CRUD edit display issue

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • Publisher Bucks
    Confirmed User
    • Oct 2018
    • 1332

    #1

    Tech CRUD edit display issue

    So here is my problem:



    The code I'm using for that form is as follows:

    <h1 style="text-align: center;">Edit Recipe.</h1><p>

    <?php
    // include database connection file
    include_once("config.php");

    // Check if submitted then redirect to crud home after update
    if(isset($_POST['update']))
    {
    $RecipeID = $_POST['RecipeID'];
    $Title=$_POST['Title'];
    $Ingredients=$_POST['Ingredients'];
    $Method=$_POST['Method'];
    $Category=$_POST['Category'];

    // update recipe data
    $result = mysqli_query($mysqli, "UPDATE DatabaseName SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category' WHERE RecipeID=$RecipeID");

    // Redirect to homepage to display updated recipe in list
    header("Location: blah/blah/blah/domain.com/crud/index.php");
    }
    ?>
    <?php
    // Display selected recipe data based on RecipeID
    // Getting id from url
    $RecipeID = $_GET['RecipeID'];

    // Fetch recipe data based on RecipeID
    $result = mysqli_query($mysqli, "SELECT * FROM DatabaseName WHERE RecipeID=$RecipeID");

    while($recipe_data = mysqli_fetch_array($result))
    {
    $Title=$recipe_data['Title'];
    $Ingredients=$recipe_data['Ingredients'];
    $Method=$recipe_data['Method'];
    $Category=$recipe_data['Category'];
    }

    ?>

    <form name="update_recipe" method="post" action="edit.php">
    <table border="0">
    <tr>
    <td>Title</td>
    <td><input type="text" name="Title" value=<?php echo $Title;?>></td>
    </tr>
    <tr>
    <td>Ingredients</td>
    <td><input type="text" name="Ingredients" value=<?php echo $Ingredients;?>></td>
    </tr>
    <tr>
    <td>Method</td>
    <td><input type="text" name="Method" value=<?php echo $Method;?>></td>
    </tr>
    <tr>
    <td>Category</td>
    <td><input type="text" name="Category" value=<?php echo $Category;?>></td>
    </tr>
    <tr>
    <td><input type="hidden" name="RecipeID" value=<?php echo $_GET['RecipeID'];?>></td>
    <td><input type="submit" name="update" value="Update"></td>
    </tr>
    </table>
    </form>
    The specific entry in the MySQL row is as follows:



    I'm assuming it has something to do with the database row, although I'm not sure why the first area for 'title' isn't displaying the full entry as there is no HTML markup in that column?

    Any pointers or help from those of you 'in the know' please? This is actually the first time I'm trying to use CRUD on this system, I have a similar system setup for a domain management setup but that just uses 2/3 words in each column and it works fine (I copied across the edit.php exactly and just changed out the column names on this).

    At this point I'm honestly at a loss as to why it isnt working, I've also tried using the <textarea> instead of text input to display the data and that didn't work either
    Extreme Link List - v1.0
  • k0nr4d
    Confirmed User
    • Aug 2006
    • 9231

    #2
    You didn't wrap the value parameter of your inputs in quotes.
    Mechanical Bunny Media
    Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

    Comment

    • Publisher Bucks
      Confirmed User
      • Oct 2018
      • 1332

      #3
      Originally posted by k0nr4d
      You didn't wrap the value parameter of your inputs in quotes.
      No data displays when I do, just a trailing backslash and quotation mark in the text fields.
      Extreme Link List - v1.0

      Comment

      • k0nr4d
        Confirmed User
        • Aug 2006
        • 9231

        #4
        PHP Code:
        <?php
        include_once("config.php");
        if(isset($_POST['update'])) {
            $RecipeID = mysqli_real_escape_string($mysqli, $_POST['RecipeID']);
            $Title= mysqli_real_escape_string($mysqli,$_POST['Title']);
            $Ingredients= mysqli_real_escape_string($mysqli,$_POST['Ingredients']);
            $Method= mysqli_real_escape_string($mysqli,$_POST['Method']);
            $Category= mysqli_real_escape_string($mysqli,$_POST['Category']);
            mysqli_query($mysqli, "UPDATE DatabaseName SET Title='".$Title."',Ingredients='".$Ingredients."',Method='".$Method."',Category='".$Category."' WHERE RecipeID='".$RecipeID."'");
            header("Location: blah/blah/blah/domain.com/crud/index.php");
        }
        ?>
        
