Old 05-30-2022, 12:25 AM   #1
Publisher Bucks
Confirmed User
 
Industry Role:
Join Date: Oct 2018
Location: New Orleans, Louisiana. / Newcastle, England.
Posts: 1,123
CRUD edit display issue

So here is my problem:



The code I'm using for that form is as follows:

Quote:
<h1 style="text-align: center;">Edit Recipe.</h1><p>

<?php
// include database connection file
include_once("config.php");

// Check if submitted then redirect to crud home after update
if(isset($_POST['update']))
{
$RecipeID = $_POST['RecipeID'];
$Title=$_POST['Title'];
$Ingredients=$_POST['Ingredients'];
$Method=$_POST['Method'];
$Category=$_POST['Category'];

// update recipe data
$result = mysqli_query($mysqli, "UPDATE DatabaseName SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category' WHERE RecipeID=$RecipeID");

// Redirect to homepage to display updated recipe in list
header("Location: blah/blah/blah/domain.com/crud/index.php");
}
?>
<?php
// Display selected recipe data based on RecipeID
// Getting id from url
$RecipeID = $_GET['RecipeID'];

// Fetch recipe data based on RecipeID
$result = mysqli_query($mysqli, "SELECT * FROM DatabaseName WHERE RecipeID=$RecipeID");

while($recipe_data = mysqli_fetch_array($result))
{
$Title=$recipe_data['Title'];
$Ingredients=$recipe_data['Ingredients'];
$Method=$recipe_data['Method'];
$Category=$recipe_data['Category'];
}

?>

<form name="update_recipe" method="post" action="edit.php">
<table border="0">
<tr>
<td>Title</td>
<td><input type="text" name="Title" value=<?php echo $Title;?>></td>
</tr>
<tr>
<td>Ingredients</td>
<td><input type="text" name="Ingredients" value=<?php echo $Ingredients;?>></td>
</tr>
<tr>
<td>Method</td>
<td><input type="text" name="Method" value=<?php echo $Method;?>></td>
</tr>
<tr>
<td>Category</td>
<td><input type="text" name="Category" value=<?php echo $Category;?>></td>
</tr>
<tr>
<td><input type="hidden" name="RecipeID" value=<?php echo $_GET['RecipeID'];?>></td>
<td><input type="submit" name="update" value="Update"></td>
</tr>
</table>
</form>
The specific entry in the MySQL row is as follows:



I'm assuming it has something to do with the database row, although I'm not sure why the first area for 'title' isn't displaying the full entry as there is no HTML markup in that column?

Any pointers or help from those of you 'in the know' please? This is actually the first time I'm trying to use CRUD on this system, I have a similar system setup for a domain management setup but that just uses 2/3 words in each column and it works fine (I copied across the edit.php exactly and just changed out the column names on this).

At this point I'm honestly at a loss as to why it isn't working. I've also tried using the <textarea> instead of text input to display the data and that didn't work either.
__________________
SOMETHING EXTREME IS COMING SOON!
Old 05-30-2022, 12:34 AM   #2
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,228
You didn't wrap the value parameter of your inputs in quotes.
Old 05-30-2022, 12:36 AM   #3
Publisher Bucks
Quote:
Originally Posted by k0nr4d View Post
You didn't wrap the value parameter of your inputs in quotes.
No data displays when I do, just a trailing backslash and quotation mark in the text fields.
Old 05-30-2022, 12:59 AM   #4
k0nr4d
PHP Code:
<?php
include_once("config.php");

// Handle the update before any output is sent, so header() can still redirect.
if (isset($_POST['update'])) {
    // Escape every user-supplied value before it goes into the query string.
    $RecipeID = mysqli_real_escape_string($mysqli, $_POST['RecipeID']);
    $Title = mysqli_real_escape_string($mysqli, $_POST['Title']);
    $Ingredients = mysqli_real_escape_string($mysqli, $_POST['Ingredients']);
    $Method = mysqli_real_escape_string($mysqli, $_POST['Method']);
    $Category = mysqli_real_escape_string($mysqli, $_POST['Category']);
    mysqli_query($mysqli, "UPDATE DatabaseName SET Title='".$Title."',Ingredients='".$Ingredients."',Method='".$Method."',Category='".$Category."' WHERE RecipeID='".$RecipeID."'");
    header("Location: blah/blah/blah/domain.com/crud/index.php");
    exit; // stop here so the form below is not rendered after the redirect
}
?>

<h1 style="text-align: center;">Edit Recipe.</h1>
<?php
// Fetch the recipe to edit; the id from the URL is escaped and quoted.
$result = mysqli_query($mysqli, "SELECT * FROM DatabaseName WHERE RecipeID='".mysqli_real_escape_string($mysqli, $_GET['RecipeID'])."'");
$row = mysqli_fetch_array($result);
?>
<form name="update_recipe" method="post" action="">
<table border="0">
<tr>
<td>Title</td>
<td><input type="text" name="Title" value="<?php echo htmlentities($row['Title']); ?>"></td>
</tr>
<tr>
<td>Ingredients</td>
<td><textarea name='Ingredients'><?php echo htmlentities($row['Ingredients']); ?></textarea></td>
</tr>
<tr>
<td>Method</td>
<td><textarea name='Method'><?php echo htmlentities($row['Method']); ?></textarea></td>
</tr>
<tr>
<td>Category</td>
<td><input type="text" name="Category" value="<?php echo htmlentities($row['Category']); ?>"></td>
</tr>
<tr>
<td><input type="hidden" name="RecipeID" value="<?php echo htmlentities($_GET['RecipeID']);?>"></td>
<td><input type="submit" name="update" value="1"></td>
</tr>
</table>
</form>
Old 05-30-2022, 02:03 AM   #5
redwhiteandblue
Bollocks
 
redwhiteandblue's Avatar
 
Industry Role:
Join Date: Jun 2007
Location: Bollocks
Posts: 2,792
You can't put HTML tags inside an input field. So those <BR> tags need to be converted to "\r\n".

You could do for example,

$Ingredients = str_replace("<BR>", "\r\n", $Ingredients);

Then the line to display it should use <textarea>

<td><textarea name="Ingredients"><?php echo htmlentities($Ingredients);?></textarea></td>
Old 05-30-2022, 02:23 AM   #6
Publisher Bucks
Awesome, thank you both for your help with this, I have it running correctly now
Old 05-31-2022, 11:02 AM   #7
Publisher Bucks
I'm having another really strange issue with this edit.php on the crud system, does anyone know what might be causing it not to add data to the Category field?

Everything else appears to be working correctly, but it isn't allowing me to add new data (when editing) to this field specifically.

It's set as mediumtext in the database and only has 2 words separated by a comma presently, so the space in the column shouldn't be an issue.

The code is exactly as above so should be working fine.

Adding a new record isn't giving me any issues and neither is displaying or deleting a record.

Any thoughts on what may be causing this issue please?
Old 05-31-2022, 11:09 AM   #8
k0nr4d
Quote:
Originally Posted by Publisher Bucks View Post
I'm having another really strange issue with this edit.php on the crud system, does anyone know what might be causing it not to add data to the Category field?

Everything else appears to be working correctly, but it isn't allowing me to add new data (when editing) to this field specifically.

It's set as mediumtext in the database and only has 2 words separated by a comma presently, so the space in the column shouldn't be an issue.

The code is exactly as above so should be working fine.

Adding a new record isn't giving me any issues and neither is displaying or deleting a record.

Any thoughts on what may be causing this issue please?
Post the code, we don't know what you ended up using on it
Old 05-31-2022, 11:20 AM   #9
Publisher Bucks
Quote:
<?php
// include database connection file
include_once("../../config.php");

// Check if form is submitted for recipe update, then redirect to homepage after update
if(isset($_POST['update']))
{
$RecipeID = $_POST['RecipeID'];
$Title=$_POST['Title'];
$Ingredients=$_POST['Ingredients'];
$Method=$_POST['Method'];
$Category=$_POST['Category'];
$Edit=$_POST['Edit'];

// update recipe data
$result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

// Redirect to homepage to display updated recipe in list
header("Location: /blah/blah/domain.com/manage/index.php");
}
?>
<?php
// Display selected recipe data based on id
// Getting id from url
$RecipeID = $_GET['RecipeID'];

// Fetch recipe data based on id
$result = mysqli_query($mysqli, "SELECT * FROM Recipe WHERE RecipeID=$RecipeID");

while($recipe_data = mysqli_fetch_array($result))
{
$Title=$recipe_data['Title'];
$Ingredients=$recipe_data['Ingredients'];
$Method=$recipe_data['Method'];
$Category=$recipe_data['Category'];
$Edit=$recipe_data['Edit'];
}

?>

<form name="update_recipe" method="post" action="edit.php">
<table border="0">
<input name="Edit" type="hidden" value="<?php echo $username; ?>" /></p>
<tr>
<td valign="top">Title</td>
<td><input type="text" name="Title" value="<?php echo $Title;?>" style="width: 250px"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">Ingredients</td>
<td><textarea name="Ingredients" style="width: 500px; height: 150px"><?php echo $Ingredients;?></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">Method</td>
<td><textarea name="Method" style="width: 500px; height: 150px"><?php echo $Method;?></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">Category</td>
<td><textarea name="Category" style="width: 250px; height: 50px"><?php echo $Category;?></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><input type="hidden" name="RecipeID" value=<?php echo $_GET['RecipeID'];?>></td>
<td><input type="submit" name="update" value="Update"></td>
</tr>
</table>
</form>
Those are lines 116 thru 200.

I'm wondering if it's an issue with the connection, although no errors appear to be showing in the logs other than a modify header one to redirect to the main index.php page, which I'll deal with later.

Quote:
[31-May-2022 13:06:47 America/Chicago] PHP Warning: Cannot modify header information - headers already sent by (output started at /blah/blah/domain.com/home/manage/edit.php:12) in /blah/blah/domain.com/home/manage/edit.php on line 134
Old 05-31-2022, 11:28 AM   #10
k0nr4d
Did you try using my code? It fixes that headers already sent, and isn't full of SQL injection exploits in literally every possible place one could be.

Does the data you are putting into categories contain a ' ? because that would be enough to cause an SQL error in your code.
Old 05-31-2022, 12:34 PM   #11
Publisher Bucks
Quote:
Originally Posted by k0nr4d View Post
Did you try using my code? It fixes that headers already sent, and isn't full of SQL injection exploits in literally every possible place one could be.

Does the data you are putting into categories contain a ' ? because that would be enough to cause an SQL error in your code.
This is just for testing right now, once it's live it'll have all the injection areas edited correctly and no, no question marks or anything other than commas.
Old 05-31-2022, 01:36 PM   #12
redwhiteandblue
Quote:
Originally Posted by Publisher Bucks View Post
This is just for testing right now, once it's live it'll have all the injection areas edited correctly and no, no question marks or anything other than commas.
Konrad means the ' character - single quotation mark. If you are not at least escaping it with the addslashes() function, if there ever is one in any string you try to put in a query it will break the query.

Can't see anything wrong at first glance but when trying to debug this sort of thing you should try to find out exactly what is going wrong. To do this I would change

$result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

to

$query = "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID";
$result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli) . " query was $query");

This will spit out an error if the insert failed and stop the script right there, telling you what the actual query was you were trying to use. Obviously remove this code for the live version, and set up a proper try...catch construct, this is just a quick way to see what's going on.

If that doesn't give any error message the problem is somewhere else.
Old 05-31-2022, 01:45 PM   #13
Publisher Bucks
Quote:
Originally Posted by redwhiteandblue View Post
Konrad means the ' character - single quotation mark. If you are not at least escaping it with the addslashes() function, if there ever is one in any string you try to put in a query it will break the query.

Can't see anything wrong at first glance but when trying to debug this sort of thing you should try to find out exactly what is going wrong. To do this I would change

$result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

to

$query = "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID";
$result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli) . " query was $query");

This will spit out an error if the insert failed and stop the script right there, telling you what the actual query was you were trying to use. Obviously remove this code for the live version, and set up a proper try...catch construct, this is just a quick way to see what's going on.

If that doesn't give any error message the problem is somewhere else.
This is the error it kicked out, checking the sql data now to see what the issue is.

Quote:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sugar.
',Category='Snacks, Cookie, Dessert, Shortbread',Edit='Eric' WHERE Reci' at line 1 query was UPDATE Recipe SET Title='3-Ingredient Shortbread Cookies',Ingredients='1 cup unsalted butter, softened .
1/2 cup sugar .
2 cups all-purpose flour.
Confectioners sugar, optional.
',Method=' Preheat oven to 325 degrees.
Cream butter and sugar until light and fluffy.
Gradually beat in flour.
Press dough into an ungreased 9" square baking pan.
Prick with a fork.
Bake until light brown, 30-35 minutes.
Cut into squares while warm.
Cool completely on a wire rack.
If desired, dust with confectioners' sugar.
',Category='Snacks, Cookie, Dessert, Shortbread',Edit='Eric' WHERE RecipeID=4792
*EDIT*

Found it, there is an unescaped single quotation mark at the end of confectioners' sugar.

Thanks again for the help guys, looks like I'll be running a quick search & replace on the database to make sure that issue doesn't happen again.
Old 05-31-2022, 01:54 PM   #14
redwhiteandblue
You just need to do

$Ingredients = addslashes($Ingredients);

before trying to construct the query string with it. Do it with all the other vars too. Or to be more thorough you should use mysql_real_escape_string() as Konrad suggested.
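The two fixes discussed in this thread (quoting and encoding the form values, and keeping user input out of the SQL text), as an added example that is not code posted by anyone in the thread. It uses PDO with an in-memory SQLite database as a stand-in for the thread's mysqli/MySQL setup so it runs on its own (assumes the pdo_sqlite extension); the `$post` array is constructed sample data and the function names are hypothetical.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database;
// table and column names follow the thread, everything else is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Recipe (RecipeID INTEGER PRIMARY KEY, Title TEXT,
           Ingredients TEXT, Method TEXT, Category TEXT)");
$db->exec("INSERT INTO Recipe VALUES (4792, 'old title', '', '', '')");

// Constructed form submission, modelled on the failing update in the thread.
$post = [
    'RecipeID'    => '4792',
    'Title'       => '3-Ingredient Shortbread Cookies',
    'Ingredients' => "1 cup unsalted butter, softened\n1/2 cup sugar",
    'Method'      => "If desired, dust with confectioners' sugar.",
    'Category'    => 'Snacks, Cookie, Dessert, Shortbread',
];

// 1) String-built query: the apostrophe ends the SQL string literal early,
//    so the rest of the value is parsed as SQL and the statement fails.
function updateByConcatenation(PDO $db, array $p): string
{
    $sql = "UPDATE Recipe SET Title='{$p['Title']}', Method='{$p['Method']}'"
         . " WHERE RecipeID={$p['RecipeID']}";
    try {
        $db->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2) Prepared statement: values travel separately from the SQL text, so no
//    character in them can change the statement's structure.
//    With mysqli the same pattern is prepare(), bind_param(), execute().
function updatePrepared(PDO $db, array $p): int
{
    $stmt = $db->prepare(
        'UPDATE Recipe SET Title = ?, Ingredients = ?, Method = ?, Category = ?
          WHERE RecipeID = ?'
    );
    $stmt->execute([$p['Title'], $p['Ingredients'], $p['Method'],
                    $p['Category'], (int) $p['RecipeID']]);
    return $stmt->rowCount();
}

// 3) Output side: encode for HTML and always quote the attribute value.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function textInput(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

echo updateByConcatenation($db, $post), "\n";
echo updatePrepared($db, $post), " row(s) updated\n";
$row = $db->query('SELECT * FROM Recipe WHERE RecipeID = 4792')
          ->fetch(PDO::FETCH_ASSOC);
echo textInput('Title', $row['Title']), "\n";
echo textInput('Method', $row['Method']), "\n";
```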
Old 05-31-2022, 01:57 PM   #15
sarettah
see you later, I'm gone
 
Industry Role:
Join Date: Oct 2002
Posts: 14,057
Quote:
Originally Posted by redwhiteandblue View Post
you should use mysql_real_escape_string() as Konrad suggested.
This ^^^^^

.
__________________
All cookies cleared!
Old 05-31-2022, 08:30 PM   #16
Publisher Bucks
I just updated this to the code suggested by Konrad.

Again, thank you all for your assistance with this
Old 05-31-2022, 11:30 PM   #17
k0nr4d
Quote:
Originally Posted by Publisher Bucks View Post
I just updated this to the code suggested by Konrad.

Again, thank you all for your assistance with this
You should always write with the security stuff already in place, that is good practice. It's gotta be there anyways and this way you'll be used to just writing it as you go.