Home/ Questions/Q 6017773
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T03:10:39+00:00

I have a table that has the user ID already in it, but some

  • 0

I have a table that has the user ID already in it, but some of the information is missing and that is where I need the user to input it themselves. With the URL of the form I have their ID in it… winnerpage.php?ID=123

I am having troubles getting the code to work. Any help would be great!

This is the code on that winnerpage.php

<form enctype="multipart/form-data" action="winnerpage.php" method="POST">
ID: <input name="ID" type="text" value="<?=$ID?>" /><br/>
First Name: <input type="text" name="FN"><br />
Last Name: <input type="text" name="LN"><br />
Email: <input type="text" name="EM"><br />
Phone: <input type="text" name="PH"><br />
<input type="submit" name="edit" value="edit"></form> <br>

<?
require_once('mysql_serv_inc.php');

$conn = mysql_connect("$mysql_server","$mysql_user","$mysql_pass"); 
if (!$conn) die ("ERROR"); 
mysql_select_db($mysql_database,$conn) or die ("ERROR"); 

if(isset($_POST['edit']))
{
$sID        =    addslashes($_POST['ID']);
$sFN        =    addslashes($_POST['FN']);
$sLN        =    addslashes($_POST['LN']);
$sEM        =    addslashes($_POST['EM']);
$sPH        =    addslashes($_POST['PH']);


mysql_query('UPDATE winner SET FN=$sFN, LN=$sLN, EM=$sEM, PH=$sPH 
             WHERE ID=$sID') or die (mysql_error());

echo 'Updated!';
}

$query = "select * from winner order by ID";
$result = mysql_query($query);
?>

<?
   while ($link=mysql_fetch_array($result))
   {
     echo 'Unique ID - Completion Time - First Name - Last Name - Email - Phone<br/>'.$link[ID].' -' .$link[FN].' - '.$link[LN].' - '.$link[EM].' - '.$link[PH].'<br>';
     }
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    1)
    ID: <input name="ID" type="text" value="<?=$ID?>" /><br/>

    Where do you get that $ID?
    Are you doing something like $_GET['ID'] or are you relying on safe_mode being ON? (it’s not clear from the code you provided)
    (better yet, if(isset($_GET['ID'])) { $ID = (int)$_GET['ID'] }

    2) Please don’t to that. Don’t use addslashes(). Use mysql_real_escape_string() or, even better, prepared statements. Addslashes is not utterly reliable in escaping datas for queries.

    sID    =    (int)$_POST['ID'];
$sFN   =    mysql_real_escape_string($_POST['FN']);
$sLN   =    mysql_real_escape_string($_POST['LN']);
$sEM   =    mysql_real_escape_string($_POST['EM']);
$sPH   =    mysql_real_escape_string($_POST['PH']);

    Also, add 'value=""' to each input field (not mandatory)

    3) encapsulate values in query:

    mysql_query("UPDATE winner SET FN='".$sFN."', LN='".$sLN."', EM='".$sEM."', PH='".$sPH."' WHERE ID='".$sID."'") or die (mysql_error());
    • 0