
I have sample data in my database that I am trying to override with my data in a form submission, with the primary key PageID set to 0. My query, to my knowledge, is correct; I have no errors upon submission, just no data going into the database. Here is the entire PHP document.

<?php
if(isset($_POST['update'])){
  $pageid = 0; 

 $dbc = @mysqli_connect ('localhost', 'elinksw_ju1ez', '*******', 'elinksw_ju1ez') OR die ('<p class="error">Cannot connect to the database.</body></html>');

 $q = "UPDATE tblContent SET PageHeading='$_POST[PageHeading]' ,SubHeading='$_POST[SubHeading]' ,Content='$_POST[Content]' ,PageTitle='$_POST[PageTitle]' ,MetaDescription='$_POST[MetaDescription]' ,MetaKeywords='$_POST[MetaKeywords]'  WHERE PageID='$pageid'";
 $r = mysqli_query($dbc, $q);
mysqli_close($dbc);

 }
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="./includes/adminStyle.css">
<title>Administration - Edit content</title>
</head>

<body>
<header>
<h1>Edit Content</h1>
<h2>Welcome Administrator</h2>
</header>

<nav>
<a href="admin.php" class="myButton">Manage Homepage</a><br>
<a href="admin.php" class="myButton">Manage Products</a><br>
<a href="admin.php" class="myButton">Manage Contacts</a><br>
</nav>

<section>
<h2>Manage Homepage</h2>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<table width="300" cellpadding="2" cellspacing="2">
    <tr>
    </tr>
    <tr>
        <td>Page Heading:</td>
        <td><input type="text" name="PageHeading"></td> </tr>
    <tr>
        <td>Sub Heading:</td>
        <td><input type="text" name="SubHeading"></td>  </tr>
    <tr>
        <td>Page Title:</td>
        <td><input type="text" name="PageTitle"></td>   </tr>
    <tr>
        <td>MetaDescription:</td>
        <td><textarea style="width:300px;" cols="55" rows="5" name="MetaDescription"></textarea></td>   </tr>
    <tr>
        <td>MetaKeywords:</td>
        <td><input type="text" name="MetaKeywords"></td>    </tr>
    <tr>
        <td>Content:</td>
        <td><textarea style="width:300px;" cols="55" rows="5" name="Content"></textarea></td>   </tr>
    <tr>
        <td><input type="submit" name="update" value="Update Database"></td>  </tr>
</table>
</form>
</section>
</body> 
</html>

Here is the table in the database

  • have you tried echoing any errors - ie. $r = mysqli_query($dbc, $q) or die(mysqli_error($dbc));? Commented Apr 19, 2015 at 22:33
  • You should have $_POST['PageHeading'] instead of $_POST[PageHeading]. Also, your query is vulnerable to SQL injections. Commented Apr 19, 2015 at 22:34
  • I have checked for errors and echoed out results; nothing shows. So I thought maybe it was a connection problem, rumbled with that, had the connection read successful if the connection was established, and it was. It's like no data is coming out or reading to this database. Commented Apr 19, 2015 at 22:41
  • If any of your $_POST values have single quotes ', then your query will fail. At a minimum you want to use mysqli_real_escape_string() and better would be to use prepared statements php.net/manual/en/mysqli.quickstart.prepared-statements.php Commented Apr 19, 2015 at 22:42
  • @kidA if OP adds the single quotes, they will also need to add brackets {} as they would get a syntax error inside double quotes - {$_POST['PageHeading']} Commented Apr 19, 2015 at 22:44

1 Answer


First of all, your code is dangerous: it is vulnerable to injection attacks. You have to filter and escape your $_POST variables (http://corpocrat.com/2009/07/28/filtering-escaping-post-data-from-injection-attacks).

A quick & dirty solution to grasp what's going on would involve:

// Escape each submitted value for use inside a quoted SQL string literal.
// PHP variable names are case-sensitive, so they must match the names used in the query.
$PageHeading = mysqli_real_escape_string($dbc, $_POST['PageHeading']);
$SubHeading = mysqli_real_escape_string($dbc, $_POST['SubHeading']);
$Content = mysqli_real_escape_string($dbc, $_POST['Content']);
$PageTitle = mysqli_real_escape_string($dbc, $_POST['PageTitle']);
$MetaDescription = mysqli_real_escape_string($dbc, $_POST['MetaDescription']);
$MetaKeywords = mysqli_real_escape_string($dbc, $_POST['MetaKeywords']);
// Build the query from the escaped copies, not from $_POST directly.
$q = "UPDATE tblContent SET PageHeading='$PageHeading' ,SubHeading='$SubHeading' ,Content='$Content' ,PageTitle='$PageTitle' ,MetaDescription='$MetaDescription' ,MetaKeywords='$MetaKeywords'  WHERE PageID='$pageid'";
$r = mysqli_query($dbc, $q) or die(mysqli_error($dbc)); //remove this on production

6 Comments

OP's mysqli_* does not match with your mysql_*/mysql_real_escape_string().
mysqli_real_escape_string() requires the db link as the 1st param - mysqli_real_escape_string($dbc, $_POST['PageHeading']); as opposed to mysql_real_escape_string php.net/manual/en/mysqli.real-escape-string.php
ouch.... too used to the OO version $dbc->real_escape_string($string); :( thanks again
I'm still wondering if this is an actual solution for her problem. Would this work even if the strings were entered without quotes?
I've been trying so hard trying to fix the query I haven't really worked on the rest and overlooked the simple problem. Trying to keep it simplistic until I had it inserting values so I knew what wasn't working. But I tested this and it worked perfectly, so much thanks. With my query it was the single quotes. PageHeading='$_POST[PageHeading]' should have been PageHeading=$_POST['PageHeading']. Looked that over too many times. ty ty
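
The prepared-statement approach suggested in the comments, applied to the question's UPDATE, as an added example that is not part of the original posts: values are bound as parameters instead of being interpolated into the SQL text, mysqli errors are raised as exceptions, and the affected-row count is returned so an UPDATE that silently changes nothing is visible. The helper name update_page and the connection credentials are placeholders.

```php
<?php
// Added example, not code from the original posts.
// Credentials below are placeholders; table and column names come from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions

// update_page() is a hypothetical helper name. Returns the number of rows changed.
function update_page(mysqli $dbc, int $pageId, array $post): int
{
    // Column names are fixed in the SQL text; only the values are bound.
    $fields = ['PageHeading', 'SubHeading', 'Content',
               'PageTitle', 'MetaDescription', 'MetaKeywords'];
    $params = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("Missing or non-string field: $f");
        }
        $params[] = $post[$f];
    }
    $params[] = $pageId;

    $stmt = $dbc->prepare(
        'UPDATE tblContent SET PageHeading = ?, SubHeading = ?, Content = ?, '
        . 'PageTitle = ?, MetaDescription = ?, MetaKeywords = ? WHERE PageID = ?'
    );
    $stmt->bind_param('ssssssi', ...$params); // six strings, one integer
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['update'])) {
    try {
        $dbc = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
        $dbc->set_charset('utf8mb4');
        $rows = update_page($dbc, 0, $_POST);
        $dbc->close();
        // 0 rows: no row has PageID = 0, or the stored values already match.
        echo $rows > 0 ? 'Saved.' : 'No row was changed.';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid form submission.';
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // details go to the server log, not the browser
        http_response_code(500);
        echo 'Update failed.';
    }
}
```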