Please help with PHP code :( Beating my head against the wall!

[Chad J]

I have read Kevins article on PHP and MySQL, and have modified the script for my needs. It all works excellent, except for the 'edit' page that is intended to allow my content providers to edit their own articles that they have submitted.

The code below is what I am using, and it has 2 problems.
1. Upon submittting updated content, the content is NOT updated, but:
2. The confirmation appears stating that the information has been updated.

Please help!

Code:

<?php

$dbcnx = @mysql_connect("localhost", "root", "mypasswd");
mysql_select_db("afs");

if ($submit): // The articles details have
                // been updated.
				
	$validpassword = mysql_query("SELECT id, password FROM authors WHERE id='$aid'");
		$stuff = mysql_fetch_array($validpassword);
    	$dbpass = $stuff["password"];
    	$id = $stuff["id"];
			
  	if ($password != $dbpass) {
    	echo("<P>Bad <b>Password</b> " .
         ". Click 'Back' " .
         "and try again.</P>");
		     exit();
		   }

  	$sql = "UPDATE articles SET " .
         "body='$body', " .
         "articlename='$title', " .
         "aid='$aid' " .
         "WHERE id=$id";
		 
  		if (mysql_query($sql)) {
    		echo("<P>Article details updated.</P>");
  		} else {
    		echo("<P>Error updating article details: " .
         	mysql_error() . "</P>");
  		}
?>

<?php
  else: // Allow the user to edit the article
        // with ID=$id

  $update=mysql_query("SELECT body, articlename, aid FROM articles WHERE id=$id");
  		if (!$update) {
    		echo("<P>Error fetching article details: " .
         			mysql_error() . "</P>");
    	exit();
  		}

  	$art = mysql_fetch_array($update);
  		$body = $art["body"];
  		$title = $art["articlename"];
  		$authid = $art["aid"];

  		// Convert HTML special characters
  		// in database value for use in
  		// an HTML document.
  		$body = htmlspecialchars($body);

  		// Get lists of authors and categories for
  		// the select box and checkboxes.
	$auth = mysql_query("SELECT id, name, password FROM authors Where id=$authid");
?>

	<FORM ACTION="<?php echo($PHP_SELF); ?>" METHOD=POST>
  		<P>Edit the Title:<br><input type="text" name="title" value="<?php echo($title); ?>">
  		<P>Edit the article:<BR>
    	<TEXTAREA NAME="body" ROWS=15 COLS=45 WRAP><?php
			echo($body);
?>			</TEXTAREA>
  		<P>Author: 
    	<SELECT NAME="aid" SIZE=1>
<?php
  		$validauthor = mysql_fetch_array($auth);
    	$aid = $validauthor["id"];
    	$aname = $validauthor["name"];

	 if ($aid == $authid) {
	   	 echo("<OPTION SELECTED VALUE='$aid'>$aname\n");
	 	 } else {
	     echo("<OPTION VALUE='$aid'>$aname\n");
		}
?>
    </SELECT>
    Password: 
    <input type="password" name="password">
  </P>

<INPUT TYPE=HIDDEN NAME="id" VALUE="<?php echo($id); ?>">
<P><INPUT TYPE=SUBMIT NAME="submit" VALUE="SUBMIT"></P>
</FORM>

<?php endif; ?>

This is my first PHP script, and first time actually working with a MySQL database, and I have been able to make my content management perfectly so far, except for this. The $id is passed in the URL.

My head is now beginning to hurt, so please help me out!

Thanks,

Chad

p.s. Kevin, great article! You've got me doing things I never thought I could. Thanks!

[atomicmunky]

change this section

Code:

$sql = "UPDATE articles SET " .
         "body='$body', " .
         "articlename='$title', " .
         "aid='$aid' " .
         "WHERE id=$id";

to this :

Code:

$sql = mysql_query("UPDATE articles SET
         body='$body',
         articlename='$title',
         aid='$aid'
         WHERE id='$id' ");

see if that does anything. notice the difference in the quotations marks. you had way to many quotations marks in your insert statement.

[freakysid]

atomic monkey, there is no practical difference between the original and your alternative code.

I've looked through the code twice and I can't see any obvious problem. My suggestion for debugging is to do this: echo your SQL statements before you do a mysql_query. Then you will be able to see (in your browser window) what sql is being sent to the mysql server. This may uncover the problem. Other wise do as freddydoesphp suggested in a recent thread - and copy the sql statement from your browser window and run it through mysql server from the command line and see what results you get.

[FatPiper]

Another little debugging thing you might try is at every select query you have, output all of the results (for example authorname, articlebody, etc.).
You might also want to have it output the form contents before it updates, then the mysql info after it updates, so you can easily check for differences.

Then also have it output the results for each of the select and insert statements.
That way you'll know what's going on at every point in the program, and hopefully can fix it.

If that doesn't work, then the only other thing I'd try if I were you (and I know that everyone will counsel against this, and say I'm wrong, but ...): add a semi colon at the end of your sql statement.

YES, I know, the php manual says not to. However, I also know that my CMS won't work without it. (Although that could just be my php.ini settings .. but I doubt it) If it doesn't work, then rip any semi-colons you added to your SQL out as fast as you can, and pretend it never happened.

However, when what should work doesn't, then what shouldn't work does.

Hope you manage to make it work!

[sylow]

I havent seen anywhere in your codes AddSlashes() function?
You should add slashes if the field is text field before inserting into database and then after getting from database use StripSlashes().
insertion
$body=AddSlashes($body)
UPDATE ..... body='$body'.....

after getting field from database
$body=StripSlashes($body)

also why dont you make aid field integer type? or it is integer type but when you were inserting you added quotas wrongly around '$aid' ?

[Chad J]

Ok, great! I got it working. I used the debugging technique that you guys said, and found that for some reason, my article id, and author id came up as being the same #.

If you notice in the script (at the top), I assigned the $id variable to contain the id of the authors db (AID). At least I think I did. Anyhow, now it works.

I do have one other question though, what is the purpose of the addslashes & strip slashes? What exactly does it do?

Thanks again! you've been very helpful!

Chad

[freakysid]

Your user may have entered characters into one of the text fields that are "special" characters that may screw up your SQL statement when the user supplied string is included in the SQL. These characters will include single quotes ', double quotes ", the backslash \ , etc.

addslashes goes through the string and "escapes" these characters by adding the backslash (escape character) before each instance of the characters that should be escaped so that you can safely include the string in your SQL.

http://www.php.net/manual/en/function.addslashes.php

Actually now I'm confused - is the escape character "\" aka a forwardslash or backslash ???

[FatPiper]

\ = backslash
/ = forwardslash

backslash = escape char
...
feeling better?