How to securely edit information in a database from a user form (PHP)
Currently I have a working PHP edit script, which allows users to edit ads they have posted, but I have realised that users can modify the ?id= number to bring up another set of data, then edit someone else's data and save it in the database.

Is there any way I can make it so that when a user clicks on an advert they have posted in order to edit it, only their own ads are accessible, so that they won't be able to edit other people's ads by adjusting the ?id=, and a way of protecting the form from manipulation?

BIG THANKS TO ANYONE THAT CAN HELP!

Here is my current code:

```php
<?php
/*
 * EDIT.PHP
 * Allows user to edit specific entry in database
 */

// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $fname, $lname, $contact, $price, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
    <title>Edit Record</title>
    <link rel="stylesheet" type="text/css" href="stylesheet.css">
    <style type="text/css">
        #page-wrap {
            position: absolute;
            top: 206px;
            left: 288px;
            width: 50%;
            text-align: left;
            background-color: #FFF;
            padding: 10px;
            border-radius: 10px;
            box-shadow: 1px 2px 2px #888888;
        }
    </style>
    <script type="text/javascript">
        function myfunction(url) {
            window.location.href = url;
        }
    </script>
</head>
<body>
<div class="container">
    <div id="imagelogo" onclick="window.location.href = 'index.html'">
        <p> Buy and sell stuff around University</p>
    </div>
    <ul id="navigation" name="navigation">
        <li id="nav-home"><a href="index.html">Home</a></li>
        <li id="nav-search"><a href="search.php">Search</a></li>
        <li id="nav-selling"><a href="#">Selling</a></li>
        <li id="nav-buying"><a href="#">Buying</a></li>
        <li id="nav-FAQ"><a href="#">FAQ</a></li>
        <li id="nav-contact"><a href="#">Contact</a></li>
        <p>&nbsp;</p>
        <p>&nbsp;</p>
        <p>&nbsp;</p>
        <p>Sponsors</p>
    </ul>
    <div id="account">
        <?php
        if (isset($_SESSION['username'])) {
            echo "<a href='securedpage1.php'>My Account</a><img src='images/uni-icon.png' width='30' height='18' style='vertical-align: middle;'/>";
        } else {
            echo "<a href='login.php' >Login</a><img src='images/uni-icon.png' width='30' height='18' style='vertical-align: middle;'/>";
        }
        ?>
    </div>
    <div id="registerlogout">
        <?php
        if (isset($_SESSION['username'])) {
            echo "<a href='logout.php'>Logout</a>";
        } else {
            echo "<a href='register.php'> Register</a>";
        }
        ?>
    </div>
    <div id="social">
        <img src="images/fb-logo.png" width="22" height="20" />
        <img src="images/twitter-logo.png" width="24" height="25" />
    </div>
    <div id="page-wrap">
        <?php
        // if there are any errors, display them
        if ($error != '') {
            echo '<div style="padding:4px; border:1px solid red; color:red;">' . $error . '</div>';
        }
        ?>
        <form action="" method="post">
            <input type="hidden" name="id" value="<?php echo $id; ?>"/>
            <div>
                <strong>Ad Title: *</strong>
                <input type="text" name="fname" style="width: 60%; box-sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo $fname; ?>"/><br/>
                <strong>Description: *</strong>
                <textarea name="lname" cols="45" rows="5"><?php echo $lname; ?></textarea><br/>
                <strong>Contact*</strong>
                <input type="text" name="contact" style="width: 60%; box-sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo $contact; ?>"/><br/>
                <strong>Price*</strong>
                <input type="text" name="price" style="width: 60%; box-sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo $price; ?>"/><br/>
                <p>* Required</p>
                <input type="submit" name="submit" value="Submit">
            </div>
        </form>
    </div>
</div>
</body>
</html>
<?php
}

// Initialize session
session_start();

// connect to the database
include('conn.php');

// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit'])) {
    // confirm that the 'id' value is a valid integer before getting the form data
    if (is_numeric($_POST['id'])) {
        // get form data, making sure it is valid
        $id = $_POST['id'];
        $fname = mysql_real_escape_string(htmlspecialchars($_POST['fname']));
        $lname = mysql_real_escape_string(htmlspecialchars($_POST['lname']));
        $contact = mysql_real_escape_string(htmlspecialchars($_POST['contact']));
        $price = mysql_real_escape_string(htmlspecialchars($_POST['price']));

        // check that all required fields are filled in
        if ($fname == '' || $lname == '' || $contact == '' || $price == '') {
            // generate error message
            $error = 'ERROR: Please fill in all required fields!';
            // error, display form
            renderForm($id, $fname, $lname, $contact, $price, $error);
        } else {
            // save the data to the database
            mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname', lname='$lname' WHERE id='$id'") or die(mysql_error());
            // once saved, redirect back to the view page
            header("Location: view.php");
        }
    } else {
        // if the 'id' isn't valid, display an error
        echo 'Error!';
    }
} else {
    // if the form hasn't been submitted, get the data from the db and display the form
    // get the 'id' value from the URL (if it exists), making sure that it is valid (checking that it is numeric/larger than 0)
    if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0) {
        // query db
        $id = $_GET['id'];
        $result = mysql_query("SELECT * FROM people WHERE id=$id") or die(mysql_error());
        $row = mysql_fetch_array($result);

        // check that the 'id' matches up with a row in the database
        if ($row) {
            // get data from db
            $fname = $row['fname'];
            $lname = $row['lname'];
            $contact = $row['contact'];
            $price = $row['price'];
            // show form
            renderForm($id, $fname, $lname, $contact, $price, '');
        } else {
            // if no match, display result
            echo "No results!";
        }
    } else {
        // if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
        echo 'Error!';
    }
}
?>
```
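The script above is vulnerable in two independent ways that the question describes: the ad id comes from the client (the `?id=` query string on GET, the hidden `id` field on POST) and is never compared with who is logged in, so any authenticated user can load and overwrite any row (an insecure direct object reference); and nothing ties a submitted form to the user's session, so a page on another site can post to it on the user's behalf. The following is an added example written for this page, not the poster's code or an answer from the thread, showing how the same edit flow looks with both fixed. It assumes things the post does not show: that the `people` table has an `owner_id` column holding the numeric id of the user who posted the ad, that `login.php` stores that id in `$_SESSION['user_id']`, and that `conn.php` provides a PDO handle (the `mysql_*` functions used in the original were removed in PHP 7). The helper names `loadOwnAd`, `updateOwnAd`, `csrfToken` and `handleEditRequest` are hypothetical. The ownership test lives inside the `WHERE` clause of both the `SELECT` and the `UPDATE`, so even a tampered hidden field cannot reach another user's row, and bound parameters replace `mysql_real_escape_string` entirely.

```php
<?php
// Ownership-checked edit logic for EDIT.PHP. Added example, not the poster's
// code. Assumptions not in the original post: `people` has an `owner_id`
// column holding the id of the user who posted the ad; login.php stores that
// numeric id in $_SESSION['user_id']; conn.php yields a PDO handle ($pdo).

// Fetch an ad only if it belongs to $userId. Returns null both for a missing
// ad and for someone else's, so the response does not reveal which ids exist.
function loadOwnAd(PDO $pdo, int $userId, int $adId): ?array
{
    $stmt = $pdo->prepare('SELECT id, fname, lname, contact, price FROM people
                           WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $adId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The owner test is part of the UPDATE, so a hidden "id" edited in the browser
// can never reach another user's row. Returns the affected-row count (MySQL
// reports 0 when nothing changed, so 0 alone does not mean "forbidden").
function updateOwnAd(PDO $pdo, int $userId, int $adId, array $f): int
{
    $stmt = $pdo->prepare('UPDATE people SET fname = :fname, lname = :lname,
                           contact = :contact, price = :price
                           WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':fname' => $f['fname'], ':lname' => $f['lname'],
                    ':contact' => $f['contact'], ':price' => $f['price'],
                    ':id' => $adId, ':uid' => $userId]);
    return $stmt->rowCount();
}

// Per-session anti-CSRF token; renderForm() must emit it as
// <input type="hidden" name="csrf"> and every POST must carry it back.
function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Request flow. $session is $_SESSION, $params is $_GET (show form) or $_POST
// (save); $render is renderForm() extended to take (row, csrf token, error).
// Returns an error string for the caller to print, or null on success.
function handleEditRequest(PDO $pdo, array &$session, string $method,
                           array $params, callable $render): ?string
{
    if (empty($session['user_id'])) {
        return 'Please log in first.';
    }
    $userId = (int) $session['user_id'];
    $adId = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($adId === false) {
        return 'Error!';
    }
    $row = loadOwnAd($pdo, $userId, $adId);      // authorization, not just lookup
    if ($row === null) {
        return 'No results!';
    }
    if ($method !== 'POST') {
        $render($row, csrfToken($session), '');
        return null;
    }
    $sent = $params['csrf'] ?? '';
    if (!isset($session['csrf']) || !is_string($sent) || !hash_equals($session['csrf'], $sent)) {
        return 'Error!';
    }
    $fields = [];
    foreach (['fname', 'lname', 'contact', 'price'] as $name) {
        // Store raw text; apply htmlspecialchars() when rendering, not here.
        $fields[$name] = is_string($params[$name] ?? null) ? trim($params[$name]) : '';
        if ($fields[$name] === '') {
            $render($row, $session['csrf'], 'ERROR: Please fill in all required fields!');
            return null;
        }
    }
    updateOwnAd($pdo, $userId, $adId, $fields);
    return null;                                  // caller then redirects to view.php
}

// Stand-alone demonstration on constructed data in an in-memory SQLite
// database (needs pdo_sqlite): user 1 owns ad 7, user 2 owns ad 8.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,
            fname TEXT, lname TEXT, contact TEXT, price TEXT)');
$pdo->exec("INSERT INTO people VALUES (7, 1, 'Bike', 'Red road bike', '0123', '50'),
            (8, 2, 'Desk', 'Oak desk', '0456', '30')");
$session = ['user_id' => 2];                      // user 2 is logged in
$render = function (array $row, string $token, string $error) {
    echo "rendering form for ad {$row['id']}" . ($error ? " with error: $error" : '') . "\n";
};
// User 2 changes the URL to ?id=7 (user 1's ad): refused, existence not revealed.
echo handleEditRequest($pdo, $session, 'GET', ['id' => '7'], $render), "\n";
// User 2 opens ad 8, then submits a valid edit carrying the issued token.
handleEditRequest($pdo, $session, 'GET', ['id' => '8'], $render);
$post = ['id' => '8', 'csrf' => $session['csrf'], 'fname' => 'Desk',
         'lname' => 'Oak desk, scratched', 'contact' => '0456', 'price' => '25'];
var_dump(handleEditRequest($pdo, $session, 'POST', $post, $render));
// The same POST with the hidden id changed to 7 cannot touch user 1's row.
echo handleEditRequest($pdo, $session, 'POST', ['id' => '7'] + $post, $render), "\n";
```

In the real `EDIT.PHP` the call is `handleEditRequest($pdo, $_SESSION, $_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_METHOD'] === 'POST' ? $_POST : $_GET, 'renderForm')` after `session_start()`, followed by `header('Location: view.php')` when it returns null on a POST. Two points worth keeping: a foreign id gets the same "No results!" as a non-existent one, so probing ids tells an attacker nothing; and `htmlspecialchars()` moves out of the save path and into `renderForm()`'s `value="..."` and `<textarea>` output, which is where the injection risk actually is. The `isset($_SESSION['username'])` checks in the original only switch navigation links; they never gate the edit, which is why the ownership check has to be in the query.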