GoFuckYourself.com - Adult Webmaster Forum


Publisher Bucks 05-30-2022 12:25 AM

CRUD edit display issue
 
So here is my problem:

http://www.publisherbucks.com/crud.jpg

The code I'm using for that form is as follows:

Quote:

<h1 style="text-align: center;">Edit Recipe.</h1><p>

<?php
// include database connection file
include_once("config.php");

// Check if submitted then redirect to crud home after update
if(isset($_POST['update']))
{
$RecipeID = $_POST['RecipeID'];
$Title=$_POST['Title'];
$Ingredients=$_POST['Ingredients'];
$Method=$_POST['Method'];
$Category=$_POST['Category'];

// update recipe data
$result = mysqli_query($mysqli, "UPDATE DatabaseName SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category' WHERE RecipeID=$RecipeID");

// Redirect to homepage to display updated recipe in list
header("Location: blah/blah/blah/domain.com/crud/index.php");
}
?>
<?php
// Display selected recipe data based on RecipeID
// Getting id from url
$RecipeID = $_GET['RecipeID'];

// Fetch recipe data based on RecipeID
$result = mysqli_query($mysqli, "SELECT * FROM DatabaseName WHERE RecipeID=$RecipeID");

while($recipe_data = mysqli_fetch_array($result))
{
$Title=$recipe_data['Title'];
$Ingredients=$recipe_data['Ingredients'];
$Method=$recipe_data['Method'];
$Category=$recipe_data['Category'];
}

?>

<form name="update_recipe" method="post" action="edit.php">
<table border="0">
<tr>
<td>Title</td>
<td><input type="text" name="Title" value=<?php echo $Title;?>></td>
</tr>
<tr>
<td>Ingredients</td>
<td><input type="text" name="Ingredients" value=<?php echo $Ingredients;?>></td>
</tr>
<tr>
<td>Method</td>
<td><input type="text" name="Method" value=<?php echo $Method;?>></td>
</tr>
<tr>
<td>Category</td>
<td><input type="text" name="Category" value=<?php echo $Category;?>></td>
</tr>
<tr>
<td><input type="hidden" name="RecipeID" value=<?php echo $_GET['RecipeID'];?>></td>
<td><input type="submit" name="update" value="Update"></td>
</tr>
</table>
</form>
The specific entry in the MySQL row is as follows:

http://www.publisherbucks.com/crud2.jpg

I'm assuming it has something to do with the database row, although I'm not sure why the first area for 'title' isn't displaying the full entry as there is no HTML markup in that column?

Any pointers or help from those of you 'in the know' please? This is actually the first time I'm trying to use CRUD on this system, I have a similar system setup for a domain management setup but that just uses 2/3 words in each column and it works fine (I copied across the edit.php exactly and just changed out the column names on this).

At this point I'm honestly at a loss as to why it isn't working, I've also tried using the <textarea> instead of text input to display the data and that didn't work either :Oh crap

k0nr4d 05-30-2022 12:34 AM

You didn't wrap the value parameter of your inputs in quotes.

Publisher Bucks 05-30-2022 12:36 AM

Quote:

Originally Posted by k0nr4d (Post 23006040)
You didn't wrap the value parameter of your inputs in quotes.

No data displays when I do, just a trailing backslash and quotation mark in the text fields.

k0nr4d 05-30-2022 12:59 AM

PHP Code:

<?php
include_once("config.php");
if (isset($_POST['update'])) {
    // Escape every submitted value before it goes into the query string
    $RecipeID = mysqli_real_escape_string($mysqli, $_POST['RecipeID']);
    $Title = mysqli_real_escape_string($mysqli, $_POST['Title']);
    $Ingredients = mysqli_real_escape_string($mysqli, $_POST['Ingredients']);
    $Method = mysqli_real_escape_string($mysqli, $_POST['Method']);
    $Category = mysqli_real_escape_string($mysqli, $_POST['Category']);
    mysqli_query($mysqli, "UPDATE DatabaseName SET Title='".$Title."',Ingredients='".$Ingredients."',Method='".$Method."',Category='".$Category."' WHERE RecipeID='".$RecipeID."'");
    // Redirect before any HTML is output, then stop the script
    header("Location: blah/blah/blah/domain.com/crud/index.php");
    exit;
}
?>

<h1 style="text-align: center;">Edit Recipe.</h1>
<?php
$result = mysqli_query($mysqli, "SELECT * FROM DatabaseName WHERE RecipeID='".mysqli_real_escape_string($mysqli, $_GET['RecipeID'])."'");
$row = mysqli_fetch_array($result);
?>
<form name="update_recipe" method="post" action="">
<table border="0">
<tr>
<td>Title</td>
<td><input type="text" name="Title" value="<?php echo htmlentities($row['Title']); ?>"></td>
</tr>
<tr>
<td>Ingredients</td>
<td><textarea name='Ingredients'><?php echo htmlentities($row['Ingredients']); ?></textarea></td>
</tr>
<tr>
<td>Method</td>
<td><textarea name='Method'><?php echo htmlentities($row['Method']); ?></textarea></td>
</tr>
<tr>
<td>Category</td>
<td><input type="text" name="Category" value="<?php echo htmlentities($row['Category']); ?>"></td>
</tr>
<tr>
<td><input type="hidden" name="RecipeID" value="<?php echo htmlentities($_GET['RecipeID']); ?>"></td>
<td><input type="submit" name="update" value="1"></td>
</tr>
</table>
</form>


redwhiteandblue 05-30-2022 02:03 AM

You can't put HTML tags inside an input field. So those <BR> tags need to be converted to "\r\n".

You could do for example,

$Ingredients = str_replace("<BR>", "\r\n", $Ingredients);

Then the line to display it should use <textarea>

<td><textarea name="Ingredients"><?php echo $Ingredients;?></textarea></td>

Publisher Bucks 05-30-2022 02:23 AM

Awesome, thank you both for your help with this, I have it running correctly now :thumbsup

Publisher Bucks 05-31-2022 11:02 AM

I'm having another really strange issue with this edit.php on the crud system, does anyone know what might be causing it not to add data to the Category field?

Everything else appears to be working correctly, but it isn't allowing me to add new data (when editing) to this field specifically.

It's set as mediumtext in the database and only has 2 words separated by a comma presently so the space in the column shouldn't be an issue.

The code is exactly as above so should be working fine.

Adding a new record isn't giving me any issues and neither is displaying or deleting a record :Oh crap

Any thoughts on what may be causing this issue please?

k0nr4d 05-31-2022 11:09 AM

Quote:

Originally Posted by Publisher Bucks (Post 23006503)
I'm having another really strange issue with this edit.php on the crud system, does anyone know what might be causing it not to add data to the Category field?

Everything else appears to be working correctly, but it isn't allowing me to add new data (when editing) to this field specifically.

It's set as mediumtext in the database and only has 2 words separated by a comma presently so the space in the column shouldn't be an issue.

The code is exactly as above so should be working fine.

Adding a new record isn't giving me any issues and neither is displaying or deleting a record :Oh crap

Any thoughts on what may be causing this issue please?

Post the code, we don't know what you ended up using on it

Publisher Bucks 05-31-2022 11:20 AM

Quote:

<?php
// include database connection file
include_once("../../config.php");

// Check if form is submitted for recipe update, then redirect to homepage after update
if(isset($_POST['update']))
{
$RecipeID = $_POST['RecipeID'];
$Title=$_POST['Title'];
$Ingredients=$_POST['Ingredients'];
$Method=$_POST['Method'];
$Category=$_POST['Category'];
$Edit=$_POST['Edit'];

// update recipe data
$result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

// Redirect to homepage to display updated recipe in list
header("Location: /blah/blah/domain.com/manage/index.php");
}
?>
<?php
// Display selected recipe data based on id
// Getting id from url
$RecipeID = $_GET['RecipeID'];

// Fetch recipe data based on id
$result = mysqli_query($mysqli, "SELECT * FROM Recipe WHERE RecipeID=$RecipeID");

while($recipe_data = mysqli_fetch_array($result))
{
$Title=$recipe_data['Title'];
$Ingredients=$recipe_data['Ingredients'];
$Method=$recipe_data['Method'];
$Category=$recipe_data['Category'];
$Edit=$recipe_data['Edit'];
}

?>

<form name="update_recipe" method="post" action="edit.php">
<table border="0">
<input name="Edit" type="hidden" value="<?php echo $username; ?>" /></p>
<tr>
<td valign="top">Title</td>
<td><input type="text" name="Title" value="<?php echo $Title;?>" style="width: 250px"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">Ingredients</td>
<td><textarea name="Ingredients" style="width: 500px; height: 150px"><?php echo $Ingredients;?></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">Method</td>
<td><textarea name="Method" style="width: 500px; height: 150px"><?php echo $Method;?></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td valign="top">Category</td>
<td><textarea name="Category" style="width: 250px; height: 50px"><?php echo $Category;?></textarea></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><input type="hidden" name="RecipeID" value=<?php echo $_GET['RecipeID'];?>></td>
<td><input type="submit" name="update" value="Update"></td>
</tr>
</table>
</form>
Those are lines 116 thru 200.

I'm wondering if it's an issue with the connection although, no errors appear to be showing in the logs other than a modify header one to redirect to the main index.php page, which I'll deal with later.

Quote:

[31-May-2022 13:06:47 America/Chicago] PHP Warning: Cannot modify header information - headers already sent by (output started at /blah/blah/domain.com/home/manage/edit.php:12) in /blah/blah/domain.com/home/manage/edit.php on line 134

k0nr4d 05-31-2022 11:28 AM

Did you try using my code? It fixes that headers already sent, and isn't full of sql injection exploits in literally every possible place one could be :)

Does the data you are putting into categories contain a ' ? because that would be enough to cause an SQL error in your code.

Publisher Bucks 05-31-2022 12:34 PM

Quote:

Originally Posted by k0nr4d (Post 23006525)
Did you try using my code? It fixes that headers already sent, and isn't full of sql injection exploits in literally every possible place one could be :)

Does the data you are putting into categories contain a ' ? because that would be enough to cause an SQL error in your code.

This is just for testing right now, once it's live it'll have all the injection areas edited correctly and no, no question marks or anything other than commas.

redwhiteandblue 05-31-2022 01:36 PM

Quote:

Originally Posted by Publisher Bucks (Post 23006561)
This is just for testing right now, once it's live it'll have all the injection areas edited correctly and no, no question marks or anything other than commas.

Konrad means the ' character - single quotation mark. If you are not at least escaping it with the addslashes() function, if there ever is one in any string you try to put in a query it will break the query.

Can't see anything wrong at first glance but when trying to debug this sort of thing you should try to find out exactly what is going wrong. To do this I would change

$result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

to

$query = "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID";
$result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli) . " query was $query");

This will spit out an error if the insert failed and stop the script right there, telling you what the actual query was you were trying to use. Obviously remove this code for the live version, and set up a proper try...catch construct, this is just a quick way to see what's going on.

If that doesn't give any error message the problem is somewhere else.

Publisher Bucks 05-31-2022 01:45 PM

Quote:

Originally Posted by redwhiteandblue (Post 23006583)
Konrad means the ' character - single quotation mark. If you are not at least escaping it with the addslashes() function, if there ever is one in any string you try to put in a query it will break the query.

Can't see anything wrong at first glance but when trying to debug this sort of thing you should try to find out exactly what is going wrong. To do this I would change

$result = mysqli_query($mysqli, "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID");

to

$query = "UPDATE Recipe SET Title='$Title',Ingredients='$Ingredients',Method=' $Method',Category='$Category',Edit='$Edit' WHERE RecipeID=$RecipeID";
$result = mysqli_query($mysqli, $query) or die(mysqli_error($mysqli) . " query was $query");

This will spit out an error if the insert failed and stop the script right there, telling you what the actual query was you were trying to use. Obviously remove this code for the live version, and set up a proper try...catch construct, this is just a quick way to see what's going on.

If that doesn't give any error message the problem is somewhere else.

This is the error it kicked out, checking the sql data now to see what the issue is.

Quote:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'sugar.
',Category='Snacks, Cookie, Dessert, Shortbread',Edit='Eric' WHERE Reci' at line 1 query was UPDATE Recipe SET Title='3-Ingredient Shortbread Cookies',Ingredients='1 cup unsalted butter, softened .
1/2 cup sugar .
2 cups all-purpose flour.
Confectioners sugar, optional.
',Method=' Preheat oven to 325 degrees.
Cream butter and sugar until light and fluffy.
Gradually beat in flour.
Press dough into an ungreased 9" square baking pan.
Prick with a fork.
Bake until light brown, 30-35 minutes.
Cut into squares while warm.
Cool completely on a wire rack.
If desired, dust with confectioners' sugar.
',Category='Snacks, Cookie, Dessert, Shortbread',Edit='Eric' WHERE RecipeID=4792
*EDIT*

Found it, there is an unescaped single quotation mark at the end of confectioners' sugar.

Thanks again for the help guys, looks like I'll be running a quick search & replace on the database to make sure that issue doesn't happen again :)

redwhiteandblue 05-31-2022 01:54 PM

You just need to do

$Ingredients = addslashes($Ingredients);

before trying to construct the query string with it. Do it with all the other vars too. Or to be more thorough you should use mysql_real_escape_string() as Konrad suggested.

sarettah 05-31-2022 01:57 PM

Quote:

Originally Posted by redwhiteandblue (Post 23006593)
you should use mysql_real_escape_string() as Konrad suggested.

This ^^^^^

.

Publisher Bucks 05-31-2022 08:30 PM

I just updated this to the code suggested by Konrad :)

Again, thank you all for your assistance with this :thumbsup

k0nr4d 05-31-2022 11:30 PM

Quote:

Originally Posted by Publisher Bucks (Post 23006673)
I just updated this to the code suggested by Konrad :)

Again, thank you all for your assistance with this :thumbsup

You should always write with the security stuff already in place, that is good practice. It's gotta be there anyways and this way you'll be used to just writing it as you go.
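
Added example, not part of the thread and not any poster's code: the same edit.php written with mysqli prepared statements, so the apostrophe in "confectioners' sugar" can no longer break or alter the UPDATE, and with every echoed value encoded inside a quoted attribute. It assumes config.php provides `$mysqli` as in the thread and that the table is named Recipe; the helper `h()` and the redirect target `index.php` are placeholders introduced here.

```php
<?php
// Added example. Assumes config.php creates $mysqli, as in the thread, and that
// the mysqlnd driver is available (needed for get_result()).
include_once("config.php");
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // query failures throw

// Hypothetical helper: encode a value for a quoted HTML attribute or textarea body.
function h($value): string {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// RecipeID must be a positive integer; reject anything else before touching the database.
$RecipeID = filter_var($_POST['RecipeID'] ?? $_GET['RecipeID'] ?? null,
    FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($RecipeID === false) {
    http_response_code(400);
    exit('Invalid RecipeID');
}

if (isset($_POST['update'])) {
    // bind_param() takes variables by reference, so copy the fields first.
    $title       = (string)($_POST['Title'] ?? '');
    $ingredients = (string)($_POST['Ingredients'] ?? '');
    $method      = (string)($_POST['Method'] ?? '');
    $category    = (string)($_POST['Category'] ?? '');
    // Placeholders keep the data out of the SQL text, so quotes are stored as typed.
    $stmt = $mysqli->prepare(
        "UPDATE Recipe SET Title=?, Ingredients=?, Method=?, Category=? WHERE RecipeID=?");
    $stmt->bind_param('ssssi', $title, $ingredients, $method, $category, $RecipeID);
    $stmt->execute();
    // Nothing has been output yet, so the redirect header can still be sent.
    header('Location: index.php'); // placeholder target
    exit;
}

$stmt = $mysqli->prepare("SELECT Title, Ingredients, Method, Category FROM Recipe WHERE RecipeID=?");
$stmt->bind_param('i', $RecipeID);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if (!$row) { http_response_code(404); exit('Recipe not found'); }
?>
<form name="update_recipe" method="post" action="">
Title <input type="text" name="Title" value="<?php echo h($row['Title']); ?>">
Ingredients <textarea name="Ingredients"><?php echo h($row['Ingredients']); ?></textarea>
Method <textarea name="Method"><?php echo h($row['Method']); ?></textarea>
Category <input type="text" name="Category" value="<?php echo h($row['Category']); ?>">
<input type="hidden" name="RecipeID" value="<?php echo h($RecipeID); ?>">
<input type="submit" name="update" value="Update">
</form>
```

With bound parameters no search and replace on stored data is needed, and the encoded, double-quoted `value` attribute is what stops a title from being cut off at its first space.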

