This is the query:
if (isset($_POST['editMessage'])) {
    $result = mysql_query("UPDATE messages SET message = '".htmlspecialchars($editedmessage)."' WHERE id = '".$id."'");
    if ($result) {
        die("<strong>Message has been edited!</strong>");
    } else {
        die("<strong>Error ".mysql_error()."</strong>");
    }
}
Using this form:
<form action="index.php" method="post">
    <textarea name='editedmessage' rows='5' cols='70'><?php echo $_POST['editedmessage'];?></textarea>
    <input type='submit' name='editMessage' value='Edit'>
</form>
It's not showing an error, it updates the table field, but doesn't enter the edited message into the field, so the field updates and shows no information at all.
Where am I going wrong?
- htmlspecialchars($editedmessage) - You don't seem to be defining $editedmessage anywhere, did you mean $_POST['message1']?
- That should really be mysql_real_escape_string( htmlspecialchars( ... ) )
Try it the other way round; when it's correct you get a resource back:
if(!$result) {
    die('Died: ' . mysql_error());
} else {
    echo "Edited:";
}
You're missing the line:
$editedmessage = $_POST['editMessage'];
You are wrong here:
$result = mysql_query("UPDATE messages SET message = '".htmlspecialchars($_POST['editedmessage'])."' WHERE id = '".$id."'");
You use $editMessage in the query instead of $_POST['editMessage'] (unless you have register globals on, apparently you don't).
However, do NOT do this without running mysql_real_escape_string() on editMessage first, and DO NOT run htmlspecialchars() on it! Encoded data does not belong in the DB.
Either do $editMessage = $_POST['editMessage'];, or use $_POST in the query directly, but wrap it in mysql_real_escape_string() for goodness sake!
However, you DO want to run htmlspecialchars(), htmlentities(), or at the very least strip_tags() on $_POST['message1'] when you echo it out. This page is XSS (cross-site scripting) vulnerable.
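An added example (not code from the question or from any of the answers) showing the two separate boundaries the answer above describes: the value is passed to the database untouched, and HTML escaping happens only when it is echoed back into the page. It uses a mysqli prepared statement in place of mysql_real_escape_string(), since the mysql_* functions no longer exist in current PHP; the connection details and the hidden id field are assumptions, the table and column names come from the question.

```php
<?php
// Assumed connection; the credentials are placeholders, not from the page.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

if (isset($_POST['editMessage'])) {
    // Take the raw text from the textarea. No htmlspecialchars() here:
    // the database stores the message exactly as the user typed it.
    $editedmessage = $_POST['editedmessage'] ?? '';
    // Assumed hidden form field carrying the row id (the question never
    // shows where $id comes from).
    $id = (int) ($_POST['id'] ?? 0);

    // SQL boundary: the text travels as a bound parameter, so quotes or
    // comment sequences inside it can never alter the statement.
    $stmt = $db->prepare('UPDATE messages SET message = ? WHERE id = ?');
    $stmt->bind_param('si', $editedmessage, $id);

    if (!$stmt->execute()) {
        // Error text is escaped too, since it is written into HTML.
        die('<strong>Error ' . htmlspecialchars($stmt->error, ENT_QUOTES, 'UTF-8') . '</strong>');
    }
    $stmt->close();
    die('<strong>Message has been edited!</strong>');
}

// HTML boundary: escape only at output time, so a message containing
// <script> or a stray quote is shown as text instead of being interpreted.
$prefill = htmlspecialchars($_POST['editedmessage'] ?? '', ENT_QUOTES, 'UTF-8');
$prefillId = (int) ($_POST['id'] ?? 0);
?>
<form action="index.php" method="post">
    <input type="hidden" name="id" value="<?php echo $prefillId; ?>">
    <textarea name="editedmessage" rows="5" cols="70"><?php echo $prefill; ?></textarea>
    <input type="submit" name="editMessage" value="Edit">
</form>
```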