Grabbing the text within text area with php html

Question

Hey so I am trying to grab the user input text within a textarea but it is not working out too well. What is happening is that we are grabbing a text (movie review) from our server and we want the user to be able to update it and then send it back to the server. Anyone know what we are doing wrong?? We arent getting any error, it just that we are unable to grab the textarea field data. We are pretty new to php and html so I am assume it is some small typeo we are overlooking.

UPDATE: Full fills here.

http://dl.dropbox.com/u/21443163/Reviews.php

http://dl.dropbox.com/u/21443163/updateReview.php

while($RecordSetMovieRow = odbc_fetch_array($RecordSetMovie))
        {
            echo "<tr>";
                $review = $RecordSetMovieRow['Review'];
                echo "<td align = 'center'>" . $RecordSetMovieRow['FirstName']. $RecordSetMovieRow['LastName']  . "</td>";
                echo "<td align = 'center'><textarea name = 'textarea' rows = '5' cols= '40'>" . $review . "</textarea></td>";
                $textarea = $_GET['textarea'];
                $u = $Re[0];
                echo "<td><form action = 'updateReview.php?id=".$RecordSetMovieRow['ReviewID']."&review=$textarea' method = 'POST'><input type='submit' value='Update'></form></td>";

            echo "</tr>";
        }
        echo "</table>";
        odbc_close($Conn);

Can you also post the processing part of `updateReview.php`. Im pretty sure youve confused some variables and where to read them and set them as well as how to process the update, but i need to see whats going on on the backend to be sure. — prodigitalson, Mar 04 '12 at 23:03
please avoid `echo`ing html elements. That is simply a bad style. Always use `=$review ?>` to generate dynamic content. Also, if you want your user to update your textarea, then how are you submitting it? Ajax or Form? Coz I see neither. — jmishra, Mar 04 '12 at 23:05

score 3 · Answer 1 · answered Mar 04 '12 at 22:58

3

You mention method='POST' in your form definition (which is right), but attempt to check $_GET['textarea'] (which is wrong either way). I'd suggest fixing the latter: sending large blocks of text in URL itself is usually not great.

Don't forget to get rid of the &review=$textarea as well; no need to send the content twice, in two different variables. )

answered Mar 04 '12 at 22:58

raina77ow

103,633
15
192
229

Still a little confused. Can you post a new copy with your suggestions?? Also, what is a better way to send large blocks of text to the database? We need to get the data there and update. – kingcong3 Mar 04 '12 at 23:05
@raina77ow means where you've written `$_GET['textarea']`, you should have written `$_POST['textarea']` instead. The variable you use should correspond to what form method you've specified (in this case, you've written POST). It is good practise to use POST for when you are posting data, and GET for when you are getting data. – Lachlan McDonald Mar 04 '12 at 23:22

score 3 · Answer 2 · edited May 23 '17 at 12:29

Your code, with just a few minor tweaks to make it get the proper data from the form. The credit goes to raina77ow, though - his answer is absolutely correct. I just saw that you requested some code, so here it is.

Also, you need to have the form tags such that the textarea is WITHIN them, otherwise it is not part of the form, and it's data does not get posted (that edit is included below).

echo '<form action = 'updateReview.php?id=".$RecordSetMovieRow['ReviewID']."' method = 'POST'>'; // Moved this outside of the while - BUT it needs to be BEFORE the <table> tag also!
echo '<table>'; // If this is not where you want your opening table tag, that's fine - but move the opening FORM tag to BEFORE the opening Table tag
while($RecordSetMovieRow = odbc_fetch_array($RecordSetMovie))
    {
        echo "<tr>";
            $review = $RecordSetMovieRow['Review'];
            echo "<td align = 'center'>" . $RecordSetMovieRow['FirstName']. $RecordSetMovieRow['LastName']  . "</td>";
            echo "<td align = 'center'><textarea name = 'textarea' rows = '5' cols= '40'>" . $review . "</textarea></td>";
            $textarea = $_POST['textarea']; // Changed from $_GET["textarea"] because you are using method='post' in form
            $u = $Re[0];
            echo "<td><input type='submit' value='Update'></td>";

        echo "</tr>";
    }
    echo "</table>";
echo '</form>'; // Moved this to the end of the form, so data from form will get passed

    odbc_close($Conn);

score 3 · Accepted Answer · edited Mar 05 '12 at 02:15

3

If you want to send large blocks of data to the database then enclose everything in a form with the method=POST name/attribute

 <form action="updatingScript.php" name="myForm" method="POST" >

     <textarea name="textArea" rows="5" cols="40"><?=$review ?></textarea>

</form>

Then in your updatingScript.php do this

 if(isset($_POST['myForm'])) {

    $textInfo = mysql_real_escape_string($_POST['textArea']);

    //move this info in your database
    mysql_connect("localhost", "root", "");
    mysql_select_db("myDb")  

    $query="UPDATE myTable SET userTextInfo='$textInfo' WHERE userId='$userId' "; 
    $result=mysql_query($query);

}

Also set error_reporting(E_ALL); at the beginning of your PHP script as this will display what went wrong (in response to your "we aren't getting any errors")

edited Mar 05 '12 at 02:15

Robjong

375
1
6

answered Mar 04 '12 at 23:15

jmishra

2,086
2
24
38

2

Along with `error_reporting(E_ALL)`, you might also try `ini_set('display_errors', 1)`, since some host configuration's report errors, but don't display them. – Lachlan McDonald Mar 04 '12 at 23:24
true, +1 for the extra info :) – jmishra Mar 04 '12 at 23:26
1

Can you say "SQL Injection"? Make sure you escape any input `mysql_real_escape_string($_REQUEST['textArea']);` and instead of $_REQUEST use $_POST `mysql_real_escape_string($_POST['textArea']);` – Robjong Mar 05 '12 at 00:16
thats a totally different subject not relvent to what @kingcong3 is desiring right now. But yes, SQL escaping is what every user must do. However, there will be different preferences for different users. Some use `PDO library`, some `Mysqli` and some still stick to `mysql_real_escape_string` which is why I didn't mention any. – jmishra Mar 05 '12 at 00:20
That is fine but my guess is this will be used almost 'as is', and it can not hurt to include it or at least mention it. Besides the example is already mysql* functions based. – Robjong Mar 05 '12 at 00:26
1

I guess you're right. But I had similar questions in the past where people suggested that I shouldn't even suggest `mysql_real_escape_string` as this as some really bad loopholes http://stackoverflow.com/questions/8800986/is-it-recommended-to-have-a-santizing-function-that-combines-two-or-more-built-i Check the accepted answer comment. – jmishra Mar 05 '12 at 00:28
I know, still it is better than nothing, but I agree that this is not the place to discuss that. – Robjong Mar 05 '12 at 00:37

Grabbing the text within text area with php html

3 Answers3