
What I'm trying to do is to present the text in the 'text' row of the table 'about' in a textarea... (that was a strange sentence) and I should be able to add/remove/edit text in that textarea and then press save to update it...

When trying, the about table gets wiped of all data...

```php
<?php

if (isset($_POST['submit_about']))
{
    // note: $row is used here before the loop below assigns it
    mysql_query("UPDATE about SET `text` = '{$row['text']}'");
}

// get result from database
$result = mysql_query("SELECT * FROM about")
    or die(mysql_error());

// present the result
while ($row = mysql_fetch_array($result)) {
    echo "<form method='post' action='uc_admin.php'>
    <textarea name='text' rows='8'>" . $row['text'] . "</textarea>
    <br />
    <button type='submit' name='submit_about' class='btn'>Save</button>
    </form>";
}

?>
```
  • Your query should use $_POST['text'], not $row, and there are security/data sanitation issues here. – Aug 23 '12 at 21:29
  • And you really should sanitize the input. I'm sure you will, but I thought it a good reminder; it usually is. Here's a great explanation of it: http://stackoverflow.com/a/130323/1068167 – Aug 23 '12 at 21:30
  • Are you actually connecting to the database or have you removed that from the snippet above? – JohnDevelops Aug 23 '12 at 21:31
  • It may not help answer your question, but you should stop using `mysql_*` functions. They're being deprecated. Instead use [PDO](http://php.net/manual/en/book.pdo.php) (supported as of PHP 5.1) or [mysqli](http://php.net/manual/en/book.mysqli.php) (supported as of PHP 4.1). If you're not sure which one to use, [read this article](http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/). – Matt Aug 23 '12 at 21:36
  • Nice [SQL injection](http://bobby-tables.com) holes... enjoy having your server pwn3d. – Marc B Aug 23 '12 at 21:37

3 Answers

2

Change

```php
mysql_query("UPDATE about SET `text` = '{$row['text']}'");
```

to

```php
mysql_query("UPDATE about SET `text` = '" . mysql_real_escape_string($_POST['text']) . "'");
```

Also, try to move to mysqli or PDO.

raidenace
  • Ok, so I should replace all $row['text'] with $_POST['text']? And by security issues, should one use htmlspecialchars()? – Fredrik Tornell Aug 23 '12 at 22:01
  • Use `mysql_real_escape_string` when you are putting user content into a MySQL database. Use `htmlspecialchars` if you are echoing user content within an HTML page. – raidenace Aug 23 '12 at 22:03
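An added example, not taken from any of the answers, showing the same save/display flow with the PDO prepared statement the answers recommend instead of string escaping, and with `htmlspecialchars()` applied on output as the comment above describes. The DSN, credentials and an integer primary key column `id` on the `about` table are assumptions (the question never names a key column):

```php
<?php
// Added example: save/display flow using PDO prepared statements.
// Assumptions: the `about` table has an integer primary key `id`,
// and the DSN/credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

if (isset($_POST['submit_about'], $_POST['text'], $_POST['id'])) {
    // The text comes from the submitted form, not from $row, and is bound
    // as a parameter, so quotes inside it cannot change the SQL statement.
    // The WHERE clause limits the UPDATE to one row instead of every row.
    $stmt = $pdo->prepare('UPDATE `about` SET `text` = :text WHERE `id` = :id');
    $stmt->execute([
        ':text' => $_POST['text'],
        ':id'   => (int) $_POST['id'],
    ]);
}

// Fetch after the update so the form shows the saved text.
$rows = $pdo->query('SELECT `id`, `text` FROM `about`')->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // htmlspecialchars() belongs on output: it stops stored text from being
    // interpreted as HTML or script when echoed back into the page.
    $safeText = htmlspecialchars($row['text'], ENT_QUOTES, 'UTF-8');
    echo "<form method='post' action='uc_admin.php'>\n";
    echo "<input type='hidden' name='id' value='" . (int) $row['id'] . "'>\n";
    echo "<textarea name='text' rows='8'>" . $safeText . "</textarea>\n";
    echo "<br />\n";
    echo "<button type='submit' name='submit_about' class='btn'>Save</button>\n";
    echo "</form>\n";
}
```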
1

Your update query should look like:

```php
mysql_query("update `about` set `text`='" . mysql_real_escape_string($_POST['text']) . "'");
```
Niet the Dark Absol
0

You should try the following code.

```php
mysql_query("UPDATE about SET `text` = '{$_POST['text']}' WHERE DBid='dbid'");
```

DBid is your database table's primary id.

ArnoHlaMoe