0

I asked this question before, but not very well! Basically I have an editing page for a CMS, somewhere along the line (from the element onwards) the fields display in the box next to where they should be displaying. any ideas why?

<?php

if(isset($_GET['id']))
{
   $query  = "SELECT * ".
             "FROM studies ".
             "WHERE id = '".$_GET['id']."'";

   $result = mysql_query($query) or die('Error : ' . mysql_error());
      list($id, $pagetitle, $title, $date, $copy, $outputs, $strategies, $client, $niche, $media, $thumbmedia, $newfieldtitle, $newfieldcontent) = mysql_fetch_array($result, MYSQL_NUM);



}

if(isset($_POST['update1']))
{
   $id = $_POST['id'];
   $pagetitle = $_POST['pagetitle'];
   $title = $_POST['title'];
   $date = $_POST['date'];
   $copy = $_POST['copy'];
   $outputs = $_POST['outputs'];
   $strategies = $_POST['strategies'];
   $client = $_POST['client'];
   $niche = $_POST['niche'];
   $media = $_POST['media'];
   $thumbmedia = $_POST['thumbmedia'];
   $newfieldtitle = $_POST['newfieldtitle'];
   $newfieldcontent = $_POST['newfieldcontent'];

   if(!get_magic_quotes_gpc())
   {
      $pagetitle = addslashes($pagetitle);
      $title = addslashes($title);
      $date = addslashes($date);
      $copy = addslashes($copy);
      $outputs = addslashes($outputs);
      $strategies = addslashes($strategies);
      $client = addslashes($client);
      $niche = addslashes($niche);
      $media = addslashes($media);
      $thumbmedia = addslashes($thumbmedia);
      $newfieldtitle = addslashes($newfieldtitle);
      $newfieldcontent = addslashes($newfieldcontent);

   }

   // update the article in the database
   $query = "UPDATE studies
            SET pagetitle = '$pagetitle', title = '$title', date = '$date', copy = '$copy', outputs = '$outputs', strategies = '$strategies', client = '$client', niche = '$niche', media = '$media', thumbmedia = '$thumbmedia', newfieldtitle = '$newfieldtitle', newfieldcontent = '$newfieldcontent' ".
        "WHERE id = '$id'";
   mysql_query($query) or die('Error : ' . mysql_error());

   // then remove the cached file
   $cacheDir = dirname(__FILE__) . '/cache/';

   $cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';

   @unlink($cacheFile);

   // and remove the index.html too because the file list
   // is changed
   @unlink($cacheDir . 'index.html');

   echo "<b>Article '$title' updated</b>";

   // now we will display $title & content
   // so strip out any slashes
      $pagetitle   = stripslashes($pagetitle);
      $title   = stripslashes($title);
      $date   = stripslashes($date);
      $copy = stripslashes($copy);
      $outputs = stripslashes($outputs);
      $strategies = stripslashes($strategies);
      $client = stripslashes($client);
      $niche = stripslashes($niche);
      $media = stripslashes($media);
      $thumbmedia = stripslashes($thumbmedia);
      $newfieldtitle = stripslashes($newfieldtitle);
      $newfieldcontent = stripslashes($newfieldcontent);

}


?>


<div class="container">
<form method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>">

<p class="subheadsmall">Browser Title</p>
<textarea cols="40" rows="1" class="box" name="pagetitle" id="editbox"><?php echo $pagetitle; ?></textarea>


<p class="subheadsmall">Story Title</p>
<textarea cols="40" rows="1" class="box" name="title" id="editbox"><?php echo $title; ?></textarea>

<p class="subheadsmall">Date</p>
<textarea cols="40" rows="1" class="box" name="date" id="editbox"><?php echo $date; ?></textarea>

<p class="subheadsmall">Story</p>
<textarea cols="80" rows="10" class="box" name="copy" id="editbox"><?php echo $copy; ?></textarea>

<p class="subheadsmall">Outputs</p>
<textarea cols="80" rows="10" class="box" name="outputs" id="editbox"><?php echo $outputs; ?></textarea>

<p class="subheadsmall">Strategies</p>

<p class="subheadsmall">Client</p>
<select name="client">
    <option value="empty">Select a Client...</option>
 <?php
            $result2 = mysql_query("SELECT name FROM clients");
                if (!$result2) {
                    die("Database query failed: " . mysql_error());
                }


while($row = mysql_fetch_array($result2)) {
    $clientlist = $row['name'];
    $clientname = htmlspecialchars($row['name']);

    if ($_POST['client'] == $clientlist)
    { 

    echo '<option value="' . $clientlist . '" selected="selected" >' . $clientname . '</option>' . '\n';
    }
    else{
    echo '<option value="' . $clientlist . '" >' . $clientname . '</option>' . '\n';
}
}


