Building A Quick-And-Dirty PHP/MySQL Publishing System
By: icarus, (c) Melonfire
    2002-03-12

    Table of Contents:
  • Building A Quick-And-Dirty PHP/MySQL Publishing System
  • A Little Slug-gish
  • A Maniac Is Born
  • Bedtime Stories
  • Admin Ahoy!
  • Splitting Up
  • Erasing The Past
  • Changing Things Around
  • Game Over



    Building A Quick-And-Dirty PHP/MySQL Publishing System - Changing Things Around


    (Page 8 of 9)

    The last item on the agenda involves updating, or editing, a news item. The script that does this is called "edit.php", and it's a combination of both "add.php" and "delete.php".

    Like "delete.php", "edit.php" also gets the record's unique identifier via the $id variable. It now needs to display a form similar to that used by "add.php", except that this form needs to be pre-filled with the data for that news item.

    Let's see how this is accomplished:

    <?php
    // edit.php - edit a press release
    ?>

    <!-- page header - snip -->

    <?php
    // includes
    include("../conf.php");
    include("../functions.php");

    // read request input explicitly (register_globals no longer exists);
    // $id arrives in the URL from list.php, or in the hidden field on submit
    $submit = isset($_POST['submit']);
    $id = (int) ($_POST['id'] ?? $_GET['id'] ?? 0);

    // form not yet submitted
    // display initial form with values pre-filled
    if (!$submit)
    {
        // open database connection
        $connection = mysqli_connect($host, $user, $pass) or die("Unable to connect!");

        // select database
        mysqli_select_db($connection, $db) or die("Unable to select database!");

        // generate and execute query, binding $id as an integer parameter
        $query = "SELECT slug, content, contact FROM news WHERE id = ?";
        $stmt = mysqli_prepare($connection, $query) or die("Error in query: $query. " . mysqli_error($connection));
        mysqli_stmt_bind_param($stmt, "i", $id);
        mysqli_stmt_execute($stmt) or die("Error in query: $query. " . mysqli_error($connection));
        $result = mysqli_stmt_get_result($stmt);

        // if a result is returned
        if (mysqli_num_rows($result) > 0)
        {
            // turn it into an object
            $row = mysqli_fetch_object($result);

            // print form with values pre-filled
            // every value echoed into the page is HTML-escaped first
            ?>
    <table cellspacing="5" cellpadding="5">
    <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="POST">
    <input type="hidden" name="id" value="<?php echo $id; ?>">
    <tr>
    <td valign="top"><b><font size="-1">Slug</font></b></td>
    <td><input size="50" maxlength="250" type="text" name="slug" value="<?php echo htmlspecialchars($row->slug, ENT_QUOTES, 'UTF-8'); ?>"></td>
    </tr>
    <tr>
    <td valign="top"><b><font size="-1">Content</font></b></td>
    <td><textarea name="content" cols="40" rows="10"><?php echo htmlspecialchars($row->content, ENT_QUOTES, 'UTF-8'); ?></textarea></td>
    </tr>
    <tr>
    <td valign="top"><font size="-1">Contact person</font></td>
    <td><input size="50" maxlength="250" type="text" name="contact" value="<?php echo htmlspecialchars($row->contact, ENT_QUOTES, 'UTF-8'); ?>"></td>
    </tr>
    <tr>
    <td colspan="2"><input type="Submit" name="submit" value="Update"></td>
    </tr>
    </form>
    </table>
            <?php
        }
        // no result returned
        // print graceful error message
        else
        {
            echo "<font size=-1>That press release could not be located in our database.</font>";
        }
    }
    else
    {
        // form submitted
        // start processing it
    }
    ?>

    <!-- page footer - snip -->

    Using the identifier from "list.php", "edit.php" queries the database for the fields relevant to that particular record, and uses that information to pre-fill an HTML form. Note that the $id variable is also attached to this form as a hidden variable; this ID will be used by the form processor when constructing the UPDATE query.

    Here's what it looks like:



    You might be wondering why I've bothered to check the number of rows returned by the query, and written code to display an error if no rows were returned. This is necessary because, if the identifier provided to "edit.php" is invalid or non-existent, the query will return zero rows, and the administrator will be faced with a form with no data in it.

    Most of the time, this additional check is redundant, since the identifier will be generated from "list.php" and will therefore usually be valid. However, in the event that someone - a malicious hacker or, more likely, a company employee with too much time on his hands - decides to experiment with the URL string, changing the ID that gets appended to it to an invalid value, it could result in a series of ugly error messages or - even worse - cause the application to break. Therefore, by adding this check, I'm increasing the overall security of the application and simultaneously reducing the possibility of error.

    Now, once the form gets submitted, the data entered into it needs to be validated and used to update the database. Let's see how that works:

    <?php
    // edit.php - edit a press release
    ?>

    <!-- page header - snip -->

    <?php
    // includes
    include("../conf.php");
    include("../functions.php");

    // read request input explicitly (register_globals no longer exists)
    $submit = isset($_POST['submit']);
    $id = (int) ($_POST['id'] ?? $_GET['id'] ?? 0);

    // form not yet submitted
    // display initial form with values pre-filled
    if (!$submit)
    {
        // form display code
    }
    else
    {
        // form submitted
        // start processing it
        $slug = trim($_POST['slug'] ?? '');
        $content = trim($_POST['content'] ?? '');
        $contact = trim($_POST['contact'] ?? '');

        // set up error list array
        $errorList = array();

        // validate text input fields
        if ($slug === '') { $errorList[] = "Invalid entry: Slug"; }

        if ($content === '') { $errorList[] = "Invalid entry: Content"; }

        // set default value for contact person
        if ($contact === '') { $contact = $def_contact; }

        // check for errors
        // if none found...
        if (sizeof($errorList) == 0)
        {
            // open database connection
            $connection = mysqli_connect($host, $user, $pass) or die("Unable to connect!");

            // select database
            mysqli_select_db($connection, $db) or die("Unable to select database!");

            // generate and execute query; the form values are bound as
            // parameters, so quotes in the text cannot alter the statement
            $query = "UPDATE news SET slug = ?, content = ?, contact = ?, timestamp = NOW() WHERE id = ?";
            $stmt = mysqli_prepare($connection, $query) or die("Error in query: $query. " . mysqli_error($connection));
            mysqli_stmt_bind_param($stmt, "sssi", $slug, $content, $contact, $id);
            mysqli_stmt_execute($stmt) or die("Error in query: $query. " . mysqli_error($connection));

            // print result
            echo "<font size=-1>Update successful. <a href=list.php>Go back to the main menu</a>.</font>";

            // close database connection
            mysqli_close($connection);
        }
        else
        {
            // errors occurred
            // print as list
            echo "<font size=-1>The following errors were encountered: <br>";
            echo "<ul>";
            for ($x = 0; $x < sizeof($errorList); $x++)
            {
                echo "<li>$errorList[$x]</li>";
            }
            echo "</ul></font>";
        }
    }
    ?>

    <!-- page footer - snip -->

    This is almost identical to "add.php", with the obvious difference that this query string uses an UPDATE command, while that one used an INSERT command.
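
    The identifier check discussed earlier and the UPDATE step above, combined in one runnable sketch: the row check handles identifiers that match no record, while strict validation and bound parameters handle identifiers and form text that are malformed. This is an added example, not code from the original article; it swaps MySQL for an in-memory SQLite database through PDO so that it runs offline, and parse_id(), load_release() and save_release() are hypothetical helper names.

```php
<?php
// Added example with constructed data; assumes the pdo_sqlite extension is enabled.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE news (id INTEGER PRIMARY KEY, slug TEXT, content TEXT, contact TEXT)");
$pdo->exec("INSERT INTO news (id, slug, content, contact) VALUES (1, 'Launch', 'Body text', 'pr@example.com')");

// Accept only a positive decimal integer; anything else is treated as "not found".
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look up a record; the id travels as a bound parameter, never as SQL text.
function load_release(PDO $pdo, $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) { return null; }
    $stmt = $pdo->prepare("SELECT slug, content, contact FROM news WHERE id = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Update a record; returns false when the id is malformed or matches no row.
function save_release(PDO $pdo, $rawId, string $slug, string $content, string $contact): bool
{
    $id = parse_id($rawId);
    if ($id === null) { return false; }
    $stmt = $pdo->prepare("UPDATE news SET slug = ?, content = ?, contact = ? WHERE id = ?");
    $stmt->execute([$slug, $content, $contact, $id]);
    return $stmt->rowCount() === 1;
}

// Constructed inputs: one valid id, then invalid values of the kind an edited URL might carry.
foreach (['1', '999', 'abc', '1abc', "1'", '-5', ''] as $raw) {
    printf("%-8s => %s\n", var_export($raw, true), load_release($pdo, $raw) ? 'form shown' : 'not found');
}

// A slug containing quotes and markup is stored literally and escaped only on output.
save_release($pdo, '1', "Q&A: \"What's new?\"", '<b>Body</b>', 'pr@example.com');
$row = load_release($pdo, '1');
echo htmlspecialchars($row['slug'], ENT_QUOTES, 'UTF-8'), "\n";
```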
