed in quotes).

4) I noticed in your code there's no actual connection statement to your database. Did you omit that on purpose? If not that could be your culprit.

5) What is happening? You haven't told us what the script is doing (besides not what you desire). Are there any error messages being printed to the screen?

The result is same whether the values of banned column are with or without the quote. I'm not encountering any problem with database connection. When I press the Ban button after inserting a previously stored e-mail address it gives the message Failed: on the other hand if I press the Ban button to submit the empty form it shows the message done.. though the value of banned column isn't inserted to the database. Moreover the form's text field doesn't store e-mail address under any circumstances.

Please be decent during exchange of idea & knowledge.

dagon

should be a mysql_error after the word Failed, what is it?

I would also put the query in a string variable, rather than directly in the query, then you can echo it to see if it is what you expect it to be.

polarexpress

dagon;11003268 wrote:
should be a mysql_error after the word Failed, what is it?

I would also put the query in a string variable, rather than directly in the query, then you can echo it to see if it is what you expect it to be.

The form action doesn't show any MySql error. It prints Failed: only just below the form caused by mysql_query after page refresh on form submission. The form's text field doesn't even store the e-mail address after pressing the ban button.

Would you guide me about how should I put the query in a string variable in this case so that I can implement the syntax in order to observe the output?

Thanks,

vivek151189

Did you have initialized $link variable as a connection string of database if not so than that might be the isue

polarexpress

MySql connection variable and it's value is

$link = mysql_pconnect($hostname_link, $username_link, $password_link) or trigger_error(mysql_error(),E_USER_ERROR);

Thanks,

Bonesnap

Not sure if this is causing your problem, but it's incorrect nonetheless:

<input type="submit" name="Submit" value="Ban">
<input name="Submit" type="submit" id="Submit" value="Unban">

You have two elements with the same name Submit. These should really be unique.

polarexpress

That doesn't seem to solve the problem.