        <h1 style="text-align: center;">Edit Recipe.</h1>
        <?php
        $result = mysqli_query($mysqli, "SELECT * FROM DatabaseName WHERE RecipeID='".mysqli_real_escape_string($mysqli, $_GET['RecipeID'])."'");
        $row = mysqli_fetch_array($result);
        ?>
        <form name="update_recipe" method="post" action="">
        <table border="0">
        <tr>
        <td>Title</td>
        <td><input type="text" name="Title" value="<?php echo htmlentities($row['Title']); ?>"></td>
        </tr>
        <tr>
        <td>Ingredients</td>
        <td><textarea name='Ingredients'><?php echo htmlentities($row['Ingredients']); ?></textarea></td>
        </tr>
        <tr>
        <td>Method</td>
        <td><textarea name='Method'><?php echo htmlentities($row['Method']); ?></textarea></td>
        </tr>
        <tr>
        <td>Category</td>
        <td><input type="text" name="Category" value="<?php echo htmlentities($row['Category']); ?>"></td>
        </tr>
        <tr>
        <td><input type="hidden" name="RecipeID" value=<?php echo htmlentities($_GET['RecipeID']);?>></td>
        <td><input type="submit" name="update" value="1"></td>
        </tr>
        </table>
        </form>
        Mechanical Bunny Media
        Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

        Comment

        • redwhiteandblue
          Bollocks
          • Jun 2007
          • 2793

          #5
          You can't put HTML tags inside an input field. So those <BR> tags need to be converted to "\r\n".

          You could do for example,

          $Ingredients = str_replace("<BR>", "\r\n", $Ingredients);

          Then the line to display it should use <textarea>

          <td><textarea name="Ingredients"><?php echo $Ingredients;?></textarea></td>
          Interserver unmanaged AMD Ryzen servers from $73.00

          Comment

          • Publisher Bucks
            Confirmed User
            • Oct 2018
            • 1332

            #6
            Awesome, thank you both for your help with this, I have it running correctly now
            Extreme Link List - v1.0

            Comment

            • Publisher Bucks
              Confirmed User
              • Oct 2018
              • 1332

              #7
              I'm having another really strange issue with this edit.php on the crud system, does anyone know what might be causing it not to add data to the Category field?

              Everything else appears to be working correctly, but it isnt allowing me to add new data (when editing) to this field specifically.

              Its set as mediumtext in the database and only have 2 words seperated by a comma presently so the space in the column shouldn't be an issue.

              The code is exactly as above so should be working fine.

              Adding a new record isnt giving me any issues and neither is displaying or deleting a record

              Any thoughts on what may be causing this issue please?
              Extreme Link List - v1.0

              Comment

              • k0nr4d
                Confirmed User
                • Aug 2006
                • 9231

                #8
                Originally posted by Publisher Bucks
                I'm having another really strange issue with this edit.php on the crud system, does anyone know what might be causing it not to add data to the Category field?

                Everything else appears to be working correctly, but it isnt allowing me to add new data (when editing) to this field specifically.

                Its set as mediumtext in the database and only have 2 words seperated by a comma presently so the space in the column shouldn't be an issue.

                The code is exactly as above so should be working fine.

                Adding a new record isnt giving me any issues and neither is displaying or deleting a record

                Any thoughts on what may be causing this issue please?
                Post the code, we don't know what you ended up using on it
                Mechanical Bunny Media
                Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

                Comment

                • Publisher Bucks
                  Confirmed User
                  • Oct 2018
                  • 1332

                  #9
                  <?php
                  // include database connection file
                  include_once("../../config.php");

                  // Check if form is submitted for recipe update, then redirect to homepage after update
                  if(isset($_POST['update']))
                  {
                  $RecipeID = $_POST['RecipeID'];
                  $Title=$_POST['Title'];
                  $Ingredients=$_POST['Ingredients'];
                  $Method=$_POST['Method'];
                  $Category=$_POST['Category'];
                  $Edit=$_POST['Edit'];

