I want the edit.php page to not give me any errors

o8codex

Hello guys I found an awesome CRUD file for updating to a sql database with php every thing works great but the thing that is very annoying is that the index.php page haves a button that links to edit.php?post_id= so that's correct, but any ways I like to test pages because I know there is going to be a boring illogical person that will say to them self's what would happen if I do this etc.. any ways so what I did instead of putting edit.php?post_id= and the id of a post from my mysqli database in the url I instead put this in the url as simply as edit.php and it said this error Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in etc.. on line 43 so basically I just want to fix this edit.php page when some one types this directly and what I mean by fixing this is I want no errors shown when some one types www.example.com/edit.php since www.example.com/edit.php?post_id= shows no errors.

Here's what I mean

visually

[ATTACH]5457[/ATTACH]

[ATTACH]5459[/ATTACH]

and the code

<?php

include("/fake_path/instructions/php/session_and_connection.php");

if(isset($_POST['update']))
{   

$post_id = mysqli_real_escape_string($connect, $_POST['post_id']);

$user_id = $row['user_id'];
$topic_id = mysqli_real_escape_string($connect, $_POST['topic_id']);
$post_title = mysqli_real_escape_string($connect, $_POST['post_title']);
$post_content = mysqli_real_escape_string($connect, $_POST['post_content']);


// checking empty fields
if(empty($post_title) || empty($post_content)) {    

if(empty($post_title)) {
echo "<font color='red'>post_title field is empty.</font><br/>";
}

if(empty($post_content)) {
echo "<font color='red'>post_content field is empty.</font><br/>";
}

} else {    

//updating the table
$result = mysqli_query($connect, "UPDATE posts SET user_id='$user_id',topic_id='$topic_id',post_title='$post_title',post_content='$post_content' WHERE post_id=$post_id");

//redirectig to the display page. In our case, it is index.php
header("Location: index.php");
}
}
?>
<?php
//getting post_id from url
$post_id = $_GET['post_id'];

//selecting data associated with this particular post_id
$result = mysqli_query($connect, "SELECT * FROM posts WHERE post_id=$post_id");

while($res = mysqli_fetch_array($result))
{
$user_id = $res['user_id'];
$topic_id = $res['topic_id'];
$post_title = $res['post_title'];
$post_content = $res['post_content'];
}
?>
<html>
<head>  

<title>Edit Data</title>
</head>

<body>
<a href="index.php">Home</a>
<br/><br/>

<form name="form1" method="post" action="edit.php">
<table border="0">
<tr> 
<td>post_title</td>
<td><input type="text" name="post_title" value="<?php echo $post_title;?>"></td>
</tr>
<tr> 
<td>post_content</td>
<td><input type="text" name="post_content" value="<?php echo $post_content;?>"></td>
</tr>
<tr>
<td><input type="hidden" name="post_id" value=<?php echo $_GET['post_id'];?>></td>
<td><input type="submit" name="update" value="Update"></td>
</tr>
</table>
</form>
</body>
</html>

editx.php.png edit.php.png

dalecosp

Please don't take the following personally.

Actually, you want to get messages like this one, which will occur when $post_id isn't set properly in line 41, although you may not want to show them to the public ... more on that (and that) later.

But there's so many problems with this script, I would suggest, PLEASE DO NOT USE IT. From the attached screenshots, I take it you love Jesus ... please don't put this code out there in His Name. 😉

For example, this assignment:

//getting post_id from url
$post_id = $_GET['post_id'];

We're getting a variable from the URL and NOT SANITIZING IT? We are going to get our database (and maybe our entire server) pwned in 4 minutes and 15 seconds[SUP]*[/SUP] after this goes public.

Obligatory XKCD cartoon: https://xkcd.com/327/

That's known as SQL injection, and serious students of PHP programming have been attempting to make sure we don't allow our scripts to be vulnerable to that for a long time[SUP]**[/SUP]. Shoot, brand new users of PHP have been attempting ... well ... you see my point, I hope.

Next, the error, as mentioned above. Most of us know that when you query the database, you hope to get a $result from a call to mysqli_query, but you might not get a result, and therefore you need to handle that possibility. This script doesn't care about that at all ... look:

$result = mysqli_query($connect, "SELECT * FROM posts WHERE post_id=$post_id");

while($res = mysqli_fetch_array($result)) {
    $user_id = $res['user_id'];
    $topic_id = $res['topic_id'];
    $post_title = $res['post_title'];
    $post_content = $res['post_content'];
}

What do you see here? We call "mysqli_fetch_array()" on the $result variable without bothering to check if it's actually a valid result. That's the source of your error above.

It should be more like:

$result = mysqli_query($connect, "SELECT * FROM posts WHERE post_id=$post_id");

if ($result && $result->num_rows) {

while($res = mysqli_fetch_array($result)) {
    $user_id = $res['user_id'];
    $topic_id = $res['topic_id'];
    $post_title = $res['post_title'];
    $post_content = $res['post_content'];
}
} else {

 echo "We have no such story!"; //a simple example of what should be a very nice looking error page.
}

As a matter of fact, just about everything about this script screams 'it's still 2004 where we live'. It's not! :eek:

In my profession opinion, you should not use the script until it's cleaned up and properly secured. I will add "Please" ... 🙂

[SUP]*[/SUP]possibly quite less
[SUP]**[/SUP]as evidence, I note 7.42 MILLION results for "php mysql injection" on a major search engine....

o8codex

OMG!!! lol thank you very much god bless you may Jesus bless your beautiful soul lol ha ha thanks I was looking for hours and hours to look for a fix but yeah I know its not safe to use this script but the things about scripts from online is that you can always pimp them out lol so yeah I will start working on this script before I release it to the public thanks for your help! 🙂