1 Replies - 258 Views - Last Post: 07 October 2012 - 03:31 PM Rate Topic: -----

#1 DoxramosPS  Icon User is offline

  • D.I.C Head

Reputation: 4
  • View blog
  • Posts: 156
  • Joined: 07-October 12

Hidden Field Not being Retrieved

Posted 07 October 2012 - 02:15 PM

I'm working on a CMS platform using PHP and MySQL;
When the user is logged in as an administrator the following code is displayed.
<?php
		$con=mysql_connect("$server","$user","$pass");
		if
		(!$con)
			{
			die('Could not connect: ' .mysql_error());
			}
		mysql_select_db("$webdb", $con);
			$result=mysql_query("SELECT * FROM pages WHERE name='Index'");
			while ($row=
			mysql_fetch_array($result))
				{
				echo "<title>";
				echo $row['title'];
				echo "</title>";
				echo $row['content'];
            
				}
	mysql_close($con);
	?>
    <br />
    <form action="update_content.php" method="post">
    <textarea name="content" cols="80" rows="10"></textarea>
    <input type="hidden" name="page" value="Index" />
    
   <br /><input type="button" onclick="javascript:window.location.href='update_content.php'" value="Update" />
   </form>


This is the index_admin.php Code that I have and then I have it pulling update_content.php as the following.
$con = mysql_connect("$server","$user","$pass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
    
mysql_select_db("$webdb", $con);

$query = "UPDATE pages SET content='$_POST[content]' WHERE name='$_POST[page]'";

if (!mysql_query($query,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "$_POST[page] has been Successfully Updated";
mysql_close($con);
?>


When the user submits it looks as if the hidden field isn't being proccessed into the database; if anyone knows why it would be a great headache saver. Appreciate it much.

Is This A Good Question/Topic? 0
  • +

Replies To: Hidden Field Not being Retrieved

#2 Atli  Icon User is offline

  • D.I.C Lover
  • member icon

Reputation: 3710
  • View blog
  • Posts: 5,958
  • Joined: 08-June 10

Re: Hidden Field Not being Retrieved

Posted 07 October 2012 - 03:31 PM

The problem there would be that the "Update" button is redirecting the user using Javascript, instead of submitting the form. When you do that, none of the form data will be sent with the redirect. You should be using a simple <input type="submit" value="Update"> button instead.


Also, I should point out that your code is wide open to SQL Injection. You don't even check to see if the $_POST values in the update_content PHP script were sent, you just pass them directly into a SQL query. - At no point, ever, should the $_POST array be used directly in an SQL query. Never! If you are going to use the old mysql_query function to execute a query, all values that are going into the query should be passed through the mysql_real_escape_string function first.

However, the best way to execute MySQL queries is to use either PDO or MySQLi, and use Prepared Statements. That's by far the safest way.
Was This Post Helpful? 4
  • +
  • -

Page 1 of 1