Update sreen in form of a table

Awestruck

I am new to MySQL and although I have been successfully using phpAdmin I would like to learn more about using PHP files to manipulate the database.
The following files were taken from a W3Schools tutorial and I have mastered them.
Now I wish to create a PHP file to show a table on the screen for updating a field or two in a record. Would one of you clever chaps show me how please? Here are some of my files:-

insertDataDirect.php
<?php
$con = mysql_connect("127.0.0.1","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("w3database", $con);
mysql_query("INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Andrew', 'Cole',48)");
mysql_query("INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('Kathy', 'Bench',39)");
mysql_close($con);
?>

HTMLForm.html
<html>
<body>
<form action="insertDatafromHTMLForm.php" method="post">
Firstname: <input type="text" name="firstname" />
Lastname: <input type="text" name="lastname" />
Age: <input type="text" name="age" />
<input type="submit" />
</form>
</body>
</html>

insertDatafromHTMLForm.php
<?php
$con = mysql_connect("127.0.0.1","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("w3database", $con);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$POST[firstname]','$POST[lastname]','$_POST[age]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>

updateExistingRecord.php
<?php
$con = mysql_connect("127.0.0.1","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("w3database", $con);
mysql_query("UPDATE Persons SET Age=48
WHERE FirstName='Andrew' AND LastName='Cole'");
mysql_close($con);
?>

Awestruck

Further to my posting yesterday. Perhaps it would be more sense to forget about presenting a table and instead show the HTMLForm.html screen again. But in the case of an update, the screen should request that the administrator enters the record to be updated by entering say the telephone number or something else reasonably unique (not the ID number). The rest of the record's data should then populate the fields in a form that can be amended by the administrator. Is this possible using the existing files as a starting point?

johanafm

First off, never take your information from W three Schools. They are often wrong and despite the impression have nothing to do with the W3 Consortium.

Security issues:
Never connect to the DBMS as user root.
Never have a root user without password.
Never pass unescaped data into SQL queries. Or used prepared statements

header('content-type: text/plain; charset=utf-8');

$query = 'INSERT INTO Persons(firstname, lastname, age) VALUES '.PHP_EOL;
$_POST['lastname'] = 'Doe';
$_POST['age'] = '30';

# Query is ok for this value
$_POST['firstname'] = 'John';
$values = "('$_POST[firstname]', '$_POST[lastname]', $_POST[age])";
echo $query . $values .PHP_EOL.PHP_EOL;

# Query is NOT ok
$_POST['firstname'] = "O'Reilly";
$values = "VALUES ('$_POST[firstname]', '$_POST[lastname]', $_POST[age])";
echo $query . $values .PHP_EOL.PHP_EOL;

$_POST['firstname'] = "O', 'a', 15) and now you can inject SQL code here; followed by garbage: ";
$values = "VALUES ('$_POST[firstname]', '$_POST[lastname]', $_POST[age])";
echo $query . $values .PHP_EOL;

Also note that you can't assume its safe to use $POST['age'] either. First off, it's external data and external data is never safe. Secondly, it's a string containing a number (or rather, which you assume is a number). The user may still send anything in there. However, if you …

$_POST['age'] = (int) $_POST['age'];

… then you'd actually have an int. The value would be 0 if the variable could not otherwise be converted to an int.

All of the above can be handled by using prepared statements, as shown below.

Should you really persist in using the mysql-extension, cast ints to int and floats. Then escape strings with mysql_real_escape_string(), which actually uses an active db connection to ask the database how to escape stuff properly.

The root user can do anything and pretty much all of those anythings will never ever be needed by a PHP script. Create a new user and give them SELECT, INSERT, UPDATE and DELETE privileges, or perhaps just SELECT privs on all or most tables while they get the others on a select few (such as DELETE, INSERT, UPDATE on their own shopping cart, while only having INSERT privs on the order table).

The mysql-extension used to access MySQL databases is very old and should no longer be used. There are better alternatives, such as mysqli (i as in Improved) or PDO. PDO does things a bit differently, but is easy to use and also have the advantage of being able to access other databases without changhing the code (more or less). Both mysqli and PDO have support for prepared statements.

As for your question, there are several ways of achieving what you want. It's pretty much the same as letting the user insert records, with the only difference that you will
1. Show them stored data instead of blank fields
2. Have to keep track of which record(s) they are editing
The rest is the same.

You could SELECT stuff FROM table... iterate over the result set to show all those rows in their respective form control elements and send everything back to be updated (or not) as per user selection.

