February 27, 2013

Data some is errased when update button is pressed

Question by user1868306

Please, I am having a problem when updating data in the database through a form. When ever I press the Update button to submit any changes made to a record, all the data in the mysql fields corresponding to drop list controls is errased. I do not know what is causing this problem. Here is the code:

<?php

    //include database connection
    include 'db_connect.php';

    // get value of object id that was sent from address bar
    $c_id = $_GET['c_id'];

    //check any user action
    $action = isset( $_POST['action'] ) ? $_POST['action'] : "";

    if($action == "update"){ //if the user hit the submit button

    //write our update query
    //$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection

    $query = "UPDATE collections
    SET
    ctitle = '".$mysqli->real_escape_string($_POST['ctitle'])."',
    csubject = '".$mysqli->real_escape_string($_POST['csubject'])."',
    creference = '".$mysqli->real_escape_string($_POST['creference'])."',
    cyear  = '".$mysqli->real_escape_string($_POST['cyear'])."',
    cobjecttype = '".$mysqli->real_escape_string($_POST['cobjecttype'])."',
    cmaterial = '".$mysqli->real_escape_string($_POST['cmaterial'])."',
    ctechnic = '".$mysqli->real_escape_string($_POST['ctechnic'])."',
    cwidth = '".$mysqli->real_escape_string($_POST['cwidth'])."',
    cheight = '".$mysqli->real_escape_string($_POST['cheight'])."',
    cperiod = '".$mysqli->real_escape_string($_POST['cperiod'])."',
    cmarkings = '".$mysqli->real_escape_string($_POST['cmarkings'])."',
    cdescription = '".$mysqli->real_escape_string($_POST['cdescription'])."',
    csource = '".$mysqli->real_escape_string($_POST['csource'])."',
    cartist = '".$mysqli->real_escape_string($_POST['cartist'])."'
    where c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'";

    //execute the query
    if( $mysqli->query($query) ) {

    //if updating the record was successful
    echo "The record was updated.";

    }else{

    //if unable to update new record
    echo "Database Error: Unable to update record.";

    }

    }

    //select the specific database record to update
    $query = "SELECT c_id, ctitle, csubject, creference, cyear, cobjecttype, cmaterial, ctechnic, cwidth, cheight, cperiod, cmarkings, cdescription, csource, cartist, cfilename
    FROM collections
    WHERE c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'

    limit 0,1";

    //execute the query
    $result = $mysqli->query( $query );

    //get the result
    $row = $result->fetch_assoc();

    //assign the result to certain variable so our html form will be filled up with values
    $c_id = $row['c_id'];
    $ctitle = $row['ctitle'];
    $csubject = $row['csubject'];
    $creference = $row['creference'];
    $cyear = $row['cyear'];
    $cobjecttype = $row['cobjecttype'];
    $cmaterial = $row['cmaterial'];
    $ctechnic = $row['ctechnic'];
    $cwidth = $row['cwidth'];
    $cheight = $row['cheight'];
    $cperiod = $row['cperiod'];
    $cmarkings = $row['cmarkings'];
    $cdescription = $row['cdescription'];
    $csource = $row['csource'];
    $cartist = $row['cartist'];
    $cfilename = $row['cfilename'];

    ?>

    <!--we have our html form here where new object information will be entered-->
    <table align=left>
        <tr>
    <td> <?php echo '<img src="./images/'.$cfilename.'" width="300" height="400" />';  ?> </td>
        </tr>
    <table>

    <form action='#' method='post' border='0'> 
    <table>
    <tr>
    <td>TITLE</td>
    <td><input type='text' name='ctitle' value='<?php echo $ctitle;  ?>' /></td>
    </tr>
    <tr>
    <td>SUBJECT</td>
    <td><input type='text' name='csubject' value='<?php echo $csubject;  ?>' /></td>
    </tr>
    <tr>
    <td>REFERENCE No.</td>
    <td><input type='text' name='creference'  value='<?php echo $creference;  ?>' /></td>
    </tr>
    <tr>
    <td>YEAR</td>
    <td><input type='text' name='cyear'  value='<?php echo $cyear;  ?>' /></td>
    <tr><td>OBJECT TYPE</td>
    <td>
        <select name="cobjecttype" id="cobjecttype" tabindex="">
            <option value="">---Select object type---</option>
            <option value="ceramic">Ceramic</option>
            <option value="clock">Clock</option>
            <option value="gold">Gold and silverware</option>
            <option value="mask">Mask</option>
            <option value="painting">Painting</option>
            <option value="sculpture">Sculpture</option>
            <option value="tapestry">Tapestry</option>
        </select>
        </td></tr>
        <tr><td>MATERIAL USED</td>
    <td>
        <select name="cmaterial" id="cmaterial" tabindex="" >
            <option value="">---Select Material---</option>
            <option value="brass">Brass</option>
            <option value="oil">Oil</option>
            <option value="wood">Wood</option>
            <option value="carved">Canvas/Cotton/Fabric/Linen/Wool</option>
      </select>
        </td></tr>
    <tr><td>TECHNIC</td>
    <td>
        <select name="ctechnic" id="ctechnic" tabindex="7" >
            <option value="">---Select Technic---</option>
            <option value="cast">Cast</option>
            <option value="carved">Carved</option>
            <option value="etched">Etched</option>                      
      </select>  
        </td></tr>
    <tr>
    <td>WIDTH</td>
    <td width="100"><input name="cwidth" type="text" id="cwidth" value="<?php echo $cwidth; ?>" size="10"></td>
    </tr>
    <tr>
    <td>HEIGHT</td>
    <td width="100"><input name="cheight" type="text" id="cheight" value="<?php echo $cheight; ?>" size="10"></td>
    </tr>
    <tr>
    <td>PERIOD</td>
    <td width="100"><input name="cperiod" type="text" id="cperiod" value="<?php echo $cperiod; ?>" size="30"></td>
    </tr>
    <tr>
    <td>MARKINGS</td>
    <td width="100"><input name="cmarkings" type="text" id="cmarkings" value="<?php echo $cmarkings; ?>" size="30"></td>
    </tr>
    <tr>
    <td>DESCRIPTION</td>
    <td width="400"><textarea name="cdescription" rows="2" cols="50" id="cdescription" value="<?php echo $cdescription; ?>"></textarea></td></tr>
    <tr>
    <td>SOURCE</td>
    <td width="100"><input name="csource" type="text" id="csource" value="<?php echo $csource; ?>" size="30"></td>
    </tr>
    <tr>
    <td>ARTIST</td>
    <td width="100"><input name="cartist" type="text" id="cartist" value="<?php echo $cartist; ?>" size="30"></td>
    </tr>
    <td></td>
    <td>

    <!-- so that we could identify what record is to be updated -->
    <input type='hidden' name='c_id' value='<?php echo $c_id ?>' />

    <!-- we will set the action to update -->
    <input type='hidden' name='action' value='update' />
    <input type='submit' value='Save' />
    <a href='gallery.php'>Back to display page</a>
    </td>
    </tr>
    </table>
    </form>

Can someone help to identify what the problem is?

Answer by Starx

Such problem occur when you dont validate your POST data correctly. In your code, you are updating your records directly, by using mysql_real_escape_string($variable). But although this might fix some security issues will not validated every data if it is present or not.

Validate your variables to be present and hold data before updating to the query.

Author: Nabin Nepal (Starx)

Hello, I am Nabin Nepal and you can call me Starx. This is my blog where write about my life and my involvements. I am a Software Developer, A Cyclist and a Realist. I hope you will find my blog interesting. Follow me on Google+

...

Please fill the form - I will response as fast as I can!