?>
</select>

<p class="subheadsmall">Core Classification</p>

<?php

switch ($niche) {
    case "brand":
        echo '<input type="radio" name="niche" value="brand" checked="checked" />Brand';
        echo '<input type="radio" name="niche" value="marketing" />Marketing';
        echo '<input type="radio" name="niche" value="communication" />Communication';
        break;
    case "marketing":
        echo '<input type="radio" name="niche" value="brand" />Brand';
        echo '<input type="radio" name="niche" value="marketing" checked="checked" />Marketing';
        echo '<input type="radio" name="niche" value="communication" />Communication';
        break;
    case "communication":
        echo '<input type="radio" name="niche" value="brand" />Brand';
        echo '<input type="radio" name="niche" value="marketing" />Marketing';
        echo '<input type="radio" name="niche" value="communication" checked="checked" />Communication';
        break;
    default;
        echo '<input type="radio" name="niche" value="brand" />Brand';
        echo '<input type="radio" name="niche" value="marketing" />Marketing';
        echo '<input type="radio" name="niche" value="communication" />Communication';
    break;
}

?>

<p class="subheadsmall">Add New Strategy</p>
<textarea cols="40" rows="1" class="box" name="strategies" id="editbox"><?php echo $strategies; ?></textarea>

<p class="subheadsmall">Media</p>
<textarea cols="80" rows="10" class="box" name="media" id="editbox"><?php echo $media; ?></textarea>

<p class="subheadsmall">Thumbnail image</p>
<textarea cols="80" rows="3" class="box" name="thumbmedia" id="editbox"><?php echo $thumbmedia; ?></textarea>

<p class="subheadsmall">Additional Field</p>

<p class="subheadsmall">Additional Field Title</p>
<textarea cols="40" rows="1" class="box" name="newfieldtitle" id="editbox"><?php echo $newfieldtitle; ?></textarea>
<p class="subheadsmall">Additional Field Content</p>
<textarea cols="40" rows="3" class="box" name="newfieldcontent" id="editbox"><?php echo $newfieldcontent; ?></textarea>



<input name="update1" type="submit" class="box" id="editbutton" value="Update Article">

</form>
Improve this question
4
  • Can you please reword your question? Commented Jun 30, 2009 at 7:56
  • Sorry! The <textarea> elements each call to echo a variable, but about half way down, they display the wrong information from the database. Instead of echoing the information from the cell I'm trying to call, it is echoing from the cell next to it in the MySQL table. Does this make sense? the right info is being displayed up until the "Client" <select> drop-down Commented Jun 30, 2009 at 8:11
  • sorry, the <select name="client"> line, after that the problems start Commented Jun 30, 2009 at 8:12
  • addslashes so that you can stripslashes seems like someone needs to rework their logic, you also need to see the mysql_real_escape_string() function and drop the add/stripslashes entirely. Commented Jun 30, 2009 at 8:17

3 Answers 3

Reset to default
3

A side note about security :

Please, for the sake of the internet and all your users, don't use mysql_query. Please use PDO http://php.net/pdo. It automatically escapes your variables so you don't have SQL exploits.

And if you must use mysql_query (for legacy code) make sure to run each variable through http://php.net/mysql_real_escape_string before using it in a query string.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

2

I suppose you're simply assigning the wrong content to the wrong variables, which supposedly happens here:

list($id, $pagetitle, $title, ...) = mysql_fetch_array($result, MYSQL_NUM);

You're relying on the database fields being in the exact order your code is in. Not very reliable and a horror to maintain.

Why go through the trouble of copying them out of an array into separate variables in the first place? Just keep them as they are until you need them:

<?php $row = mysql_fetch_assoc($result); ?>
...
<textarea name="date"><?php echo $row['date']; ?></textarea>
Improve this answer

Comments

0
  • Remove the addslashes and magic quotes crap replace it with mysql_real_escape_string()
  • You are leaving yourself open to sql injections with the SELECT * FROM studies WHERE id = '".$_GET['id']."'";
    • What if I make a request like: domain.tld/page.ext?id=SELECT * FROM users

I've rewritten a bunch of the problems I saw give this a try.

<?php

if(isset($_GET['id']))
{
   $query  = "SELECT * FROM studies WHERE id = " . mysql_real_escape_string($_GET['id']);
   $result = mysql_query($query) or die('Error : ' . mysql_error());
      list($id, $pagetitle, $title, $date, $copy, $outputs, $strategies, $client, $niche, $media, $thumbmedia, $newfieldtitle, $newfieldcontent) = mysql_fetch_array($result, MYSQL_NUM);
}

if(isset($_POST['update1']))
{
   $id = $_POST['id'];
   $pagetitle = $_POST['pagetitle'];
   $title = $_POST['title'];
   $date = $_POST['date'];
   $copy = $_POST['copy'];
   $outputs = $_POST['outputs'];
   $strategies = $_POST['strategies'];
   $client = $_POST['client'];
   $niche = $_POST['niche'];
   $media = $_POST['media'];
   $thumbmedia = $_POST['thumbmedia'];
   $newfieldtitle = $_POST['newfieldtitle'];
   $newfieldcontent = $_POST['newfieldcontent'];

