2

The problem which I am having is as follows:

I can save and retrieve information after it's saved, but I don't know how to do that automatically as soon as the record is saved/updated.

To update I use:

```php
$result = mysql_query("UPDATE loan SET loana='$loann', dater='$dater', apaid='$apaid' WHERE id=$id");
```

Once saved, I can load the main page with the results and click on a link which looks like this, and it displays all of the info:

```php
echo "<td><a href=\"full_loan_details.php?id=$res[id]\" target=\"_blank\" alt=\"Print loan details\" title=\"Print loan details\">".$res['name']."&nbsp;".$res['surname']."</a></td>";
```

...but I am not able to do this automatically when the record is saved. Any help is greatly appreciated.

Cluster
  • 65
  • 5
  • 1
    You may use [`header`](http://php.net/manual/en/function.header.php) to redirect the user to the page. – secelite Nov 15 '16 at 15:29
  • In the same action of you updating the record, you could immediately after the update run a select query. – Loko Nov 15 '16 at 15:30
  • 1
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 15 '16 at 15:31
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! ***SQL Injection!*** *It's not just for breakfast any more!* – Jay Blanchard Nov 15 '16 at 15:31
  • @secelite I have tried that but no joy. – Cluster Nov 15 '16 at 15:39
  • @Loko that's what I was thinking, but for the hell of it I can seem to get the id from the updated record. – Cluster Nov 15 '16 at 15:39
  • @Jay Blanchard this is something which I run locally not online so I am not worried that much. – Cluster Nov 15 '16 at 15:39
  • 1
    I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Nov 15 '16 at 15:40
  • @Cluster actually atoms actually took the time to give you a decent answer. – Loko Nov 15 '16 at 15:55

1 Answer

0

You could use header:

```php
header("Location: /full_loan_details.php?id=$res[id]");
```

As mentioned, your script is vulnerable to injection attacks. You should use PDO:

```php
<?php

define( "DB_DSN", "mysql:host=localhost;dbname=foo");
define( "DB_USERNAME", "root");
define( "DB_PASSWORD", "password" );

// define sql with named placeholders instead of interpolated variables
$sSQL = "UPDATE loan SET loana=:loana, dater=:dater, apaid=:apaid WHERE id=:id";

// create an instance of the connection
$conn   = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );

// prepare
$st   = $conn->prepare( $sSQL );

// securely bind any user input in the query
$st->bindValue(":loana", $loana, PDO::PARAM_STR);
$st->bindValue(":dater", $dater, PDO::PARAM_STR);
$st->bindValue(":apaid", $apaid, PDO::PARAM_STR);
$st->bindValue(":id", $id, PDO::PARAM_INT);

// execute the statement
if($st->execute()){
    header("Location: /full_loan_details.php?id=".$id);
    exit; // stop the script so nothing else runs after the redirect
}else{
    // didn't execute
}
```

You could do a SELECT to confirm the change and/or get a value. Same method as above, but you will need the following to read it:

To fetch a single row use an if; if there is more than one row, use a while:

```php
if($row = $st->fetch() ){
    header("Location: /full_loan_details.php?id=".$row['id']);
    exit; // stop the script so nothing else runs after the redirect
}
```

Note: it could be unsafe to redirect a user to a location based on unsanitised data from the DB, even if you have inserted it with the method above. Ensure you sanitise all output correctly.

atoms
  • 2,993
  • 2
  • 22
  • 43
  • I have tried exactly the same thing but it fails, I assume it is because id is not passed. Hence my problem. – Cluster Nov 15 '16 at 15:41
  • Have updated my answer. If you still have issues, check that you have a value in $id. – atoms Nov 15 '16 at 15:46
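
The following is an added example, not code from the question or the answer. It combines the steps discussed above: validate the id before it reaches SQL, run the parameterised UPDATE, confirm the row with a SELECT, and build the redirect target from a fixed path plus an integer. Assumptions: the function name `updateLoanAndBuildRedirect` is hypothetical, an in-memory SQLite database stands in for the MySQL one, and the sample rows and requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: runs the parameterised UPDATE and returns the
// redirect target, or null when the request must be rejected.
function updateLoanAndBuildRedirect(PDO $db, array $input): ?string
{
    // The id must be a positive integer; a missing or malformed id stops here.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $st = $db->prepare(
        'UPDATE loan SET loana = :loana, dater = :dater, apaid = :apaid WHERE id = :id'
    );
    $st->bindValue(':loana', (string) ($input['loana'] ?? ''), PDO::PARAM_STR);
    $st->bindValue(':dater', (string) ($input['dater'] ?? ''), PDO::PARAM_STR);
    $st->bindValue(':apaid', (string) ($input['apaid'] ?? ''), PDO::PARAM_STR);
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();

    // Confirm the row exists with a SELECT: on MySQL, rowCount() can be 0
    // for an UPDATE that matched a row but changed no values.
    $check = $db->prepare('SELECT id FROM loan WHERE id = :id');
    $check->execute([':id' => $id]);
    $row = $check->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Fixed path plus an integer-cast id: nothing from the DB lands in the header raw.
    return '/full_loan_details.php?' . http_build_query(['id' => (int) $row['id']]);
}

// Constructed demo data (assumption: SQLite in memory replaces the MySQL DSN).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE loan (id INTEGER PRIMARY KEY, loana TEXT, dater TEXT, apaid TEXT)');
$db->exec("INSERT INTO loan (id, loana, dater, apaid) VALUES (7, '1000', '2016-11-01', '0')");
$requests = [
    ['id' => '7', 'loana' => '1200', 'dater' => '2016-11-15', 'apaid' => '200'],
    ['id' => '7x', 'loana' => '0', 'dater' => '', 'apaid' => ''], // not an integer
    ['loana' => '0'],                                              // id never sent
];
foreach ($requests as $input) {
    $target = updateLoanAndBuildRedirect($db, $input);
    // In a web request: header('Location: ' . $target, true, 303); exit;
    echo $target ?? 'rejected: invalid or unknown id', PHP_EOL;
}
```

The third constructed request reproduces the situation from the comments, where the id is not passed: the function returns null instead of redirecting to a URL with an empty id.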