I have a table in my database called agendas which is linked with another table called meetings. I would like to edit the agendas table through the form but I want the current information in the agendas fields to appear on the web form.

    <?php
    include 'library/connect.php';
    $agenda_id = $_GET['agenda_id'];
    $result = mysql_query("SELECT agenda.*, meetings.meeting_id FROM agenda INNER JOIN meetings ON agenda.meetings = meetings.meeting_id WHERE agenda_id = '$agenda_id'");

    $row = mysql_fetch_array($result);
    $meeting_id = $row['meeting_id'];

    ?>
    <form id="form1" name="form1" method="post" action="secretary_agendaSuccesful.php?agenda_id=<?php echo $agenda_id; ?>">
      <table width="666" border="1">
        <tr>
          <td width="91">Subject:</td>
          <td width="559"><span id="sprytextarea1">
            <label for="subject"></label>
            <textarea name="subject" id="subject" cols="45" rows="5" value="<?php echo $row['subject']; ?>"></textarea>
            <span class="textareaRequiredMsg">A subject is required.</span></span></td>
        </tr>
        <tr>
          <td>Duration:</td>
          <td><span id="sprytextfield1">
            <label for="duration"></label>
            <input type="text" name="duration" id="duration" value="<?php echo $row['duration']; ?>"/>
            <span class="textfieldRequiredMsg">duration in hours</span><span class="textfieldInvalidFormatMsg">Enter duration in hours</span></span></td>
        </tr>
        <tr>
          <td>&nbsp;</td>
          <td><input type="submit" name="submitbtn" id="submitbtn" value="Submit" /></td>
        </tr>
      </table>
    </form>

Is this the correct way to get information from a database into the fields?

Jason
  • Your code is extremely open to SQL injection attacks. You should never insert `$_GET` variables (or *any* variables) directly into a query. Please take a look at this question for how to fix it, http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php – Dan Simon Jan 06 '12 at 22:49

1 Answer

This is almost the correct way.
All you need is to use the htmlspecialchars() function on the displayed values.

There can be another problem, with the query itself, which prevents your data from displaying.

And there is also obvious SQL injection.

Make your code this way:

    $agenda_id = intval($_GET['agenda_id']);
    $query = "SELECT agenda.*, meetings.meeting_id FROM agenda 
              INNER JOIN meetings ON agenda.meetings = meetings.meeting_id 
              WHERE agenda_id = $agenda_id";
    $result = mysql_query($query) or trigger_error(mysql_error()." ".$query);

and see if it shows any errors.

Edit
Just noticed that you are using the value parameter for the <textarea> tag. This tag has a different usage from the others.

Your Common Sense
  • Notice: Unknown column 'agenda.meetings' in 'on clause' SELECT agenda.*, meetings.meeting_id FROM agenda INNER JOIN meetings ON agenda.meetings = meetings.meeting_id WHERE agenda_id = 16 in E:\webareas\bj115\year3\EWSD\MeetingSystem\secretary_editAgenda.php on line 31 ...<<< – user1130533 Jan 06 '12 at 22:58
  • see how error reporting helps? Always run your queries this way and be notified of all the database errors – Your Common Sense Jan 06 '12 at 23:20
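The points raised in the question and the answer (an integer-only `agenda_id`, a query error that surfaces instead of silently yielding an empty form, `htmlspecialchars()` on every displayed value, and the `<textarea>` content going between the tags rather than in a `value` attribute) combined into one hardened version of the edit form. This is an added example, not the asker's or the answerer's code. It swaps the `mysql_*` calls for a PDO prepared statement (my choice, not something the answer prescribes) and assumes that `library/connect.php` defines a `$pdo` object (hypothetical name) with `PDO::ERRMODE_EXCEPTION` enabled; the table and column names are the ones used in the question.

```php
<?php
// Added example (not the original post's code). Assumes library/connect.php
// defines $pdo, a PDO connection set to PDO::ERRMODE_EXCEPTION.
declare(strict_types=1);

include 'library/connect.php';

// 1. Validate the input: a positive integer or nothing. The raw $_GET value
//    never reaches the SQL text.
$agenda_id = filter_input(INPUT_GET, 'agenda_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($agenda_id === false || $agenda_id === null) {
    http_response_code(400);
    exit('Invalid agenda_id');
}

// 2. Prepared statement: the id is bound as a parameter, not concatenated.
//    The join column must match the real schema (the comment above shows
//    what happens when it does not).
$sql = 'SELECT agenda.*, meetings.meeting_id
        FROM agenda
        INNER JOIN meetings ON agenda.meetings = meetings.meeting_id
        WHERE agenda_id = :id';
try {
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':id' => $agenda_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Same idea as the answer's trigger_error(): make the error visible to the
    // developer (server log) instead of rendering an empty form.
    error_log($e->getMessage() . ' -- ' . $sql);
    http_response_code(500);
    exit('Database error');
}
if ($row === false) {
    http_response_code(404);
    exit('No such agenda');
}

// 3. Escape every value on output, for attribute values and element content.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
<form id="form1" name="form1" method="post"
      action="secretary_agendaSuccesful.php?agenda_id=<?= h($agenda_id) ?>">
  <table width="666" border="1">
    <tr>
      <td width="91">Subject:</td>
      <td width="559">
        <!-- textarea has no value attribute: its initial text is the element content -->
        <textarea name="subject" id="subject" cols="45" rows="5"><?= h($row['subject']) ?></textarea>
      </td>
    </tr>
    <tr>
      <td>Duration:</td>
      <td><input type="text" name="duration" id="duration" value="<?= h($row['duration']) ?>" /></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
      <td><input type="submit" name="submitbtn" id="submitbtn" value="Submit" /></td>
    </tr>
  </table>
</form>
```

The `intval()` from the answer and the `FILTER_VALIDATE_INT` used here solve the same problem in the `WHERE` clause; the prepared statement additionally covers any later string parameters (such as the subject being written back on submit) without per-column escaping. `ENT_QUOTES` matters because the values are placed inside double-quoted attributes as well as between tags.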