
ColumnOne   ColumnTwo   ColumnThree   ColumnFour   ColumnFive   ColumnSix
one         two         three         four         0            'Button Here'

As you can see above, I have six columns, five of which contain some sort of text, and the sixth column is to contain a button. My end goal is to have column six contain three buttons just like this image HERE shows. These buttons will allow me to edit, delete, and possibly one other function.

For now, though, I am just curious as to how I can make a button appear in the last column using my code below:

<?php

// Create variables to retrieve the POST data

$ID= $_POST['Input1'];
$Email= $_POST['Input2'];
$Name= $_POST['Input3'];
$Company= $_POST['Input4'];
$Price= $_POST['Input5'];

// Connect to the database

mysql_connect ("localhost","Username","Password") or die ('Error: ' . mysql_error());

echo "connected to database!";

mysql_select_db ("Database");

// Insert data into table

$query = "INSERT INTO CustomerInformation (ID, Email,Name,Company,Price,Tab Count,Action) VALUES(
'NULL', '".$ID."', '".$Email."', '".$Name."', '".$Company."', '".$Price."', "Form input type = "button" (something like this!) )";

// Above is my best attempt... I'm sure it's nowhere close (sorry!).

mysql_query($query) or die ('Error updating database');

echo "Database updated successfully!";

?>
Brian Tompsett - 汤莱恩
  • Looks like the link to your picture is broken. – Chris Laplante Jun 12 '11 at 23:08
  • Why do you want to put a button into your database?? – Michael Robinson Jun 12 '11 at 23:11
  • Take a look at the picture ... I'm trying to create something just like this picture so that I will have the ability to delete or edit any row. –  Jun 12 '11 at 23:13
  • You are mixing behaviors in your script, inserting to MySQL database won't generate the UI automatically. You need a code path for fetching the data from the database and displaying the UI; and another path for handling the input from the UI and saving the state (inserting/updating/deleting). – Xint0 Jun 14 '11 at 23:38

2 Answers


Change your code into this to make it secure and functional:

<?php
// Connect to the database first: mysql_real_escape_string() needs an
// open connection (it escapes according to the connection's charset)

mysql_connect ("localhost","Username","Password") 
  or die ('Error: ' . mysql_error());

echo "connected to database!";

mysql_select_db ("Database");

// Escape the POST values, then insert them

$Email= mysql_real_escape_string($_POST['Input2']);
$Name= mysql_real_escape_string($_POST['Input3']);
$Company= mysql_real_escape_string($_POST['Input4']);
$Price= mysql_real_escape_string($_POST['Input5']);

$action = mysql_real_escape_string('insert php code for button here');

// `Tab Count` has a space in it, so it must be quoted with backticks.
// The form has no input for it, so it gets 0 here (the value shown in
// the question's table); every column listed needs a matching value.
$query = "INSERT INTO CustomerInformation 
         (Email,Name,Company,Price,`Tab Count`,Action) 
         VALUES
         ('$Email', '$Name', '$Company', '$Price', 0, '$action') ";
mysql_query($query) or die ('Error updating database');

echo "Database updated successfully!";

?>

Note that you don't need to insert an id into the table. If you have an autoincrement field id, then MySQL will autocreate an id for you.
mysql_real_escape_string() escapes values for you. Always surround your $var in the query with ' single quotes, or mysql_real_escape_string() will not work! And never use it for column/table or database names, only for values.

See these questions for more info:

SQL injection in general: How does the SQL injection from the "Bobby Tables" XKCD comic work?
protecting against SQL injection when using dynamic table names: How to prevent SQL injection with dynamic tablenames?

Johan
  • @Johan when I use the mysql_real_escape_string() I get lots of errors when attempting to run this code: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'vhostswww'@'localhost' (using password: NO) in /www/solidwebhost.com/f/a/r/farinaevan/htdocs/AddDataToTable.php on line 6 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /www/solidwebhost.com/f/a/r/farinaevan/htdocs/AddDataToTable.php on line 6 –  Jun 12 '11 at 23:32
  • @Evan 1000x sorry you need to be connected to the database **before** using `mysql_real_escape_string()`, fixed the answer – Johan Jun 12 '11 at 23:34
  • @Evan, the error says that you cannot connect to MySQL because user `vhostswww` does not have access rights on `localhost`. You need to grant user `vhostswww` on localhost explicitly; granting a user on `%` (all) does **not** include localhost. – Johan Jun 12 '11 at 23:40
  • @Johan - for this to work properly, must I make the last column (the one with the button) a special type? Right now it's a type: string, and I'll get an error "Error updating database". For my input button code, I am using this: $action = mysql_real_escape_string( ' ""'); I swear I'm not a moron, but this PHP stuff just isn't clicking with me yet! Thanks so much for sticking with me –  Jun 12 '11 at 23:42
  • @Evan, Try it without the mysql_real_escape_string(): `$action = ' ""';` – Johan Jun 12 '11 at 23:45
  • @evan being a newbie does not make you a moron. Everybody has to learn. – Johan Jun 12 '11 at 23:46
  • @Johan That did not work but I have a feeling it has to do with the way my table is setup at this point. Again, I am inserting a button into a field that is requesting a string ... Won't this cause some type of issue? –  Jun 13 '11 at 00:14
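Johan's answer escapes values and points out that identifiers (table and column names) can only be whitelisted; Xint0's comment on the question adds that the insert path and the display path are separate pieces of code. The following is an added example, not code from the thread: it does the insert with PDO prepared statements (the `mysql_*` extension the answers use was removed in PHP 7) and sorts by a user-supplied column name only after checking it against a whitelist. It assumes an in-memory SQLite database so it runs offline; the DSN, the `SORTABLE_COLUMNS` list, the function names and the sample rows are all constructed for the example. `Tab Count` keeps the questioner's column name to show why an identifier with a space has to be quoted and whitelisted rather than escaped.

```php
<?php
// Added example (not from the thread). Uses PDO with an in-memory SQLite
// database so it runs offline; swap the DSN for
// 'mysql:host=localhost;dbname=Database' (plus user/password) for MySQL.
declare(strict_types=1);

// The ONLY SQL-injection defence that exists for table/column names:
// a fixed list of identifiers the application is willing to use.
const SORTABLE_COLUMNS = ['ID', 'Email', 'Name', 'Company', 'Price', 'Tab Count'];

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        // Server-side prepares: values never become part of the SQL text.
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    // Assumed schema; no "Action" column, buttons belong in the view, not the table.
    $pdo->exec('CREATE TABLE CustomerInformation (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        Email TEXT NOT NULL, Name TEXT NOT NULL, Company TEXT NOT NULL,
        Price TEXT NOT NULL, "Tab Count" INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

// Insert path only. $input is $_POST in the real script.
function insertCustomer(PDO $pdo, array $input): int
{
    foreach (['Input2', 'Input3', 'Input4', 'Input5'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            throw new InvalidArgumentException("missing field $field");
        }
    }
    // Placeholders for every value; no quoting, no escaping, no concatenation.
    $stmt = $pdo->prepare(
        'INSERT INTO CustomerInformation (Email, Name, Company, Price, "Tab Count")
         VALUES (:email, :name, :company, :price, 0)'
    );
    $stmt->execute([
        ':email'   => $input['Input2'],
        ':name'    => $input['Input3'],
        ':company' => $input['Input4'],
        ':price'   => $input['Input5'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Display path with a dynamic identifier: compare against the whitelist,
// then quote it (double quotes for SQLite/ANSI, backticks for MySQL).
function listCustomers(PDO $pdo, string $orderBy): array
{
    if (!in_array($orderBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown sort column: $orderBy");
    }
    $quoted = '"' . str_replace('"', '""', $orderBy) . '"';
    return $pdo->query("SELECT * FROM CustomerInformation ORDER BY $quoted")
               ->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
insertCustomer($pdo, ['Input2' => 'one', 'Input3' => 'two',
                      'Input4' => 'three', 'Input5' => 'four']);
// Constructed hostile input: it is stored as a literal string, never run.
insertCustomer($pdo, [
    'Input2' => "x'); DROP TABLE CustomerInformation; --",
    'Input3' => "Robert'); DROP TABLE Students;--",
    'Input4' => 'c', 'Input5' => '0',
]);
foreach (listCustomers($pdo, 'Name') as $row) {
    echo $row['ID'], ' | ', $row['Name'], ' | tabs=', $row['Tab Count'], "\n";
}
try {
    listCustomers($pdo, 'Name; DROP TABLE CustomerInformation');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Both rows survive the second insert and the table still exists afterwards, because the quotes and semicolons in the "Bobby Tables" strings are data bound to a placeholder, not SQL. The sort column, which cannot be bound, is accepted only if it is one of the names in `SORTABLE_COLUMNS`; any other string is rejected before it reaches the query.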

Well, you will need to do one or two things (depends...). You will probably have to name the submit button:

<input type="submit" name="delete" value="Delete this ugly thing" />

Then in PHP, you can do this IF:

if (isset($_POST["delete"])) {
    mysql_query("DELETE FROM ...");
}

But if you will have more records in the table, you will also have to add an input with the record ID. This is a little bit more complicated, because the form covers the whole table and you don't know which ID input to choose. One possible solution is naming the input button by the id of the record, for example:

<input type="submit" name="delete_5" value="Delete this ugly thing" />

Then in PHP you could do this:

// Look for a submitted field named delete_<number>; the regex only
// accepts digits after the underscore, so $id can contain nothing else
foreach ($_POST as $name => $value) {
    if (preg_match("/^delete_[0-9]+$/", $name)) {
        $idArray = explode("_", $name);
        $id = addslashes($idArray[1]);

        mysql_query("DELETE FROM ... WHERE id = '" . $id . "'");
    }
}
Erveron
  • @James, does this: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain ring a bell? – Johan Jun 12 '11 at 23:13
  • of course dont forget about SQL injection protection, but these is basic that has to be implemented in every PHP dynamic SQL query – Erveron Jun 12 '11 at 23:17
  • I am confused as to where I am supposed to put the line of "". When attempting to put it in the line where all of the other data was added, I get a T_String error. Perhaps I put the data in incorrectly? –  Jun 12 '11 at 23:19
  • That input is the button. If you are inserting it directly into PHP code, dont forget to escape " - use \". – Erveron Jun 12 '11 at 23:20
  • I wrote it exactly as follows (including the quotations): "" –  Jun 12 '11 at 23:24
  • @James, when using dynamic table names `mysql_real_escape_string()` (or PDO for that matter) don't work. Also insecure code is insecure code both in principle and in practise. – Johan Jun 12 '11 at 23:26
  • @Evan: Write it like this: "" – Erveron Jun 12 '11 at 23:28
  • @Johan: Youre right about that example code should include all important things, ok. But mysql_real_excape_string worked always for me...anyway ok, replacing it by addSlashes(). – Erveron Jun 12 '11 at 23:29
  • @James, you are missing the point `mysql_real_escape_string()` works fine for values. **nothing** works for dynamic table names, absolutely **nothing**, except checking the input against a white-list of allowed values. See this question for details: http://stackoverflow.com/questions/5811834/why-would-this-be-poor-php-code – Johan Jun 12 '11 at 23:32
  • @Johan: ok, just missunderstood you. Anyway, your code seems better. – Erveron Jun 13 '11 at 00:03
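Erveron's answer and Xint0's comment on the question describe the two code paths the questioner was trying to fold into one INSERT: render the table with one named submit button per row, then recognise `delete_<id>` when the form comes back. The following is an added example (not Erveron's code) that does both against an in-memory SQLite database through PDO; the schema, the sample rows and the function names are assumptions made for the example. Compared with the answer it narrows the pattern to a bounded integer, binds the id as a parameter instead of calling `addslashes()`, and HTML-encodes every cell so that stored row data cannot inject markup into the form it is displayed in.

```php
<?php
// Added example (not from the thread). In-memory SQLite via PDO so it runs
// offline; change the DSN to 'mysql:host=localhost;dbname=Database' for MySQL.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: the questioner's table without an "Action" column.
    $pdo->exec('CREATE TABLE CustomerInformation (
        ID INTEGER PRIMARY KEY AUTOINCREMENT, Email TEXT NOT NULL, Name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO CustomerInformation (Email, Name) VALUES (?, ?)');
    // Constructed sample rows; the second one carries markup to show that
    // output encoding, not the database, keeps the page intact.
    $ins->execute(['a@example.com', 'one']);
    $ins->execute(['b@example.com', '<script>alert(1)</script>']);
    $ins->execute(['c@example.com', 'three']);
    return $pdo;
}

// Encode anything that came from the database or the user before it goes
// into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Display path: one form around the whole table, one named button per row.
// The buttons are generated from the rows; nothing about them is stored.
function renderTable(PDO $pdo): string
{
    $out = "<form method=\"post\" action=\"\">\n<table>\n";
    $rows = $pdo->query('SELECT ID, Email, Name FROM CustomerInformation ORDER BY ID');
    foreach ($rows as $row) {
        $id = (int) $row['ID'];
        $out .= '<tr><td>' . h($row['Email']) . '</td><td>' . h($row['Name']) . '</td>'
              . '<td><input type="submit" name="edit_' . $id . '" value="Edit" />'
              . '<input type="submit" name="delete_' . $id . '" value="Delete" /></td></tr>'
              . "\n";
    }
    return $out . "</table>\n</form>\n";
}

// Handler path: find a delete_<id> key, validate the id, delete through a
// prepared statement. Returns the deleted id, or null if nothing was deleted.
function handleDelete(PDO $pdo, array $post): ?int
{
    foreach (array_keys($post) as $name) {
        // 1 to 10 digits, no leading zero: the whole key must match.
        if (preg_match('/^delete_([1-9][0-9]{0,9})$/', (string) $name, $m) !== 1) {
            continue;
        }
        $id = (int) $m[1];
        $stmt = $pdo->prepare('DELETE FROM CustomerInformation WHERE ID = :id');
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->rowCount() === 1 ? $id : null;
    }
    return null;
}

$pdo = openDb();
echo renderTable($pdo);
// Simulated $_POST from clicking the second row's Delete button, then a
// malformed key that the pattern rejects without touching the database.
var_dump(handleDelete($pdo, ['delete_2' => 'Delete']));
var_dump(handleDelete($pdo, ['delete_2 OR 1=1' => 'Delete']));
echo renderTable($pdo);
```

The first render shows three rows, with the `<script>` name rendered as text rather than executed; after the simulated click the second render shows two. An `edit_<id>` button can be handled the same way, by matching the key and loading that row into an edit form, which is the separate code path Xint0's comment refers to.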