Page 8 - Building A Quick-And-Dirty PHP/MySQL Publishing System
Changing Things Around - PHP
Looking to quickly add a dynamic news page to your corporate or personal Web site? This article shows you how, combining PHP's rapid application development capabilities with a MySQL database to create a primitive news publishing system and administration module in just under four hours.
The last item on the agenda involves updating, or editing, a news item. The script that does this is called "edit.php", and it's a combination of both "add.php" and "delete.php".
Like "delete.php", "edit.php" also gets the record's unique identifier via the $id variable. It now needs to display a form similar to that used by "add.php", except that this form needs to be pre-filled with the data for that news item.
Let's see how this is accomplished:
<?
// edit.php - edit a press release
?>
<!-- page header - snip -->
<?
// includes
include("../conf.php");
include("../functions.php");
// form not yet submitted
// display initial form with values pre-filled
if (!$submit)
{
// open database connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");
// select database
mysql_select_db($db) or die ("Unable to select database!");
// generate and execute query
$query = "SELECT slug, content, contact FROM news WHERE id = '$id'";
$result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());
// if a result is returned
if (mysql_num_rows($result) > 0)
{
// turn it into an object
$row = mysql_fetch_object($result);
// print form with values pre-filled
?>
<table cellspacing="5" cellpadding="5">
<form action="<? echo $PHP_SELF; ?>" method="POST">
<input type="hidden" name="id" value="<? echo $id; ?>">
<tr>
<td valign="top"><b><font size="-1">Slug</font></b></td>
<td><input size="50" maxlength="250" type="text" name="slug" value="<? echo $row->slug; ?>"></td>
</tr>
<tr>
<td valign="top"><b><font size="-1">Content</font></b></td>
<td><textarea name="content" cols="40" rows="10"><? echo $row->content; ?></textarea></td>
</tr>
<tr>
<td valign="top"><font size="-1">Contact person</font></td>
<td><input size="50" maxlength="250" type="text" name="contact" value="<? echo $row->contact; ?>"></td>
</tr>
<tr>
<td colspan=2><input type="Submit" name="submit" value="Update"></td>
</tr>
</form>
</table>
<?
}
// no result returned
// print graceful error message
else
{
echo "<font size=-1>That press release could not be located in our database.</font>";
}
}
else
{
// form submitted
// start processing it
}
?>
<!-- page footer - snip -->
Using the identifier from "list.php", "edit.php" queries the database for the fields relevant to that particular record, and uses that information to pre-fill an HTML form. Note that the $id variable is also attached to this form as a hidden variable; this ID will be used by the form processor when constructing the UPDATE query.
Here's what it looks like:
You might be wondering why I've bothered to check the number of rows returned by the query, and written code to display an error if no rows were returned. This is necessary because, if the identifier provided to "edit.php" is invalid or non-existent, the query will return zero rows, and the administrator will be faced with a form with no data in it.
Most of the time, this additional check is redundant, since the identifier will be generated from "list.php" and will therefore usually be valid. However, in the event that someone - a malicious hacker or, more likely, a company employee with too much time on his hands - decides to experiment with the URL string, changing the ID that gets appended to it to an invalid value, it could result in a series of ugly error messages or - even worse - cause the application to break. Therefore, by adding this check, I'm increasing the overall security of the application and simultaneously reducing the possibility of error.
Now, once the form gets submitted, the data entered into it needs to be validated and used to update the database. Let's see how that works:
<?
// edit.php - edit a press release
?>
<!-- page header - snip -->
<?
// form not yet submitted
// display initial form with values pre-filled
if (!$submit)
{
// form display code
}
else
{
// form submitted
// start processing it
// set up error list array
$errorList = array();
$count = 0;
// validate text input fields
if (!$slug) { $errorList[$count] = "Invalid entry: Slug"; $count++; }
if (!$content) { $errorList[$count] = "Invalid entry: Content"; $count++; }
// set default value for contact person
if (!$contact) { $contact = $def_contact; }
// check for errors
// if none found...
if (sizeof($errorList) == 0)
{
// open database connection
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");
// select database
mysql_select_db($db) or die ("Unable to select database!");
// generate and execute query
$query = "UPDATE news SET slug = '$slug', content = '$content', contact = '$contact', timestamp = NOW() WHERE id = '$id'";
$result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());
// print result
echo "<font size=-1>Update successful. <a href=list.php>Go back to the main menu</a>.</font>";
// close database connection
mysql_close($connection);
}
else
{
// errors occurred
// print as list
echo "<font size=-1>The following errors were encountered: <br>";
echo "<ul>";
for ($x=0; $x<sizeof($errorList); $x++)
{
echo "<li>$errorList[$x]";
}
echo "</ul></font>";
}
}
?>
<!-- page footer - snip -->
This is almost identical to "add.php", with the obvious difference that this query string uses an UPDATE command, while that one used an INSERT command.
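The row-count check described earlier catches a missing record, but neither half of "edit.php" validates what $id, $slug, $content or $contact contain before they are interpolated into the SQL string and echoed back into the form, so a crafted value can change the query or inject markup into the administration page. The following is an added example, not the tutorial's own code, that reworks both the pre-fill and the update step with explicit input handling, mysqli prepared statements and output escaping. It assumes the tutorial's "news" table, the variables from "conf.php" ($host, $user, $pass, $db, $def_contact) and PHP 7.4 or later with mysqlnd.

```php
<?php
// edit.php, hardened rewrite (added example, not the tutorial's own code).
// Assumes the tutorial's "news" table and that conf.php defines $host, $user,
// $pass, $db and $def_contact; needs PHP 7.4+ with mysqli/mysqlnd.
include("../conf.php");
// Do not rely on register_globals: read each input explicitly and type it.
$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;   // non-numeric -> 0
if ($id <= 0) { die("Invalid press release identifier."); }
$mysqli = new mysqli($host, $user, $pass, $db);
if ($mysqli->connect_error) { die("Unable to connect!"); }
$h = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');

if (!isset($_POST['submit'])) {
    // Pre-fill the form. The id is bound as an integer parameter, never
    // interpolated, and every stored value is escaped on the way into HTML.
    $stmt = $mysqli->prepare("SELECT slug, content, contact FROM news WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_object();
    if (!$row) { die("That press release could not be located in our database."); }
    echo '<form action="edit.php" method="POST">';
    echo '<input type="hidden" name="id" value="' . $id . '">';
    echo 'Slug: <input type="text" name="slug" maxlength="250" value="' . $h($row->slug) . '"><br>';
    echo 'Content: <textarea name="content" cols="40" rows="10">' . $h($row->content) . '</textarea><br>';
    echo 'Contact person: <input type="text" name="contact" maxlength="250" value="' . $h($row->contact) . '"><br>';
    echo '<input type="submit" name="submit" value="Update"></form>';
} else {
    // Validate server-side; the browser's maxlength attribute is not a control.
    $slug    = trim($_POST['slug'] ?? '');
    $content = trim($_POST['content'] ?? '');
    $contact = trim($_POST['contact'] ?? '') ?: $def_contact;
    $errors = [];
    if ($slug === '' || strlen($slug) > 250) { $errors[] = "Invalid entry: Slug"; }
    if ($content === '')                     { $errors[] = "Invalid entry: Content"; }
    if (strlen($contact) > 250)              { $errors[] = "Invalid entry: Contact person"; }
    if ($errors) {
        echo "The following errors were encountered:<ul>";
        foreach ($errors as $e) { echo "<li>" . $h($e) . "</li>"; }
        echo "</ul>";
    } else {
        // Parameterised UPDATE: the text fields travel as data, not as SQL.
        $stmt = $mysqli->prepare(
            "UPDATE news SET slug = ?, content = ?, contact = ?, timestamp = NOW() WHERE id = ?");
        $stmt->bind_param("sssi", $slug, $content, $contact, $id);
        $stmt->execute();
        echo 'Update successful. <a href="list.php">Go back to the main menu</a>.';
    }
}
$mysqli->close();
```

The same two changes, binding parameters instead of building query strings and escaping values on output, apply equally to "add.php" and "delete.php", since they share this page's query-building pattern.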