                  // update recipe data
                  $result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

                  // Redirect to homepage to display updated recipe in list
                  header("Location: /blah/blah/domain.com/manage/index.php");
                  }
                  ?>
                  <?php
                  // Display selected recipe data based on id
                  // Getting id from url
                  $RecipeID = $_GET['RecipeID'];

                  // Fetech recipe data based on id
                  $result = mysqli_query($mysqli, "SELECT * FROM Recipe WHERE RecipeID=$RecipeID");

                  while($recipe_data = mysqli_fetch_array($result))
                  {
                  $Title=$recipe_data['Title'];
                  $Ingredients=$recipe_data['Ingredients'];
                  $Method=$recipe_data['Method'];
                  $Category=$recipe_data['Category'];
                  $Edit=$recipe_data['Edit'];
                  }

                  ?>

                  <form name="update_recipe" method="post" action="edit.php">
                  <table border="0">
                  <input name="Edit" type="hidden" value="<?php echo $username; ?>" /></p>
                  <tr>
                  <td valign="top">Title</td>
                  <td><input type="text" name="Title" value="<?php echo $Title;?>" style="width: 250px"></td>
                  </tr>
                  <tr>
                  <td>&nbsp;</td>
                  <td>&nbsp;</td>
                  </tr>
                  <tr>
                  <td valign="top">Ingredients</td>
                  <td><textarea name="Ingredients" style="width: 500px; height: 150px"><?php echo $Ingredients;?></textarea></td>
                  </tr>
                  <tr>
                  <td>&nbsp;</td>
                  <td>&nbsp;</td>
                  </tr>
                  <tr>
                  <td valign="top">Method</td>
                  <td><textarea name="Method" style="width: 500px; height: 150px"><?php echo $Method;?></textarea></td>
                  </tr>
                  <tr>
                  <td>&nbsp;</td>
                  <td>&nbsp;</td>
                  </tr>
                  <tr>
                  <td valign="top">Category</td>
                  <td><textarea name="Category" style="width: 250px; height: 50px"><?php echo $Category;?></textarea></td>
                  </tr>
                  <tr>
                  <td>&nbsp;</td>
                  <td>&nbsp;</td>
                  </tr>
                  <tr>
                  <td><input type="hidden" name="RecipeID" value=<?php echo $_GET['RecipeID'];?>></td>
                  <td><input type="submit" name="update" value="Update"></td>
                  </tr>
                  </table>
                  </form>
                  Those are lines 116 thru 200.

                  I'm wondering if its an issue with the connection although, no errors appear to be showing in the logs other than a modify header one to redirect to the main index.php page, which ill deal with later.

                  [31-May-2022 13:06:47 America/Chicago] PHP Warning: Cannot modify header information - headers already sent by (output started at /blah/blah/domain.com/home/manage/edit.php:12) in /blah/blah/domain.com/home/manage/edit.php on line 134
                  Extreme Link List - v1.0

                  Comment

                  • k0nr4d
                    Confirmed User
                    • Aug 2006
                    • 9231

                    #10
                    Did you try using my code? It fixes that headers already sent, and isn't full of sql injection exploits in literally every possible place one could be

                    Does the data you are putting into categories contain a ' ? because that would be enough to cause an SQL error in your code.
                    Mechanical Bunny Media
                    Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

                    Comment

                    • Publisher Bucks
                      Confirmed User
                      • Oct 2018
                      • 1332

                      #11
                      Originally posted by k0nr4d
                      Did you try using my code? It fixes that headers already sent, and isn't full of sql injection exploits in literally every possible place one could be

                      Does the data you are putting into categories contain a ' ? because that would be enough to cause an SQL error in your code.
                      This is just for testing right now, once its live itll have all the injection areas edited correctly and no, no question marks or anything other than commas.
                      Extreme Link List - v1.0

                      Comment

                      • redwhiteandblue
                        Bollocks
                        • Jun 2007
                        • 2793

                        #12
                        Originally posted by Publisher Bucks
                        This is just for testing right now, once its live itll have all the injection areas edited correctly and no, no question marks or anything other than commas.
                        Konrad means the ' character - single quotation mark. If you are not at least escaping it with the addslashes() function, if there ever is one in any string you try to put in a query it will break the query.

