6 Replies - 298 Views - Last Post: 04 November 2011 - 02:56 PM

#1 Syfer
  • D.I.C Head
  • Reputation: 1
  • Posts: 190
  • Joined: 08-October 10

updating fails

Posted 03 November 2011 - 09:42 PM

<?php
include("connect.php");
error_reporting(0);
?>
<html>
<?php
 if(!isset($_SESSION['userid'])){
		header("Location:index.php");
 }else{
      $result = mysql_query("select * from users_info where userid='".$_SESSION['userid']."'");
	  while($row = mysql_fetch_array($result)){
	   echo "Welcome&nbsp;".$row['first_name'];

	  }
	   
	  ?>
	  
	  <a href="logout.php">Log out</a> &nbsp; <a href="adminpage.php">Back</a>
	  <br/>
	  <hr/>
<head></head>
<body>
<div style="float:left;border:1px solid black;overflow:auto;">
<a style="text-decoration:none;" href="adminchat.php">Join the Group Chat</a><br/>
<a style="text-decoration:none;" href="make_record.php">Add/Make a Account</a><br/>
<a style="text-decoration:none;" href="appoint.php">Appoint an admin</a><br/>
<a style="text-decoration:none;" href="user_check.php">Check users information</a><br/>
<a style="text-decoration:none;" href="check_appointment.php">Check Appointments</a><br/>
</div>
<div style="overflow:auto;">
<?php
	echo "<table border=\"1\">";
					echo "<tr><td>User ID</td><td>First Name</td><td>Last Name</td><td>Date</td><td>Tooth number</td> <td>Procedure</td><td>Dentist</td><td>Amount Charged</td><td>Amount Paid</td><td>Balance</td></tr>";
					
						$query = mysql_query("SELECT * FROM users_treatment_record ORDER BY record_id") or die(mysql_error());
					
					for($i = 0; $i < mysql_num_rows($query); $i++)
					{
					
						$a = mysql_result($query, $i, 'user_id');
						$fname= mysql_result($query,$i,'first_name');
						$lname= mysql_result($query,$i,'last_name');
						$b = mysql_result($query, $i, 'date');
						$c = mysql_result($query, $i, 'tooth_num');
						$d = mysql_result($query, $i, 'procedure');
						$e = mysql_result($query, $i, 'dentist');
						$f = mysql_result($query, $i, 'amount_charged');
						$g = mysql_result($query, $i, 'amount_paid');
						$h = mysql_result($query, $i, 'balance');
												
						
						
							echo '<tr><td>'.$a.'</td><td>'.$fname.'</td><td>'.$lname.'</td><td>'.$b.'</td><td>'.$c.'</td> <td>'.$d.'</td><td>'.$e.'</td><td>'.$f.'</td><td>'.$g.'</td><td>'.$h.'</td><td><a href="edit_record.php?action=edit&id='.$a.'">edit</a></td></tr>';
						}
	echo "</table>";
		if(isset($_GET["action"]) && $_GET["action"] == "edit" && $_GET["id"]){
				$id=$_GET["id"];
				$query = mysql_query("SELECT * FROM users_treatment_record WHERE user_id='$id'") or die(mysql_error());
				echo "<div style=\"position:absolute;top:0;right:180px;z-index:1;background-color:#FFFFFF;border:1px solid black;\">";
				echo "Edit<br/><br/>";
						$a = mysql_result($query, 0, 'user_id');
						$fname = mysql_result($query, 0, 'first_name');
						$lname = mysql_result($query, 0, 'last_name');
						$b = mysql_result($query, 0, 'date');
						$c = mysql_result($query, 0, 'tooth_num');
						$d = mysql_result($query, 0, 'procedure');
						$e = mysql_result($query, 0, 'dentist');
						$f = mysql_result($query, 0, 'amount_charged');
						$g = mysql_result($query, 0, 'amount_paid');
						$h = mysql_result($query, 0, 'balance');
				echo "<form method='post' action='edit_record.php'>";
				echo "user id: <input type='text' disabled='disabled' name='aa' value='$a'><br/>";
				echo "<input type='hidden'  name='a' value='$a'><br/>";
				echo "date: <input type='text' disabled='disabled' name='bb' value='$b'><br/>";
				echo "<input type='hidden'  name='b' value='$b'><br/>";
				echo "tooth number: <input type='text'  name='c' value='$c'><br/>";
				echo "procedure: <input type='text'  name='d' value='$d'><br/>";
				echo "dentist: <input type='text'  name='e' value='$e'><br/>";
				echo "amount charged: <input type='text'  name='f' value='$f'><br/>";
				echo "amount paid: <input type='text'  name='g' value='$g'><br/>";
				echo "balance: <input type='text'  name='h' value='$h'><br/>";			
				echo "<input type='submit' value='edit' name='editor' />";
				echo "<a href='edit_record.php'>back</a>";
				echo "</form>";
				echo "</div>";
				
				 
				}
		if(isset($_POST['editor'])){
		$id=$_POST['a']+1;
		$b=$_POST['b'];
		$c=$_POST['c'];
		$d=$_POST['d'];
		$e=$_POST['e'];
		$f=$_POST['f'];
		$g=$_POST['g'];
		$h=$_POST['h'];
		
		mysql_query("UPDATE users_treatment_record SET `procedure` =  '$d',dentist= '$e' , amount_charged= '$f' , tooth_num = '$c',amount_paid= '$g' , balance= '$h' WHERE user_id = '".$id."'")or die(mysql_error());
		echo '<meta http-equiv="refresh" content="0;url=edit_record.php">';
	    exit;
		}
	  
	  }

	 
	
	 
	 

?>
</div>
</body>
</html>


First, please disregard the alignment of my code.

About my problem:
the update fails after I update the form >_>

Any help would be appreciated. :)

Is This A Good Question/Topic? 0

Replies To: updating fails

#2 e_i_pi
  • Reputation: 795
  • Posts: 1,681
  • Joined: 30-January 09

Re: updating fails

Posted 03 November 2011 - 09:54 PM

Are you trying to handle the entire process in the one file? Because that will not work. When a user clicks the submit button, it should take them to another file (read: page). I suspect you will need to split that code into various files, each representing a page, or a process.

Also, you should not use both the $_GET and $_POST methods at the same time. The method you use should match the method declared in the submit button.

This post has been edited by e_i_pi: 03 November 2011 - 09:54 PM

Was This Post Helpful? 1

#3 Syfer
  • D.I.C Head
  • Reputation: 1
  • Posts: 190
  • Joined: 08-October 10

Re: updating fails

Posted 03 November 2011 - 10:03 PM

e_i_pi, on 03 November 2011 - 09:54 PM, said:

Are you trying to handle the entire process in the one file? Because that will not work. When a user clicks the submit button, it should take them to another file (read: page). I suspect you will need to split that code into various files, each representing a page, or a process.

Also, you should not use both the $_GET and $_POST methods at the same time. The method you use should match the method declared in the submit button.


I'll keep that in mind.

Thanks.

Any more advice or help?
Was This Post Helpful? 0

#4 e_i_pi
  • Reputation: 795
  • Posts: 1,681
  • Joined: 30-January 09

Re: updating fails

Posted 03 November 2011 - 10:24 PM

Well, I would avoid using variable names such as $a, $b, etc. Your code would be more readable if you used variable names such as $procedure and $dentist. Code readability seems like a moot point. That is, until you have to go back to that code, either to fix it or make it better. Then, it becomes very hard to understand at a glance what $a means, especially if it is declared/populated at the top of the code block and you're 200 lines in.

You should also look into sanitising your SQL queries. The best way to do this is with PDOs, which I will admit are an advanced concept. The problem with your SQL at the moment is that people can freely enter text into your forms, that text is passed to your query as a variable, but if that variable is something like '; DROP TABLE users_treatment_record; --', then you're in big trouble.

Here's some resources:
Introduction to PDOs
Prepared statements
A list of great links for learning about PHP on DIC
Was This Post Helpful? 0
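Worked example added here (it is not code from Syfer's post or from either reply): the SELECT and UPDATE that edit_record.php runs, rewritten with PDO prepared statements as e_i_pi recommends. It runs against an in-memory SQLite database so it can be executed offline without connect.php; the schema, the sample row and the remark about the MySQL DSN are constructed for the example. The payload quoted in the reply is submitted as the procedure field to show it ends up stored as plain text.

```php
<?php
// Added example, not code from the thread: the SELECT and UPDATE used by
// edit_record.php rewritten with PDO prepared statements. It runs against an
// in-memory SQLite database so it executes offline; for MySQL only the DSN and
// credentials change (assumption; connect.php is not shown in the thread).
// SQLite accepts MySQL-style backtick identifiers, so `procedure` works on both.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and sample row, mirroring the columns the posted page reads.
    $db->exec('CREATE TABLE users_treatment_record (
        record_id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER NOT NULL,
        first_name TEXT, last_name TEXT, date TEXT, tooth_num TEXT, `procedure` TEXT,
        dentist TEXT, amount_charged REAL, amount_paid REAL, balance REAL)');
    $db->exec("INSERT INTO users_treatment_record
        (user_id, first_name, last_name, date, tooth_num, `procedure`, dentist,
         amount_charged, amount_paid, balance)
        VALUES (7, 'Ada', 'Lovelace', '2011-11-03', '14', 'filling', 'Dr. Smith', 120, 50, 70)");
    return $db;
}

// Look up one record. The id is bound as an integer, so a value such as
// "7 OR 1=1" can never become part of the SQL text.
function fetchRecord(PDO $db, int $userId): ?array
{
    $stmt = $db->prepare('SELECT * FROM users_treatment_record WHERE user_id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Apply the edit form. The SQL is fixed at prepare() time; the form values are
// sent separately as parameters and are never parsed as SQL. Returns the number
// of rows matched, so a WHERE clause that hits nothing is visible to the caller.
function updateRecord(PDO $db, int $userId, array $f): int
{
    $stmt = $db->prepare('UPDATE users_treatment_record
        SET `procedure` = :procedure, dentist = :dentist, tooth_num = :tooth_num,
            amount_charged = :amount_charged, amount_paid = :amount_paid, balance = :balance
        WHERE user_id = :id');
    $stmt->execute([
        ':procedure' => $f['procedure'], ':dentist' => $f['dentist'],
        ':tooth_num' => $f['tooth_num'], ':amount_charged' => $f['amount_charged'],
        ':amount_paid' => $f['amount_paid'], ':balance' => $f['balance'],
        ':id' => $userId,
    ]);
    return $stmt->rowCount();
}

$db = openDb();

// The hostile value from e_i_pi's reply, submitted as the "procedure" field.
$payload = "'; DROP TABLE users_treatment_record; --";
$edit = ['procedure' => $payload, 'dentist' => 'Dr. Smith', 'tooth_num' => '14',
         'amount_charged' => 120, 'amount_paid' => 120, 'balance' => 0];

$changed = updateRecord($db, 7, $edit);
$row = fetchRecord($db, 7);
if ($changed !== 1 || $row === null || $row['procedure'] !== $payload) {
    throw new RuntimeException('expected the payload to be stored as a literal');
}
echo "rows updated: $changed, stored procedure: {$row['procedure']}\n";

// The same edit aimed at a user_id that does not exist matches nothing, and
// rowCount() says so instead of the update "succeeding" silently.
echo 'rows updated for user 8: ' . updateRecord($db, 8, $edit) . "\n";
```

One caveat on the quoted payload: mysql_query() sends a single statement and does not enable stacked statements, so the DROP TABLE part would not run through the posted code. The unescaped quote still breaks the query, and a crafted value in the id or in a form field can still rewrite the WHERE clause so that every row is updated or other rows are read, so the fix is the same. rowCount() is returned deliberately: an UPDATE whose WHERE clause matches no row is exactly the kind of "fails with no error" that this thread is about.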

#5 Atli
  • D.I.C Lover
  • Reputation: 3719
  • Posts: 5,991
  • Joined: 08-June 10

Re: updating fails

Posted 03 November 2011 - 11:53 PM

e_i_pi, on 04 November 2011 - 04:54 AM, said:

Are you trying to handle the entire process in the one file? Because that will not work. When a user clicks the submit button, it should take them to another file (read: page). I suspect you will need to split that code into various files, each representing a page, or a process.

Also, you should not use both the $_GET and $_POST methods at the same time. The method you use should match the method declared in the submit button.

Actually, you are wrong on both points.

It is entirely possible to do this on one page. It's in fact a pretty common method used to update records, like Syfer is doing. And the method he's using looks fine at a glance.

There is also no reason why you should not be using GET and POST at the same time. It can be quite useful at times. Most PHP frameworks do, in fact, rely on the ability to use both at the same time. They tend to use the GET protocol to route requests, regardless of whether it's a POST or a GET request. (They usually rewrite URLs, passing the name of controllers and actions to PHP via GET.)

Syfer's code actually demonstrates a pretty good reason why you'd want to use both on the same page. Although technically he isn't using them at the same time. He uses GET to decide whether or not to show the form, which upon submission sends the data using POST. Neither request uses both.

Syfer, on 04 November 2011 - 04:42 AM, said:

about my problem:
the update fails after i update the form >_>

How does it fail? With an error or does it just have no effect?

The first thing I would do would be to var_dump the $_POST array and the SQL you use to send the update. Make sure it is what you expect it to be.

Just to add to e_i_pi's point about the way you are building your queries... Passing unverified user input into a query without escaping it first is just about the most dangerous thing you can do. Not only does it make your site extremely easy to hack and/or destroy, it makes it very easy for you to mess up the data yourself purely by accident.

The easiest way to fix this, while using the mysql extension, is to use the mysql_real_escape_string function. No value should ever go into a mysql_query before it is run through this function. Even hard-coded values!


Another thing. On line 8 you use the header function, but on line 5 you have already started sending HTML. The header function cannot be used after any content has been sent, be it a line of HTML or even a single whitespace character.
Was This Post Helpful? 3
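Added example (not code from Syfer's post or from Atli's reply): the top of edit_record.php ordered so that the login check and the post-update redirect both happen before any output, with the UPDATE assembled into a string that is escaped and logged before it is sent, as the reply suggests. It assumes connect.php provides a mysqli connection in $db and that the session is started here; both are assumptions, since connect.php is not shown in the thread. mysqli is used because the mysql extension the post relies on was removed in PHP 7; its real_escape_string() is the counterpart of mysql_real_escape_string().

```php
<?php
// Added example, not code from the thread: the top of edit_record.php ordered
// so that header() is only ever called before output, with the UPDATE built
// into a string that is escaped and logged before it is sent. Assumes
// connect.php provides a mysqli connection as $db (assumption; the thread does
// not show connect.php).
declare(strict_types=1);

require __DIR__ . '/connect.php';
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// 1. Login check before a single byte of output. The posted file prints
//    "<html>" first, so its header("Location:...") is silently ignored.
if (!isset($_SESSION['userid'])) {
    header('Location: index.php');
    exit;  // without exit the rest of the script still runs for the anonymous user
}

// 2. Every value spliced into SQL text goes through the escaper, and the
//    escaped string is wrapped in quotes: escaping only protects quoted
//    string literals. The id is cast to int so it needs no quoting at all.
function buildUpdateSql(mysqli $db, array $post): string
{
    $s = fn(string $v): string => "'" . $db->real_escape_string($v) . "'";
    $id = (int) $post['a'];   // the hidden field the posted form sends, used as-is
    return 'UPDATE users_treatment_record SET'
        . ' `procedure` = ' . $s($post['d'])
        . ', dentist = ' . $s($post['e'])
        . ', amount_charged = ' . $s($post['f'])
        . ', tooth_num = ' . $s($post['c'])
        . ', amount_paid = ' . $s($post['g'])
        . ', balance = ' . $s($post['h'])
        . ' WHERE user_id = ' . $id;
}

// 3. Handle the submitted form before any HTML, then redirect with a real
//    Location header rather than a <meta http-equiv="refresh"> tag.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['editor'])) {
    $sql = buildUpdateSql($db, $_POST);

    // Atli's debugging step: inspect exactly what is about to be sent.
    // error_log() keeps it off the page; use var_dump() while developing.
    error_log('POST: ' . var_export($_POST, true));
    error_log('SQL:  ' . $sql);

    if ($db->query($sql) === false) {
        throw new RuntimeException('UPDATE failed: ' . $db->error);
    }
    if ($db->affected_rows === 0) {
        // No MySQL error, but nothing changed: the WHERE clause matched no row.
        error_log('UPDATE matched no rows for user_id ' . (int) $_POST['a']);
    }
    header('Location: edit_record.php');
    exit;
}

// 4. Only now does the page start. The listing and the edit form from the
//    post go below, unchanged.
?>
<html>
<body>
<!-- record table and edit form from the original edit_record.php -->
</body>
</html>
```

Two things this ordering surfaces. The posted file calls error_reporting(0) on its third line, which suppresses the "headers already sent" warning PHP would otherwise raise for the header() call on line 8, so the broken redirect never shows up on screen. And dumping $sql shows the shape of the WHERE clause: the posted handler sets $id to $_POST['a']+1, so its UPDATE looks for a user_id one higher than the record that was edited, and affected_rows comes back 0 without any MySQL error.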

#6 Syfer
  • D.I.C Head
  • Reputation: 1
  • Posts: 190
  • Joined: 08-October 10

Re: updating fails

Posted 04 November 2011 - 06:14 AM

Thanks for that :D

Anyway, what I'm thinking about is that my code works perfectly at home, but when I try to access it and paste it into the
computer at school it becomes messed up and doesn't work... what might be the reason(s)?

Old XAMPP? Or something else?
Was This Post Helpful? 0

#7 e_i_pi
  • Reputation: 795
  • Posts: 1,681
  • Joined: 30-January 09

Re: updating fails

Posted 04 November 2011 - 02:56 PM

Atli, on 03 November 2011 - 11:53 PM, said:

Actually, you are wrong on both points.

It is entirely possible to do this on one page. It's in fact a pretty common method used to update records, like Syfer is doing. And the method he's using looks fine at a glance.

There is also no reason why you should not be using GET and POST at the same time. It can be quite useful at times. Most PHP frameworks do, in fact, rely on the ability to use both at the same time. They tend to use the GET protocol to route requests, regardless of whether it's a POST or a GET request. (They usually rewrite URLs, passing the name of controllers and actions to PHP via GET.)

Syfer's code actually demonstrates a pretty good reason why you'd want to use both on the same page. Although technically he isn't using them at the same time. He uses GET to decide whether or not to show the form, which upon submission send the data using POST. Neither request uses both.

Ah yes I stand corrected. With the second point I meant that a form can't send both GET and POST data in the one transaction, not that they can't both be used in the one PHP file. But even on that point I am wrong! :) It is entirely possible to do this:
<form name="my_form" action="my_page.php?foo=a" method="post">
  <input type="submit" name="bar" value="b">
</form>


'foo' will be passed as a GET variable and 'bar' will be passed as a POST variable.

Sorry to lead you down the wrong track Syfer!
Was This Post Helpful? 0
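Added example (not code from e_i_pi's reply): a complete my_page.php that is routed by the foo query-string parameter while bar arrives in the POST body, the split the reply's form produces and the same one Syfer's page uses with ?action=edit&id=. The file name and the foo/bar field names are the ones in the quoted form; the request-method check and the per-session form token are added hardening that the thread does not discuss.

```php
<?php
// Added example, not from the original thread. One page, my_page.php, that is
// routed by the query string (foo) while the form fields (bar, csrf) travel in
// the POST body. File and field names come from e_i_pi's form; the token check
// and the method check are added hardening (assumed, not discussed in the thread).
declare(strict_types=1);
session_start();

// Issue one token per session; the form sends it back in the POST body.
if (!isset($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

$route  = $_GET['foo'] ?? 'show';                 // routing comes from the URL
$isPost = $_SERVER['REQUEST_METHOD'] === 'POST';  // data comes from the body

// Anything that changes state runs only for POST, on the right route, with a
// valid token. The query string is visible and trivially forgeable, so it is
// never trusted on its own to authorise the change.
if ($isPost && $route === 'a') {
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('invalid form token');
    }
    $_SESSION['last_bar'] = (string) ($_POST['bar'] ?? '');  // stand-in for the real update
    header('Location: my_page.php?foo=done');                  // redirect before any output
    exit;
}

// A GET to ?foo=a (bookmarked link, crawler, image tag) falls through and just
// renders the form; nothing is changed.
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($route === 'done'): ?>
  <p>Saved: <?= htmlspecialchars($_SESSION['last_bar'] ?? '', ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form name="my_form" action="my_page.php?foo=a" method="post">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
  <input type="submit" name="bar" value="b">
</form>
</body>
</html>
```

The point of keeping the two sources apart is that $_GET decides which branch runs and $_POST supplies what the branch operates on; nothing that writes to the database should be reachable from a bare GET, whatever the query string says.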
