-2

So I'm currently playing around with PHP and making a "blog" system. I want the user to be able to edit the topic name of their own posts. Currently, when you edit a topic name, all of the other topic names change, no matter which user made the post.

  • Only edit the current topic name.
  • Only the editor who made the post can edit that post.

topic.php

<?php 

session_start();
require('connect.php');
if (@$_SESSION["username"]) {

 ?>

 <!DOCTYPE html>
 <html>
 <head>
    <title>Home page</title>
 </head>
 <body>
<?php include('header.php'); ?>

<center>

<?php 
    if (@$_GET['id']) {
        $check = mysql_query("SELECT * FROM topics WHERE topic_id='".$_GET['id']."'");

        if (mysql_num_rows($check) > 0) {
            while ($row = mysql_fetch_assoc($check)) {
                $check_u = mysql_query("SELECT * FROM users WHERE username='".$row['topic_creator']."'");
                while ($row_u = mysql_fetch_assoc($check_u)) {
                    $user_id = $row_u['id'];
                }

                echo "<h1>".$row['topic_name']."</h1>";
                echo "<h5>By <a href='profile.php?id=$user_id'>".$row['topic_creator']."</a><br />Date: ".$row['date']."</h5>";
                echo "<br />".$row['topic_content'];
                echo "<br /><br /><img src='img/".$row['image']."' width='300' />";
                echo "<br /><br /><a href='edit.php?edit=".$row['topic_id']."'>Edit</a>";
            }

        }else {
            echo "Topic not found.";
        }
    }


?>

</center>

 </body>
</html>

 <?php 

}else {
    echo "You must be logged in.";
}

?>

edit.php

<?php 

session_start();
require('connect.php');
if (@$_SESSION["username"]) {

 ?>

 <!DOCTYPE html>
 <html>
 <head>
    <title>Home page</title>
 </head>
 <body>
<?php include('header.php'); ?>

<center>

<?php 

if( isset($_GET['edit']) )
    {
        $id = $_GET['edit'];
        $res= mysql_query("SELECT * FROM topics");
        $row= mysql_fetch_assoc($res);
    }

    if( isset($_POST['newTn']) )
    {
        $newTn = $_POST['newTn'];
        // $id       = $_POST['id'];
        $sql     = "UPDATE topics SET topic_name='$newTn'";
        $res     = mysql_query($sql) 
                                    or die("Could not update".mysql_error());
        echo "<meta http-equiv='refresh' content='0;url=index.php'>";
    }

?>

<form action="edit.php" method="POST">
Name: <input type="text" name="newTn" value=<?php echo $row['topic_name']; ?>><br />
<input type="hidden" name="id" value="">
<input type="submit" value=" Update "/>
</form>

</center>

</body>
</html>

<?php


if (@$_GET['action'] == "logout")   {
    session_destroy();
    header("Location: login.php");
}

}else {
    echo "You must be logged in.";
}

  ?>

Thanks beforehand! //E

  • 1
    Use a WHERE clause in your UPDATE statement (`WHERE topic_id =?`); and use placeholders (`?`), don't interpolate values into SQL statements. Also, don't use the `mysql_` family of functions, but `mysqli_*` or PDO. – Tom Regner Aug 17 '17 at 11:31
  • 2
    This code shouldn't be used in a live environment, I hope you realize that, and there are quite a few gaping SQL injection holes. If used in a live environment, you stand to get your database hacked and possibly lose all your information, and/or have your users' vital information stolen. – Funk Forty Niner Aug 17 '17 at 11:33
  • If you're playing around with PHP, look into using a framework for PHP such as https://www.codeigniter.com/ or https://laravel.com/. Both come with built-in query builders and security features to help you out. – Parker Dell Aug 17 '17 at 11:36
  • You're also using a deprecated API that is no longer supported in PHP 7.0. If and when your server gets upgraded to that version of PHP, you will need to do a total rewrite. Stay ahead of the game and stop what you're doing and rewrite it now using a prepared statement. – Funk Forty Niner Aug 17 '17 at 11:39
  • This question is getting too many duplicated answers, that's really unnecessary. – Funk Forty Niner Aug 17 '17 at 11:40

4 Answers

3

In edit.php

You need to specify the post id to be edited in the query.

if (isset($_POST['newTn'])) {
    $newTn = $_POST['newTn'];
    $id    = $_POST['id'];
    // Notice that $id is added here as a WHERE clause to limit the edit to one row only
    $sql   = "UPDATE topics SET topic_name='$newTn' WHERE topic_id = '$id'";
    $res   = mysql_query($sql)
        or die("Could not update" . mysql_error());
    echo "<meta http-equiv='refresh' content='0;url=index.php'>";
}
Anddo
2
$sql     = "UPDATE topics SET topic_name='$newTn' where topic_id = '".$_GET['edit']."'";

You have passed the topic id from the grid and you need to attach that in the query.

Naveed Ramzan
1

You need to specify the id of the topic in the UPDATE query:

 $sql     = "UPDATE topics SET topic_name='$newTn' where id=$session[yourtopicID]" ;
Malek Zarkouna
0

In edit.php, change the `UPDATE topics SET topic_name='$newTn'` query to the one below:

UPDATE topics SET topic_name = '$newTn' where `yourTopicId` = '$_GET[edit]'
Taz
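
The commenters' advice (a `WHERE` clause, `?` placeholders, PDO) combined with the asker's two requirements, as an added example that is not code from the question or from any answer. The `renameOwnTopic` helper, the in-memory SQLite table and its rows are constructed for illustration; the table and column names are the ones used in the question's queries.

```php
<?php
// Added example: constructed in-memory SQLite data stands in for connect.php.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE topics (
    topic_id INTEGER PRIMARY KEY, topic_name TEXT, topic_creator TEXT)");
$pdo->exec("INSERT INTO topics (topic_id, topic_name, topic_creator) VALUES
    (1, 'First post', 'alice'), (2, 'Second post', 'bob')");

/**
 * Rename one topic, but only if $username created it (hypothetical helper).
 * Returns true when exactly one row was changed.
 */
function renameOwnTopic(PDO $pdo, string $username, $topicId, string $newName): bool
{
    // Reject ids that are not positive integers before touching the database.
    $id = filter_var($topicId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $newName = trim($newName);
    if ($id === false || $newName === '') {
        return false;
    }
    // WHERE limits the update to one row; the topic_creator condition makes the
    // database enforce ownership. Values travel as bound parameters, not SQL text.
    $stmt = $pdo->prepare(
        'UPDATE topics SET topic_name = ? WHERE topic_id = ? AND topic_creator = ?'
    );
    $stmt->execute([$newName, $id, $username]);
    return $stmt->rowCount() === 1;
}

// In edit.php the arguments would be $_SESSION['username'], $_POST['id'], $_POST['newTn'].
var_dump(renameOwnTopic($pdo, 'alice', '1', 'Renamed by owner'));  // owner edits own topic
var_dump(renameOwnTopic($pdo, 'alice', '2', 'Hijacked'));          // someone else's topic
var_dump(renameOwnTopic($pdo, 'bob', "2' OR '1'='1", 'Injected')); // malformed id is rejected

// Show the table afterwards: only topic 1 should carry a new name.
foreach ($pdo->query('SELECT topic_id, topic_name, topic_creator FROM topics') as $row) {
    echo "{$row['topic_id']}: {$row['topic_name']} ({$row['topic_creator']})\n";
}
```

With the MySQL PDO driver, `rowCount()` reports 0 when the new name equals the old one, so treat a `false` result as "nothing changed" rather than always as "not the owner".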