   // update the article in the database
   $query = "UPDATE studies
            SET pagetitle = '" . mysql_real_escape_string($pagetitle) . "', title = '" . mysql_real_escape_string($title) . "', date = '" . mysql_real_escape_string($date) . "', copy = '" . mysql_real_escape_string($copy) . "', outputs = '" . mysql_real_escape_string($outputs) . "', strategies = '" . mysql_real_escape_string($strategies) . "', client = '" . mysql_real_escape_string($client) . "', niche = '" . mysql_real_escape_string($niche) . "', media = '" . mysql_real_escape_string($media) . "', thumbmedia = '" . mysql_real_escape_string($thumbmedia) . "', newfieldtitle = '" . mysql_real_escape_string($newfieldtitle) . "', newfieldcontent = '" . mysql_real_escape_string($newfieldcontent) . "' ".
        "WHERE id = '" . mysql_real_escape_string($id) . "'";
   mysql_query($query) or die('Error : ' . mysql_error());

   // then remove the cached file
   $cacheDir = dirname(__FILE__) . '/cache/';

   $cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';

   @unlink($cacheFile);

   // and remove the index.html too because the file list
   // is changed
   @unlink($cacheDir . 'index.html');

   echo "<b>Article '$title' updated</b>";

}


?>


<div class="container">
<form method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>">

<p class="subheadsmall">Browser Title</p>
<textarea cols="40" rows="1" class="box" name="pagetitle" id="editbox"><?php echo $pagetitle; ?></textarea>


<p class="subheadsmall">Story Title</p>
<textarea cols="40" rows="1" class="box" name="title" id="editbox"><?php echo $title; ?></textarea>

<p class="subheadsmall">Date</p>
<textarea cols="40" rows="1" class="box" name="date" id="editbox"><?php echo $date; ?></textarea>

<p class="subheadsmall">Story</p>
<textarea cols="80" rows="10" class="box" name="copy" id="editbox"><?php echo $copy; ?></textarea>

<p class="subheadsmall">Outputs</p>
<textarea cols="80" rows="10" class="box" name="outputs" id="editbox"><?php echo $outputs; ?></textarea>

<p class="subheadsmall">Strategies</p>

<p class="subheadsmall">Client</p>
<select name="client">
    <option value="empty">Select a Client...</option>
 <?php
                $result2 = mysql_query("SELECT name FROM clients") or die("Database query failed: " . mysql_error());    

while($row = mysql_fetch_assoc($result2)) {
    $clientlist = $row['name'];
    $clientname = htmlspecialchars($row['name']);

    if ($_POST['client'] == $clientlist)
    { 

    echo '<option value="' . $clientlist . '" selected="selected" >' . $clientname . '</option>' . '\n';
    }
    else{
    echo '<option value="' . $clientlist . '" >' . $clientname . '</option>' . '\n';
}
}


?>
</select>

<p class="subheadsmall">Core Classification</p>

<?php

switch ($niche) {
    case "brand":
        echo '<input type="radio" name="niche" value="brand" checked="checked" />Brand';
        echo '<input type="radio" name="niche" value="marketing" />Marketing';
        echo '<input type="radio" name="niche" value="communication" />Communication';
        break;
    case "marketing":
        echo '<input type="radio" name="niche" value="brand" />Brand';
        echo '<input type="radio" name="niche" value="marketing" checked="checked" />Marketing';
        echo '<input type="radio" name="niche" value="communication" />Communication';
        break;
    case "communication":
        echo '<input type="radio" name="niche" value="brand" />Brand';
        echo '<input type="radio" name="niche" value="marketing" />Marketing';
        echo '<input type="radio" name="niche" value="communication" checked="checked" />Communication';
        break;
    default;
        echo '<input type="radio" name="niche" value="brand" />Brand';
        echo '<input type="radio" name="niche" value="marketing" />Marketing';
        echo '<input type="radio" name="niche" value="communication" />Communication';
    break;
}

?>

<p class="subheadsmall">Add New Strategy</p>
<textarea cols="40" rows="1" class="box" name="strategies" id="editbox"><?php echo $strategies; ?></textarea>

<p class="subheadsmall">Media</p>
<textarea cols="80" rows="10" class="box" name="media" id="editbox"><?php echo $media; ?></textarea>

<p class="subheadsmall">Thumbnail image</p>
<textarea cols="80" rows="3" class="box" name="thumbmedia" id="editbox"><?php echo $thumbmedia; ?></textarea>

<p class="subheadsmall">Additional Field</p>

<p class="subheadsmall">Additional Field Title</p>
<textarea cols="40" rows="1" class="box" name="newfieldtitle" id="editbox"><?php echo $newfieldtitle; ?></textarea>
<p class="subheadsmall">Additional Field Content</p>
<textarea cols="40" rows="3" class="box" name="newfieldcontent" id="editbox"><?php echo $newfieldcontent; ?></textarea>



<input name="update1" type="submit" class="box" id="editbutton" value="Update Article">

</form>

EDIT: I've made a few more changes to your code, also I think your problem stems from this line:

while($row = mysql_fetch_array($result2)) {

I think your looking for the mysql_fetch_assoc() array.

Improve this answer

1 Comment

thanks, that is much nicer looking code, same problem though. I can't figure it out. Basically the form enters the info into the database correctly, but the problem happens when trying to retrieve it.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.