Just a quick question -- can read from db but not write.



DJJama
02-22-2010, 09:40 AM
Hi.

I'm new here and came across this as I'm a little stuck with my project.

I'm making a running trainer using PHP and MySQL.
I have sorted logins and sessions and it can read from a database.


However my add/edit/delete user form will only display and delete users.

I have scanned it several times and can't find the problem; it is probably blindingly obvious, so I would appreciate it if some people could have a look.



<?php
require("includes/sesh.inc");
require("includes/header.inc");
require("includes/db.inc");



if (isset($_GET['add']))
{
//if the user has chosen to add someone to the database
echo "<h1>Add user</h1>";
$f = $_POST['fname'];
$s = $_POST['sname'];
$u = $_POST['uname'];
$p = $_POST['pass'];
$l = $_POST['alevel'];
$a = $_POST['age'];
$g = $_POST['gend'];
$r = $_POST['rabil'];
$t = $_POST['rtrain'];

$query = "INSERT INTO userdetails (userid, firstname, surname, username, password, accesslevel, age, gender, runnerability, racetrainingfor) VALUES (NULL, '$f', '$s','$u','$p',$l,$a,'$g',$r,'$t')";
mysql_query($query);
echo "<p>User added. <a href='user.php'>Add/Edit People</a></p>";
}

elseif(isset($_GET['del']))
{
//if the user has chosen to delete a record ask them to confirm
echo "<h1>Confirm Delete User</h1>";
$therecord = $_GET['del'];
echo "<form action='user.php?confirm=yes' method='post'>Are you sure you want to delete user ".$therecord."? This cannot be undone.<br>";
echo "<input type='hidden' name='todel' value='".$therecord."'><input type='submit' name='yes' value ='Yes'> || <input type='submit' name='no' value ='No'></form>";
}

elseif(isset($_GET['confirm']) && isset($_POST['yes']))
{
echo "<h1>Deleting The User</h1>";
//the user has confirmed that they want to delete a record
$d = $_POST['todel'];
$query = "DELETE FROM userdetails WHERE userid=$d";
mysql_query($query);
echo "<p>User deleted. <a href='user.php'>Add/Edit Users</a></p>";
}

elseif(isset($_GET['edit']))
{
// if the user has chosen to edit a record, load it and show it in an update form
$peeps = $_GET['edit'];
$query = "SELECT * FROM userdetails WHERE userid=$peeps";
$result = mysql_query($query);
$row = mysql_fetch_array($result);
// escape the stored values before placing them in HTML attribute values
$row = array_map('htmlspecialchars', $row);
extract($row);
echo "<h1>Edit User</h1>";
//display a form pre-filled with the record; it posts to the update branch and carries the userid in a hidden field
echo "<form action='user.php?update=yes' method='post'>
<input type='hidden' name='uid' value='".$userid."'>
<p>Firstname: <input type='text' name='fname' value='".$firstname."'><br>
Surname: <input type='text' name='sname' value='".$surname."'><br>
Username: <input type='text' name='uname' value='".$username."'><br>
Password: <input type='text' name='pass' value='".$password."'><br>
Access Level: <input type='text' name='alevel' value='".$accesslevel."'><br>
Age: <input type='text' name='age' value='".$age."'><br>
Gender: <input type='text' name='gend' value='".$gender."'><br>
Runner Ability: <input type='text' name='rabil' value='".$runnerability."'><br>
Race Training For: <input type='text' name='rtrain' value='".$racetrainingfor."'><br>
<input type='submit' value='Update User'></p>
</form>";
}

elseif(isset($_GET['update']))
{
// if the user has selected to update the details of a record
$i = $_POST['uid'];
$f = $_POST['fname'];
$s = $_POST['sname'];
$u = $_POST['uname'];
$p = $_POST['pass'];
$l = $_POST['alevel'];
$a = $_POST['age'];
$g = $_POST['gend'];
$r = $_POST['rabil'];
$t = $_POST['rtrain'];
$query = "UPDATE userdetails SET firstname='$f', surname='$s', username='$u', password='$p', accesslevel=$l, age=$a, gender='$g', runnerability=$r, racetrainingfor='$t' WHERE userid=$i";
mysql_query($query);
echo "<h1>Update User</h1><p><a href='user.php'>Add/Edit People</a></p>";
}

else {
//default view
echo "<h1>Add/Edit User</h1>";
//display a form for adding a User
echo "<form action='user.php?add=yes' method='post'>
<p>Firstname: <input type='text' name='fname'><br>
Surname: <input type='text' name='sname'><br>
Username: <input type='text' name='uname'><br>
Password: <input type='text' name='pass'><br>
Access Level: <input type='text' name='alevel'><br>
Age: <input type='text' name='age'><br>
Gender: <input type='text' name='gend'><br>
Runner Ability: <input type='text' name='rabil'><br>
Race Training For: <input type='text' name='rtrain'><br>
<input type='submit' value='Add User'></p>
</form>";
//display full list of people in the database with option to edit or delete
$query = "SELECT * FROM userdetails";
$result = mysql_query($query);
echo "<table border='1'><tr><th>Firstname</th><th>Surname</th><th>Username</th><th>Access Level</th><th>Age</th><th>Gender</th><th>Runner Ability</th><th>Race Training For</th><th>Edit</th></tr>";
while ($row = mysql_fetch_array($result))
{
extract($row);
echo "<tr><td>".$firstname."</td><td>".$surname."</td><td>".$username."</td><td>".$accesslevel."</td><td>".$age."</td><td>".$gender."</td><td>".$runnerability."</td><td>".$racetrainingfor."</td><td><a href='user.php?edit=".$userid."'>Edit</a> || <a href='user.php?del=".$userid."'>Delete</a></td></tr>";
}
echo "</table>";
}

require("includes/menu.inc");
require("includes/footer.inc");
?>


Thanks, Jama

abduraooft
02-22-2010, 09:49 AM
> However my add/edit/delete user form will only display and delete users.

You don't have any error checks in your queries.
Change all your query statements like
$query = "UPDATE userdetails SET firstname='$f', surname='$s', username='$u', password='$p', accesslevel=$l, age=$a, gender='$g', runnerability=$r, racetrainingfor='$t' WHERE userid=$i";
mysql_query($query) or die(mysql_error(). '<br/>query:'. $query );

DJJama
02-24-2010, 10:29 AM
Thank you.

Doing this showed up that there was an error with my user id.
After some searching I found I did not have auto-increment on.

Jama

abduraooft
02-24-2010, 10:39 AM
> Doing this showed up that there was an error with my user id.
> After some searching I found I did not have auto-increment on.
>
> Jama

Good job :thumbsup:

btw, your code is susceptible to sql injections, read http://php.net/manual/en/security.database.sql-injection.php
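Added example (not the original poster's code, and not from the linked manual page): the INSERT and the confirmed DELETE from the thread rewritten with mysqli prepared statements, so the form values travel as bound parameters instead of being spliced into the SQL string, plus the error checks abduraooft asked for on every query. It assumes the userdetails columns named in the thread, that userid is AUTO_INCREMENT (the fix the thread ends on), and placeholder connection details.

```php
<?php
// Added example: prepared statements + error reporting for the thread's user form.
// Connection details are placeholders; replace them with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Returns one POST field, or '' if it is absent (avoids undefined-index notices).
function post_field($name)
{
    return isset($_POST[$name]) ? $_POST[$name] : '';
}

// Inserts a user and returns the new userid, or dies with the MySQL error.
// userid is left out of the column list so the AUTO_INCREMENT column fills it in;
// the thread's explicit NULL does the same once auto-increment is actually on.
function add_user(mysqli $db, array $u)
{
    $sql = 'INSERT INTO userdetails
            (firstname, surname, username, password, accesslevel, age, gender, runnerability, racetrainingfor)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        // prepare() fails on SQL syntax errors or unknown columns: report it, do not hide it
        die('prepare failed: ' . $db->error . '<br/>query: ' . htmlspecialchars($sql));
    }
    // One type letter per placeholder, in order: s = string, i = integer.
    // Bound values are sent separately from the SQL text, so a quote in a
    // name or a "; DROP" in a field is just data.
    $stmt->bind_param('ssssiisis',
        $u['fname'], $u['sname'], $u['uname'], $u['pass'],
        $u['alevel'], $u['age'], $u['gend'], $u['rabil'], $u['rtrain']);
    if (!$stmt->execute()) {
        die('execute failed: ' . $stmt->error);
    }
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

// Deletes one user by id and returns how many rows went away (0 = no such user).
function delete_user(mysqli $db, $userid)
{
    $stmt = $db->prepare('DELETE FROM userdetails WHERE userid = ?');
    if ($stmt === false) {
        die('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $userid);   // 'i' forces an integer; "1 OR 1=1" cannot widen the WHERE
    if (!$stmt->execute()) {
        die('execute failed: ' . $stmt->error);
    }
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Same dispatch the thread's user.php uses, for the two write paths.
if (isset($_GET['add'])) {
    $fields = array();
    foreach (array('fname', 'sname', 'uname', 'pass', 'alevel', 'age', 'gend', 'rabil', 'rtrain') as $name) {
        $fields[$name] = post_field($name);
    }
    $newid = add_user($db, $fields);
    echo "<p>User added with id " . (int) $newid . ". <a href='user.php'>Add/Edit Users</a></p>";
} elseif (isset($_GET['confirm']) && isset($_POST['yes'])) {
    $n = delete_user($db, (int) post_field('todel'));
    echo ($n === 1) ? "<p>User deleted.</p>" : "<p>No user with that id.</p>";
}
```

Two practical notes: the `mysql_*` functions used in the thread were removed in PHP 7, so moving to mysqli (or PDO) is needed for any current PHP anyway, and the `password` column here is still stored as typed, exactly as in the thread; hashing it with `password_hash()` and checking with `password_verify()` at login is the usual next step, and is outside this example.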


