This is for edit_inv.php, which has some textboxes that users can edit.
The problem is with values that contain spaces, e.g. Cisco Router (in phpMyAdmin). When I print the value out in the textbox (to be edited or left the way it is), it only has Cisco. The word Router is missing. This would be bad if the user doesn't want to edit the Cisco Router part and would have to type Router again.

The editing script works. It's just that everything after a space isn't in the textbox.

I'm just starting PHP and would appreciate some help.

<?php

//  Mysql Connect
include('lock.php');
require_once('mysql.php');
$edit_inv = $_GET['inventory_id'] ;

$_SESSION['edit_inv'] = $edit_inv; 

$query = "SELECT * FROM inventory WHERE unikl_id= $login_session_id and inventory_id='$edit_inv'";
$result = mysql_query($query);

    echo '<form method="post" action="handle_inv_edit.php">';
        // Table header.
    echo '<table align="center" cellspacing="0" cellpadding="5" border="2">
    <tr>
    <td align="center"><b>Inventory ID</b></td>
    <td align="center"><b>Device Name</b></td>
    <td align="center"><b>Quantity</b></td>
    <td align="center"><b>Level/Room</b></td>
    <td align="center"><b>Email</b></td>
    <td align="center"><b>Availability</b></td>
    </tr>';

        // Fetch and print all the records.
        while ($row = mysql_fetch_array($result)) {
        echo    '<tr>
                <td align="center">' . $row['inventory_id'] . '</td>

                <td align="left"><input type="text" size="60" 
                name="pro_name" value='.$row['pro_name'].'></td>

                <td align="left"><input type="text" size="4" 
                name="quantity" value='.$row['quantity'].'></td>

                <td align="center"><input type="text" size="4" 
                name="level" value='.$row['level'].'></td>

                <td align="left"><input type="text" size="60"
                name="email" value='.$row['email'].'></td>

                <td align="left"><input type="radio" name="available" value="Yes" CHECKED > Yes 
                        <input type="radio" name="available" value="No"> No</td>


                </tr>';
    }
    echo '</table>';

    echo '<br /><div align="center"><input type="submit" 
    name="Submit" value="Edit" /></div>
    <input type="hidden" name="submitted" value="TRUE" />';

    echo '</form>';
?>
Cœur
user1744840
  • You are using [an obsolete database API](http://stackoverflow.com/q/12859942/19068) and are exposing yourself to [SQL injection attacks](http://bobby-tables.com/) that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 14 '12 at 15:40
  • Does the complete text appear in the HTML source? – Clodoaldo Neto Oct 14 '12 at 15:42
  • If you mean right-click, view page source: yes, it does, Clodoaldo. 5412 is colored black like size/name/value, which is quite odd to me. – user1744840 Oct 14 '12 at 15:45

3 Answers

7

Maybe because you missed "" around the value property of the text box; if your value contains a space, then it breaks your text.

<td align="left"><input type="text" size="60" 
                name="pro_name" value="'.$row['pro_name'].'"></td>

This way you need to put "" into all your text boxes.

GBD
  • Good spot. This would have been picked up automatically if @user1744840 had made use of [a validator](http://validator.w3.org) – Quentin Oct 14 '12 at 15:48
  • Thank you, also the others who replied. I will look into SQL injection prevention in my future work, as I'm just starting to learn PHP and MySQL. – user1744840 Oct 14 '12 at 16:22
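As an added example (not code from the question or from GBD's answer), the script below makes the bug visible: it builds the textbox both ways, feeds each fragment through PHP's DOMDocument HTML parser, and prints which attributes the `<input>` actually ends up with. The sample values are constructed for the demo; the function names `text_input_unquoted`, `text_input_quoted` and `parsed_input_attributes` are hypothetical helpers written for this example.

```php
<?php
// Added example, not code from the question or from GBD's answer.
// It shows what a browser makes of value=Cisco Router without quotes,
// and how to build the attribute so spaces and quote characters survive.
// The sample values below are constructed for the demo.

// The question's pattern: the attribute value is not quoted.
function text_input_unquoted(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value=' . $value . '>';
}

// GBD's fix (double quotes around the value) plus htmlspecialchars() with
// ENT_QUOTES, so a value such as 19" rack cannot close the attribute early.
function text_input_quoted(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="' . $safeName . '" value="' . $safeValue . '">';
}

// Parse a fragment the way a browser would and return the attributes the
// first <input> actually ends up with (name => value).
function parsed_input_attributes(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // the fragment is not a full document
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

foreach (['Cisco Router', '19" rack'] as $value) {
    echo "--- value: $value\n";
    foreach (['unquoted' => 'text_input_unquoted', 'quoted' => 'text_input_quoted'] as $label => $fn) {
        $html = $fn('pro_name', $value);
        echo "$label: $html\n";
        foreach (parsed_input_attributes($html) as $attrName => $attrValue) {
            echo "    $attrName = \"$attrValue\"\n";
        }
    }
}
```

Run it with `php example.php`. In the unquoted case the parser stops the value at the first space, so `value` comes back as `Cisco` and a stray `router` attribute appears on the element; that is exactly what the HTML validator Quentin mentions would have flagged. With the quoted, escaped version the full string round-trips, including the double quote in `19" rack`, which an unescaped quoted attribute would otherwise have terminated early.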
2

When you retrieve data from a MySQL table and show it in an HTML table, use something like:

echo "<td align='left'><input type='text' size='60' name='pro_name' value='".$row['pro_name']."'></td>";
4b0
-1

You can be a victim of SQL injection, and you don't see the space because the values are not escaped.

<?php

if (isset($_POST))
{
    $pro_name = $_POST["pro_name"]; // if you already escaped it in the form, you simply print the POST value
}

?>

<?php

//  Mysql Connect
include('lock.php');
require_once('mysql.php');
$edit_inv = mysql_real_escape_string($_GET['inventory_id']);

$_SESSION['edit_inv'] = (int)$edit_inv; 

$query = "SELECT * FROM inventory WHERE unikl_id= $login_session_id and inventory_id='$edit_inv'";
$result = mysql_query($query);

    echo '<form method="post" action="handle_inv_edit.php">';
    // Table header.
    echo '<table align="center" cellspacing="0" cellpadding="5" border="2">
    <tr>
    <td align="center"><b>Inventory ID</b></td>
    <td align="center"><b>Device Name</b></td>
    <td align="center"><b>Quantity</b></td>
    <td align="center"><b>Level/Room</b></td>
    <td align="center"><b>Email</b></td>
    <td align="center"><b>Availability</b></td>
    </tr>';

    // Fetch and print all the records.
    while ($row = mysql_fetch_array($result)) {
    echo    '<tr>
            <td align="center">' . mysql_real_escape_string($row['inventory_id']) . '</td>

            <td align="left"><input type="text" size="60" 
            name="pro_name" value='.mysql_real_escape_string($row['pro_name']).'></td>

            <td align="left"><input type="text" size="4" 
            name="quantity" value='.mysql_real_escape_string($row['quantity']).'></td>

            <td align="center"><input type="text" size="4" 
            name="level" value='.mysql_real_escape_string($row['level']).'></td>

            <td align="left"><input type="text" size="60"
            name="email" value='.mysql_real_escape_string($row['email']).'></td>

            <td align="left"><input type="radio" name="available" value="Yes" CHECKED > Yes 
                    <input type="radio" name="available" value="No"> No</td>


            </tr>';
    }
    echo '</table>';

    echo '<br /><div align="center"><input type="submit" 
    name="Submit" value="Edit" /></div>
    <input type="hidden" name="submitted" value="TRUE" />';

    echo '</form>';
?>
Marin Sagovac
  • Spaces do not need to be escaped in SQL (they need to be quoted, which they are). `addslashes` is not suitable for escaping data for MySQL. – Quentin Oct 14 '12 at 15:47
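As an added example (not code from Marin Sagovac's answer or from the question), here is the same edit row written so that each value is protected in the context it is actually used in: the database lookup goes through a PDO prepared statement, and the HTML output goes through `htmlspecialchars()` inside double-quoted attributes. `mysql_real_escape_string()` only protects a string that is spliced into an SQL literal; it does nothing for HTML and does not touch spaces, so it cannot fix the textbox problem. An in-memory SQLite table with constructed rows stands in for the MySQL `inventory` table so the script runs offline; the table and column names come from the question, while `$loginSessionId`, the seed rows and the helper names `h`, `fetch_inventory_row` and `render_edit_row` are assumptions made for this example.

```php
<?php
// Added example, not code from the question or any answer on the page.
// Database side: PDO prepared statement (values are bound, never concatenated).
// HTML side: htmlspecialchars() inside double-quoted attributes.
// SQLite in memory with constructed rows replaces MySQL so this runs offline;
// in production the DSN would point at the real MySQL server.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE inventory (
    inventory_id INTEGER PRIMARY KEY,
    unikl_id     INTEGER NOT NULL,
    pro_name     TEXT NOT NULL,
    quantity     INTEGER NOT NULL,
    level        TEXT NOT NULL,
    email        TEXT NOT NULL
)');
$seed = $pdo->prepare('INSERT INTO inventory VALUES (?, ?, ?, ?, ?, ?)');
$seed->execute([5412, 7, 'Cisco Router', 3, 'L2/R1', 'netops@example.com']);        // constructed row
$seed->execute([5413, 7, '19" Rack & PDU', 1, 'L1/R4', 'facilities@example.com']);  // constructed row

// Escape a value for an HTML text node or double-quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Fetch the one inventory row that belongs to the logged-in user.
// Both values are bound as parameters, so neither can alter the query text.
function fetch_inventory_row(PDO $pdo, int $loginSessionId, string $rawInventoryId): ?array
{
    // inventory_id is numeric: reject anything that is not all digits up front
    // instead of relying on an escape function to cope with it.
    if (!preg_match('/^\d+$/', $rawInventoryId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT inventory_id, pro_name, quantity, level, email
           FROM inventory
          WHERE unikl_id = :uid AND inventory_id = :iid'
    );
    $stmt->execute([':uid' => $loginSessionId, ':iid' => (int) $rawInventoryId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render the edit row with every attribute double-quoted and escaped,
// so "Cisco Router" keeps its space and 19" Rack & PDU keeps its quote.
function render_edit_row(array $row): string
{
    $fields = ['pro_name' => 60, 'quantity' => 4, 'level' => 4, 'email' => 60];
    $html = '<tr><td>' . h((string) $row['inventory_id']) . '</td>';
    foreach ($fields as $name => $size) {
        $html .= '<td><input type="text" size="' . $size . '" name="' . $name
               . '" value="' . h((string) $row[$name]) . '"></td>';
    }
    return $html . '</tr>';
}

// Stand-ins for $login_session_id and $_GET['inventory_id'] from the question.
$loginSessionId = 7;
foreach (['5412', '5413', 'abc', '9999'] as $requestedId) {
    $row = fetch_inventory_row($pdo, $loginSessionId, $requestedId);
    echo "inventory_id=$requestedId: ";
    echo $row === null ? "no row\n" : render_edit_row($row) . "\n";
}
```

The two escaping steps are deliberately separate because they answer different questions: the prepared statement keeps request data from changing the SQL, and `h()` keeps stored data from changing the HTML. Applying the SQL escaper to the output, as the answer above does, leaves the page with neither protection for the browser nor a fix for the missing `Router`, which is the point Quentin's comment makes.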