                        Can't see anything wrong at first glance but when trying to debug this sort of thing you should try to find out exactly what is going wrong. To do this I would change

                        $result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

                        to

                        $query = "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID";
                        $result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli) . " query was $query");

                        This will spit out an error if the insert failed and stop the script right there, telling you what the actual query was you were trying to use. Obviously remove this code for the live version, and set up a proper try...catch construct, this is just a quick way to see what's going on.

                        If that doesn't give any error message the problem is somewhere else.
                        Interserver unmanaged AMD Ryzen servers from $73.00

                        Comment

                        • Publisher Bucks
                          Confirmed User
                          • Oct 2018
                          • 1332

                          #13
                          Originally posted by redwhiteandblue
                          Konrad means the ' character - single quotation mark. If you are not at least escaping it with the addslashes() function, if there ever is one in any string you try to put in a query it will break the query.

                          Can't see anything wrong at first glance but when trying to debug this sort of thing you should try to find out exactly what is going wrong. To do this I would change

                          $result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

                          to

                          $query = "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID";
                          $result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli) . " query was $query");

                          This will spit out an error if the insert failed and stop the script right there, telling you what the actual query was you were trying to use. Obviously remove this code for the live version, and set up a proper try...catch construct, this is just a quick way to see what's going on.

                          If that doesn't give any error message the problem is somewhere else.
                          This is the error it kicked out, checking the sql data now to see what the issue is.

                          You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sugar.
                          ',Category='Snacks, Cookie, Dessert, Shortbread',Edit='Eric' WHERE Reci' at line 1 query was UPDATE Recipe SET Title='3-Ingredient Shortbread Cookies',Ingredients='1 cup unsalted butter, softened .
                          1/2 cup sugar .
                          2 cups all-purpose flour.
                          Confectioners sugar, optional.
                          ',Method=' Preheat oven to 325 degrees.
                          Cream butter and sugar until light and fluffy.
                          Gradually beat in flour.
                          Press dough into an ungreased 9" square baking pan.
                          Prick with a fork.
                          Bake until light brown, 30-35 minutes.
                          Cut into squares while warm.
                          Cool completely on a wire rack.
                          If desired, dust with confectioners' sugar.
                          ',Category='Snacks, Cookie, Dessert, Shortbread',Edit='Eric' WHERE RecipeID=4792
                          *EDIT*

                          Found it, there an an unescaped single quotation mark at the end of confectioners' sugar.

                          Thanks again for the help guys, looks like ill be running a quick search & replace on the database to make sure that issue doesnt happen again
                          Extreme Link List - v1.0

                          Comment

                          • redwhiteandblue
                            Bollocks
                            • Jun 2007
                            • 2793

                            #14
                            You just need to do

                            $Ingredients = addslashes($Ingredients);

                            before trying to construct the query string with it. Do it with all the other vars too. Or to be more thorough you should use mysql_real_escape_string() as Konrad suggested.
                            Interserver unmanaged AMD Ryzen servers from $73.00

                            Comment

                            • sarettah
                              see you later, I'm gone
                              • Oct 2002
                              • 14322

                              #15
                              Originally posted by redwhiteandblue
                              you should use mysql_real_escape_string() as Konrad suggested.
                              This ^^^^^

                              .
                              All cookies cleared!

                              Comment

                              • Publisher Bucks
                                Confirmed User
                                • Oct 2018
                                • 1332

                                #16
                                i just updated this to the code suggested by Konrad

                                Again, thank you all for your assistance with this
                                Extreme Link List - v1.0

                                Comment

                                • k0nr4d
                                  Confirmed User
                                  • Aug 2006
                                  • 9231

                                  #17
                                  Originally posted by Publisher Bucks
                                  i just updated this to the code suggested by Konrad

                                  Again, thank you all for your assistance with this
                                  You should always write with the security stuff already in place, that is good practice. It's gotta be there anyways and this way you'll be used to just writing it as you go.
                                  Mechanical Bunny Media
                                  Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

                                  Comment

                                  Working...