# This is the name of PDO's mysql driver and NOT the same as the
# mysql-extension you have been using
$pdo_driver = 'mysql';
$dsn = sprintf('%s:dbname=%s;host=%s',
	$pdo_driver,
	'NameOfDatabase',
	'127.0.0.7'
);
$user = 'username';
$pass = 'supersecret';

$db = new PDO($dsn, $user, $pass);

# Handle updates for all selected (by checkbox) items
# $_POST['update'] corresponds to checkboxes which have row id as value
# thus giving an easy way to update data. See output section further down first.
if (isset($_POST['update']))
{
	echo '
	<h2>Updated</h2>';
	printf('
	<div>%d items to update</div>',
		count($_POST['update'])
	);

# Prepared statement. This way you don't have to worry about escaping
# data to avoid SQL injection. The data is sent separately from the query
# and the database deals with everything else.
$query = 'UPDATE members SET name=:name WHERE id=:id';
$db->prepare($query);
echo '<pre>';
foreach ($_POST['update'] as $id)
{
	printf("%7d: %s\n",
		$id,
		$_POST['name'][$id]
	);
}
# Execute the prepared statement. The only thing sent on each
# execution is the new parameters. Thus, the DBMS doesn't have
# to keep parsing the query every time.
$db->execute(array(':id' => $id, ':name' => $_POST['name'][$id]));
echo '</pre>';
}

# Display all editable data
$stmt = $db->query("SELECT id, name FROM members WHERE stuff='condition'");

echo '
<h2>Users</h2>
<form action="" method="post">
<table>
	<thead>
		<tr>
			<th>Id</th><th>Name</th><th>Update</th>
		</tr>
	</thead>
	<tbody>';
foreach ($stmt->fetchAll() as $row)
{
	# Using the id as array element keys for your form elements and using
	# checkboxes containing these id values, you have a simple way of
	# accessing the data which should be updated (see section handling
	# post data above)
	printf('
		<tr>
			<td>%1$d</td>
			<td class="formElement textInput"><input type="text" name="name[%1$d]" value="%2$s"></td>
			<td class="formElement"><input type="checkbox" name="update[]" value="%1$d"></td>
		</tr>',
		$row['id'],
		$row['name']
	);
}
echo '
	<tbody>
</table>
<div>
	<input type="submit" name="submit" value="submit">
</div>
</form>

This approach should only be used if the user is allowed to edit any record of this table. You have no control over what data they send, so even if you will only display certain record to a specific user, he's the one sending the id values, and as such could send any id value at all.

Another way is to only let the user click links for records to edit and display one record at the time on an "edit record page".

Or you could use the approach shown here, but change the checkboxes to inputs of type button and use ajax to send updates for one record at the time.

johanafm

Awestruck;11006358 wrote:
or something else reasonably unique (not the ID number).

The only thing which is "reasonably" unique, is the admins user credentials: login name and password.

Once the admin has logged in, you know who he or she is, and you know what data he or she has the right to update. This should be checked on every single request, wether its presenting data (check for privileges to see data) or updating it (check for privs to update data).

If I don't have to log in and can update data if I happen to provide a matching telephone number, I could use an online phone number service to get hold of phone numbers and...
Or I could simply try to brute force them. Or I could say I'm not only learning about socially engineered phishing attacks, but also a hot woman (see attached pictures) and ask for the phone number...

Awestruck

many thanks johanafm for your prompt and comprehensive reply.
I was aware that I should use mysqli and not mysql, but after several weeks of trying to understand and implement database queries from manuals, I was receiving only error messages. I was therefore delighted when the old msql actually worked. I will heed your advice and try the mysqli version of those files now. I am only interested in updating a record via the administrator, I would not want users doing it. I will not explore PDO until I have mastered MySQLi. I thought the password and root only mattered when uploaded to a server, am I mistaken? and should I therefore use a password even when used only on my local easyphp installation?

I will try your code after I have converted the files (the ones that work) to MySQLi.
Again, many thanks.

johanafm

Well, if you are developing on a local machine not open to the external world, there is of course little risk involved in logging in as root. But there are risks nonetheless.

If someone gains access to your computer, they could screw you over royally. Perhaps not that likely, but annoying nonetheless.

But there is one advantage which I believe makes it worthwile. You will have to set up proper users and privileges in the end, so why not do so on the development machine to begin with. Your dev and production environment should be as close to each other as possible. If you can't match OS, at least match application versions, users and privileges etc. Otherwise, how will you know if things work in production when you go from root to a proper setup?

Moreover, should you somehow screw up when writing code, there is a chance that the privs will save you from doing things you shouldn't. Always be as restrictive as possible if you ever plan on eventually giving access to something to the outside world.

Aside from the fact that you may find it fun to learn things, or that it may be useful in the future, there is no real point in first learning MySQLi and then PDO. Besides, once you have learnt one, understanding code written using the other should be straightforward, at least with a bunch of documentation lookups at php.net. So I recommend choosing whichever seems preferable to you to begin with.

Either way, should you run into new problems using either PDO or mysqli that you can't solve, post the errors here and you're likely to get help decently fast since pretty much anyone helping out here will know what's wrong from the error messages.

Good luck 🙂