
I am doing an exercise from the book PHP & MYSQL in easy steps. It involves an HTML form to update a row in a database, then various PHP scripts to check the input data for HTML code and make it into a secure format. However, the code just does not work the way the book says. I went to the publisher's website and downloaded the code example, but no joy.

Instead of a form with the name of the row below it, I get the form, then below that "No valid new name submitted", then below that the current name of the row in the table which I want to change. When I try to enter and submit data into the form it makes no difference. It displays exactly the same page. The code is below.

<!DOCTYPE HTML>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Ensuring security
    </title>
</head>
<body>

<form action="secure.php" method="POST">
    <p>New Name : <input type="text" name="name">
        <input type="submit"></p></form>



<?php

require('../connect_db.php');


if (!empty($POST['name']) && !is_numeric($_POST['name'])) {
    $name = $POST['name'];

    $name = mysqli_real_escape_string($dbc, $name);
    $name = strip_tags($name);

    $q = 'UPDATE towels SET name "' . $name . '" WHERE id= 1';
    mysqli_query($dbc, $q);
} else {
    echo 'No valid new name submitted';
}

$q = 'SELECT * FROM towels WHERE id = 1 ';
$r = mysqli_query($dbc, $q);
while ($row = mysqli_fetch_array($r, MYSQLI_NUM)) {
    echo "<p>Name : $row[1] </p>";
}
mysqli_close($dbc);

I'd appreciate any ideas on this. I have spent about 3 hours and been on the publisher's website, but I am still at square one.

  • Get a different book. One that teaches prepared statements. (Not to mention the mix of HTML and PHP which makes stuff unreadable and unmaintainable.) Commented Sep 16, 2013 at 15:37
  • You're using mysqli wrong. You should be preparing a statement and then using bind_param to add the $name value. Using string concatenation is extremely hazardous, as a simple mistake can be devastating. If you're learning this technique from a book, your book is broken. I'm with Bart here, get a new book. Commented Sep 16, 2013 at 15:37
  • For starters, change all $POST to $_POST Commented Sep 16, 2013 at 15:41
  • Please tell us which book it is (title and author). Commented Sep 16, 2013 at 15:46
  • I just downloaded what I assume is the same code from ineasysteps.com/wp-content/uploads/2012/09/php-src.zip and it works fine and also has a different value for the title element: <title>PHP Security</title>. So first, everyone who is assuming that the book must be bogus just like any other resource for beginners is so lame should stand down. Second, Troy, were you modifying the code to get your hands dirty or copying it straight from the book originally? Commented Sep 16, 2013 at 15:52

1 Answer

There is no superglobal array $POST so you have to change $POST['name'] to $_POST['name'].

PHP can't see that array, so it evaluates !empty($POST['name']) as false and never executes the code with the update query.

And, like @BartFriederichs said, buy a better book. I don't think you'll learn anything valuable from the current one.
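The fix the answer and the comments above point to, as an added example that is neither the book's code nor the original poster's: the PHP half of the page rewritten to read $_POST and to use mysqli prepared statements with bind_param, so the value never becomes part of the SQL text. It assumes, as the question does, that ../connect_db.php creates a mysqli connection in $dbc and that the table towels has columns id and name; the HTML form above the script stays as in the question. Two things a reader checking the question's code will also want to see: the UPDATE statement there reads SET name "..." with no = sign, which MySQL rejects, and the script never inspects the return value of mysqli_query(), so that rejection is silent. The example turns on mysqli exception reporting so such errors surface instead of being swallowed.

```php
<?php
// Added example, not the book's code. Assumes ../connect_db.php sets $dbc to a
// mysqli connection and that towels(id INT, name VARCHAR) exists.
declare(strict_types=1);

// Throw on any mysqli error instead of failing silently. The original script
// ignored the return value of mysqli_query(), which hid the broken UPDATE.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require '../connect_db.php';

/**
 * Validate the submitted name. Returns the cleaned name, or null when the
 * request carries no usable value. The superglobal is $_POST (with the
 * underscore); $POST is merely an undefined variable, so empty() is true.
 */
function submitted_name(array $post): ?string
{
    if (!isset($post['name']) || !is_string($post['name'])) {
        return null;
    }
    // strip_tags() is a content rule for the stored value, not the XSS
    // defence; that belongs on output (see htmlspecialchars below).
    $name = trim(strip_tags($post['name']));
    if ($name === '' || is_numeric($name) || strlen($name) > 100) {
        return null;
    }
    return $name;
}

/** Update the row and return the number of affected rows. */
function update_name(mysqli $dbc, int $id, string $name): int
{
    // The value is bound as a parameter, never spliced into the SQL, so no
    // mysqli_real_escape_string() is needed and no input can change the
    // statement. Note the '=' after SET name, missing in the book's query.
    $stmt = $dbc->prepare('UPDATE towels SET name = ? WHERE id = ?');
    $stmt->bind_param('si', $name, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/** Fetch the current name for a row, or null if the row does not exist. */
function current_name(mysqli $dbc, int $id): ?string
{
    $stmt = $dbc->prepare('SELECT name FROM towels WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

$id = 1;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = submitted_name($_POST);
    if ($name === null) {
        echo '<p>No valid new name submitted</p>';
    } else {
        update_name($dbc, $id, $name);
    }
}

// Escape on output: whatever is stored must be HTML-encoded before echoing.
$shown = current_name($dbc, $id) ?? '(no row with id 1)';
echo '<p>Name : ' . htmlspecialchars($shown, ENT_QUOTES, 'UTF-8') . '</p>';
$dbc->close();
```

With MYSQLI_REPORT_STRICT enabled, a malformed statement or a failed connection throws a mysqli_sql_exception on the first request, which is the behaviour you want while learning: the page either works or tells you exactly which query failed, rather than rendering the unchanged row as if nothing happened.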


1 Comment

Thanks. I have already commented above. I corrected the error, but it still does not process the name change. I am not sure which book I will go with next.
