editing text from database with SQL on a protected page

Question

i want to create a little CMS for myself, so i can edit my text content on a protected page. i have already a page where i can see my text in a textarea(test.php), but when i hit the edit button it wont work.

who can help me? :)

ps, database config has been removed for security...

//test.php

<code>
<?php
// CONNECT TO THE DATABASE
    $DB_NAME = '';
    $DB_HOST = '';
    $DB_USER = '';
    $DB_PASS = '';

    $mysqli = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);

    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }
    echo'<h1> All users</h1><br>';
// A QUICK QUERY ON A FAKE USER TABLE
    $query = "SELECT * FROM `categorien` WHERE `categorie_id`";
    $result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
    if($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
    echo'
    <p>
        <form method="post" action="edit.php">
        <b>Title:</b> '.$row['categorie_naam']. '</td><br>

        <textarea name="categorie_uitleg">'.$row['categorie_uitleg'].'</textarea><br />

        <INPUT type="hidden" name="id" value='.$row['categorie_id'].'>
        <INPUT type="submit" name="edit" value="edit">
        </form>
    </p>
    ';
        }
    }
    else {
        echo 'NO RESULTS';  
    }

// CLOSE CONNECTION
    mysqli_close($mysqli);
?> 
</code>

//edit.php

   <?php
session_start();

$servername = "";
$username = "";
$password = "";
$dbname = "";


// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$sql = "UPDATE `categorien` SET `categorie_uitleg` = '". $_POST['categorie_uitleg']) ."' WHERE 1";
if ($conn->query($sql) === TRUE) {
    header("Location: test.php");
        echo "Record updated successfully";
} else {
        echo "Error updating record: " . $conn->error;
}

$conn->close();
?>

There are several issues I can see straight away. Are you getting your 'forgot to enter a message' error when you click through? — Ragdata, Oct 07 '15 at 08:54
K ... firstly, your textarea element doesn't have a name, you need to give it one: `` would be a good start. Then check the answer below for clues about your `UPDATE` query — Ragdata, Oct 07 '15 at 08:58

Tim V · Accepted Answer · 2015-10-07T09:16:52.460

0

Do you get an error message?

What I noticed is that the categorie_uitleg column does not get its new value which is edited in the textarea and that the table-name is within quotes (') instead of ticks (`):

$query = "UPDATE 'categorien' SET `categorie_uitleg` WHERE `1`";

It should be something like this:

$query = "UPDATE `categorien` SET `categorie_uitleg` = '". $_POST['categorie_uitleg']) ."' WHERE 1";

NB This query will update all rows in the categorien table!

EDIT based on comment

<textarea>'.$row['categorie_uitleg'].'</textarea><br />

name-attribute should be added to <textarea>

<textarea name="categorie_uitleg">'.$row['categorie_uitleg'].'</textarea><br />

edited Oct 07 '15 at 09:16

answered Oct 07 '15 at 08:56

Tim V

490
3
8

You missed the missing `textarea` element name. Edit and I reckon you've got most of the answer. – Ragdata Oct 07 '15 at 08:59
Quickly now ... your first 25 points of rep are on the line @Tim ;) – Ragdata Oct 07 '15 at 09:03
i've add the textarea name, and the code: $query = "UPDATE 'categorien' SET `categorie_uitleg` = '". $_POST['categorie_uitleg']) ."' WHERE `1`"; but now i get just a blank page!! :( – Xxx red Oct 07 '15 at 09:05
That's why this is only MOST of the answer ;) Do a quick search of the [MySQL Update Docs](http://www.w3schools.com/php/php_mysql_update.asp) @ W3Schools and you'll find your mistake. – Ragdata Oct 07 '15 at 09:08
And don't forget to accept this answer and give Tim his rep (once he makes his final edit) ;) – Ragdata Oct 07 '15 at 09:10
The table-name (categorien) is within quotes, which won't work! It should be between ticks (`). I edited my answer again... – Tim V Oct 07 '15 at 09:13
ALMOST ... you're right with your 'NB' comment Tim - but I think Reduan needs a nudge as to WHY that query will update all rows in his table. – Ragdata Oct 07 '15 at 09:14
well.. i've take a look at the w3schools page, now i have this code, but still i got a blank page... $sql = "UPDATE `categorien` SET `categorie_uitleg` = '". $_POST['categorie_uitleg']) ."' WHERE 1"; if ($conn->query($sql) === TRUE) { header("Location: test.php"); echo "Record updated successfully"; } else { echo "Error updating record: " . $conn->error; } $conn->close(); – Xxx red Oct 07 '15 at 09:28
Can you update your question, so we can see what the code looks like now? – Tim V Oct 07 '15 at 09:39
i've update my question, the code you see now is the new one.. thanks for trying to help me :) – Xxx red Oct 07 '15 at 09:46
And before you get TOO comfortable with the idea of throwing raw `$_POST` data into a table: [SQL Injection](http://php.net/manual/en/security.database.sql-injection.php) ... don't sweat TOO much right now while you're learning - but understand that it's REALLY REALLY REALLY not best practice – Ragdata Oct 07 '15 at 09:54
Your code looks fine now. I cannot find any more issues. Maybe the connection (`$conn`) is given problems, try using the code used in test.php for setting up the connection. – Tim V Oct 07 '15 at 10:01
I will try it when i'm home!! Now i have a few more lessons on school!! I let you guys know!!!! Thanks a lot :):) – Xxx red Oct 07 '15 at 11:07
still not working... when i hit the 'edit' button on test.php i will sent to edit.php but it gives me a blank page... no errors or something!! :( – Xxx red Oct 07 '15 at 15:45
Enable errors in php and let us know what error you are getting: [link]http://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display) – Tim V Oct 08 '15 at 08:57
thanks for the link Tim V!! Finally i can see my errors on the screen... this is the one i get Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /home/reduaqi158/domains/reduankurtaj.eu/public_html/edit.php on line 19 – Xxx red Oct 08 '15 at 09:33
There is a ')' in your sql, after `$_POST['categorie_uitleg']`. Remove it and check again... – Tim V Oct 08 '15 at 09:40
i found the problem... i missed a .' " and " '. Thanks a lot, without you guys i think it still not working :p – Xxx red Oct 08 '15 at 19:52
$query = "UPDATE `categorie` SET `categorie_uitleg` = '". $_POST['categorie_uitleg'] ."' WHERE categorie_id = '". $_POST['categorie_id']."'"; this is the good line at //edit.php :) – Xxx red Oct 08 '15 at 20:10

editing text from database with SQL on a protected page

1 Answers1