Newb Here

Well here’s my story. Several years ago I volunteered to make a basic data entry page for a local non-profit to keep track of donations for their annual auction. I grabbed a couple php/mysql books from the library and taught myself the basics. The website was successful and worked perfectly for the first few years.

I originally put this together in 2008 and each year I would just go into the MySQL DB and clear the table, move all the files to the current year folder (ie. www.auctionsite.com/2012/) and away they would go for another year.

Well, not so this year and I don’t have the depth of knowledge to figure out why. Here are the only differences:
I upgraded my web host which is now php5 and MySQL 5.0. Previous versions were both 4.

The data entry page works as it did before, but the edit and delete entry pages do not. The edit page brings up the information correctly, but when I submit the changes, the DB does not update. The delete page just gives me the error.

I have included the code below and would appreciate ANY help from someone who ACTUALLY knows what they are doing (unlike myself who is just a hack).

Thank you,
Jay

hys.php (data entry page)
[php]

Auction Procurement <?php

$hostname="***.***.***";
$username="****";
$password="****";
$database="****";

mysql_connect($hostname,$username,$password) or die("Unable to connect to database");
@mysql_select_db($database) or die("Unable to select database");

$queryfetch1 = "select * from hysauction WHERE verbal='yes'";
$result1 = mysql_db_query($database, $queryfetch1);
$total1 = mysql_num_rows($result1);

$queryfetch2 = "select * from hysauction WHERE verbal!='yes'";
$result2 = mysql_db_query($database, $queryfetch2);
$total2 = mysql_num_rows($result2);

php?>

HYS Auction Procurement
						</tr>
						<tr>
							<td width="150" valign="top">
							<font face="Arial" color="#0000FF">Enter Special<br>Instructions Here:<br>
							<br></font>
							<font face="Arial" size="2" color="red">(ie: Minimum Bid,<br>Must pick up from,<br>Must be used by,<br>Contact so -n- so at #...)
							</font></td>
							<td width="274">
							<font color="#0000FF" face="Arial">
							<textarea rows="10" name="spinstruct" cols="40"></textarea></font></td>
						</tr>
						<tr>
							<td width="150" valign="top">
							<font face="Arial" color="#0000FF">Choose Type</font><br>
							<font face="arial" size="2" color="red">If you're not 100% sure<br>
							Leave unchecked</td>
							<td width="274">
							<font face="Arial" color="#0000FF">
							<input type="radio" name="verbal" value="yes"> Verbal Auction Item</br>
							<input type="radio" name="verbal" value="no"> Silent Auction Item</td>
							</font>
						</tr>
						<tr>
							<td valign="top" colspan="2" width="495">
							<p align="center">
							<font color="#0000FF" face="Arial">
							<input type="submit" value="Submit" name="B1"></font></td>
						</tr>
						
					</form>
				</table>
				
				
				</p>
				<hr color="white">
<?php echo "Verbal Auction - $total1
"; if ($result1) { echo "
Procured By: Donated By:
Item Donated: Donor Contact:
Item Value: Phone Number:
Address:
City:
State:
Zip Code:
"; while ($r1 = mysql_fetch_array($result1)) { $procured1 = $r1["procured"]; $donated1 = $r1["donated"]; $phone1 = $r1["phone"]; $item1 = $r1["item"]; $value1 = $r1["value"]; $spinstruct1 = $r1["spinstruct"]; echo "
"; 
		} 
		echo "
Procured By: Donated By: Phone Number: Item Donated: Value: Special Instructions

$procured1 $donated1 $phone1 $item1 $value1 $spinstruct1

"; } else { echo "No data."; } mysql_free_result($result1); echo"
"; echo "Silent Auction - $total2
"; if ($result2) { echo ""; while ($r2 = mysql_fetch_array($result2)) { $procured2 = $r2["procured"]; $donated2 = $r2["donated"]; $phone2 = $r2["phone"]; $item2 = $r2["item"]; $value2 = $r2["value"]; $spinstruct2 = $r2["spinstruct"]; echo "
"; 
		} 
		echo "
Procured By: Donated By: Phone Number: Item Donated: Value: Special Instructions

$procured2 $donated2 $phone2 $item2 $value2 $spinstruct2

"; } else { echo "No data."; } mysql_free_result($result2); mysql_close(); ?>
[/php]

edithys.php
[php]<?
//connect to mysql
//change user and password to your mySQL name and password
$host="***.***.***";
$user="****";
$pass="****";
$dbase="****";

mysql_connect($host,$user,$pass) or die("Unable to connect to database");

//select which database you want to edit
mysql_select_db("$dbase") or die("Unable to connect select database");

//If cmd has not been initialized
if(!isset($cmd))
{
//display all the entries
$result = mysql_query("select * from hysauction order by procured, donated, item");

//run the while loop that grabs all the donations
while($r=mysql_fetch_array($result))
{
//grab the procurer, donor and item from the list
$id=$r["id"];//take out the id
$procured=$r["procured"];//take out the procurer
$donated=$r["donated"];//take out the donor
$item=$r["item"];//take out the item

 //make the Item a link
  echo  
   "<table border=0 bgcolor=#ffffff><font face=Arial color=#0000ff><tr>
<td width=140>$procured</td><td width=20></td>
<td width=140>$donated</td><td width=20></td>
<td>$item</td><td width=5></td>
<td><a href=\"edithys.php?cmd=edit&id=$id\">Edit</a></td>
<td width=5></td>
<td><a href=\"deletehys.php?cmd=delete&id=$id\" onclick=\"return confirm('Are you SURE you want to delete?')\">Delete</a></td>
</tr>";
}
echo "</table>";

}
?>

<?
if($_GET["cmd"]=="edit" || $_POST["cmd"]=="edit")
{
   if (!isset($_POST["submit"]))
   {
      $id = $_GET["id"];
      $sql = "SELECT * FROM hysauction WHERE id=$id";
      $result = mysql_query($sql);
      $myrow = mysql_fetch_array($result);
?>
  <form action="edithys.php" method="post">
  <input type=hidden name="id" value="<?php echo $myrow["id"] ?>">

  Procured By:<INPUT TYPE="TEXT" NAME="procured" VALUE="<?php echo $myrow["procured"] ?>" SIZE=30><br>
  Donated By:<INPUT TYPE="TEXT" NAME="donated" VALUE="<? echo $myrow["donated"] ?>" SIZE=30><br>
  Donors Contact:<INPUT TYPE="TEXT" NAME="donorcontact" VALUE="<?php echo $myrow["donorcontact"] ?>" SIZE=30><br>
  Phone Number:<INPUT TYPE="TEXT" NAME="phone" VALUE="<?php echo $myrow["phone"] ?>" SIZE=30><br>
  Street Address:<INPUT TYPE="TEXT" NAME="address" VALUE="<?php echo $myrow["address"] ?>" SIZE=30><br>
  City:<INPUT TYPE="TEXT" NAME="city" VALUE="<?php echo $myrow["city"] ?>" SIZE=30><br>
  State:<INPUT TYPE="TEXT" NAME="state" VALUE="<?php echo $myrow["state"] ?>" SIZE=30><br>
  Zip Code:<INPUT TYPE="TEXT" NAME="zip" VALUE="<?php echo $myrow["zip"] ?>" SIZE=30><br>
  Item Donated:<INPUT TYPE="TEXT" NAME="item" VALUE="<?php echo $myrow["item"] ?>" SIZE=30><br>
  Item Value:<INPUT TYPE="TEXT" NAME="value" VALUE="<?php echo $myrow["value"] ?>" SIZE=30><br>
  Special Instructions:<TEXTAREA NAME="spinstruct" ROWS=10 COLS=40><?php echo $myrow["spinstruct"] ?></TEXTAREA><br>
  Verbal Item:<INPUT TYPE="TEXT" NAME="verbal" VALUE="<?php echo $myrow["verbal"] ?>" SIZE=3><br>

  <input type="hidden" name="cmd" value="edit">

  <input type="submit" name="submit" value="submit">


  </form>
<? } ?>
<?
   if ($_POST["$submit"])
   {
      $procured = $_POST["procured"];
      $donated = $_POST["donated"];
      $donorcontact = $_POST["donorcontact"];
      $phone = $_POST["phone"];
      $address = $_POST["address"];
      $city = $_POST["city"];
      $state = $_POST["state"];
      $zip = $_POST["zip"];
      $item = $_POST["item"];
      $value = $_POST["value"];
      $spinstruct = $_POST["spinstruct"];
      $verbal = $_POST["verbal"];

      $sql = "UPDATE hysauction SET procured='$procured',donated='$donated',phone='$phone',item='$item',value='$value',spinstruct='$spinstruct',verbal='$verbal',address='$address',city='$city',state='$state',zip='$zip',donorcontact='$donorcontact' WHERE id=$id";
      //replace new info with your table name above
      $result = mysql_query($sql);
      echo "Thank you! Information updated.
Main Procurement Page Edit Another Entry
";
   }
}
?>

[/php]

deletehys.php
[php]<?
//connect to mysql
//change user and password to your mySQL name and password
$hostname="***.***.***";
$username="****";
$password="****";
$database="****";

mysql_connect($hostname,$username,$password) or die("Unable to connect to database");

//select which database you want to edit
mysql_select_db("$database") or die(mysql_error());

if($cmd=="delete")
{
mysql_query("DELETE FROM hysauction WHERE id=$id");
echo "Entry Deleted!




Main Procurement Page Edit Another Entry
";
}

//If cmd has not been initialized
else echo "You did not arrive at this page in the correct manner!";
?>
[/php]

Check your phpinfo() to see if they allow asp style tags (ex. <? ?>). Most do not. Also, you have a lot of deprecated code, might be time to upgrade it. Those font tags have been replaced with css and the style attribute. You can close php tags with just ?> and your queries can be changed to mysql_query(). Also, as a major security precaution, put your db connection info in a separate file and just include or require it. If someone were to get a hold of the server-side code, they’ll have free rein on your sql server.

I don’t see any insert code, but as a tip, use mysql_real_escape_string() to keep buggers from doing bad things to your db. You may trust whoever is doing the entries, but it only takes 1 person to mess it up, it’s happened to me before.

Aside from some code overhaul, I’d say you did a great job :) I think the short tags are what’s causing the problems for you, if you do regular php tags, it’ll probably work.

So, if I understand correctly:
anywhere I have <? code should be <?php code
mysql_db_query() should be changed to mysql_query()
I’ll look up the usage for include and change that
I’m sure I’m not inserting correctly that’s what she said

[php]

HYS Auction
<?php
$hostname="***.***.***";
$username="****";
$password="****";
$database="****";

$postprocured=$_POST['procured'];
$postdonated=$_POST['donated'];
$postphone=$_POST['phone'];
$postitem=$_POST['item'];
$postvalue=$_POST['value'];
$postspinstruct=$_POST['spinstruct'];
$postverbal=$_POST['verbal'];
$postaddress=$_POST['address'];
$postcity=$_POST['city'];
$poststate=$_POST['state'];
$postzip=$_POST['zip'];
$postdonorcontact=$_POST['donorcontact'];

mysql_connect($hostname,$username,$password) or die("Unable to connect to database");
@mysql_select_db($database) or die( "Unable to select database");

$queryadd = "INSERT INTO hysauction VALUES ('','$postprocured','$postdonated','$postphone','$postitem','$postvalue','$postspinstruct','$postverbal','$postaddress','$postcity','$poststate','$postzip','$postdonorcontact')";
mysql_query($queryadd);
php?>
May God continue to bless HYS!
[/php]

What’s that office stuff? Aside from that, yes.

Sorry, my attempt at humor. The TV show “The Office”.

Working on some of the changes now, will let you know the outcome.

Thank you.

Any user input (like your inserts) needs to be filtered, like $postprocured=mysql_real_escape_string($_POST['procured']); what it does is escape any quotes that may be there (intentional or not). It’s an easy way to keep people from deleting or changing your records.

This isn’t a major thing, but if your table columns are listed as int or some other number based column, you don’t need to put quotes around it when inserting it. But if it’s working for you, then there’s no real need to change it :)

I need to call it a night here. Banging my head after making some changes. Apparently mysql_query() does not allow multiple queries. I was using $result1 for verbal auction items and $result2 for silent auction. No big deal, I’ll figure out another way.

Thanks for your help thus far. I did make the changes to the edit and delete pages but still no luck. I’ll post the new code tomorrow. Still getting same results as before.
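
The posted deletehys.php tests bare `$cmd` and `$id`, and edithys.php checks `$_POST["$submit"]` and reuses `$id` in its UPDATE; bare variables like these are filled from the request only when PHP's register_globals setting is on. As an added example that is not part of the thread, here are the edit and delete steps reading the request arrays explicitly and using prepared statements, which bind values instead of escaping them into the SQL string. It assumes PDO with the SQLite driver as an offline stand-in for MySQL; the function names, the reduced column list and the sample rows are made up for illustration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database
// stands in for the MySQL server; the rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE hysauction (id INTEGER PRIMARY KEY, procured TEXT, item TEXT, verbal TEXT)");
$db->exec("INSERT INTO hysauction (procured, item, verbal)
           VALUES ('Ann', 'Quilt', 'yes'), ('Bob', 'Gift card', 'no')");

// Take the id from the request array itself and accept digits only.
function request_id(array $req) {
    $id = isset($req['id']) ? $req['id'] : null;
    return (is_string($id) && ctype_digit($id)) ? (int)$id : null;
}

// Edit: the form posts a field literally named "submit".
function update_entry(PDO $db, array $post) {
    $id = request_id($post);
    if ($id === null || !isset($post['submit'])) {
        return 0;
    }
    $st = $db->prepare("UPDATE hysauction SET procured = :procured, item = :item, verbal = :verbal WHERE id = :id");
    $st->execute(array(
        ':procured' => $post['procured'],
        ':item'     => $post['item'],
        ':verbal'   => $post['verbal'],
        ':id'       => $id,
    ));
    return $st->rowCount();
}

// Delete: cmd and id come from the query string of the Delete link.
function delete_entry(PDO $db, array $get) {
    if (!isset($get['cmd']) || $get['cmd'] !== 'delete') { return 0; }
    $id = request_id($get);
    if ($id === null) { return 0; }
    $st = $db->prepare("DELETE FROM hysauction WHERE id = :id");
    $st->execute(array(':id' => $id));
    return $st->rowCount();
}

// Constructed requests; on a real page pass $_POST and $_GET instead.
$edit = array('cmd' => 'edit', 'submit' => 'submit', 'id' => '1',
              'procured' => "O'Brien", 'item' => 'Quilt', 'verbal' => 'yes');
echo "rows updated: ", update_entry($db, $edit), "\n";
echo "rows deleted (id is not a number): ", delete_entry($db, array('cmd' => 'delete', 'id' => '2 OR 1=1')), "\n";
echo "rows deleted (id=2): ", delete_entry($db, array('cmd' => 'delete', 'id' => '2')), "\n";
echo "procured for id 1: ", $db->query("SELECT procured FROM hysauction WHERE id = 1")->fetchColumn(), "\n";
```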
